Solved Hiawatha Web server

Hello everyone,

I came across an article, while looking for a way to secure my Nginx web server, that gives a lot of praise to the Hiawatha web server: https://www.hiawatha-webserver.org/

My understanding is that the security is top notch on this application and I wondered if anyone here is either using it or has used it before and could share their experience.

Thank you.

Fred
 
Very unhelpful but I looked into Hiawatha last year when I switched to nginx. I just wish I could recall why I didn't use it. I am using node.js because it suits my purposes but Hiawatha was in the running. I'm out of town but I'll try and remember what I was thinking about back then.
 
I've been using Hiawatha for three years. It has been very stable and reliable. I especially like that the configuration file is very simple and easy to set up. I have never had any issue with security, but all I run with it is PHP with the php-fpm module.
 
This is what I will be using it for as well. I will mainly use it to run Wordpress, Joomla and Drupal CMS. Can I use it to run multiple domains/SSL on one single IP address? How does it compare with Nginx and does it have a WAF?
 
Yes, Hiawatha supports virtual hosts and SSL. It uses PolarSSL (https://polarssl.org/) by default as its SSL API. This will show you how to implement it: https://www.hiawatha-webserver.org/howto/bindings. In regard to a comparison with nginx, I can't give one. I have never used it. Be sure to look through the website and the How-tos. It's well documented and the forum has very good information as well.
 
Hi Fred,

I am an active member of the OpenBSD community and in the past 8-9 years I have never seen a single reference to Hiawatha on misc@openbsd. I have seen conversations about all sorts of web servers.

Just for static content I heard good things about NetBSD's built-in http. OpenBSD also got its own http, which is surgically created from OpenBSD relayd. Nginx is going to be removed from OpenBSD base in the 5.7 release as it is becoming more "feature rich", read: more like Apache. That being said, I use Nginx in a very similar fashion to the one you are describing. Even though relayd got those redirection features this summer, people could not get them to work properly, so I am sticking with Nginx on OpenBSD.
 
Thank you very much Oko. I really value your input on this one.
OpenBSD will be my next venture, as I keep thinking that it might be more what I want, but I am just getting to grips with FreeBSD and from what I've gathered finding help for OpenBSD is not as easy as with FreeBSD. But I would love to get my head around it :)

Have you got any advice as a starting point?
 
Which problem are you trying to solve with OpenBSD? Nginx runs equally well on FreeBSD. I like the setup in a Jail. Introducing a new OS dramatically increases the complexity of any organization. I am first and foremost an OpenBSD user, so it is all too natural for me to use OpenBSD at work for everything network related. I introduced FreeBSD because of ZFS, hardware RAIDs and Jails. I inherited Red Hat because of stupid MATLAB and Oracle Java. Also some desktops. My personal preference, which would improve my productivity, is to purge Red Hat and Linux from our organization. Not likely to happen, but a goal worth dreaming about.

Note that FreeBSD is a more general OS than OpenBSD and if I was not so nit-picky about my version of PF, security, and some peculiar network features I would probably be able to use FreeBSD for everything. That is probably an ideal situation for any organization.
 
I'd like to add some cents.

I'm not sure all those performance remarks make a lot of sense. Because it's a complex thing. To offer a funny example, one may get terribly misled by comparing two servers on otherwise similar machines, one however using a decent network card with TCP offloading and the other one without.
Usually nowadays HTTP servers don't simply serve static content. So diverse factors enter the game, things like the backend protocol (FCGI, etc.) and their implementation. Probably most importantly PHP isn't exactly a speed demon. Using something built on PHP basically makes server comparisons all but vain; rest assured that even a lousy server runs circles around your Drupal or whatever PHP application.

One reason to like Hiawatha is that, while being roughly in the same league as the other players performance-wise, Hiawatha was focussed on security from day 1. To put it somewhat crudely: for Hiawatha performance was a second thought, for most others security was a second (or third) thought.
This shows in diverse aspects, using PolarSSL as its SSL library being just one.

I've looked at, tried and run pretty much all of the httpd players, and Hiawatha has earned its place as my preferred httpd server. Be warned, though, that I wasn't concerned about performance charts but rather looked under the hood with tough eyes, experience, and a pragmatic approach. And: I'm not a PHP user.

Finally, is performance really important? Frankly, usually no. The bottleneck isn't the HTTP server but rather the interpreted applications. For your average site pretty much every HTTP server will do fine. Cherokee is a good example; it's quite fast, quite comfortable and user friendly, and quite no-fuss to use.

If you happen to work on the next Twitter or similar Giga-application, your best choice would be to use an HTTP server for static content only (images, etc.) and to write your application in a compiled language.
For the rest of us Hiawatha, nginx, Cherokee, or pretty much any other HTTP server will do fine, and you should concentrate on other factors than speed.
 
I'm sure many people also never heard of OpenBSD. Is that a reason for not taking a look at it? This is the very reason why Hiawatha is not very well known. People advise other people to use Apache, because the whole world is using Apache. If that is a valid argument, then why aren't you using Windows, Oko?

fred974, the only way to find out if Hiawatha is good for you is to find out for yourself. I'm very sure Hiawatha will serve you well!
 
Hi Hiawatha

I am really pleased that you, as the author of the Hiawatha webserver, took part in my post. I am really willing to try it, but could you please tell us if you have got any How-to for FreeBSD?

As I have multiple domains, in Nginx I had one configuration file per domain. From what I saw on your site, everything goes into a single file. How do you manage it all?
 
Hiawatha is available via the ports tree, which allows easy installation for you. The rest isn't FreeBSD specific.

You can use the
Code:
Include <file|directory>
option to do the same in Hiawatha.
 
fred

I can fully support Hiawatha's statement.

Installing Hiawatha on FreeBSD is as simple as make install clean in the ports or installing the package. The configuration is simple, well documented and not OS-specific.
 
Hi Hiawatha,

I have decided to give www/hiawatha a go but I have two problems. When I do service hiawatha onestart, I get the following error:
Code:
Starting hiawatha.
Syntax error in hiawatha.conf on line 7.
/usr/local/etc/rc.d/hiawatha: WARNING: failed to start hiawatha
I have the following in my hiawatha.conf file
Code:
# Hiawatha main configuration file
#


# GENERAL SETTINGS
#
ServerId = www-www
ConnectionsTotal = 1000
ConnectionsPerIP = 10
SystemLogfile  = /var/log/hiawatha/system.log
GarbageLogfile = /var/log/hiawatha/garbage.log
ExploitLogfile = /var/log/hiawatha/exploit.log

LogFormat = extended
ServerString = Apache
CGIwrapper = /usr/local/sbin/cgi-wrapper

# BINDING SETTINGS
# A binding is where a client can connect to.
#
Binding {
        Port = 80
#       Interface = 127.0.0.1
        MaxKeepAlive = 30
        TimeForRequest = 3,20
}
#
#Binding {
#       Port = 443
#       Interface = ::1
#       MaxKeepAlive = 30
#       TimeForRequest = 3,20
#       SSLcertFile = hiawatha.pem
#}


# BANNING SETTINGS
# Deny service to clients who misbehave.
#
BanOnGarbage = 300
BanOnMaxPerIP = 60
BanOnMaxReqSize = 300
KickOnBan = yes
RebanDuringBan = yes

BanOnDeniedBody = 300
BanOnSQLi = 300
BanOnFlooding = 10/1:15
BanlistMask = allow 85.31.45.1xx, allow 273.116.169.xxx, deny 192.168.0.0/24, deny 127.0.0.1
ReconnectDelay = 3

# COMMON GATEWAY INTERFACE (CGI) SETTINGS
# These settings can be used to run CGI applications.
#
CGIhandler = /usr/local/bin/perl:pl
CGIhandler = /usr/local/bin/php-cgi:php
CGIhandler = /usr/local/bin/python:py
CGIhandler = /usr/local/bin/ruby:rb
#CGIhandler = /usr/local/bin/ssi-cgi:shtml
CGIextension = cgi
#
FastCGIserver {
        FastCGIid = PHP5
        ConnectTo = 127.0.0.1:2005
        Extension = php
}


# URL TOOLKIT
# This URL toolkit rule was made for the Banshee PHP framework, which
# can be downloaded from http://www.hiawatha-webserver.org/banshee
#
#UrlToolkit {
#       ToolkitID = banshee
#       RequestURI isfile Return
#       Match ^/(css|files|images|js|slimstat)($|/) Return
#       Match ^/(favicon.ico|robots.txt|sitemap.xml)$ Return
#       Match .*\?(.*) Rewrite /index.php?$1
#       Match .* Rewrite /index.php
#}


# DEFAULT WEBSITE
# It is wise to use your IP address as the hostname of the default website
# and give it a blank webpage. By doing so, automated webscanners won't find
# your possible vulnerable website.
#
Hostname = 127.0.0.1
WebsiteRoot = /usr/local/www/hiawatha
StartFile = index.html
AccessLogfile = /var/log/hiawatha/access.log
ErrorLogfile = /var/log/hiawatha/error.log
#ErrorHandler = 404:/error.cgi


# VIRTUAL HOSTS
# Use a VirtualHost section to declare the websites you want to host.
#
#VirtualHost {
include /usr/local/etc/hiawatha/enable-sites/
#       Hostname = www.my-domain.com
#       WebsiteRoot = /var/www/my-domain/public
#       StartFile = index.php
#       AccessLogfile = /var/www/my-domain/log/access.log
#       ErrorLogfile = /var/www/my-domain/log/error.log
#       TimeForCGI = 5
#       UseFastCGI = PHP5
#       UseToolkit = banshee
#}


# DIRECTORY SETTINGS
# You can specify some settings per directory.
#
#Directory {
#       Path = /home/baduser
#       ExecuteCGI = no
#       UploadSpeed = 10,2
#}
In my Nginx configuration, I currently use www www with no problem.

The second question is: what is the FreeBSD version of this command (AppArmor configuration)? aa-genprof hiawatha.
 
Code:
$ cat -n /tmp/hiaw.conf
  1  # Hiawatha main configuration file
  2  #
  3 
  4 
  5  # GENERAL SETTINGS
  6  #
  7  ServerId = www-www
  8  ConnectionsTotal = 1000
  9  ConnectionsPerIP = 10
So the problem is in the ServerID. Maybe you could try a name without a hyphen e.g. hiawww.
I have never used Hiawatha, but probably the ServerID needs to be resolvable in DNS too.
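An added example (not code from the thread or from the Hiawatha project) covering the two practical points above: Hiawatha's "Include <directory>" option, which lets you keep one VirtualHost file per domain the way nginx users do, and a pre-flight check of the ServerId value, which Hiawatha's manual documents as <userid>[:<groupid>]. The sites directory and the assumption that the line-7 error stems from a non-existent account are mine; the paths and the PHP5 FastCGI id mirror the posted hiawatha.conf.

```shell
#!/bin/sh
# Added example, not part of the thread or the Hiawatha project.
# Assumed layout: per-domain files under SITES_DIR, pulled in from the
# main hiawatha.conf with
#   Include /usr/local/etc/hiawatha/enable-sites/
SITES_DIR="${SITES_DIR:-/usr/local/etc/hiawatha/enable-sites}"

# write_vhost <domain> <webroot>: write one VirtualHost block into
# $SITES_DIR/<domain>.conf (FastCGI id PHP5 as in the posted config).
write_vhost() {
    domain=$1; webroot=$2
    mkdir -p "$SITES_DIR"
    cat > "$SITES_DIR/$domain.conf" <<EOF
VirtualHost {
    Hostname = $domain, www.$domain
    WebsiteRoot = $webroot/public
    StartFile = index.php
    AccessLogfile = $webroot/log/access.log
    ErrorLogfile = $webroot/log/error.log
    TimeForCGI = 5
    UseFastCGI = PHP5
}
EOF
}

# check_server_id <userid>[:<groupid>]: return 0 only when the user (and
# the group, if one is given) exists on this host. Assumption: a ServerId
# naming an unknown account is what makes Hiawatha reject the config
# line, so "www-www" fails here while "www:www" passes on FreeBSD.
check_server_id() {
    user=${1%%:*}
    group=${1#*:}
    id -u "$user" >/dev/null 2>&1 || { echo "no such user: $user" >&2; return 1; }
    if [ "$group" != "$1" ]; then
        grep -q "^$group:" /etc/group || { echo "no such group: $group" >&2; return 1; }
    fi
    return 0
}
```

Run check_server_id against the value you intend to put on the ServerId line before starting the service; the per-domain files only need to exist in the directory named by Include.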
 
You might want to web-search for "FreeBSD Capsicum".

In other words, to elaborate somewhat on SirDice's post: AppArmor is a (more correctly, one of diverse) Linux approaches to (kernel related) security (others being Tomoyo, SELinux, ...). Obviously FreeBSD is concerned about the underlying problems, too, and obviously FreeBSD has been/is working on a proper solution, too.

One needs to understand that those "security solutions" address what are in fact quite diverse issues like stack protection, proper memory segment usage, etc.

The problem class you seem to be interested in is typically addressed by capability management, i.e. by some kind of (software) system that associates a set of necessary capabilities (like access to certain devices, ports, etc.) with a given application that is then checked and enforced by the kernel.
Capability management has been researched quite long and well and has shown to offer excellent potential. Unfortunately the number of readily supported applications/daemons is still quite small but you may, of course, add more. Just look up capsicum(4).

Note, though, that FreeBSD (if properly set up) is quite safe out of the box and capsicum (from today's perspective) is considered something more in the high-security realm. For practical purposes the combination of FreeBSD and Hiawatha already offers a rather solid level of security. My advice is therefore to rather concentrate on a "watertight" standard FreeBSD and server(s) setup and configuration.
 