« Previous 1 2 3 4
Security first with the Hiawatha web server
Small but Safe
Adding TLS Encryption
Adding TLS encryption (HTTPS) to your website is important. TLS ensures no one can listen in on visitors to your website or steal credit cards. Google also ranks your website higher if it serves HTTPS.
Adding encryption to your website is fairly easy, but getting a working certificate to do so is more difficult. Until recently, the only two viable options for obtaining a certificate to use with TLS/SSL were:
- Make a certificate yourself. That's free, thanks to open source. However, no browser will trust a self-signed certificate, so this route can drive away potential visitors. For your personal webmail site, that might not be a problem, but don't expect it to work for other visitors.
- Buy a certificate. A certificate costs money and requires some technical expertise. Most businesses use a commercial vendor, but because of the cost, many non-profit websites do not use certificates at all.
Another option to consider is a new open source project called Let's Encrypt, which is attempting to make certificates free. Let's Encrypt is still in beta, but it works well on my Linux system. If you feel like exploring Let's Encrypt, see the instructions at the project website [7].
For purposes of this article, I'll assume you are setting up a small, private site and are satisfied with a self-signed certificate. Listing 7 shows the steps for setting up a self-signed certificate for Hiawatha. For simplicity, I'll use this self-signed certificate for both the default website and the virtual host website.
Listing 7
A Self-Signed Certificate
cd /root/certs openssl genrsa -out default-serverkey.pem 2048 openssl req -new -x509 -days 3650 -key default-serverkey.pem -out server.crt echo "" >> default-serverkey.pem cat server.crt >> default-serverkey.pem echo "" >> default-serverkey.pem rm -f server.crt mkdir /etc/hiawatha/certs cp default-serverkey.pem /etc/hiawatha/certs chown www-data:www-data /etc/hiawatha/certs/default-serverkey.pem chmod 400 /etc/hiawatha/certs/default-serverkey.pem
If you decide to acquire a trusted certificate, you will probably want to give each virtual host a unique certificate of its own. In step three, you need to fill in information about your website. Once you have your certificate, you'll need to change the configuration with a port 443 binding and add TLS to the default website configuration (Listing 8).
Listing 8
Binding Port 443
Binding { Port = 443 TLScertFile = /etc/hiawatha/certs/default-serverkey.pem # #Interface = 127.0.0.1 TimeForRequest = 2,45 #default 5,30 }
As you can see in Listing 8, the binding configuration has its own TLS certificate. This certificate will be used for the default website you get if you connect to the web server without a valid host HTTP header. The Interface
line lets you configure the server to listen only on specific IP addresses. (Note that the Interface
option is disabled in Listing 8.)
You also need to change the virtual host configuration to include our new certificate (Listing 9). The configuration for the virtual host is not much different from a host without TLS: just three lines more. Requiring TLS makes sure the web server will redirect unencrypted connections on port 80 to encrypted ones on port 443. This is a good thing, because you want to protect visitors from eavesdropping. The second line states where to find the certificate. Check the latest changes with:
Listing 9
New Virtual Host Configuration
VirtualHost { Hostname = www.thisisagreatwebsite.com, *.thisisagreatwebsite.com TLScertFile = /etc/hiawatha/certs/ default-serverkey.pem RequireTLS = yes #redirect port 80 to 443 WebsiteRoot = /var/www/thisisagreatwebsite StartFile = index.html ErrorHandler = 404:/index.html }
service hiawatha check
If all is well, you can restart Hiawatha:
/etc/init.d/hiawatha restart
Point your browser to https://<ip-address>/ where <ip-address> is the IP address of your web server host. You should now see a browser warning about the untrusted certificate.
Conclusion
Hiawatha is secure and easy-to-use web server alternative that supports many popular CMS options and server extensions. The Hiawatha web server might not have all the bells and whistles you get with Apache, but it is an attractive alternative for small sites where security is important.
Infos
- Hiawatha: https://www.hiawatha-webserver.org/
- TurnKey Linux: https://www.turnkeylinux.org/
- TurnKey Linux Nginx VM: https://www.turnkeylinux.org/nginx-php-fastcgi
- Download Joomla: https://www.joomla.org/download.html
- Sticky bit tutorial: http://computernetworkingnotes.com/managing-file-system-security/sticky-bit.html
- Joomla documentation: https://docs.joomla.org/
- Let's Encypt website: https://letsencrypt.org/
- Hiawatha man page: https://www.hiawatha-webserver.org/manpages/hiawatha
- HTTP Status Codes for troubleshooting: http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html
« Previous 1 2 3 4
Buy this article as PDF
(incl. VAT)
Buy ADMIN Magazine
Subscribe to our ADMIN Newsletters
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Most Popular
Support Our Work
ADMIN content is made possible with support from readers like you. Please consider contributing when you've found an article to be beneficial.