Frugal Delivery

Security Settings

So far in the examples I have not covered the security features of and fraud detection in Hiawatha, which no admin would want to be without in everyday life. The following lines in the VirtualHost blob would enable attack detection:

PreventCSRF = yes
PreventXSS = yes
PreventSQLi= yes

To enable automatic client blacklisting, as well, you need to add the lines

BanOnGarbage = 300
BanOnMaxPerIP = 60
BanOnMaxReqSize = 300
KickOnBan = yes
RebanDuringBan = yes
BanOnSQLi = 60
BanOnFlooding = 10/1:15

outside the VirtualHost block in hiawatha.conf. In fewer than 50 lines (Listing 2) you have a complete web server configuration, including various security features, with the lightweight web server application.

ServerId = www-data
ConnectionsTotal = 150
ConnectionsPerIP = 10
SystemLogfile = /var/log/hiawatha/system.log
GarbageLogfile = /var/log/hiawatha/garbage.log
Binding {
  Port = 443
  MaxRequestSize = 128
  TimeForRequest = 3.20
  SSLcertFile = hiawatha.pem
}
BanOnGarbage = 300
BanOnMaxPerIP = 60
BanOnMaxReqSize = 300
KickOnBan = yes
RebanDuringBan = yes
CGIextension = cgi
CGIhandler = /usr/bin/perl:pl
CGIhandler = /usr/bin/php-cgi:php
CGIhandler = /usr/bin/python:py
CGIhandler = /usr/bin/ruby:rb
CGIhandler = /usr/bin/ssi-cgi:shtml
FastCGIserver {
  FastCGIid = PHP5
  ConnectTo = 127.0.0.1:2005
  Extension = php
}
UrlToolkit {
  ToolkitID = banshee
  RequestURI isfile Return
  Match ^/(favicon.ico|robots.txt|sitemap.xml)$ Return
  Match .*\?(.*) Rewrite /index.php?$1
  Match .* Rewrite /index.php
}
Hostname = 208.77.188.166
WebsiteRoot = /var/www/hiawatha
StartFile = index.html
AccessLogfile = /var/log/hiawatha/access.log
ErrorLogfile = /var/log/hiawatha/error.log

Ideal for Containers

The Hiawatha example can even be spun a little further. Because of its manageable size, Hiawatha is also a good candidate as a container web server that can display arbitrary websites. Once you have built a Hiawatha package as described, you can use it to conjure up a Hiawatha container image quickly on the basis of an existing distribution image for Docker or Podman. If you also use a bind mount to give it access to a configuration file in /etc on the host system, along with folders for storing logfiles, Hiawatha mutates into a generically usable web server container.

The benefits are that you can avoid Apache or Nginx, which tend to bloat container images. Hiawatha itself only consists of about 1.5MB of source code, plus about 5MB of code for the mbedTLS implementation that Leisink ships with Hiawatha. The Hiawatha binary can be practically ignored in terms of size, and because Hiawatha also has far fewer dependencies than Apache and others of that ilk, admins have to handle far fewer loose parts, all told, which also reduces the overall administrative overhead, and not just that for running the web server itself.

Interesting for Embedded

Hiawatha is also just as interesting as a web server in the embedded environment. Small computers like the Raspberry Pi and many devices from the embedded environment have sparse hardware reserves, which is where Hiawatha plays to its strengths. Although current Raspberry Pi implementations no longer suffer so acutely from deficits in terms of CPU and RAM, every CPU cycle and megabyte of RAM you can avoid using still counts.

Even on embedded systems like the Turris Omnia open source router, Hiawatha offers an approach to running a web server in a resource-efficient way. The economy with which Hiawatha operates makes the service ideal in such environments.