The light-footed Hiawatha web server
Frugal Delivery
Security Settings
So far in the examples, I have not covered Hiawatha's security and fraud detection features, which no admin would want to be without in everyday life. The following lines in the VirtualHost block enable attack detection:
    PreventCSRF = yes
    PreventXSS = yes
    PreventSQLi = yes
To enable automatic client blacklisting as well, you need to add the lines
    BanOnGarbage = 300
    BanOnMaxPerIP = 60
    BanOnMaxReqSize = 300
    KickOnBan = yes
    RebanDuringBan = yes
    BanOnSQLi = 60
    BanOnFlooding = 10/1:15
outside the VirtualHost block in hiawatha.conf. In fewer than 50 lines (Listing 2), you have a complete web server configuration, including various security features, with the lightweight web server application.
Listing 2
Configuration Example
ServerId = www-data
ConnectionsTotal = 150
ConnectionsPerIP = 10
SystemLogfile = /var/log/hiawatha/system.log
GarbageLogfile = /var/log/hiawatha/garbage.log

Binding {
    Port = 443
    MaxRequestSize = 128
    TimeForRequest = 3.20
    SSLcertFile = hiawatha.pem
}

BanOnGarbage = 300
BanOnMaxPerIP = 60
BanOnMaxReqSize = 300
KickOnBan = yes
RebanDuringBan = yes

CGIextension = cgi
CGIhandler = /usr/bin/perl:pl
CGIhandler = /usr/bin/php-cgi:php
CGIhandler = /usr/bin/python:py
CGIhandler = /usr/bin/ruby:rb
CGIhandler = /usr/bin/ssi-cgi:shtml

FastCGIserver {
    FastCGIid = PHP5
    ConnectTo = 127.0.0.1:2005
    Extension = php
}

UrlToolkit {
    ToolkitID = banshee
    RequestURI isfile Return
    Match ^/(favicon.ico|robots.txt|sitemap.xml)$ Return
    Match .*\?(.*) Rewrite /index.php?$1
    Match .* Rewrite /index.php
}

Hostname = 208.77.188.166
WebsiteRoot = /var/www/hiawatha
StartFile = index.html
AccessLogfile = /var/log/hiawatha/access.log
ErrorLogfile = /var/log/hiawatha/error.log
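A small linter for the scoping rule described above, added here as an example and not part of the original article or the Hiawatha project: it flags ban directives placed inside a VirtualHost block and VirtualHost blocks in which one of the three Prevent* options is missing or set to no. The sample configuration and the hostname www.example.org are constructed, the function name lint is hypothetical, and the default website defined at top level (as in Listing 2) is not assessed.

```python
import re
# Names as shown in the article; case-insensitive matching is an assumption.
PREVENT = {"preventcsrf": "PreventCSRF", "preventxss": "PreventXSS",
           "preventsqli": "PreventSQLi"}
BAN = {"banongarbage", "banonmaxperip", "banonmaxreqsize", "kickonban",
       "rebanduringban", "banonsqli", "banonflooding"}

def lint(conf_text):
    """Return (line_no, message) findings for the text of a hiawatha.conf."""
    findings, stack, vhost = [], [], None
    for no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opener = re.fullmatch(r"(\w+)\s*\{", line)
        if opener:                                  # e.g. "VirtualHost {"
            stack.append(opener.group(1).lower())
            if stack[-1] == "virtualhost":
                vhost = {"line": no, "host": "(no Hostname)", "on": set()}
            continue
        if line == "}":                             # block ends: report gaps
            if stack and stack.pop() == "virtualhost":
                findings += [(vhost["line"], f"{vhost['host']}: {name} not enabled")
                             for key, name in PREVENT.items() if key not in vhost["on"]]
            continue
        key, sep, value = (part.strip() for part in line.partition("="))
        if not sep:
            continue                                # UrlToolkit rules have no "="
        in_vhost = "virtualhost" in stack
        if in_vhost and key.lower() in BAN:
            findings.append((no, f"{key} is inside a VirtualHost block"))
        elif in_vhost and key.lower() == "hostname":
            vhost["host"] = value
        elif in_vhost and key.lower() in PREVENT and value.lower() != "no":
            vhost["on"].add(key.lower())
    return findings

# Constructed sample input, not taken from the article.
SAMPLE = """\
BanOnGarbage = 300
VirtualHost {
    Hostname = www.example.org
    PreventCSRF = yes
    PreventXSS = yes
    BanOnSQLi = 60
}
"""
if __name__ == "__main__":
    print(lint(SAMPLE))
```

Findings for a VirtualHost block are reported against the line on which the block opens.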
Ideal for Containers
The Hiawatha example can even be spun a little further. Because of its manageable size, Hiawatha is also a good candidate as a container web server that can display arbitrary websites. Once you have built a Hiawatha package as described, you can use it to conjure up a Hiawatha container image quickly on the basis of an existing distribution image for Docker or Podman. If you also use a bind mount to give it access to a configuration file in /etc on the host system, along with folders for storing logfiles, Hiawatha mutates into a generically usable web server container.
The benefits are that you can avoid Apache or Nginx, which tend to bloat container images. Hiawatha itself only consists of about 1.5MB of source code, plus about 5MB of code for the mbedTLS implementation that Leisink ships with Hiawatha. The Hiawatha binary can be practically ignored in terms of size, and because Hiawatha also has far fewer dependencies than Apache and others of that ilk, admins have to handle far fewer loose parts, all told, which also reduces the overall administrative overhead, and not just that for running the web server itself.
Interesting for Embedded
Hiawatha is also just as interesting as a web server in the embedded environment. Small computers like the Raspberry Pi and many devices from the embedded environment have sparse hardware reserves, which is where Hiawatha plays to its strengths. Although current Raspberry Pi implementations no longer suffer so acutely from deficits in terms of CPU and RAM, every CPU cycle and megabyte of RAM you can avoid using still counts.
Even on embedded systems like the Turris Omnia open source router, Hiawatha offers an approach to running a web server in a resource-efficient way. The economy with which Hiawatha operates makes the service ideal in such environments.