Security first with the Hiawatha web server

Small but Safe

Adding TLS Encryption

Adding TLS encryption (HTTPS) to your website is important. TLS ensures no one can listen in on visitors to your website or steal credit cards. Google also ranks your website higher if it serves HTTPS.

Adding encryption to your website is fairly easy, but getting a working certificate to do so is more difficult. Until recently, the only two viable options for obtaining a certificate to use with TLS/SSL were:

  • Make a certificate yourself. That's free, thanks to open source. However, no browser will trust a self-signed certificate, so this route can drive away potential visitors. For your personal webmail site, that might not be a problem, but don't expect it to work for other visitors.
  • Buy a certificate. A certificate costs money and requires some technical expertise. Most businesses use a commercial vendor, but because of the cost, many non-profit websites do not use certificates at all.

Another option to consider is a new open source project called Let's Encrypt, which is attempting to make certificates free. Let's Encrypt is still in beta, but it works well on my Linux system. If you feel like exploring Let's Encrypt, see the instructions at the project website [7].

For purposes of this article, I'll assume you are setting up a small, private site and are satisfied with a self-signed certificate. Listing 7 shows the steps for setting up a self-signed certificate for Hiawatha. For simplicity, I'll use this self-signed certificate for both the default website and the virtual host website.

Listing 7

A Self-Signed Certificate

cd /root/certs
openssl genrsa -out default-serverkey.pem 2048
openssl req -new -x509 -days 3650 -key default-serverkey.pem -out server.crt
echo "" >> default-serverkey.pem
cat server.crt >> default-serverkey.pem
echo "" >> default-serverkey.pem
rm -f server.crt
mkdir /etc/hiawatha/certs
cp default-serverkey.pem /etc/hiawatha/certs
chown www-data:www-data /etc/hiawatha/certs/default-serverkey.pem
chmod 400 /etc/hiawatha/certs/default-serverkey.pem

If you decide to acquire a trusted certificate, you will probably want to give each virtual host a unique certificate of its own. In step three, you need to fill in information about your website. Once you have your certificate, you'll need to change the configuration with a port 443 binding and add TLS to the default website configuration (Listing 8).

Listing 8

Binding Port 443

Binding {
        Port = 443
        TLScertFile = /etc/hiawatha/certs/default-serverkey.pem
#       #Interface = 127.0.0.1
        TimeForRequest = 2,45           #default 5,30
}

As you can see in Listing 8, the binding configuration has its own TLS certificate. This certificate will be used for the default website you get if you connect to the web server without a valid host HTTP header. The Interface line lets you configure the server to listen only on specific IP addresses. (Note that the Interface option is disabled in Listing 8.)

You also need to change the virtual host configuration to include our new certificate (Listing 9). The configuration for the virtual host is not much different from a host without TLS: just three lines more. Requiring TLS makes sure the web server will redirect unencrypted connections on port 80 to encrypted ones on port 443. This is a good thing, because you want to protect visitors from eavesdropping. The second line states where to find the certificate. Check the latest changes with:

Listing 9

New Virtual Host Configuration

VirtualHost {
  Hostname = www.thisisagreatwebsite.com, *.thisisagreatwebsite.com
  TLScertFile = /etc/hiawatha/certs/ default-serverkey.pem
  RequireTLS = yes #redirect port 80 to 443
  WebsiteRoot = /var/www/thisisagreatwebsite
  StartFile = index.html
  ErrorHandler = 404:/index.html
}
service hiawatha check

If all is well, you can restart Hiawatha:

/etc/init.d/hiawatha restart

Point your browser to https://<ip-address>/ where <ip-address> is the IP address of your web server host. You should now see a browser warning about the untrusted certificate.

Conclusion

Hiawatha is secure and easy-to-use web server alternative that supports many popular CMS options and server extensions. The Hiawatha web server might not have all the bells and whistles you get with Apache, but it is an attractive alternative for small sites where security is important.

The Author

Hans-Cees Speel works as manager and security officer for youth health organizations in the Netherlands. In his spare time, he has a lot of fun tinkering with cheap but effective proof-of-concept security controls. To tinker is to learn! His first encounter with Linux was on single-floppy-disk firewalls.

Buy this article as PDF

Express-Checkout as PDF
Price $2.95
(incl. VAT)

Buy ADMIN Magazine

SINGLE ISSUES
 
SUBSCRIPTIONS
 
TABLET & SMARTPHONE APPS
Get it on Google Play

US / Canada

Get it on Google Play

UK / Australia

Related content

comments powered by Disqus