Security first with the Hiawatha web server
Small but Safe
Adding TLS Encryption
Adding TLS encryption (HTTPS) to your website is important. TLS encrypts and authenticates the connection, so nobody on the path between a visitor and your server can read or tamper with the traffic, whether that is a credit card number or a session cookie. Google also treats HTTPS as a (lightweight) ranking signal.
Adding encryption to your website is fairly easy, but getting a working certificate to do so is more difficult. Until recently, the only two viable options for obtaining a certificate to use with TLS/SSL were:
- Make a certificate yourself. That's free, thanks to open source. However, browsers do not trust a self-signed certificate and show a warning until the visitor installs it manually, so this route can drive away potential visitors. For your personal webmail site, that might not be a problem, but don't expect it to work for other visitors.
- Buy a certificate. A certificate costs money and requires some technical expertise. Most businesses use a commercial vendor, but because of the cost, many non-profit websites do not use certificates at all.
Another option to consider is a new open source project called Let's Encrypt, which is attempting to make certificates free. At the time of writing, Let's Encrypt is still in beta, but it works well on my Linux system. If you feel like exploring Let's Encrypt, see the instructions at the project website [7].
For purposes of this article, I'll assume you are setting up a small, private site and are satisfied with a self-signed certificate. Listing 7 shows the steps for setting up a self-signed certificate for Hiawatha. For simplicity, I'll use this self-signed certificate for both the default website and the virtual host website.
Listing 7
A Self-Signed Certificate
cd /root/certs
# 1. Generate a 2048-bit RSA private key
openssl genrsa -out default-serverkey.pem 2048
# 2. Create a self-signed certificate valid for ten years (you are prompted for the subject)
openssl req -new -x509 -days 3650 -key default-serverkey.pem -out server.crt
# 3. Hiawatha wants key and certificate in one file: append the certificate to the key
echo "" >> default-serverkey.pem
cat server.crt >> default-serverkey.pem
echo "" >> default-serverkey.pem
rm -f server.crt
# 4. Install the combined file where only the web server user can read it
mkdir /etc/hiawatha/certs
cp default-serverkey.pem /etc/hiawatha/certs
chown www-data:www-data /etc/hiawatha/certs/default-serverkey.pem
chmod 400 /etc/hiawatha/certs/default-serverkey.pem
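Listing 7 asks the subject questions interactively and sets only a Common Name, which current browsers ignore in favour of the subjectAltName extension. The following script is an added example, not one of the article's listings: it generates the key and certificate non-interactively with a subjectAltName for the bare and wildcard hostname, verifies that key and certificate actually belong together before they are combined, and assembles the single key-then-certificate PEM file that Hiawatha's TLScertFile expects. It assumes the openssl command-line tool is installed; the hostname thisisagreatwebsite.com is the one used in the article's listings, and the output directory is whatever you pass in.

```shell
#!/bin/sh
# Added example (not from the article): build a self-signed certificate with a
# subjectAltName and the combined PEM file Hiawatha reads from TLScertFile.
# Assumes: the openssl CLI is installed.

# make_selfsigned_cert HOSTNAME OUTDIR
# Writes OUTDIR/HOSTNAME.pem (private key first, certificate second, mode 0400)
# and prints its path. Runs in a subshell so umask/set -e do not leak out.
make_selfsigned_cert() (
    set -e
    host="$1"
    outdir="$2"
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; exit 1; }
    umask 077               # every file is owner-only from the moment it is created
    mkdir -p "$outdir"
    cfg="$outdir/$host.cnf"
    # Request configuration: no prompts, SAN covering the bare and wildcard name,
    # plus the usage extensions browsers expect on a server certificate.
    cat > "$cfg" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3
[dn]
CN = $host
[v3]
subjectAltName = DNS:$host, DNS:*.$host
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
    # Key and self-signed certificate in one step (825 days, the longest lifetime
    # Apple's browsers still accept for a certificate)
    openssl req -new -x509 -newkey rsa:2048 -nodes -days 825 \
        -keyout "$outdir/$host.key" -out "$outdir/$host.crt" \
        -config "$cfg" >/dev/null 2>&1
    # The moduli must match, otherwise the key does not belong to this certificate
    keymod=$(openssl rsa -noout -modulus -in "$outdir/$host.key" 2>/dev/null)
    crtmod=$(openssl x509 -noout -modulus -in "$outdir/$host.crt")
    [ -n "$keymod" ] && [ "$keymod" = "$crtmod" ] || { echo "key/cert mismatch" >&2; exit 1; }
    # Hiawatha reads key and certificate from one file: key first, then certificate
    { cat "$outdir/$host.key"; echo; cat "$outdir/$host.crt"; } > "$outdir/$host.pem"
    chmod 400 "$outdir/$host.pem"
    rm -f "$outdir/$host.key" "$outdir/$host.crt" "$cfg"
    echo "$outdir/$host.pem"
)
```

Run it as root with `make_selfsigned_cert thisisagreatwebsite.com /etc/hiawatha/certs`, then `chown www-data:www-data` the resulting file as in Listing 7. The umask means the key is never world-readable, not even for an instant, which Listing 7 does not guarantee for the copy left behind in /root/certs.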
If you later acquire a trusted certificate, you will probably want to give each virtual host a certificate of its own. The openssl req command in Listing 7 prompts you for information about your website; the Common Name should be the hostname visitors type in, although modern browsers additionally require a subjectAltName extension, which this interactive method does not add. Note also that a copy of the private key stays behind in /root/certs, so make sure that directory is readable by root only. Once you have your certificate, add a port 443 binding and TLS to the default website configuration (Listing 8).
Listing 8
Binding Port 443
Binding {
    Port = 443
    TLScertFile = /etc/hiawatha/certs/default-serverkey.pem
    #Interface = 127.0.0.1
    TimeForRequest = 2,45   # default 5,30
}
As you can see in Listing 8, the binding has its own TLS certificate. Hiawatha presents this certificate, together with the default website, to clients that connect without a Host header matching one of the configured virtual hosts. The Interface line restricts the server to listening on specific IP addresses; it is commented out in Listing 8, so Hiawatha listens on all interfaces.
You also need to change the virtual host configuration to use the new certificate (Listing 9). Compared with a host without TLS, the only additions are the TLS lines: TLScertFile tells Hiawatha where to find the certificate, and RequireTLS = yes makes it redirect unencrypted requests on port 80 to encrypted ones on port 443, so visitors are protected from eavesdropping even if they type a plain http:// address. The redirect only works if a port 80 binding still exists alongside the new port 443 binding.
Listing 9
New Virtual Host Configuration
VirtualHost {
    Hostname = www.thisisagreatwebsite.com, *.thisisagreatwebsite.com
    TLScertFile = /etc/hiawatha/certs/default-serverkey.pem
    RequireTLS = yes   # redirect port 80 to 443
    WebsiteRoot = /var/www/thisisagreatwebsite
    StartFile = index.html
    ErrorHandler = 404:/index.html
}
Check the changed configuration for errors with:
service hiawatha check
If all is well, you can restart Hiawatha:
/etc/init.d/hiawatha restart
Point your browser to https://<ip-address>/, where <ip-address> is the IP address of your web server host. Because you connect by IP address rather than by hostname, you get the default website from the binding, and you should see a browser warning about the untrusted self-signed certificate. To test the virtual host, point its hostname at the server (an entry in /etc/hosts on the client is enough for a test) and confirm that http://www.thisisagreatwebsite.com/ is redirected to https. From the command line, openssl s_client -connect <ip-address>:443 -servername www.thisisagreatwebsite.com shows which certificate the server presents.
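As an added example that is not one of the article's listings, here is how the pieces fit together once you have a certificate per site: a plain port 80 binding, which must exist for the RequireTLS redirect to be answered at all, the port 443 binding with the default certificate from Listing 8, and a virtual host with its own certificate. Two things in it are assumptions rather than something the article configures: the per-site file /etc/hiawatha/certs/thisisagreatwebsite.pem, and the optional second argument to RequireTLS, which Hiawatha uses as the lifetime in seconds of a Strict-Transport-Security header so returning browsers go straight to HTTPS without the redirect.

```text
# Port 80 stays bound so that there is something to answer the redirect
# that RequireTLS generates for plain http:// requests
Binding {
    Port = 80
}

# Default certificate, used when no virtual host matches the Host header
Binding {
    Port = 443
    TLScertFile = /etc/hiawatha/certs/default-serverkey.pem
}

VirtualHost {
    Hostname = www.thisisagreatwebsite.com, *.thisisagreatwebsite.com
    # Per-site certificate (assumed path), overriding the binding's default
    TLScertFile = /etc/hiawatha/certs/thisisagreatwebsite.pem
    # Redirect HTTP to HTTPS and send Strict-Transport-Security with a
    # one-year (31536000 second) lifetime
    RequireTLS = yes, 31536000
    WebsiteRoot = /var/www/thisisagreatwebsite
    StartFile = index.html
    ErrorHandler = 404:/index.html
}
```

Only enable the HSTS lifetime once the site works reliably over HTTPS: browsers that have seen the header refuse plain HTTP for that hostname until it expires, so a broken certificate locks visitors out instead of just showing a warning.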
Conclusion
Hiawatha is a secure and easy-to-use web server alternative that supports many popular CMS options and server extensions. It might not have all the bells and whistles you get with Apache, but it is an attractive choice for small sites where security matters.
Infos
- Hiawatha: https://www.hiawatha-webserver.org/
- TurnKey Linux: https://www.turnkeylinux.org/
- TurnKey Linux Nginx VM: https://www.turnkeylinux.org/nginx-php-fastcgi
- Download Joomla: https://www.joomla.org/download.html
- Sticky bit tutorial: http://computernetworkingnotes.com/managing-file-system-security/sticky-bit.html
- Joomla documentation: https://docs.joomla.org/
- Let's Encrypt website: https://letsencrypt.org/
- Hiawatha man page: https://www.hiawatha-webserver.org/manpages/hiawatha
- HTTP Status Codes for troubleshooting: http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html