What is Hiawatha?
Hiawatha is a web server that developed by Hugo Leisink since 2002. Hiawatha is not as well known as Apache; however, it has some unique features that Apache lacks of. Apache requires some modules to do the security purpose, such as modsecurity and mod_rewrite. Hiawatha is already built-in. She can ban some bad traffic and bad activities on your web server. Her footprint is also small, that is 130kb, surprise?! She is the default web server for Austrumi and Puppy Linux.
Although the user manual at her official site is not detail enough (at the time of this writing), it is quite easy to configure and runs on a production server. There may be a bug at cgi-wrapper in Hiawatha 6.17.1 and it requires to modify the source code to solve the problem.
Hiawatha runs MySQL and PHP great in cgi mode. It can run in Windows environment too (but not yet tried). This tutorial is going to show you how to configure Hiawatha to work with MySQL and PHP.
Installation of Linux, Hiawatha, MySQL and PHP - LHMP
Step 0 - Install Ubuntu 9.04
Install
Ubuntu 9.04 Server
and
OpenSSH
. If your web application requires email function, you should also install
Mail Server
also.
Make sure you have perform the following commands at the terminal (or console).
sudo apt-get update
sudo apt-get upgrade
sudo apt-get dist-upgrade
If the kernel or kernel modules have been updated, you should reboot your computer/server.
Step 1 - Install PHP5 and MySQL
sudo apt-get install mysql-server mysql-client php5-cgi php5 php5-cli php5-mysql php5-curl php5-gd php5-idn php-pear php5-imagick php5-imap php5-mcrypt php5-memcache php5-mhash php5-ming php5-ps php5-pspell php5-recode php5-snmp php5-sqlite php5-tidy php5-xmlrpc php5-xsl
*
Note : some modules will not be required, such as php5-sqlite and php5-snmp. If your web application requires them, make sure to install them.
Step 2 - Install Hiawatha
Download the current Hiawatha, 6.17.1 at this time of writing.
sudo wget http://www.hiawatha-webserver.org/files/hiawatha-6.17.1.tar.gz
tar -xzvf hiawatha-6.17.1.tar.gz
cd hiawatha-6.17.1
Install requires dependenices.
sudo apt-get install libc6-dev libssl-dev dpkg-dev debhelper fakeroot libxml2-dev libxslt1-dev
Fix bug on Hiawatha.
sudo nano cgi-wrapper.c
At line 103, just below
rest = uncomment(line);
add the following lines :
if (*rest == '\0') {
continue;
}
At the
hiawatha-6.17.1
directory, build the Hiawatha deb package.
./configure
make deb
The deb package will be created at your home directory, such as
/home/samiux
. You can install it now.
cd ..
For 64-bit system :
sudo dpkg -i hiawatha_6.17.1_amd64.deb
For 32-bit system :
sudo dpkg -i hiawatha_6.17.1_i386.deb
Step 3 - Configure PHP5
Edit the
php.ini
.
sudo nano /etc/php5/cgi/php.ini
Make change as is.
display_errors = Off
log_errors = On
allow_url_fopen = Off
safe_mode = On
expose_php = Off
enable_dl = Off
disable_functions = system, show_source, symlink, exec, dl, shell_exec, passthru, phpinfo, escapeshellarg, escapeshellcmd
*
Note : some PHP application may requires
safe_mode = Off
.
Edit Hiawatha's
php-fcgi.conf
.
sudo nano /etc/hiawatha/php-fcgi.conf
Uncomment the following line.
Server = /usr/bin/php5-cgi ; 127.0.0.1:2005 ; www-data
Activate
php-fcgi
.
sudo php-fcgi -c /etc/hiawatha/php-fcgi.conf
If you make any change on
php-fcgi.conf
, make sure to restart it by following commands.
sudo php-fcgi -k -c /etc/hiawatha/php-fcgi.conf
sudo php-fcgi -c /etc/hiawatha/php-fcgi.conf
Step 4 - Configure Hiawatha
Edit the file
hiawatha.conf
.
sudo nano /etc/hiawatha/hiawatha.conf
Uncomment
ServerId
at
GENERAL SETTINGS
.
ServerId = www-data
Add the following line at the
GENERAL SETTINGS
. Apache compatible log file format.
LogFormat = extended
CGIwrapper = /usr/sbin/cgi-wrapper
Uncomment the following entries at
BINDING SETTINGS
.
Binding {
Port = 80
MaxKeepAlive = 30
TimeForRequest = 3,20
}
Uncomment all the entries at
BANNING SETTINGS
.
BanOnGarbage = 300
BanOnMaxPerIP = 60
BanOnMaxReqSize = 300
KickOnBan = yes
RebanDuringBan = yes
BanOnSQLi = 60
BanOnFlooding = 10/1:15
BanlistMask = allow 192.168.0.0/24
*
Note : Make change to the
Banlistmask
in order to meet your network requirement.
Uncomment
php5-cgi
and
CGIextension
lines.
CGIhandler = /usr/bin/perl:pl
CGIhandler = /usr/bin/php5-cgi:php
#CGIhandler = /usr/bin/python:py
#CGIhandler = /usr/bin/ruby:rb
#CGIhandler = /usr/bin/ssi-cgi:shtml
CGIextension = cgi
Uncomment all the entries of
FastCGIserver
and rename
ConnectTo
to
127.0.0.1:2005
.
FastCGIserver {
FastCGIid = PHP5
ConnectTo = 127.0.0.1:2005
Extension = php, php5
SessionTimeout = 30
}
Optional - Create the following lines under
URL TOOLKIT
.
UrlToolkit {
ToolkitID = CMS_common
RequestURI isfile Return
RequestURI exists Return
Match ^/(favicon.ico|robots.txt|sitemap.xml)$ Return
Match .*\?(.*) Rewrite /index.php?$1
Match .* Rewrite /index.php
}
*
Note :
UrlToolkit
is similar to Apache's mod_rewrite.
Create a
VirtualHost
for your site.
VirtualHost {
Hostname = samiux.blogspot.com
#Alias = /php_my_admin:/usr/share/phpmyadmin
WebsiteRoot = /var/www/blog
StartFile = index.php
AccessLogfile = /var/log/hiawatha/blog/access.log
ErrorLogfile = /var/log/hiawatha/blog/error.log
TimeForCGI = 5
#UseFastCGI = PHP5
UseToolkit = CMS_common
ExecuteCGI = yes
PreventCMDi = yes
PreventCSRF = yes
PreventSQLi = yes
PreventXSS = yes
DenyBot = Googlebot:/
DenyBot = twiceler:/
DenyBot = MSNBot:/
DenyBot = yahoo:/
DenyBot = BaiDuSpider:/
DenyBot = Ask:/
DenyBot = Yahoo! Slurp:/
DenyBot = Sogou web spider:/
DenyBot = Sogou-Test-Spider:/
DenyBot = Baiduspider+:/
DenyBot = Yandex:/
DenyBot = UniversalFeedParser:/
DenyBot = Mediapartners-Google:/
DenyBot = Sosospider+:/
DenyBot = YoudaoBot:/
DenyBot = ParchBot:/
DenyBot = Curl:/
DenyBot = msnbot:/
DenyBot = NaverBot:/
WrapCGI = jail
}
Configure
cgi-wrapper.conf
.
sudo nano /etc/hiawatha/cgi-wrapper.conf
Make changes to the file.
CGIhandler = /usr/bin/perl
CGIhandler = /usr/bin/php5-cgi
#CGIhandler = /usr/bin/python
#CGIhandler = /usr/bin/ruby
#CGIhandler = /usr/bin/ssi-cgi
Wrap = jail ; /var/www ; www-data:www-data
*
Note : Some CMS will not well when
PreventCMDi = yes
.
DenyBot
entries are optional. If you do not want spiders and bots to crawl your site, you should enable it. Those entries are examples only.
UseToolKit
is also optional.
Make sure
/var/log/hiawatha/blog
exists (example) and its ownership is
www-data
.
If not, make it as is.
sudo chown -R www-data:www-data /var/log/hiawatha/blog
Restart Hiawatha.
sudo /etc/init.d/hiawatha restart
Now, make sure the ownership of
access.log
and
error.log
are
www-data
. If not, make them as is.
sudo chown www-data:www-data /var/log/hiawatha/blog/*
Step 5 - Configure Apparmor (to make Hiawatha more safety)
Create Apparmor profile for Hiawatha.
sudo aa-genprof hiawatha
Edit the profile
usr.sbin.hiawatha
.
sudo nano /etc/apparmor.d/usr.sbin.hiawatha
Make the entries look like this.
# Last Modified: Thu Oct 1 10:00:57 2009
#include <tunables/global>
/usr/sbin/hiawatha {
#include <abstractions/base>
capability chown,
capability dac_override,
capability net_bind_service,
capability setgid,
capability setuid,
capability sys_chroot,
network inet tcp,
/bin/dash rix,
/etc/group r,
/etc/hiawatha/** r,
/etc/host.conf r,
/etc/hosts r,
/etc/mailname r,
/etc/nsswitch.conf r,
/etc/passwd r,
/etc/php5/cgi/php.ini r,
/etc/php5/conf.d/ r,
/etc/php5/conf.d/**.ini r,
/etc/phpmyadmin/** r,
/etc/postfix/**.cf r,
/etc/protocols r,
/etc/resolv.conf r,
/etc/services r,
/usr/bin/php5-cgi rix,
/usr/lib{,32,64}/** mr,
/usr/sbin/cgi-wrapper rix,
/usr/sbin/hiawatha mr,
/usr/sbin/postdrop rix,
/usr/sbin/sendmail rix,
/usr/share/dbconfig-common/** r,
/usr/share/file/magic.mime r,
/usr/share/mysql/charsets/Index.xml r,
/usr/share/phpmyadmin/ r,
/usr/share/phpmyadmin/** r,
/usr/share/zoneinfo/ r,
owner /var/lib/** rwk,
/var/lib/hiawatha/* rw,
/var/log/hiawatha/* r,
/var/log/hiawatha/** rw,
/var/run/hiawatha.pid rw,
owner /var/spool/postfix/maildrop/** rw,
/var/spool/postfix/public/pickup w,
/var/www/ r,
/var/www/** rw,
}
* suppose you are using postfix.
Make the profile in enforce mode (active).
sudo aa-enforce hiawatha
If you have change some settings, you should reload the profile.
sudo apparmor_parser -r < /etc/apparmor.d/usr.sbin.hiawatha
If you want to disable this profile.
sudo ln -s /etc/apparmor.d/usr.sbin.hiawatha /etc/apparmor.d/disable/
sudo apparmor_parser -R < /etc/apparmor.d/usr.sbin.hiawatha
If you want to re-enable this profile after it has been disabled.
sudo rm /etc/apparmor.d/disable/usr.sbin.hiawatha
sudo apparmor_parser -r < /etc/apparmor.d/usr.sbin.hiawatha
Step 6 - Improve the security of CGI-Wrapper
Now, your hiawatha is very secure but I would like to make it more secure.
sudo apt-get install libcap2-bin
Apply Capabilities on
cgi-wrapper
.
sudo chmod u-s /usr/sbin/cgi-wrapper
sudo setcap cap_setgid,cap_setuid+ep /usr/sbin/cgi-wrapper
The result of
getcap
:
sudo getcap /usr/sbin/cgi-wrapper
It will display :
/usr/sbin/cgi-wrapper = cap_setgid,cap_setuid+ep
Reference :
Hiawatha Manual
Hiawatha Features
AppArmor
Known Issue
Alias
cannot be functioned with this configuration so far.
That's all. See you!