Hiawatha Web Server is designed with security in mind. It already built-in some security features to protect common attacks, such as SQLi, XSS, CSRF. Meanwhile, it can be configured to prevent scanning from vulnerability scanners too.
Hiawatha is a light weight and fast as well as secure web server in the market. Hiawatha is working well with PHP and MySQL. The following guide is showing how to configure Hiawatha in a very high secure way on Ubuntu Server LTS.
(B) Software Prerequisite
The current version as at the time of this writing :
(1) Ubuntu Server 16.04.2 LTS
(2) CMake 3.7.2
(3) Hiawatha 10.5
(C) Installation of PHP7.0 and MySQL
sudo apt-get install php7.0-cgi php7.0 php7.0-cli php7.0-mysql php7.0-curl php7.0-gd php7.0-intl php7.0-imap php7.0-mcrypt php7.0-pspell php7.0-recode php7.0-sqlite3 php7.0-tidy php7.0-xmlrpc php7.0-xsl apache2-utils php7.0-fpm php-memcache php-imagick php-cache mysql-server mysql-client(D) Installation of Hiawatha
sudo apt-get install libc6-dev libssl-dev dpkg-dev debhelper fakeroot libxml2-dev libxslt1-dev(a) Install CMake
wget https://cmake.org/files/v3.7/cmake-3.7.2.tar.gz
tar -xvzf cmake-3.7.2.tar.gz
cd cmake-3.7.2
./configure
make
sudo make install(b) Install Hiawatha
wget http://www.hiawatha-webserver.org/files/hiawatha-10.5.tar.gz
tar -xzvf hiawatha-10.5.tar.gz
cd hiawatha-10.5/extra
./make_debian_package
cd ..
sudo dpkg -i hiawatha_10.5_amd64.deb(E) Configuration of PHP7.0
sudo nano /etc/php/7.0/fpm/php.iniMake changes as is.
allow_url_fopen = Off
session.cookie_httponly = 1
disable_functions = [EXIST_FUNCTION],system, show_source, symlink, exec, dl, shell_exec, passthru, phpinfo, escapeshellarg, escapeshellcmd,* [EXIST_FUNCTION] is the functions that already at "disable_functions" of php.ini
(F) Let's Encrypt on Hiawatha
(a) Configuration of Hiawatha
sudo mkdir -p /etc/hiawatha/enable-sites
sudo mkdir -p /etc/hiawatha/disable-sitesEdit "cgi-wrapper.conf".
sudo nano /etc/hiawatha/cgi-wrapper.confChange the following as is.
CGIhandler = /usr/bin/perl
CGIhandler = /usr/sbin/php7.0-fpm
CGIhandler = /usr/bin/python
CGIhandler = /usr/bin/ruby
CGIhandler = /usr/bin/ssi-cgi
Wrap = jail_mysite ; /var/www/mysite ; www-data:www-dataChange the ownership of the log files.
cd /var/log/hiawatha
sudo chown www-data:www-data access.log
sudo chown www-data:www-data error.log
sudo chown www-data:www-data exploit.log
sudo chown www-data:www-data garbage.log
sudo chown root:root system.logChange the ownership of the web application files.
cd /var/www/mysite
sudo chown -R root:root *The following are examples of "hiawatha.conf" and "mysite.com".
/etc/hiawatha/hiawatha.conf example :
/etc/hiawatha/enable-sites/mysite.com example :
(b) Self Signed SSL Certificate Generation
To generate SSL certificate for the web root.
openssl genrsa -out default.pem 4096
openssl req -new -x509 -days 3650 -key default.pem -out server.crt
echo "" >> default.pem
cat server.crt >> default.pem
echo "" >> default.pem
rm -f server.crt
sudo mkdir -p /etc/hiawatha/tls
sudo cp default.pem /etc/hiawatha/tls
sudo chown www-data:www-data /etc/hiawatha/tls/default.pem
sudo chmod 400 /etc/hiawatha/tls/default.pem
sudo chmod 400 -R /etc/hiawatha/tls(c) Let's Encrypt Generation and Configuration
To generate SSL certificate for the www.mysite.com.
wget https://www.hiawatha-webserver.org/files/letsencrypt.tar.gz
tar -xvzf letsencrypt.tar.gz
cd letsencrypt
nano letsencrypt.confChange the email "info@example.org" to your email as Let's Encrypt bot will inform you about the expire date of the certificate :
ACCOUNT_EMAIL_ADDRESS = samiux@gmail.comChange the RSA Key size from "2048" to "4096" :
CERTIFICATE_RSA_KEY_SIZE = 4096Uncomment "Production" and comment out "Testing" :
LE_CA_HOSTNAME = acme-v01.api.letsencrypt.org # Production
#LE_CA_HOSTNAME = acme-staging.api.letsencrypt.org # TestingMake sure Port 80 is working and run the following command.
For the first time, you need to register to Let's Encrypt. Make sure keep the generated "account.key" in a safe place. "account.key" should be in the original place when doing SSL certificate renewal.
./letsencrypt registerTo generate the SSL certificate.
sudo ./letsencrypt www.mysite.comTo revoke the SSL certificate (Optional).
sudo ./letsencrypt /etc/hiawatha/tls/www.mysite.com.pemTo renew SSL certificate (Optional).
sudo ./letsencrypt renewTo get the Let's Encrypt X3 certificate at https://letsencrypt.org/certificates/ and select :
Let’s Encrypt Authority X3 (IdenTrust cross-signed)
https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem.txt
wget https://letsencrypt.org/certs/letsencryptauthorityx3.pem.txt
echo "" >> www.mysite.com.pem
cat lets-encrypt-x3-cross-signed.pem.txt >> www.mysite.com.pem
echo "" >> default.pem
cat lets-encrypt-x3-cross-signed.pem.txt >> default.pemTo generate sha256 base64 hash of the certificates. The first one is the "mysite.com" SSL certification and the second one is the SSL certification for web root directory.
openssl x509 -in /etc/hiawatha/tls/www.mysite.com.pem -pubkey -noout | openssl rsa -pubin -outform der | openssl dgst -sha256 -binary | base64
openssl x509 -in /etc/hiawatha/tls/default.pem -pubkey -noout | openssl rsa -pubin -outform der | openssl dgst -sha256 -binary | base64Then change "CustomHeaderClient = Public-Key-Pins:" values at "/etc/hiawatha/enable-sites/mysite.com". The first "pin-sha256" is for "mysite.com" and the second "pin-sha256" is for web root. The others "pin-sha256" are get from Qualys SSL Labs Test site (see below).
With the help of Qualys SSL Labs, you can further configure the HPKP and test the grading of your site. The highest grade is A+.
The grade of the site are A+ on both Qualys SSL Labs and High-Tech Bridge SSL certificate testings. Meanwhile, it is also compliance with PCI DSS 3.1 Requirements that reported by High-Tech Bridge.
The Let's Encrypt SSL Certificate will be expired about 28 days and it requires to be renewed. Make sure you update "CustomHeaderClient = Public-key-Pins:" at /etc/hiawatha/enable-sites/mysite.com (as example). The first "pin-sha256" is required to be updated. After that, restart Hiawatha.
(G) Hardening of Ubuntu Server
(a) sysctl
sudo nano /etc/sysctl.d/60-hiawatha.confsudo sysctl /etc/sysctl.d/60-hiawatha.conf -p(b) Apparmor
sudo apt-get install apparmor-profiles apparmor-utils
sudo nano /etc/apparmor.d/usr.sbin.hiawathasudo aa-enforce hiawathaIf you have change some settings, you should reload the profile.
sudo apparmor_parser -r < /etc/apparmor.d/usr.sbin.hiawathaIf you want to disable this profile.
sudo ln -s /etc/apparmor.d/usr.sbin.hiawatha /etc/apparmor.d/disable/
sudo apparmor_parser -R < /etc/apparmor.d/usr.sbin.hiawathaIf you want to re-enable this profile after it has been disabled.
sudo rm /etc/apparmor.d/disable/usr.sbin.hiawatha
sudo apparmor_parser -r < /etc/apparmor.d/usr.sbin.hiawathaRemarks :
If you encounter "500 Internal Server Error", you may consider to make the Apparmor to "Complain mode".
sudo aa-complain hiawathaAfter several days browsing the website, you may consider to turn the Apparmor to "Enforce mode".
sudo aa-logprof
sudo aa-enforce hiawathaIt is because the captioned usr.sbin.hiawatha may not 100% work for you.
(c) Linux Malware Detect (Optional)
Linux Malware Detect Installation
* the captioned link may be out-dated and it is for your reference only
(d) MySQL
Create Normal User on MySQL
(e) fail2ban
sudo apt-get install fail2banChange the setting at /etc/fail2ban/jail.conf when necessary.
(H) Storage Performance Tuning
It is recommended to use SSD for the storage instead of hard drive for the excellent performance.
(a) SSD
Verify TRIM is supported :
sudo hdparm -I /dev/sda | grep TRIMIf the output is similar to the below which is supported :
* Data Set Management TRIM supported (limit 1 block)If you install your Ubuntu in LVM, the TRIM is usually enabled by default. You can confirm it :
cat /etc/lvm/lvm.conf | grep issue_discardsIf the output is similar to the below which is enabled :
issue_discards = 1Then set the following to "deadline" if it is not done yet.
cat /sys/block/sda/queue/schedulernoop [deadline] cfqIf not, set it :
sudo nano /etc/rc.localInsert the following before "exit 0" :
echo 2048 > /sys/block/sda/queue/read_ahead_kb
echo 2048 > /sys/block/sda/queue/nr_requests
echo deadline > /sys/block/sda/queue/scheduler* make sure your device is sda (or sdb ...)
To reload it or reboot your system :
sudo bash /etc/rc.localAfter that, you need to edit the partition table (/etc/fstab) :
To make it looks like the following :
/dev/mapper/ubuntu--vg-root / ext4 noatime,nodiratime,norelatime,errors=remount-ro 0 1sudo mount -a
sudo mount -o remount /If you have an error after running the captioned commands, DO NOT reboot your system. You should correct the typo before doing so; otherwise, you cannot boot to your system again.
(b) Hard Drive
sudo nano /etc/rc.localInsert the following before "exit 0" :
echo 2048 > /sys/block/sda/queue/read_ahead_kb
echo 2048 > /sys/block/sda/queue/nr_requests* make sure your device is sda (or sdb ...)
To reload it or reboot your system :
sudo bash /etc/rc.localAfter that, you need to edit the partition table (/etc/fstab) :
To make it looks like the following :
ext4 noatime,nodiratime,norelatime,errors=remount-ro 0 1sudo mount -a
sudo mount -o remount /If you have an error after running the captioned commands, DO NOT reboot your system. You should correct the typo before doing so; otherwise, you cannot boot to your system again.
(I) Optional
To further hardening Ubuntu Server, you may consider to set up firewall (UFW/iptables) and place the Ubuntu Server behind Unified Threats Management System (UTM) or Intrusion Prevention System (IPS).
Reference
Qualys SSL Labs
High-Tech Bridge
securityheaders.io
URL Rewrite for Hiawatha
That's all! See you.