When Hiawatha (my childhood hero) showed up in the Freshports RSS feed the other day, I had to check it out. Turns out Hiawatha is a "secure webserver for Unix... written with 'being secure' as its main goal." If that wasn't enough of a teaser, the website continues: "I bet you're wondering why you should use Hiawatha instead of Apache. Well, Apache is a big fat cow and has a damn ugly configuration file." No arguments from me there, so I took some time to check it out.
Installation
Hiawatha was committed to FreeBSD ports earlier this month and there doesn't appear to be a package yet on the ftp site. No biggie, I'm used to handcrafting Apache's make options on a per-scenario basis (raise your hand if you've ever waded through Apache's make show-options, make show-categories, and make show-modules).
In contrast, Hiawatha has 2 configurables in its Makefile which are displayed in a menu when you issue make: SSL (on by default) and PHP support (on by default). Note, this port won't install PHP for you, just the ability for the webserver to understand PHP. I kept the defaults to enable both. The installation itself was very quick--just a minute or two on my P4.
I followed the pkg-message instructions to add this line to /etc/rc.conf:
hiawatha_enable="YES"
Note: On a FreeBSD system, third party startup (rc) scripts are found in /usr/local/etc/rc.d. These scripts will not work (i.e. they just give you your prompt back without doing anything) until you put the required parameter into /etc/rc.conf. If you forget the wording of the parameter, you'll find it towards the top of the script itself.
For the heck of it, I ran the startup script before editing the Hiawatha configuration file to see if it would start with the default configuration:
/usr/local/etc/rc.d/hiawatha start
Starting hiawatha.
/usr/local/etc/rc.d/hiawatha status
hiawatha is running as pid 74827
sockstat | grep 74827
33 hiawatha 74827 3 tcp4 *:80 *:*
I then pointed my browser to "localhost" and received a Congratulations, welcome to Hiawatha Server page.
Configuration File
The difference between an Apache and a Hiawatha httpd.conf file is like the difference between Sendmail's freebsd.cf and Postfix's main.cf. Here is the default configuration file:
more /usr/local/etc/hiawatha/httpd.conf
# Hiawatha httpd.conf
#
Binding {
Port = 80
# MaxKeepAlive = 30
# TimeForRequest = 3,20
}
ServerId = 33:33
ConnectionsTotal = 150
ConnectionsPerIP = 10
SystemLogfile = /var/log/hiawatha/system.log
#CGIhandler = /usr/bin/php4-cgi:php
#CGIhandler = /usr/bin/perl:pl
#CGIhandler = /usr/bin/python:py
#TimeForCGI = 5
#BanOnMaxPerIP = 2
Hostname = 127.0.0.1
WebsiteRoot = /usr/local/www/hiawatha
StartFile = index.html
AccesslogFile = /var/log/hiawatha/access.log
#ErrorHandler = /error.cgi
#FastCGIserver {
# Name = PHP4
# Server = localhost:2345
# Extension = php, php4
#}
#
#FastCGIserver {
# Name = PHP5
# Server = appserv1.lan:2345, appserv2.lan:2345
# Extension = php, php5
# SessionTimeout = 30
#}
#VirtualHost {
# Hostname = www.my-domain.com
# WebsiteRoot = /var/www/my-domain/public
# StartFile = index.php
# AccesslogFile = /var/www/my-domain/log/access.log
# ErrorlogFile = /var/www/my-domain/log/error.log
# ExecuteCGI = yes
# FastCGI = PHP4
#}
#Directory {
# Path = /home/baduser
# ExecuteCGI = no
# UploadSpeed = 10:2
#}
All of the configuration parameters are described in man hiawatha.
Initial Thoughts
Hiawatha provides some interesting parameters. You can ban IPs based on detected command injection attempts, for sending more than a configurable number of requests per time period, for malformed HTTP requests, for exceeding a configurable number of simultaneous connections, for HTTP requests which exceed a configurable size, and for detected SQL injection attempts. (Yes, these can be done using firewalls and proxies; having the ability to add another layer to your security onion is not a bad thing.) A garbage.log separates malformed HTTP requests from other logged events.
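Of these ban options, the only one that appears in the default configuration file shown earlier is BanOnMaxPerIP, and it is commented out. The following is an added example (not from the Hiawatha project or the original post) that parses that file's block-and-comment layout and lists the BanOn directives still switched off; the sample text is an abridged, constructed copy of the default file and the function names are made up for this example.

```python
import re
# Constructed sample: abridged copy of the default httpd.conf shown earlier.
SAMPLE_CONF = """\
# Hiawatha httpd.conf
Binding {
Port = 80
# MaxKeepAlive = 30
}
ConnectionsPerIP = 10
#TimeForCGI = 5
#BanOnMaxPerIP = 2
#VirtualHost {
# ExecuteCGI = yes
#}
"""
SETTING = re.compile(r"^([A-Za-z]\w*)\s*=\s*(.+)$")
SECTION_OPEN = re.compile(r"^([A-Za-z]\w*)\s*\{$")

def parse_conf(text):
    """Return (active, commented) lists of (section, key, value) tuples."""
    active, commented = [], []
    live = ghost = ""  # open section among live lines / commented-out lines
    for raw in text.splitlines():
        is_comment = raw.strip().startswith("#")
        line = raw.strip().lstrip("#").strip()
        if SECTION_OPEN.match(line):
            name = SECTION_OPEN.match(line).group(1)
            ghost, live = (name, live) if is_comment else (ghost, name)
        elif line == "}":
            ghost, live = ("", live) if is_comment else (ghost, "")
        elif (m := SETTING.match(line)):  # prose comments do not match
            key, value = m.group(1), m.group(2).strip()
            if is_comment:
                commented.append((ghost or live, key, value))
            else:
                active.append((live, key, value))
    return active, commented

def disabled(text, prefix):
    """Commented-out global directives whose name starts with prefix."""
    return [(k, v) for s, k, v in parse_conf(text)[1] if s == "" and k.startswith(prefix)]

def active_value(text, key, section=""):
    """Value of a live directive, or None if absent or commented out."""
    return next((v for s, k, v in parse_conf(text)[0] if s == section and k == key), None)

if __name__ == "__main__":
    print("ban options still off:", disabled(SAMPLE_CONF, "BanOn"))
    print("ConnectionsPerIP:", active_value(SAMPLE_CONF, "ConnectionsPerIP"))
```

Commented-out settings inside a commented-out block such as VirtualHost are reported under that block's name, so only global directives show up as disabled ban options.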
If you're planning on using SSL and always have to find your notes on how to create a certificate, don't use the clean target during install. That is, type make install instead. This will keep the work subdirectory. You'll find some useful scripts in /usr/ports/www/hiawatha/work/hiawatha-5.3/extra/. If you have existing Apache skills, you should be able to find all of the Hiawatha configuration equivalents between man hiawatha and the Hiawatha FAQ.
I haven't had time to use this server in production or to test it for performance, but I certainly appreciate its ease of installation and configuration. Any Hiawatha users out there? How has your experience been?