
Hiawatha - the best webserver you've never heard of

Apache is, and has been for years, the dominant web server. Despite this, it lacks some features I'd like to have seen, or they require extensive tuning and adjusting to get right. As a developer I want something that needs little configuration to be secure and perform well; for me, that's now Hiawatha.

I'll give a quick introduction to Hiawatha and look at some of the configuration options and features it offers. Hiawatha has a focus on security, and that's where I'll spend most of the time, looking at some of the more unique options it has to protect against attacks and other nasties.


  1. Hiawatha (https://www.hiawatha-webserver.org/): the best web server you've (probably) never heard of. Hiawatha, the best web server you've never heard of - PHPNW14 @TheMattBrunt
  2. Who am I? Matt Brunt. Not a sysadmin; web developer at Burnthebook in Derby. @TheMattBrunt
  3. What I want: Apache is, and has been for years, the dominant web server. That said, it lacks some features I'd like to have seen, or they require more extensive tuning, knowledge and adjusting to get right. I want something that requires little configuration to be secure and perform well; for me, that's now Hiawatha (at least on my own servers).
  4. About Hiawatha: written by Hugo Leisink (@hiawatha_ws) since 2002. It has as core features many things that are only available as modules in other web servers, or in some cases aren't available at all. These range from preventing common attacks to banning clients and controlling user access.
  5. Why Hiawatha?
     • High performance
     • Emphasis on security
     • Clean configuration syntax
     • Doesn't do more than it needs to
     • Uses PolarSSL (since renamed mbed TLS)
  7. Configuration: a URL toolkit that serves existing files directly and sends every other request to a front controller, keeping the query string:

     UrlToolkit {
         ToolkitID = footoolkit
         RequestURI exists Return
         Match .*\?(.*) Rewrite /index.php?$1
         Match .* Rewrite /index.php
     }

     You can also override various settings with a .hiawatha file per directory (though UseToolkit is only valid in the root of a site).
  8. Configuration: a virtual host that uses that toolkit together with the built-in protections:

     VirtualHost {
         Hostname = www.mysite.tld, *.mysite.tld
         WebsiteRoot = /srv/www/vhosts/mysite.tld/public
         EnforceFirstHostname = yes
         UseToolkit = footoolkit
         ShowIndex = no
         PreventXSS = yes
         PreventCSRF = yes
         PreventSQLi = yes
         CustomHeader = X-Frame-Options: sameorigin
         RandomHeader = 256
     }

     EnforceFirstHostname redirects requests for the other hostnames to the first one listed; ShowIndex = no disables directory listings; the Prevent* options and RandomHeader are covered in the security slides.
  9. Some cool options: UseGZfile = yes|no. If <requested file>.gz exists, send it with gzip content encoding instead of the requested file. The idea is that you pre-compress static content instead of having the web server pipe it through gzip on every request. Dynamic output such as PHP will still want on-the-fly gzip, but for static assets compressing on each request is wasteful. Keep the .gz copy in sync with the original when it changes, or clients that accept gzip get stale content.
  10. Security features: attack prevention
      • PreventXSS = yes|no: replaces < > ' " in the request URL with _
      • PreventCSRF = yes|no: ignores all cookies sent by a browser when following an external link to the website (judged from the Referer header)
      • PreventSQLi = yes|no: detects SQL injection patterns in the request and denies it with a 409 response
      • ConnectionsPerIP = <number>: limits the number of simultaneous connections per IP
      Do not get lazy as a developer though: these are defence in depth at the server, not a replacement for output escaping, CSRF tokens and parameterised queries in the application.
  11. Security features: banning attackers
      • BanOnFlooding = X/Y:Z: when a client sends more than X requests in Y seconds, ban it for Z seconds
      • BanOnMaxPerIP = <time>: if a client exceeds ConnectionsPerIP, ban it for <time> seconds
      • BanOnMaxReqSize = <time>: if a client sends a request larger than MaxRequestSize, ban it for <time> seconds
      • RebanDuringBan = yes|no: restart the ban time when a client tries to reconnect during a ban
      Bans are keyed on the client IP, so many users behind one NAT or proxy share a ban; choose X, Y and Z with that in mind.
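To make the ban options above concrete, here is a small Python model of the BanOnFlooding and RebanDuringBan semantics described on this slide. It is an added example written for this page, not Hiawatha's code: it assumes a per-IP sliding window of request timestamps and a constructed stream of requests, and Hiawatha's own bookkeeping may differ in detail; the directive names and the X/Y:Z meaning are the ones on the slide.

```python
"""Model of Hiawatha's BanOnFlooding / RebanDuringBan semantics (added example).

Assumption: a sliding window of request timestamps per client IP. This follows
the documented behaviour, not the server's source.
"""
from collections import deque
from dataclasses import dataclass, field


@dataclass
class FloodConfig:
    max_requests: int                # X in BanOnFlooding = X/Y:Z
    window: float                    # Y, seconds
    ban_time: float                  # Z, seconds
    reban_during_ban: bool = False   # RebanDuringBan = yes|no


@dataclass
class ClientState:
    recent: deque = field(default_factory=deque)  # request times inside the window
    banned_until: float = 0.0


class FloodBanner:
    def __init__(self, cfg: FloodConfig):
        self.cfg = cfg
        self.clients: dict[str, ClientState] = {}

    def request(self, ip: str, now: float) -> str:
        """Decide one request from `ip` at time `now` (seconds): 'ok' or 'banned'."""
        st = self.clients.setdefault(ip, ClientState())
        if now < st.banned_until:
            if self.cfg.reban_during_ban:
                # RebanDuringBan = yes: a request during the ban restarts the ban clock
                st.banned_until = now + self.cfg.ban_time
            return "banned"
        # forget requests that have fallen out of the Y-second window
        while st.recent and now - st.recent[0] > self.cfg.window:
            st.recent.popleft()
        st.recent.append(now)
        if len(st.recent) > self.cfg.max_requests:   # "more than X requests in Y seconds"
            st.banned_until = now + self.cfg.ban_time
            st.recent.clear()
            return "banned"
        return "ok"


def parse_ban_on_flooding(value: str) -> tuple[int, float, float]:
    """Split the 'X/Y:Z' value of BanOnFlooding into (X, Y, Z)."""
    count, rest = value.split("/")
    window, ban = rest.split(":")
    return int(count), float(window), float(ban)


def simulate(value: str, reban: bool, events: list[tuple[str, float]]) -> list[str]:
    """Run a list of (ip, timestamp) requests through the banner and return the verdicts."""
    x, y, z = parse_ban_on_flooding(value)
    banner = FloodBanner(FloodConfig(x, y, z, reban))
    return [banner.request(ip, t) for ip, t in events]


# Constructed traffic: 11 requests from one client inside half a second (more than
# 10 in 1 s), one request from an innocent client, then three later retries.
EVENTS = [("10.0.0.1", i * 0.05) for i in range(11)] + [
    ("10.0.0.2", 0.3),
    ("10.0.0.1", 10.0),   # during the 30 s ban
    ("10.0.0.1", 31.0),   # after the original ban would have expired
    ("10.0.0.1", 62.0),
]

if __name__ == "__main__":
    for reban in (False, True):
        print(f"RebanDuringBan = {'yes' if reban else 'no'}:",
              simulate("10/1:30", reban, EVENTS))
```

With RebanDuringBan = no the client is allowed back at 31 s; with RebanDuringBan = yes the retry at 10 s restarts the 30 s ban, so the retry at 31 s is refused as well and restarts it again, which is exactly what you want against a bot that keeps hammering during its ban.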
  12. Security features: encryption options
      • PolarSSL (since renamed mbed TLS) is used instead of OpenSSL
      • RequireSSL = yes|no: the domain must be visited over an SSL/TLS connection; plain HTTP requests get a 301 redirect to HTTPS
      • RandomHeader = <length>: my favourite, covered in the next slides
      Out of the box (assuming you've correctly installed your certificate) you should easily get a best-practice TLS configuration.
  13. SSL Labs result (screenshot of the SSL Labs report)
  14. Why would I want RandomHeader? Short answer: TLS stops the content being read or altered in transit, but it does not hide how much content there is. The ciphertext is the plaintext length plus a constant (rounded up to the block size with CBC ciphers), so an observer learns the response length. Once you know the length of something, it's much easier to start guessing what that thing is.
  15. What RandomHeader does: it adds an X-Random header to each HTTPS response whose value is a random string. The length of that string is between 1 and a value you set per vhost (maximum 1000). From the outside, the length of the real content is therefore much harder to guess from a single response. The overhead is minimal: just the extra bandwidth for that header. On sites with less need for secrecy you can reduce the length. Note that the padding has a fixed average, so it raises the cost of a one-shot guess rather than closing the side channel: an observer who can trigger the same response many times can average the noise away.
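The length side channel and the effect of RandomHeader, as an added example that is not from the talk or from Hiawatha: a Python model in which a passive observer sees the response size. The two page sizes, the size of the other response headers and the assumption that the cipher (AES-GCM) leaks the exact plaintext length are all constructed for the example. It shows that RandomHeader makes a one-shot guess nearly useless when the pages differ by less than the padding range, and also the caveat that averaging many observations recovers the difference.

```python
"""Why the length of a TLS response leaks, and what RandomHeader does about it
(added example, not Hiawatha code).

Constructed assumptions: two responses that differ by 30 bytes, 180 bytes of
other response headers, and a cipher (AES-GCM) whose record length is plaintext
length plus a constant, so the observer effectively sees the plaintext length.
"""
import random

FIXED_HEADERS = 180   # bytes of ordinary response headers, assumed constant
PAGE_A = 1200         # body sizes of two pages an observer wants to tell apart
PAGE_B = 1230


def random_header_len(max_len: int, rng: random.Random) -> int:
    """Bytes added by 'RandomHeader = max_len': 'X-Random: ' + 1..max_len chars + CRLF.
    max_len = 0 models the option being off."""
    if max_len <= 0:
        return 0
    return len("X-Random: ") + rng.randint(1, max_len) + len("\r\n")


def expected_header_len(max_len: int) -> float:
    """Mean of random_header_len: the padding length is uniform on 1..max_len."""
    if max_len <= 0:
        return 0.0
    return len("X-Random: ") + (1 + max_len) / 2 + len("\r\n")


def wire_size(body_len: int, max_len: int, rng: random.Random) -> int:
    """What a passive observer learns from one response (up to a constant)."""
    return FIXED_HEADERS + body_len + random_header_len(max_len, rng)


def one_sample_ambiguous(len_a: int, len_b: int, max_len: int) -> bool:
    """A single observation cannot separate A from B when their size ranges overlap,
    i.e. when the pages differ by less than the maximum padding."""
    return abs(len_a - len_b) < max_len


def guess_accuracy(len_a: int, len_b: int, max_len: int, trials: int, seed: int = 1) -> float:
    """Fraction of single responses an observer attributes correctly by thresholding
    the observed size at the midpoint of the two expected sizes."""
    rng = random.Random(seed)
    midpoint = FIXED_HEADERS + (len_a + len_b) / 2 + expected_header_len(max_len)
    correct = 0
    for _ in range(trials):
        truth = rng.choice("AB")
        size = wire_size(len_a if truth == "A" else len_b, max_len, rng)
        correct += ("A" if size < midpoint else "B") == truth
    return correct / trials


def mean_gap(len_a: int, len_b: int, max_len: int, samples: int, seed: int = 1) -> float:
    """Caveat: the padding has the same mean for every response, so an observer who
    can collect many responses of each kind recovers the true difference by averaging."""
    rng = random.Random(seed)
    avg_a = sum(wire_size(len_a, max_len, rng) for _ in range(samples)) / samples
    avg_b = sum(wire_size(len_b, max_len, rng) for _ in range(samples)) / samples
    return avg_b - avg_a


if __name__ == "__main__":
    for max_len in (0, 256):
        print(f"RandomHeader = {max_len}: ambiguous from one sample:",
              one_sample_ambiguous(PAGE_A, PAGE_B, max_len),
              f"| single-sample accuracy {guess_accuracy(PAGE_A, PAGE_B, max_len, 20000):.2f}",
              f"| gap after averaging {mean_gap(PAGE_A, PAGE_B, max_len, 20000):.1f} bytes")
```

With RandomHeader off the observer is right every time; with RandomHeader = 256 a single observation is right only slightly more often than a coin toss, yet the averaged gap still comes out at about 30 bytes. The option is worth having, but responses that must not be distinguishable by size need application-level padding too.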
  16. RandomHeader in action (screenshot)
  17. Some new additions (v9.8): version 9.8 of Hiawatha (released 27 September 2014) introduces an interesting new feature: the URL toolkit can now match a pattern against any request header and act on a match. There's some overhead, but it's a useful stopgap for anyone still waiting for a Shellshock patch for their platform, since the server can refuse requests carrying the bash function-definition prefix before they reach a CGI script.
  18. Some new additions (v9.8): two versions of the rule, one checking specific headers and one checking every header with *. Use one or the other, since both declare the same ToolkitID:

      UrlToolkit {
          ToolkitID = block_shellshock
          Header User-Agent \(\)\s*\{ DenyAccess
          Header Referer \(\)\s*\{ DenyAccess
      }

      UrlToolkit {
          ToolkitID = block_shellshock
          Header * \(\)\s*\{ DenyAccess
      }

      The pattern matches the "() {" prefix that bash's function-import parser recognises, with or without whitespace between the parentheses and the brace. It is a filter at the server, not a fix: patch bash as soon as you can.
  19. So, why isn't everyone using it? Short answer: I don't know. Some ideas:
      • The Apache / cPanel stronghold on the shared hosting market is too strong
      • People hold (often incorrect) opinions about the unknown
      • People are scared of change
      • People are scared to be different
  20. Conclusion
      • Lightweight and well performing (even when under attack)
      • Incredible included security options
      • Easy to use
      • Best-practice SSL
      • Deserves more market share
      Fire up a VM and give it a try!
  21. Questions?
  22. Links & info
      • https://www.hiawatha-webserver.org/
      • https://dotbalm.org/why-i-use-hiawatha-webserver/
      • http://www.jonathanherzog.com/blog/2010/05/side-channel-leaks-web-applications-reality-today-challenge-tomorrow
      • https://www.ssllabs.com/ssltest/
