Hiawatha - the best webserver you've never heard of
Hiawatha
The best web server you’ve (probably) never heard of.
@TheMattBrunt | Hiawatha, the best web server you’ve never heard of - PHPNW14
https://www.hiawatha-webserver.org/
Matt Brunt
Who am I?
Web Developer - Burnthebook in Derby
Not a sysadmin
@TheMattBrunt
What I Want
Apache is, and has been, the dominant web server for years now.
I want something that requires little configuration to ensure that it’s secure and performs well; for me, that’s now Hiawatha (at least on my own servers).
That said, it lacks some features that I’d like to have seen, or has things that require more extensive tuning, knowledge and adjusting to get right.
About Hiawatha
Written by Hugo Leisink (@hiawatha_ws) since 2002
Contains lots of core features that are only available as modules in other web servers, or in some cases, just aren’t available.
These vary from preventing some common attacks to banning and controlling user access.
Why Hiawatha?
•High-performance
•Emphasis on security
•Clean configuration syntax
•Doesn’t do more than it needs to
•Uses PolarSSL
Configuration
UrlToolkit {
    ToolkitID = footoolkit
    RequestURI exists Return
    Match .*\?(.*) Rewrite /index.php?$1
    Match .* Rewrite /index.php
}
You can also override various settings by adding a .hiawatha file per directory (though UseToolkit is only valid in the root of a site)
Configuration
VirtualHost {
    Hostname = www.mysite.tld, *.mysite.tld
    WebsiteRoot = /srv/www/vhosts/mysite.tld/public
    EnforceFirstHostname = yes
    UseToolkit = footoolkit
    ShowIndex = no
    PreventXSS = yes
    PreventCSRF = yes
    PreventSQLi = yes
    CustomHeader = X-Frame-Options: sameorigin
    RandomHeader = 256
}
Some Cool Options
•UseGZfile = yes|no
•If available, upload <requested file>.gz with gzip content encoding instead of the requested file
The idea is that you can pre-compress static content instead of having the webserver pipe it through gzip!
Stuff like PHP output will still likely want to use gzip, but for static assets it’s wasteful to run it through gzip for each request.
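Pre-compressing the static assets is a small script. The following is an added example, not code from the talk or from Hiawatha itself: it writes the `<file>.gz` siblings that UseGZfile looks for, regenerates one only when its source is newer, and models the request-time choice between the plain and the gzipped file. The extension list, the `select_file` helper and its substring test on Accept-Encoding are my assumptions about a sensible deployment, not Hiawatha’s own logic.

```python
"""Pre-compress static assets for Hiawatha's UseGZfile = yes.

Added example, not code from the talk or from Hiawatha. It assumes the
behaviour the slide describes: when the client accepts gzip and
<requested file>.gz exists next to the requested file, the .gz file is
sent with Content-Encoding: gzip instead of compressing on every request.
"""
import gzip
import os
import shutil

# Text-like assets compress well; images and archives are already compressed,
# so a .gz sibling would only waste disk and could even come out larger.
STATIC_EXTENSIONS = {".css", ".js", ".html", ".svg", ".txt", ".json", ".xml"}


def needs_compression(path):
    """True when `path` is an eligible asset without an up-to-date .gz sibling."""
    _, ext = os.path.splitext(path)
    if ext not in STATIC_EXTENSIONS:
        return False
    gz = path + ".gz"
    if not os.path.exists(gz):
        return True
    # A stale .gz would keep being served after the source changed, so
    # regenerate whenever the source is newer than its compressed copy.
    return os.path.getmtime(path) > os.path.getmtime(gz)


def precompress(root):
    """Write <file>.gz beside every eligible file under `root`; return the paths written."""
    written = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name.endswith(".gz"):
                continue
            path = os.path.join(dirpath, name)
            if not needs_compression(path):
                continue
            gz = path + ".gz"
            with open(path, "rb") as src, gzip.open(gz, "wb", compresslevel=9) as dst:
                shutil.copyfileobj(src, dst)
            # The original stays in place: clients without gzip support
            # still need it, and the staleness check above compares both files.
            written.append(gz)
    return written


def select_file(webroot, request_path, accept_encoding):
    """Model the lookup UseGZfile performs (my reading of the slide, not Hiawatha's code).

    Returns (filesystem path to send, Content-Encoding value or None).
    The Accept-Encoding test is a plain substring check; a real server also
    has to honour q-values such as "gzip;q=0".
    """
    plain = os.path.join(webroot, request_path.lstrip("/"))
    gz = plain + ".gz"
    if "gzip" in accept_encoding.lower() and os.path.exists(gz):
        return gz, "gzip"
    return plain, None


if __name__ == "__main__":
    import sys
    for gz in precompress(sys.argv[1] if len(sys.argv) > 1 else "."):
        print("wrote", gz)
```

Run it from a deploy hook with the WebsiteRoot as argument; because it skips up-to-date files, re-running it after every deploy is cheap, and the mtime check is what prevents an old `.gz` from shadowing a freshly deployed asset.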
Security Features
•Attack Prevention
•PreventXSS = yes|no
•Replaces < > ‘ “ with _ in requests
•PreventCSRF = yes|no
•Ignores all cookies sent by a browser when following an external link to the website
•PreventSQLi = yes|no
•Detects injections and denies the request via a 409 response.
•ConnectionsPerIP = <length>
•Limits the number <length> of simultaneous connections per IP
Do not get lazy as a developer though…
Security Features
•Banning Attackers
•BanOnFlooding = X/Y:Z
•When a client sends more than X connections in Y time they’re banned for Z seconds.
•BanOnMaxPerIP = <length>
•If a client exceeds the max number of simultaneous connections per IP, ban for <length> seconds.
•BanOnMaxReqSize = <length>
•If a client exceeds the max request size, ban for <length> seconds.
•RebanDuringBan = yes|no
•Reset the ban-time when a client tries to reconnect during a ban.
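To see what BanOnFlooding and RebanDuringBan actually do to a client, here is an added model of the two rules as the slide states them. It is not Hiawatha’s code: the `FloodBanner` class, the verdict strings and the sample traffic are constructed for illustration, and the choice to report the connection that trips the ban as banned is mine.

```python
"""Model of BanOnFlooding = X/Y:Z and RebanDuringBan.

Added example, not Hiawatha's own code: it implements the rule exactly as
the slide states it (more than X connections within Y seconds gets the
client banned for Z seconds) so the effect of each setting can be replayed
against sample traffic. Timestamps are seconds; the events below are
constructed.
"""
from collections import defaultdict, deque


class FloodBanner:
    def __init__(self, max_conns, window, ban_time, reban_during_ban=False):
        self.max_conns = max_conns            # X in X/Y:Z
        self.window = window                  # Y, seconds
        self.ban_time = ban_time              # Z, seconds
        self.reban_during_ban = reban_during_ban
        self.recent = defaultdict(deque)      # ip -> connection times inside the window
        self.banned_until = {}                # ip -> time the ban expires

    def connect(self, ip, now):
        """Register a connection from `ip` at time `now`; return 'accept' or 'banned'."""
        expiry = self.banned_until.get(ip)
        if expiry is not None:
            if now < expiry:
                if self.reban_during_ban:
                    # RebanDuringBan = yes: a reconnect during the ban restarts the
                    # full ban period, so a client that keeps hammering never gets out.
                    self.banned_until[ip] = now + self.ban_time
                return "banned"
            # Ban has expired: forget it and start counting afresh.
            del self.banned_until[ip]
            self.recent[ip].clear()

        times = self.recent[ip]
        times.append(now)
        # Drop connections that fell out of the Y-second window.
        while times and now - times[0] > self.window:
            times.popleft()
        if len(times) > self.max_conns:
            # "More than X connections in Y time": this connection trips the ban
            # (reported as banned here; a modelling choice, not Hiawatha's wording).
            self.banned_until[ip] = now + self.ban_time
            times.clear()
            return "banned"
        return "accept"


def replay(banner, events):
    """Feed (time, ip) events through the banner, returning (time, ip, verdict) rows."""
    return [(t, ip, banner.connect(ip, t)) for t, ip in events]


# Constructed traffic: 203.0.113.7 opens four connections inside a second and
# keeps retrying during its ban; 198.51.100.2 behaves normally.
SAMPLE_EVENTS = [
    (0.0, "203.0.113.7"), (0.1, "198.51.100.2"), (0.2, "203.0.113.7"),
    (0.4, "203.0.113.7"), (0.6, "203.0.113.7"), (5.0, "203.0.113.7"),
    (10.5, "203.0.113.7"), (11.0, "203.0.113.7"), (16.0, "203.0.113.7"),
]


def verdicts_for(ip, reban):
    """Verdicts for `ip` under BanOnFlooding = 3/1:10 with the given RebanDuringBan."""
    banner = FloodBanner(max_conns=3, window=1, ban_time=10, reban_during_ban=reban)
    return [v for t, who, v in replay(banner, SAMPLE_EVENTS) if who == ip]


if __name__ == "__main__":
    for reban in (False, True):
        print("RebanDuringBan =", "yes" if reban else "no")
        for row in replay(FloodBanner(3, 1, 10, reban), SAMPLE_EVENTS):
            print("  %5.1fs %-14s %s" % row)
```

With RebanDuringBan = no the client is back after the ten seconds elapse; with RebanDuringBan = yes every retry during the ban pushes the expiry out again, which is the difference to keep in mind when a legitimate client sits behind a retrying load balancer or a shared NAT address.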
Security Features
•Encryption Options
•PolarSSL
•Used instead of OpenSSL
•RequireSSL = yes|no
•Specify that a domain must be visited with an SSL connection, if not, automatically 301 redirects.
•RandomHeader = <length>
•This is my favourite - let’s take a look.
Out of the box (assuming you’ve correctly installed your cert) you should easily be able to get a best-practice implementation.
SSL Labs Result
Why would I want RandomHeader?
Short answer: while TLS stops the content being sniffed or altered, you can’t stop someone guessing the length of the content.
Once you know the length of something, it’s much easier to start guessing what that thing is.
What RandomHeader does
RandomHeader adds an X-Random header to the response of HTTPS connections. Its value is a string of random length: between 1 and the value you specify per vhost (maximum 1000).
Because of this, the length of the content (from an outside perspective) is much harder to guess.
Overhead is minimal, just the extra bandwidth to transmit that extra header. On sites with less need for security you can reduce the length if you wish.
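The length side channel is easiest to appreciate with numbers. The following is an added example, not from the talk: a passive observer who has catalogued the size of each page on a site and then watches encrypted responses go by. The page catalogue and its byte counts are constructed, and the padding model is my reading of the slide (a fresh 1..RandomHeader byte value per response, plus the fixed `X-Random: ` header framing).

```python
"""What RandomHeader defends against: a length-matching observer.

Added example, not from the talk. A passive observer cannot read TLS
traffic but can see each response's size; if the site's pages have
distinct sizes, a single size identifies the page. The padding model
follows the slide: every HTTPS response carries an X-Random header whose
value is 1..RandomHeader bytes long, picked independently per response.
The page sizes below are constructed for illustration.
"""
import random

# Constructed catalogue: response path -> size on the wire in bytes, as the
# observer would have learned it by fetching each page once themselves.
PAGES = {
    "/login": 1320,
    "/account": 2874,
    "/account/delete": 2911,
    "/help": 5400,
}

# Bytes added by the header line around the random value: "X-Random: " + CRLF.
HEADER_OVERHEAD = len("X-Random: \r\n")


def observed_length(page_size, random_header=0, rng=random):
    """Size the observer sees for one response, with RandomHeader = random_header (0 = off)."""
    if random_header == 0:
        return page_size
    return page_size + HEADER_OVERHEAD + rng.randint(1, random_header)


def candidates(observed, random_header=0):
    """Pages an observer cannot rule out from a single observed size."""
    matches = []
    for path, size in PAGES.items():
        if random_header == 0:
            if size == observed:
                matches.append(path)
        else:
            # With padding, a page of `size` bytes produces any length in this band.
            low = size + HEADER_OVERHEAD + 1
            high = size + HEADER_OVERHEAD + random_header
            if low <= observed <= high:
                matches.append(path)
    return sorted(matches)


def ambiguity_rate(path, random_header, samples=1000, seed=1):
    """Fraction of observations of `path` that leave more than one candidate page."""
    rng = random.Random(seed)
    ambiguous = 0
    for _ in range(samples):
        seen = observed_length(PAGES[path], random_header, rng)
        if len(candidates(seen, random_header)) > 1:
            ambiguous += 1
    return ambiguous / samples


if __name__ == "__main__":
    print("no padding, /account observed:", candidates(observed_length(PAGES["/account"])))
    for n in (32, 256, 1000):
        print("RandomHeader = %4d: /account ambiguous %.0f%% of the time"
              % (n, 100 * ambiguity_rate("/account", n)))
```

Two things the numbers show. The setting only hides pages whose sizes lie within RandomHeader bytes of each other: at 32 the two account pages (37 bytes apart) are still told apart every time, at 256 they are not. And the padding is drawn afresh per response, so an observer who can provoke the same request many times can average it away; RandomHeader raises the cost of a single observation rather than closing the channel, and it pads the header only, not the body.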
RandomHeader in action
Some New Additions (v9.8)
Version 9.8 of Hiawatha (released Sept 27th 2014) introduces an interesting new feature.
You can now run wildcard matches on any header from a request.
Using the URL toolkit you can write a new rule and handle matches accordingly.
There’s an overhead with this, but it’s a neat thing in the meantime for anyone who was still waiting for a patch for Shellshock on their platform.
UrlToolkit {
    ToolkitID = block_shellshock
    Header * \(\)\s*\{ DenyAccess
}
Some New Additions (v9.8)
UrlToolkit {
    ToolkitID = block_shellshock
    Header User-Agent \(\)\s*\{ DenyAccess
    Header Referer \(\)\s*\{ DenyAccess
}
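To check what the footoolkit rules from the Configuration slide and the block_shellshock rules above do to a given request without standing up a server, here is an added interpreter for exactly those rule forms. It is not Hiawatha’s code: it covers only `RequestURI exists Return`, `Match <regex> Rewrite <replacement>` and `Header <name|*> <regex> DenyAccess`, and its semantics are my reading of the slides (a successful Rewrite ends the toolkit, since otherwise the second Match rule would overwrite the first; DenyAccess stops with a refusal; `*` tests every request header). The request values and webroot it runs against are constructed.

```python
"""Interpreter for the UrlToolkit rules shown in the talk.

Added example, not Hiawatha's code. It covers only the rule forms on the
slides (RequestURI exists Return, Match <regex> Rewrite <replacement>,
Header <name|*> <regex> DenyAccess) and my reading of their semantics:
a successful Rewrite ends the toolkit (otherwise the second Match rule in
footoolkit would overwrite the first's result) and DenyAccess stops with
a refusal. The requests and webroot used in __main__ are constructed.
"""
import os
import re

FOOTOOLKIT = r"""
UrlToolkit {
    ToolkitID = footoolkit
    RequestURI exists Return
    Match .*\?(.*) Rewrite /index.php?$1
    Match .* Rewrite /index.php
}
"""

BLOCK_SHELLSHOCK = r"""
UrlToolkit {
    ToolkitID = block_shellshock
    Header User-Agent \(\)\s*\{ DenyAccess
    Header Referer \(\)\s*\{ DenyAccess
}
"""


def parse_toolkit(text):
    """Return (ToolkitID, [rule tokens]) for one UrlToolkit block."""
    toolkit_id, rules = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("UrlToolkit") or line == "}":
            continue
        if line.startswith("ToolkitID"):
            toolkit_id = line.split("=", 1)[1].strip()
            continue
        # The rules on the slides contain no spaces inside their regexes,
        # so whitespace splitting is enough for this subset.
        rules.append(line.split())
    return toolkit_id, rules


def apply_toolkit(rules, uri, headers, webroot):
    """Evaluate rules against one request.

    uri: request URI including any query string; headers: dict of request
    headers (names matched case-insensitively).
    Returns ("serve", uri), ("rewrite", new_uri) or ("deny", None).
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    for rule in rules:
        kind = rule[0]
        if kind == "RequestURI":
            condition, action = rule[1], rule[2]
            path = os.path.join(webroot, uri.split("?", 1)[0].lstrip("/"))
            test = {"exists": os.path.exists, "isfile": os.path.isfile,
                    "isdir": os.path.isdir}[condition]
            if test(path) and action == "Return":
                return ("serve", uri)          # Return: leave the toolkit, serve as-is
        elif kind == "Match" and rule[2] == "Rewrite":
            match = re.search(rule[1], uri)
            if match:
                # Hiawatha writes captures as $1..$9; Python's expand() wants \1..\9.
                replacement = re.sub(r"\$(\d)", r"\\\1", rule[3])
                return ("rewrite", match.expand(replacement))
        elif kind == "Header" and rule[3] == "DenyAccess":
            name, regex = rule[1].lower(), rule[2]
            values = lowered.values() if name == "*" else [lowered.get(name, "")]
            if any(re.search(regex, value) for value in values):
                return ("deny", None)
    return ("serve", uri)


def route(toolkit_text, uri, headers, webroot):
    """Parse a toolkit block and apply it in one call."""
    _, rules = parse_toolkit(toolkit_text)
    return apply_toolkit(rules, uri, headers, webroot)


if __name__ == "__main__":
    import tempfile
    webroot = tempfile.mkdtemp()        # constructed webroot holding one real static file
    os.makedirs(os.path.join(webroot, "static"))
    open(os.path.join(webroot, "static", "app.css"), "w").close()
    for uri in ("/static/app.css", "/blog/post?id=7", "/blog/post"):
        print(uri, "->", route(FOOTOOLKIT, uri, {}, webroot))
    for ua in ("Mozilla/5.0", "() { x; }; echo probe"):
        print(repr(ua), "->", route(BLOCK_SHELLSHOCK, "/", {"User-Agent": ua}, webroot))
```

The named-header version only inspects User-Agent and Referer, so the same pattern arriving in any other header passes; the `Header *` form from the first slide catches it regardless of header name, which is the trade-off between the overhead the talk mentions and coverage.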
So, why isn’t everyone using it?
Short answer:
I don’t know.
Some ideas:
•Apache / cPanel stronghold on the shared hosting market is too strong.
•People hold (often incorrect) opinions about the unknown.
•People are scared of change.
•People are scared to be different.
Conclusion
•Lightweight & well performing (even when under attack)
•Incredible included security options
•Easy to use
•Best practice SSL
•Deserves more market share! Fire up a VM and give it a try!
Questions?
Links & Info
https://www.hiawatha-webserver.org/
https://dotbalm.org/why-i-use-hiawatha-webserver/
http://www.jonathanherzog.com/blog/2010/05/side-channel-leaks-web-applications-reality-today-challenge-tomorrow
https://www.ssllabs.com/ssltest/