Hiawatha is a very secure and fast web server. It supports PHP, Perl, Python and Ruby. It is also very lightweight and easy to configure and set up. How secure? Please refer to the features of Hiawatha.
For performance, please refer to the study by SaltwaterC linked here.
This tutorial is written for setting up the most secure web server possible. Please also apply the "Optional" steps mentioned below to reach that level of security.
Since version 8.3, Hiawatha comes with Reverse Proxy and DAV features. The DAV feature, which comes with version 8.2, can be used for ownCloud, for example.
According to the author of Hiawatha, ownCloud 4.5.1 runs flawlessly on Hiawatha. The xcache error can be fixed very easily:
Hugo Leisink 27 October 2012, 11:04
I've got 4.5.1 up and running. Don't use any URL rewriting. To get rid of the xcache errors, in lib/cache/xcache, replace lines 27, 34 and 39 with 'return false'. Now it all looks okay.
Mail Server when installing Ubuntu Server 12.04 LTS.
Update the freshly installed system to the latest state.
sudo apt-get update
sudo apt-get upgrade
sudo apt-get dist-upgrade
Select unattended upgrades for your system. It will push all updates to your system whenever there are any. Or, you can create a cron job later to update your system at a certain time if you prefer.
If the kernel or kernel modules have been updated, you are required to reboot your system before going further.
Step 1 - Installation of PHP5 and MySQL
sudo apt-get install mysql-server mysql-client php5-cgi php5 php5-cli php5-mysql php5-curl php5-gd php5-intl php-pear php5-imagick php5-imap php5-mcrypt php5-memcache php5-ming php5-ps php5-pspell php5-recode php5-snmp php5-sqlite php5-tidy php5-xmlrpc php5-xsl php5-xcache php5-suhosin php5-ffmpeg apache2-utils mini-httpd php5-fpm
Step 2 - Installation of Hiawatha
Install the required dependencies for Hiawatha.
sudo apt-get install libc6-dev libssl-dev dpkg-dev debhelper fakeroot libxml2-dev libxslt1-dev
Download the latest version of CMake at http://www.cmake.org/ (the version used here is 2.8.9) and build it from source.
tar -xvzf cmake-2.8.9.tar.gz
cd cmake-2.8.9
# configure, compile and install (the configure/compile steps were missing above)
./bootstrap
make
sudo make install
Download the latest version of Hiawatha (the current version at this writing is 8.6), build the Debian package and install it.
tar -xzvf hiawatha-8.6.tar.gz
# build the .deb with the packaging script shipped in the tarball (extra/debian/makedeb;
# check the README in the tarball if the script name differs in your version)
cd hiawatha-8.6/extra/debian
./makedeb
# install only the package that matches your architecture
sudo dpkg -i hiawatha_8.6_amd64.deb   # 64-bit
sudo dpkg -i hiawatha_8.6_i386.deb    # 32-bit
Step 3 - Configure PHP5
The following settings make PHP5 more secure.
sudo nano /etc/php5/cgi/php.ini
Make the following changes.
cgi.rfc2616_headers = 1
zlib.output_compression = On
zlib.output_compression_level = 6
Step 3a - Configure PHP5 (Optional for security purpose)
display_errors = Off
log_errors = On
allow_url_fopen = Off
safe_mode = On
expose_php = Off
enable_dl = Off
session.cookie_httponly = 1
disable_functions = system, show_source, symlink, exec, dl, shell_exec, passthru, phpinfo, escapeshellarg, escapeshellcmd
cgi.fix_pathinfo = 0
*** According to the author of Hiawatha, cgi.fix_pathinfo should be set to 0 at this moment.
*** There is already a list at the end of "disable_functions" on Ubuntu 12.04 LTS; just append the captioned list to the end of the existing list.
*** Some PHP applications may require:
safe_mode = Off
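Because the Ubuntu php.ini already contains many of these directives, it is easy to leave one at its default. The following is an added audit script (my own Python, not part of the page or of Hiawatha) that reads a php.ini and reports every Step 3a value that is not in effect; the two php.ini texts are constructed samples, not the real Ubuntu file.

```python
import re

# Hardening values from Step 3a; the effective value is the last uncommented
# assignment in the file, which is how PHP itself applies php.ini.
REQUIRED = {"display_errors": "off", "log_errors": "on", "allow_url_fopen": "off",
            "expose_php": "off", "enable_dl": "off",
            "session.cookie_httponly": "1", "cgi.fix_pathinfo": "0"}
# Functions that disable_functions must list (a subset of the page's list)
REQUIRED_DISABLED = {"system", "exec", "shell_exec", "passthru", "phpinfo", "dl"}

_LINE = re.compile(r"^\s*([A-Za-z0-9_.]+)\s*=\s*(.*?)\s*(?:;.*)?$")

def parse_ini(text):
    """Return {directive: value} for uncommented 'key = value' lines."""
    values = {}
    for line in text.splitlines():
        if line.lstrip().startswith((";", "#", "[")):
            continue  # comment or [section] header
        m = _LINE.match(line)
        if m:
            values[m.group(1)] = m.group(2).strip('"')
    return values

def audit(text):
    """Return a list of findings; an empty list means Step 3a is fully applied."""
    values = parse_ini(text)
    findings = []
    for key, want in REQUIRED.items():
        got = values.get(key, "<unset>").lower()
        if got != want:
            findings.append(f"{key}: want {want}, got {got}")
    listed = {f.strip() for f in values.get("disable_functions", "").split(",")}
    missing = sorted(REQUIRED_DISABLED - listed)
    if missing:
        findings.append("disable_functions lacks: " + ", ".join(missing))
    return findings

# Constructed sample resembling a stock php.ini before Step 3a is applied
DEFAULT_INI = """\
[PHP]
display_errors = On
log_errors = On
allow_url_fopen = On
expose_php = On
disable_functions = pcntl_alarm,pcntl_fork
cgi.fix_pathinfo=1
"""
# The same file with the Step 3a values appended (the last assignment wins)
HARDENED_INI = DEFAULT_INI + """\
display_errors = Off
allow_url_fopen = Off
expose_php = Off
enable_dl = Off
session.cookie_httponly = 1
disable_functions = pcntl_alarm,pcntl_fork, system, show_source, symlink, exec, dl, shell_exec, passthru, phpinfo, escapeshellarg, escapeshellcmd
cgi.fix_pathinfo = 0
"""
```

Run `audit(open("/etc/php5/cgi/php.ini").read())` on the real file; note that it compares the spelled values only, so `display_errors = 0` would be reported even though PHP treats it as off.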
Step 4 - Configure php-fpm
*** If you have just upgraded to Hiawatha 8.6 from 8.5, please refer to the link here. ***
Append the following to php-fpm.conf.
sudo nano /etc/php5/fpm/php-fpm.conf
user = www-data
group = www-data
listen = 127.0.0.1:9000
pm = static
pm.max_children = 100
chroot = /var/www/
Step 5 - Configure Hiawatha (Part 1)
sudo nano /etc/hiawatha/hiawatha.conf
ServerId = www-data
Uncomment the following entries (in the section where they appear):
Port = 80
# Interface = 127.0.0.1
MaxKeepAlive = 30
TimeForRequest = 3,20
Step 5a (Optional for security purpose):
Add the following lines:
ConnectionsTotal = 1000
ConnectionsPerIP = 30
SystemLogfile = /var/log/hiawatha/system.log
GarbageLogfile = /var/log/hiawatha/garbage.log
ExploitLogfile = /var/log/hiawatha/exploit.log
LogFormat = extended
ServerString = Apache
CGIwrapper = /usr/sbin/cgi-wrapper
Make changes to the following entries:
BanOnGarbage = 300
BanOnMaxPerIP = 300
BanOnMaxReqSize = 300
BanOnTimeout = 300
KickOnBan = yes
RebanDuringBan = yes
BanOnDeniedBody = 300
BanOnSQLi = 300
BanOnFlooding = 30/1:300
BanlistMask = deny 192.168.0.0/24, deny 127.0.0.1
BanOnInvalidURL = 300
ReconnectDelay = 3
HideProxy = 127.0.0.1
MaxServerLoad = 0.8
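The BanOnFlooding and BanlistMask values above decide who gets banned and for how long. The following is an added model of those two directives (my own Python, not Hiawatha's code) that parses the page's values and replays a constructed burst of requests; it assumes that an IP matching a "deny" mask is never banned and that the ban triggers once more than 30 requests arrive within one second.

```python
from collections import deque
from ipaddress import ip_address, ip_network

def parse_ban_on_flooding(value):
    """'30/1:300' -> (30 requests, 1 second window, 300 second ban)."""
    rate, ban = value.split(":")
    reqs, secs = rate.split("/")
    return int(reqs), int(secs), int(ban)

def parse_banlist_mask(value):
    """'deny 192.168.0.0/24, deny 127.0.0.1' -> [(action, network), ...]."""
    out = []
    for item in value.split(","):
        action, net = item.split()
        out.append((action, ip_network(net, strict=False)))
    return out

class FloodBanModel:
    """Sliding-window model of BanOnFlooding plus BanlistMask (assumed
    semantics: a 'deny' entry in the mask means that IP is never banned)."""
    def __init__(self, flooding, mask):
        self.max_req, self.window, self.ban_time = parse_ban_on_flooding(flooding)
        self.mask = parse_banlist_mask(mask)
        self.hits = {}          # ip -> deque of request timestamps
        self.banned_until = {}  # ip -> time at which the ban expires

    def exempt(self, ip):
        addr = ip_address(ip)
        return any(action == "deny" and addr in net for action, net in self.mask)

    def request(self, ip, t):
        """Return 'ok', 'banned' (ban starts now) or 'blocked' (still banned)."""
        if self.banned_until.get(ip, -1) > t:
            return "blocked"
        q = self.hits.setdefault(ip, deque())
        q.append(t)
        while q and q[0] <= t - self.window:
            q.popleft()                      # drop requests outside the window
        if len(q) > self.max_req and not self.exempt(ip):
            self.banned_until[ip] = t + self.ban_time
            q.clear()
            return "banned"
        return "ok"

# Constructed burst: 40 requests in 0.4 s from one public IP and from a masked IP
MODEL = FloodBanModel("30/1:300", "deny 192.168.0.0/24, deny 127.0.0.1")
PUBLIC = [MODEL.request("203.0.113.5", i * 0.01) for i in range(40)]
MASKED = [MODEL.request("192.168.0.7", i * 0.01) for i in range(40)]
```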
Step 5b :
The entries at COMMON GATEWAY INTERFACE (CGI) SETTINGS should look like this.
CGIhandler = /usr/bin/perl:pl
CGIhandler = /usr/bin/php5-cgi:php
CGIhandler = /usr/bin/python:py
CGIhandler = /usr/bin/ruby:rb
CGIhandler = /usr/bin/ssi-cgi:shtml
CGIextension = cgi
FastCGIid = PHP5
ConnectTo = 127.0.0.1:9000
Extension = php, php5
SessionTimeout = 30
Step 5c :
Add the following line at
* Make sure to create the following directories:
sudo mkdir /etc/hiawatha/enable-sites
sudo mkdir /etc/hiawatha/disable-sites
Step 6 - Configure Hiawatha (Part 2)
If your domain is mysite.com, you are required to create a file named mysite.com, place it under /etc/hiawatha/enable-sites/ and give it the following content:
Hostname = www.mysite.com, mysite.com
WebsiteRoot = /var/www/mysite
StartFile = index.php
AccessLogfile = /var/log/hiawatha/access.log
ErrorLogfile = /var/log/hiawatha/error.log
TimeForCGI = 15
# UseFastCGI = PHP5
UseToolkit = banshee
# if ownCloud or alike is installed, otherwise, it should be "no"
WebDAVapp = yes
# <script .. </script>
# e.g. <script>alert("xss");</script>
DenyBody = ^.*%3Cscript.*%3C%2Fscript%3E.*$
DenyBody = ^.*%3CsCrIpT.*%3C%2FScRiPt%3E.*$
DenyBody = ^.*%3CScRiPt.*%3C%2FsCrIpT%3E.*$
DenyBody = ^.*%3CSCRIPT.*%3C%2FSCRIPT%3E.*$
DenyBody = ^.*%3CSCRIPT.*%3C%2Fscript%3E.*$
DenyBody = ^.*%3Cscript.*%3C%2FSCRIPT%3E.*$
# <meta .. />
# e.g. <meta http-equiv="refresh" content='0; URL=http://some.domain"/>
DenyBody = ^.*%3Cmeta.*%2F%3E.*$
DenyBody = ^.*%3CMETA.*%2F%3E.*$
DenyBody = ^.*%3CMeTa.*%2F%3E.*$
DenyBody = ^.*%3CmEtA.*%2F%3E.*$
# <iframe .. />
DenyBody = ^.*%3Ciframe.*%2F%3E.*$
DenyBody = ^.*%3CIFRAME.*%2F%3E.*$
# Null Byte
DenyBody = ^.*(it cannot be displayed here).*$
ExecuteCGI = yes
PreventCSRF = yes
PreventSQLi = yes
PreventXSS = yes
DenyBot = Googlebot:/
DenyBot = twiceler:/
DenyBot = MSNBot:/
DenyBot = yahoo:/
DenyBot = BaiDuSpider:/
DenyBot = Ask:/
DenyBot = Yahoo! Slurp:/
DenyBot = Sogou web spider:/
DenyBot = Sogou-Test-Spider:/
DenyBot = Baiduspider+:/
DenyBot = Yandex:/
DenyBot = UniversalFeedParser:/
DenyBot = Mediapartners-Google:/
DenyBot = Sosospider+:/
DenyBot = YoudaoBot:/
DenyBot = ParchBot:/
DenyBot = Curl:/
DenyBot = msnbot:/
DenyBot = NaverBot:/
DenyBot = taptubot:/
WrapCGI = jail_mysite
*** You can ignore the "DenyBot" entries when you want the search engines to find your site easily.
*** If you do not implement "Step 7" below, please do not add "WrapCGI = jail_mysite".
*** "PreventSQLi" is set to "yes" when your web application is vulnerable to SQL injection and you cannot fix it at the moment.
Furthermore, if you want to disable this virtual site, you can move the "mysite.com" file to /etc/hiawatha/disable-sites/ and then restart the Hiawatha server.
sudo mv /etc/hiawatha/enable-sites/mysite.com /etc/hiawatha/disable-sites/
sudo /etc/init.d/hiawatha restart
Step 7 - Configure Hiawatha (Part 3) (Optional for security purpose)
sudo nano /etc/hiawatha/cgi-wrapper.conf
CGIhandler = /usr/bin/perl
CGIhandler = /usr/bin/php5-cgi
CGIhandler = /usr/bin/python
CGIhandler = /usr/bin/ruby
CGIhandler = /usr/bin/ssi-cgi
Wrap = jail_mysite ; /var/www/mysite ; www-data:www-data
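The WrapCGI id in the virtual host file (Step 6) must match a Wrap entry here, and the page warns not to add one without the other. The following is an added consistency check (my own Python, not part of the page or of Hiawatha) that parses both files and reports a WrapCGI id with no matching Wrap entry; it also assumes, as an extra check, that WebsiteRoot should lie inside the jail directory. The two configuration texts are constructed copies of the relevant lines from Steps 6 and 7.

```python
# Constructed copies of the relevant lines from /etc/hiawatha/enable-sites/mysite.com
# and /etc/hiawatha/cgi-wrapper.conf (not the originals).
VHOST = """\
Hostname = www.mysite.com, mysite.com
WebsiteRoot = /var/www/mysite
StartFile = index.php
ExecuteCGI = yes
WrapCGI = jail_mysite
"""
CGI_WRAPPER_CONF = """\
CGIhandler = /usr/bin/perl
CGIhandler = /usr/bin/php5-cgi
Wrap = jail_mysite ; /var/www/mysite ; www-data:www-data
"""

def directives(text):
    """Parse 'Key = value' lines into {key: [values]}; keys may repeat (CGIhandler)."""
    out = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        if "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            out.setdefault(key, []).append(value)
    return out

def wrap_entries(text):
    """Return {wrap_id: (jail_dir, 'user:group')} from the Wrap lines."""
    entries = {}
    for value in directives(text).get("Wrap", []):
        parts = [part.strip() for part in value.split(";")]
        if len(parts) == 3:
            entries[parts[0]] = (parts[1], parts[2])
    return entries

def check_wrap(vhost_text, wrapper_text):
    """List problems with the vhost's WrapCGI against cgi-wrapper.conf (case-sensitive ids)."""
    vhost = directives(vhost_text)
    wraps = wrap_entries(wrapper_text)
    problems = []
    for wrap_id in vhost.get("WrapCGI", []):
        if wrap_id not in wraps:
            problems.append(f"WrapCGI = {wrap_id} has no Wrap entry in cgi-wrapper.conf")
            continue
        jail_dir = wraps[wrap_id][0]
        root = vhost.get("WebsiteRoot", [""])[0]
        if not (root.rstrip("/") + "/").startswith(jail_dir.rstrip("/") + "/"):
            problems.append(f"WebsiteRoot {root} lies outside jail {jail_dir}")
    return problems
```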
Step 8 - Configure Apparmor (Optional for security purpose)
Install the following packages :
sudo apt-get install apparmor-profiles apparmor-utils
Execute the following command and then let the web site run for a while, maybe a week or so.
sudo aa-genprof hiawatha
About one week later, or when the web page/site is misbehaving, issue the following command to update the profile. Remember to reload the profile after the command has been issued.
Or, if you are impatient, you can edit the following file instead.
sudo nano /etc/apparmor.d/usr.sbin.hiawatha
The content of usr.sbin.hiawatha should look like this, or make it look like this.
#include <tunables/global>
# Last Modified: Thu Jun 3 01:52:13 2010
# (the profile header and closing brace below are the standard AppArmor skeleton; the rules are as given on the page)
/usr/sbin/hiawatha {
  owner /etc/hiawatha/ r,
  owner /etc/passwd r,
  owner /tmp/** rwk,
  # owner /var/www/** rwk, is the general setting; the following 2 lines are for Banshee only
  owner /var/lib/php5/** rw,
  owner /var/log/hiawatha/** w,
  owner /var/run/ r,
  owner /var/run/** w,
  owner /run/ r,
  owner /run/** w,
}
Put the profile in enforce mode (this activates the above settings).
sudo aa-enforce hiawatha
If you have changed some settings, you should reload the profile.
sudo apparmor_parser -r < /etc/apparmor.d/usr.sbin.hiawatha
If you want to disable this profile:
sudo ln -s /etc/apparmor.d/usr.sbin.hiawatha /etc/apparmor.d/disable/
sudo apparmor_parser -R < /etc/apparmor.d/usr.sbin.hiawatha
If you want to re-enable this profile after it has been disabled:
sudo rm /etc/apparmor.d/disable/usr.sbin.hiawatha
sudo apparmor_parser -r < /etc/apparmor.d/usr.sbin.hiawatha
Step 9 - Enhance the security of cgi-wrapper (Optional for security purpose)
Now your Hiawatha is very secure, but I would like to make it even more secure.
sudo apt-get install libcap2-bin
Apply capabilities to cgi-wrapper: remove the setuid bit and grant only the two capabilities it needs to switch user and group.
sudo chmod u-s /usr/sbin/cgi-wrapper
sudo setcap cap_setgid,cap_setuid+ep /usr/sbin/cgi-wrapper
The result of getcap:
sudo getcap /usr/sbin/cgi-wrapper
It will display:
/usr/sbin/cgi-wrapper = cap_setgid,cap_setuid+ep
Step 10 - Configure logwatch (Optional)
Please refer to the link here to make LogWatch aware of your Hiawatha web server's log files.
Please make sure to redo this step when logwatch is updated or upgraded, as the update overwrites the configuration file.
Step 11 - Change the ownership of the log files
cd /var/log/hiawatha
sudo chown www-data:www-data access.log
sudo chown www-data:www-data error.log
sudo chown www-data:www-data exploit.log
sudo chown www-data:www-data garbage.log
sudo chown root:root system.log
Leave "php-fcgi.log" and "system.log" untouched (root:root).
Step 11a - Change ownership of all directories and files at the /var/www/mysite
Put the web application files in /var/www/mysite and then change the ownership of all directories and files under /var/www/mysite to root:root.
sudo chown -R root:root /var/www/mysite
Step 12 - Start, Stop and Restart Hiawatha
sudo /etc/init.d/hiawatha start
sudo /etc/init.d/hiawatha stop
sudo /etc/init.d/hiawatha restart
Step 13 - Performance tuning for MySQL (Optional)
You can fine-tune MySQL as per the link here.
Step 14 - Secure your Ubuntu Server in a passive way (Optional)
Please refer to the link here to secure your server in a passive way.
Step 15 - Setup a FTP server on Ubuntu Server (Optional)
The link here shows you how to set up a vsFTPd server.
Step 16 - URL Rewrite rules (Optional)
For the URL rewrite rules for your PHP applications, please refer to the link here.
Make sure you add "UseToolkit" in the VirtualHost section.
Step 17 - Send email to GMail via Postfix (Optional)
Please refer to the link here.
Step 18 - Create normal user for MySQL or MariaDB (Optional)
Please refer to the link here.
If you encounter "500 Internal Server Error", you may consider putting AppArmor into "complain" mode:
sudo aa-complain hiawatha
After several days of browsing the website, you may consider turning AppArmor back to "enforce" mode:
sudo aa-enforce hiawatha
This is because the captioned usr.sbin.hiawatha profile may not work 100% for you.
In order to further harden your Hiawatha web server, please consider the following options:
Optional #1 :
For SSH connection security, you may also consider implementing the port knocking feature.
sudo apt-get install knockd
Optional #2 :
You may also consider enabling a firewall on your router or on the Hiawatha web server with UFW.
If ufw is not installed on your server, you can install it:
sudo apt-get install ufw
Optional #3 :
Consider placing your web server behind the free service at Cloudflare. The main point is that you can manage the DNS yourself and have a fixed IP address.
That's all! See you.