HOWTO : Most secure web server (Hiawatha 6.17.1) on Ubuntu 9.04 Server
What is Hiawatha?
Hiawatha is a web server that has been developed by Hugo Leisink since 2002. Hiawatha is not as well known as Apache; however, it has some unique features that Apache lacks. Apache requires extra modules for security purposes, such as mod_security and mod_rewrite; in Hiawatha these features are built in. She can ban bad traffic and bad activities on your web server. Her footprint is also small, just 130kb, surprise?! She is the default web server for Austrumi and Puppy Linux.
Although the user manual at her official site is not detailed enough (at the time of this writing), it is quite easy to configure and run on a production server. There may be a bug in cgi-wrapper in Hiawatha 6.17.1; it cannot be configured to run PHP5 in cgi-wrapper mode at the moment. However, Perl is no problem.
Hiawatha runs MySQL and PHP well in CGI mode. It can run in a Windows environment too (not yet tried). This tutorial is going to show you how to configure Hiawatha to work with MySQL and PHP.
Installation of Linux, Hiawatha, MySQL and PHP - LHMP
Step 0 - Install Ubuntu 9.04
Install Ubuntu 9.04 Server and OpenSSH. If your web application requires email functions, you should also install Mail Server. Make sure you have performed the following commands at the terminal (or console).
sudo apt-get update
sudo apt-get upgrade
sudo apt-get dist-upgrade
If the kernel or kernel modules have been updated, you should reboot your computer/server.
Step 1 - Install PHP5 and MySQL
sudo apt-get install mysql-server mysql-client php5-cgi php5 php5-cli php5-mysql php5-curl php5-gd php5-idn php-pear php5-imagick php5-imap php5-mcrypt php5-memcache php5-mhash php5-ming php5-ps php5-pspell php5-recode php5-snmp php5-sqlite php5-tidy php5-xmlrpc php5-xsl
*Note : some of these modules may not be required, such as php5-sqlite and php5-snmp. If your web application requires them, make sure they are installed.
Step 2 - Install Hiawatha
Download the current Hiawatha release, 6.17.1 at the time of writing.
sudo wget http://www.hiawatha-webserver.org/files/hiawatha-6.17.1.tar.gz
tar -xzvf hiawatha-6.17.1.tar.gz
cd hiawatha-6.17.1
Install the required dependencies.
sudo apt-get install libc6-dev libssl-dev dpkg-dev debhelper fakeroot libxml2-dev libxslt1-dev
In the hiawatha-6.17.1 directory, build the Hiawatha deb package.
./configure
make deb
The deb package will be created in your home directory, such as /home/samiux. You can install it now.
cd ..
For 64-bit system :
sudo dpkg -i hiawatha_6.17.1_amd64.deb
For 32-bit system :
sudo dpkg -i hiawatha_6.17.1_i386.deb
Step 3 - Configure PHP5
Edit the php.ini.
sudo nano /etc/php5/cgi/php.ini
Make the changes as follows.
display_errors = Off
log_errors = On
allow_url_fopen = Off
safe_mode = On
expose_php = Off
enable_dl = Off
disable_functions = system, show_source, symlink, exec, dl, shell_exec, passthru, phpinfo, escapeshellarg, escapeshellcmd
*Note : some PHP applications may require safe_mode = Off.
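It is easy to miss one of these directives on a server that has been running for a while, so here is a small audit script, added to this howto and not part of the original post or of PHP itself, that reads a php.ini and reports every directive that differs from the list above, including functions missing from disable_functions. The two php.ini texts embedded in it are constructed samples; the parser is a minimal one that only understands key = value lines and ';' comments. Remember that safe_mode only exists up to PHP 5.3 (it was removed in 5.4), so on newer PHP the script will always report it as unset.

```python
# Hardening directives from Step 3 of this howto and the values it sets.
EXPECTED = {
    "display_errors": "Off",
    "log_errors": "On",
    "allow_url_fopen": "Off",
    "safe_mode": "On",
    "expose_php": "Off",
    "enable_dl": "Off",
}
# Functions Step 3 lists in disable_functions.
REQUIRED_DISABLED = {
    "system", "show_source", "symlink", "exec", "dl", "shell_exec",
    "passthru", "phpinfo", "escapeshellarg", "escapeshellcmd",
}

# Constructed sample php.ini that deviates from the howto in several places.
SAMPLE_PHP_INI = """\
[PHP]
; constructed sample, not a real distribution file
display_errors = On
log_errors = On
allow_url_fopen = 1        ; "1" means On to PHP
expose_php = Off
enable_dl = Off
disable_functions = system, exec, shell_exec, passthru, phpinfo
"""

# Constructed sample that matches Step 3 exactly.
HARDENED_PHP_INI = """\
display_errors = Off
log_errors = On
allow_url_fopen = Off
safe_mode = On
expose_php = Off
enable_dl = Off
disable_functions = system, show_source, symlink, exec, dl, shell_exec, passthru, phpinfo, escapeshellarg, escapeshellcmd
"""


def parse_php_ini(text):
    """Minimal php.ini reader: drops ';' comments and [sections], keeps the last value per key."""
    values = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        values[key.strip().lower()] = value.strip().strip('"')
    return values


def as_bool_word(value):
    """Normalise the spellings PHP accepts for booleans to 'On'/'Off'; other strings pass through."""
    v = value.strip().lower()
    if v in ("on", "1", "true", "yes"):
        return "On"
    if v in ("off", "0", "false", "no", "none", ""):
        return "Off"
    return value


def audit_php_ini(text):
    """Return a list of findings; an empty list means every directive matches Step 3."""
    values = parse_php_ini(text)
    findings = []
    for key, want in EXPECTED.items():
        if key not in values:
            findings.append(f"{key}: not set, PHP's default applies; want {want}")
        elif as_bool_word(values[key]) != want:
            findings.append(f"{key} = {values[key]}, want {want}")
    disabled = {f.strip() for f in values.get("disable_functions", "").split(",") if f.strip()}
    missing = sorted(REQUIRED_DISABLED - disabled)
    if missing:
        findings.append("disable_functions lacks: " + ", ".join(missing))
    return findings


if __name__ == "__main__":
    for name, ini in (("sample", SAMPLE_PHP_INI), ("hardened", HARDENED_PHP_INI)):
        print(f"{name}: {audit_php_ini(ini) or ['OK']}")
```

To audit a real server, read /etc/php5/cgi/php.ini into a string and pass it to audit_php_ini; the CGI php.ini is the one Hiawatha's php-fcgi uses, not /etc/php5/cli/php.ini.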
Edit Hiawatha's php-fcgi.conf.
sudo nano /etc/hiawatha/php-fcgi.conf
Uncomment the following line.
Server = /usr/bin/php5-cgi ; 127.0.0.1:2005 ; www-data
Activate php-fcgi.
sudo php-fcgi -c /etc/hiawatha/php-fcgi.conf
If you make any change to php-fcgi.conf, make sure to restart it with the following commands.
sudo php-fcgi -k -c /etc/hiawatha/php-fcgi.conf
sudo php-fcgi -c /etc/hiawatha/php-fcgi.conf
Step 4 - Configure Hiawatha
Edit the file hiawatha.conf.
sudo nano /etc/hiawatha/hiawatha.conf
Uncomment ServerId at GENERAL SETTINGS.
ServerId = www-data
Add the following line at GENERAL SETTINGS. It selects the Apache compatible log file format.
LogFormat = extended
Uncomment the following entries at BINDING SETTINGS.
Binding {
Port = 80
MaxKeepAlive = 30
TimeForRequest = 3,20
}
Uncomment all the entries at BANNING SETTINGS.
BanOnGarbage = 300
BanOnMaxPerIP = 60
BanOnMaxReqSize = 300
KickOnBan = yes
RebanDuringBan = yes
BanOnSQLi = 0
BanOnFlooding = 10/1:15
BanlistMask = allow 192.168.0.0/24
*Note : Change the BanlistMask to meet your network requirements.
Uncomment the php5-cgi and CGIextension lines.
#CGIhandler = /usr/bin/perl:pl
CGIhandler = /usr/bin/php5-cgi:php
#CGIhandler = /usr/bin/python:py
#CGIhandler = /usr/bin/ruby:rb
#CGIhandler = /usr/bin/ssi-cgi:shtml
CGIextension = cgi
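The banning settings above are easy to get wrong in either direction (locking out your own LAN, or a ban that never sticks), so here is a small model of how BanOnFlooding = 10/1:15, BanlistMask and RebanDuringBan interact. This is an added example written for this howto, not Hiawatha's own code, and it assumes the documented meaning of the settings: more than 10 requests within 1 second bans the client for 15 seconds, an allowed BanlistMask range is never banned, and with RebanDuringBan a banned client that keeps connecting restarts its ban time. The request streams in demo() are constructed.

```python
import ipaddress
from collections import defaultdict, deque

# Settings copied from the BANNING SETTINGS section of this howto.
BAN_ON_FLOODING = "10/1:15"            # more than 10 requests within 1 second: ban for 15 seconds
BANLIST_MASK = "allow 192.168.0.0/24"  # clients in this range are never banned
REBAN_DURING_BAN = True                # a banned client that keeps connecting restarts its ban time


def parse_flooding(setting):
    """'10/1:15' -> (10, 1.0, 15.0): request count, window in seconds, ban time in seconds."""
    count, rest = setting.split("/")
    window, ban_time = rest.split(":")
    return int(count), float(window), float(ban_time)


def parse_banlist_mask(setting):
    """'allow a/b, deny c/d' -> (allowed networks, denied networks)."""
    allow, deny = [], []
    for entry in setting.split(","):
        action, cidr = entry.split()
        (allow if action == "allow" else deny).append(ipaddress.ip_network(cidr))
    return allow, deny


class FloodBanner:
    """Model of BanOnFlooding + BanlistMask + RebanDuringBan (assumed semantics, not Hiawatha's code)."""

    def __init__(self, flooding=BAN_ON_FLOODING, mask=BANLIST_MASK, reban=REBAN_DURING_BAN):
        self.count, self.window, self.ban_time = parse_flooding(flooding)
        self.allow, _ = parse_banlist_mask(mask)
        self.reban = reban
        self.recent = defaultdict(deque)   # ip -> timestamps of recent requests
        self.banned_until = {}             # ip -> time the ban expires
        self.bans = defaultdict(list)      # ip -> times a ban was imposed

    def request(self, ts, ip):
        """Decide one request: 'allow', 'ban' (this request triggered a ban) or 'banned' (dropped)."""
        if any(ipaddress.ip_address(ip) in net for net in self.allow):
            return "allow"
        until = self.banned_until.get(ip)
        if until is not None and ts < until:
            if self.reban:
                self.banned_until[ip] = ts + self.ban_time
            return "banned"
        window = self.recent[ip]
        window.append(ts)
        while window and ts - window[0] > self.window:
            window.popleft()
        if len(window) > self.count:
            self.banned_until[ip] = ts + self.ban_time
            self.bans[ip].append(ts)
            window.clear()
            return "ban"
        return "allow"


def demo():
    """Constructed request streams: a burst from one client, a retry during the ban, and a LAN client."""
    results = {}
    burst = [(i * 0.05, "10.0.0.5") for i in range(11)]     # 11 requests in half a second
    with_reban = FloodBanner(reban=True)
    results["burst"] = [with_reban.request(ts, ip) for ts, ip in burst]
    # Retrying at t=14 (inside the 15 s ban) restarts the ban, so t=16 is still blocked.
    results["retry_reban"] = [with_reban.request(14.0, "10.0.0.5"), with_reban.request(16.0, "10.0.0.5")]
    without_reban = FloodBanner(reban=False)
    for ts, ip in burst:
        without_reban.request(ts, ip)
    # Without RebanDuringBan the ban simply expires at 0.5 + 15 = 15.5 s.
    results["retry_noreban"] = [without_reban.request(14.0, "10.0.0.5"), without_reban.request(16.0, "10.0.0.5")]
    lan = FloodBanner()
    results["lan"] = {lan.request(0.0, "192.168.0.7") for _ in range(50)}   # allowed range, never banned
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The LAN case is the one to check before going live: if your monitoring host or load balancer sits outside the BanlistMask range, its health checks can trip BanOnFlooding just like a real flood.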
Uncomment all the entries of FastCGIserver and set ConnectTo to 127.0.0.1:2005.
FastCGIserver {
FastCGIid = PHP5
ConnectTo = 127.0.0.1:2005
Extension = php, php5
SessionTimeout = 30
}
Optional - Create the following lines under URL TOOLKIT.
UrlToolkit {
ToolkitID = CMS_common
RequestURI isfile Return
RequestURI exists Return
Match ^/(favicon.ico|robots.txt|sitemap.xml)$ Return
Match .*\?(.*) Rewrite /index.php?$1
Match .* Rewrite /index.php
}
*Note : UrlToolkit is similar to Apache's mod_rewrite.
Create a VirtualHost for your site.
VirtualHost {
Hostname = samiux.blogspot.com
Alias = /php_my_admin:/usr/share/phpmyadmin
WebsiteRoot = /var/www/blog
StartFile = index.php
AccessLogfile = /var/log/hiawatha/blog/access.log
ErrorLogfile = /var/log/hiawatha/blog/error.log
TimeForCGI = 5
UseFastCGI = PHP5
UseToolkit = CMS_common
ExecuteCGI = yes
PreventCMDi = yes
PreventCSRF = yes
PreventSQLi = yes
PreventXSS = yes
DenyBot = Googlebot:/
DenyBot = twiceler:/
DenyBot = MSNBot:/
DenyBot = yahoo:/
DenyBot = BaiDuSpider:/
DenyBot = Ask:/
DenyBot = Yahoo! Slurp:/
DenyBot = Sogou web spider:/
DenyBot = Sogou-Test-Spider:/
DenyBot = Baiduspider+:/
DenyBot = Yandex:/
DenyBot = UniversalFeedParser:/
DenyBot = Mediapartners-Google:/
DenyBot = Sosospider+:/
}
*Note : Some CMS will not work well when PreventCMDi = yes. The DenyBot entries are optional. If you do not want spiders and bots to crawl your site, you should enable them. Those entries are examples only. UseToolkit is also optional.
Make sure /var/log/hiawatha/blog exists (example) and its ownership is www-data. If not, make it so.
sudo chown -R www-data:www-data /var/log/hiawatha/blog
Restart Hiawatha.
sudo /etc/init.d/hiawatha restart
Now, make sure the ownership of access.log and error.log is www-data. If not, make it so.
sudo chown www-data:www-data /var/log/hiawatha/blog/*
Step 5 - Configure AppArmor (to make Hiawatha safer)
Create an AppArmor profile for Hiawatha.
sudo aa-genprof hiawatha
Edit the profile usr.sbin.hiawatha.
sudo nano /etc/apparmor.d/usr.sbin.hiawatha
Make the entries look like this.
# Last Modified: Tue Sep 1 10:28:15 2009
#include
/usr/sbin/hiawatha {
#include
capability chown,
capability dac_override,
capability net_bind_service,
capability setgid,
capability setuid,
capability sys_chroot,
network inet tcp,
/etc/group r,
/etc/hiawatha/** r,
/etc/nsswitch.conf r,
/etc/passwd r,
/usr/bin/php5-cgi rix,
/usr/sbin/cgi-wrapper mr,
/usr/sbin/hiawatha mr,
/usr/share/dbconfig-common/** r,
/usr/share/phpmyadmin/ r,
/usr/share/phpmyadmin/** r,
/var/lib/** r,
/var/lib/hiawatha/* rw,
/var/log/hiawatha/* r,
/var/log/hiawatha/** rw,
/var/log/hiawatha/blog/* r,
/var/log/hiawatha/blog/** a,
/var/run/hiawatha.pid w,
/var/www/ r,
/var/www/** rw,
}
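Reading a profile like this by eye, it is not obvious which rule wins for a given file, because AppArmor globs have their own rules ('*' stays inside one path component, '**' crosses directories) and permissions from every matching rule add up. The script below is an added example for this howto, not AppArmor's own matcher: it parses the file rules of the profile above (the capability, network and #include lines are skipped, and @{...} variables are not modelled) and answers "what may hiawatha do to this path?". Its writable_rules() also lists every rule granting w or a; note that /var/www/** rw makes the entire document root writable to the web server process, so on a real site you would want to narrow that to the directories your CMS actually writes to.

```python
import re

# Rules copied from the usr.sbin.hiawatha profile above (#include lines omitted).
PROFILE = """\
/usr/sbin/hiawatha {
  capability chown,
  capability net_bind_service,
  network inet tcp,
  /etc/group r,
  /etc/hiawatha/** r,
  /etc/nsswitch.conf r,
  /etc/passwd r,
  /usr/bin/php5-cgi rix,
  /usr/sbin/cgi-wrapper mr,
  /usr/sbin/hiawatha mr,
  /usr/share/dbconfig-common/** r,
  /usr/share/phpmyadmin/ r,
  /usr/share/phpmyadmin/** r,
  /var/lib/** r,
  /var/lib/hiawatha/* rw,
  /var/log/hiawatha/* r,
  /var/log/hiawatha/** rw,
  /var/log/hiawatha/blog/* r,
  /var/log/hiawatha/blog/** a,
  /var/run/hiawatha.pid w,
  /var/www/ r,
  /var/www/** rw,
}
"""

FILE_RULE = re.compile(r"^\s*(/\S+)\s+([a-zA-Z]+),\s*$")


def parse_rules(profile_text):
    """Collect (path glob, permission letters) from file rules; other rule types are skipped."""
    return [m.groups() for m in map(FILE_RULE.match, profile_text.splitlines()) if m]


def glob_to_regex(pattern):
    """Simplified AppArmor globbing: '**' crosses '/', '*' and '?' stay within one path
    component, '{a,b}' is alternation. Profile variables such as @{HOME} are not handled."""
    out, depth, i = [], 0, 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out.append(".*")
            i += 2
            continue
        c = pattern[i]
        if c == "*":
            out.append("[^/]*")
        elif c == "?":
            out.append("[^/]")
        elif c == "{":
            depth += 1
            out.append("(?:")
        elif c == "}" and depth:
            depth -= 1
            out.append(")")
        elif c == "," and depth:
            out.append("|")
        else:
            out.append(re.escape(c))
        i += 1
    return "^" + "".join(out) + "$"


def matching_rules(profile_text, path):
    """Every file rule whose glob matches the given absolute path."""
    return [(glob, perms) for glob, perms in parse_rules(profile_text)
            if re.match(glob_to_regex(glob), path)]


def permissions(profile_text, path):
    """AppArmor permissions accumulate: the union of every matching rule's letters."""
    perms = set()
    for _, p in matching_rules(profile_text, path):
        perms.update(p)
    return perms


def writable_rules(profile_text):
    """Rules that let the confined process create or modify files ('w' write, 'a' append)."""
    return [(glob, perms) for glob, perms in parse_rules(profile_text) if set(perms) & {"w", "a"}]


if __name__ == "__main__":
    for path in ("/var/www/blog/index.php", "/etc/hiawatha/hiawatha.conf",
                 "/var/log/hiawatha/blog/access.log"):
        print(path, sorted(permissions(PROFILE, path)), matching_rules(PROFILE, path))
    print("writable:", writable_rules(PROFILE))
```

Run it against a copy of your own /etc/apparmor.d/usr.sbin.hiawatha after aa-genprof to see which rules the learning run actually produced; the authoritative check is still aa-enforce followed by watching the kernel log for DENIED entries while exercising the site.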
Put the profile in enforce mode (active).
sudo aa-enforce hiawatha
If you have changed some settings, you should reload the profile.
sudo apparmor_parser -r < /etc/apparmor.d/usr.sbin.hiawatha
If you want to disable this profile:
sudo ln -s /etc/apparmor.d/usr.sbin.hiawatha /etc/apparmor.d/disable/
sudo apparmor_parser -R < /etc/apparmor.d/usr.sbin.hiawatha
If you want to re-enable this profile after it has been disabled:
sudo rm /etc/apparmor.d/disable/usr.sbin.hiawatha
sudo apparmor_parser -r < /etc/apparmor.d/usr.sbin.hiawatha
Step 6 - Configure CGI-Wrapper
To be continued ....
Reference :
Hiawatha Manual
Hiawatha Features
AppArmor
That's all. See you!