Lead Image © Tatiana Popov, 123RF.com

Lead Image © Tatiana Popov, 123RF.com

Security first with the Hiawatha web server

Small but Safe

Article from ADMIN 32/2016
The small but secure Hiawatha web server provides an appealing alternative to the complex Apache and other alternatives.

Security on the Internet is vital. The Hiawatha web server [1], created by Hugo Lensink, is a small (and free) web server that subscribes to the principle "security by default." This article shows how to install and use Hiawatha.

You'll get the most benefit from Hiawatha if you run web applications, such as a CMS or any PHP website that occasionally gets hit by vulnerabilities (and they all do, of course). Hiawatha adds an extra layer of security, delivering ready-to-use rewrite rules for different CMS options.

In comparison with Apache and Nginx, the Hiawatha configuration file is much more concise and easier to edit. Hiawatha makes it very easy to switch on the security features for a CMS, for example; whereas setting up security for a CMS in Nginx or Apache will require the additional work of configuring modules and rules and testing them. See the box titled "Pros and Cons" for a summary of Hiawatha benefits and costs.

Pros and Cons

Why use the Hiawatha web server?

  • Intrusion detection (IDS) and prevention tools are ready-to-use. On-board tools protect your sites from SQL injection, cross-site scripting (XSS), denial of service (DOS), and other attacks. Hiawatha also supports banning; when it detects an attack, it bans the attacking IP address automatically, thus also slowing or stopping other attacks the intruder might be attempting.
  • Security by default. The default configuration file serves your TLS with perfect-forward-secrecy (PFS), does not use OpenSSL, and includes other safety features. The SSL Labs website gives Hiawatha an A-rating, where Apache has a C.
  • Lean. Hiawatha has a small footprint, so it is usable on old machines, or in my case, as a means for serving many websites on a new machine.
  • Easy to configure. Hiawatha has a rather friendly configuration environment, and the creator usually gives superb feedback to solve your questions. The clean configuration makes Hiawatha a breeze to configure.
  • Monitoring. An integrated monitoring tool is available at the Hiawatha website.

Potential problems:

  • Professional support is harder to find than it is with some other web server alternatives.
  • Hiawatha probably can't do everything Apache can. Hiawatha doesn't have the proven track record of Apache or even an alternative tool like Nginx.

A Virtual Machine with Hiawatha

TurnKey Linux [2] is an open source project that provides 100+ free virtual machine images with support for many popular open-source applications, such as Joomla, Nginx, CRM, and more. You can use these virtual images in VMware, AWS Docker, and other virtualization environments. One easy way to set up a Hiawatha virtual machine is to start up the TurnKey Linux Nginx VM [3], then remove Nginx and add Hiawatha.

Start by downloading the TurnKey Linux Nginx VM, a small Linux Debian system, stripped for use as a VM, that comes with MySQL, PHP, and Nginx installed. I use this image because I like to install PHP/MySQL websites such as Joomla.

Deploy the image and give it two network adapters, one for administration and one for the web server. I gave the system 1GB memory, but it has not yet used more than 200MB.

Then, boot the image. You have several choices:

  • Add a password for root account and MySQL root account
  • Choose whether or not to use TurnKey backup
  • Turn on automatic updating of security patches

You'll want to install the security updates right away (get some coffee; it might take a while), apply static IP addresses, and shut down the system. (Because you're setting up a website, you probably want a static IP address, right?)

Now export the VM from VMware to disk as a basis to reuse later (OVA image). Once you get the VM up and running, the next step is to remove Nginx and install Hiawatha. Log in using SSH with the root account via the internal network adapter and the password you just inserted. If you look at the process list, you can see Nginx and fastcgi:

ps waux

See the output in Listing 1. The process overview now shows Nginx and php-fastcgi are running, as expected.

Listing 1

Process List

root       589  0.0  0.3 142492  3092 ?   Ss   20:35   0:00 nginx: master process
   /usr/sbin/nginx -g daemon on; master_process on;
www-data   591  0.0  0.3 142832  3716 ?   S    20:35   0:00 nginx: worker process
www-data   592  0.0  0.3 142832  3716 ?   S    20:35   0:00 nginx: worker process
www-data   593  0.0  0.3 142832  3716 ?   S    20:35   0:00 nginx: worker process
www-data   594  0.0  0.3 142832  3716 ?   S    20:35   0:00 nginx: worker process
www-data  1099  0.0  0.5 357844  5572 ?   S    20:35   0:00 /usr/bin/php-cgi -q -b /var/run/nginx/php-fastcgi.sock
www-data  1100  0.0  0.5 357844  5572 ?   S    20:35   0:00 /usr/bin/php-cgi -q -b /var/run/nginx/php-fastcgi.sock

See the documentation for your Linux distro to see if Hiawatha is available directly from the project repositories. (At this writing, Hiawatha isn't available in Ubuntu.)

If you can't install Hiawatha from your distro's package repository, you'll need to add the install resource http://apt.sparkz.no/:

apt-key adv --recv-keys --keyserver keys.gnupg.net DC242980
echo "deb http://apt.sparkz.no/debian/ squeeze main" >> \

Then, install Hiawatha as follows:

apt-get update
apt-get install hiawatha

Hiawatha is now installed, but it can't bind to port 80 because Nginx is still using port 80. So, do the following:

apt-get remove nginx

Then log in via SSH again and run:

/etc/init.d/hiawatha start

The output should say "Starting web server: Hiawatha." Check the process list to see if Hiawatha is working:

ps waux | egrep iawa
shows hiawatha running
www-data  4766  0.1  0.3 118232  4016 ?        Ssl  20:13 0:00 /usr/sbin/hiawatha

You can use netstat to check the bindings:

netstat -tulpn

See the output in Listing 2.

Listing 2

netstat Output

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0    *               LISTEN      4766/hiawatha
tcp        0      0*               LISTEN      944/perl
tcp        0      0    *               LISTEN      676/sshd
tcp        0      0  *               LISTEN      916/master
tcp        0      0   *               LISTEN      4766/hiawatha
tcp        0      0*               LISTEN      766/shellinaboxd
tcp        0      0 *               LISTEN      764/stunnel4
tcp        0      0 *               LISTEN      764/stunnel4
tcp6       0      0 :::22                   :::*                    LISTEN      676/sshd

Another way to check whether Hiawatha is working is to open a web browser and connect to it by typing the static internal IP address in the browser window.


If you have any problems with installing or starting Hiawatha, you can check for errors in the config file with:

service hiawatha check

Or the following command:

/etc/init.d/hiawatha restart

will also report errors, for instance, when loading certificates fails.

Check the Hiawatha logfile with:

tail -f /var/log/hiawatha/access.log

Configure Hiawatha

Now that you have a VM with the Hiawatha web server running on it, the next step is to install a website. The Hiawatha configuration file is /etc/hiawatha/hiawatha.conf. To open the file in the Vi text editor:

vi /etc/hiawatha/hiawatha.conf

Feel free to use another editor, such as nano, if you prefer.

The Hiawatha config file has the following sections:

  • Variables and general settings – Not so interesting really.
  • Binding settings – If you also need TLS (encryption), you have work to do, because only port 80 is open by default.
  • Banning settings – Use this section to make the websites more secure by building a defense against hackers.
  • CGI settings and URL toolkit – Useful if you want to install something like Joomla or PHP.
  • Default website and virtual hosts – Where you define websites.

It is better not to use the default website for serving your own websites but to serve them as virtual hosts. As the config file states: "automated web scanners won't find your possible vulnerable website" (by searching and scanning IP-addresses). Hiawatha installs a default website for you. In the config file, you can see where it lives:

WebsiteRoot = /var/www/hiawatha
StartFile = index.html
AccessLogfile = /var/log/hiawatha/access.log
ErrorLogfile = /var/log/hiawatha/error.log

I will leave the default website alone and instead define a new website as a virtual host. To define a new site, I need to configure Hiawatha to serve as a virtual host website and install HTML pages in the right directory.

Buy this article as PDF

Express-Checkout as PDF
Price $2.95
(incl. VAT)

Buy ADMIN Magazine

Get it on Google Play

US / Canada

Get it on Google Play

UK / Australia

Related content

  • Getting a free TLS certificate from Let's Encrypt
    A free TLS certificate from Let's Encrypt means you can add encryption to your network for no cost, so you don't have any more excuses for failing to encrypt.
  • Port Knocking
    To ensure that the data on your computers remains accessible only by you and those with whom you want to share, we look at the advantages of combining TCP Wrappers and port knocking.
comments powered by Disqus