Most admins intuitively think of Apache first when they hear "web server." The program is not only one of the longest serving of its kind, but it has built a reputation over the years of being a smart and stable product.

Admittedly, there are other options: in the eyes of many admins, Nginx has long since become the better option. If you can't handle the massive feature set of Nginx or Apache, you'll regularly end up with Lighttpd, which is limited to the bare essentials in many respects. Only rarely do admins settle on Hiawatha (Figure 1).

Figure 1: The W3Techs survey lists very few installations of Hiawatha, but that doesn't begin to do justice to the server's capabilities. © W3Techs

The bottom line is that Hiawatha [1] very much offers a valid alternative to Apache, Nginx, Lighttpd, and other web servers if you don't need exotic features. In this article, I introduce Hiawatha, detail its genesis, and describe how admins can get up and running quickly with the solution.

What Hiawatha Can Do

Anyone researching Hiawatha on the web will be confronted with a variety of possible explanations for the origin of the word. It is a social dance dating back to the 1920s, the mythical leader of the Iroquois Five Nations sometime between the 15th and 18th centuries, or the Iroquois euphemism for "he who rises early." Although it seems likely that the Indian chief was the inspiration, it remains unclear why the author of the software chose this name.

At least we know who programmed Hiawatha: Hugo Leisink was a computer science student from the Netherlands when he started working on the program in 2002. Unlike Linus Torvalds a good decade earlier, he did not do this on a mere whim. Instead, the web servers available at the time, especially Apache, got on his nerves for several reasons.

If you think back to that time, you will recall an era when powerful scripting languages like PHP existed, but they didn't have the quality or prevalence they have today. If you wanted to execute code in the context of a web server, you would tend to use Common Gateway Interface (CGI) scripts; however, web servers gave them practically free rein. Apache, for example, did not define a maximum length of time a CGI script could take to return either a positive or negative value. If you attacked CGI scripts with a certain amount of skill, you could take down an entire web server with a single script.

This made Leisink so mad that he devised a new web server. The idea behind Hiawatha was born, and the program was designed to deliver the security features that Leisink very much missed in the competitors. Although the tool still claims to be a very lean, nimble server for HTTP(S), some features have been added over the years.

CGI and FastCGI

To date, Hiawatha provides comprehensive support for CGI and FastCGI. The constraints that Leisink created and built into the software back in 2002 are still available. If you as the admin want to restrict CGI scripts to a certain runtime, you can so configure it in Hiawatha. If a script goes over the top, Hiawatha takes care of it by firing off a hard-hitting kill -9, without any administrator intervention. However, this is not the only useful feature the solution offers.

Hiawatha was also one of the first web servers to include large file support in its specifications. Admittedly, this doesn't sound particularly spectacular today, but there are still web servers from the small solutions segment that trip up when it comes to larger files.

Reverse Proxying Is Easy

An increasingly common use case for web servers, because of security concerns, is as a reverse proxy. A proxy server serves a client on a private network that uses it to connect to the outside world. Many corporate networks today are so strongly protected by firewalls that it is virtually impossible to access resources behind the various firewalls from the outside.

This is where reverse proxies come in: They accept an incoming connection from the Internet on one side and have a route to the network where the destination service is located. The reverse proxy then uses this route as a transparent intermediary to handle the data traffic between the client and the service. For enterprises, this offers an attractive alternative to turning the firewall into Swiss cheese because it requires less overhead and makes some use cases possible that could not be implemented otherwise because of excessively strict security measures.

Apache and Nginx easily support use as a reverse proxy, but it seems slightly over the top to install the huge feature sets of the two servers to handle what is a relatively easy task. Leisink thought so, too, and implemented support as a reverse proxy in Hiawatha at an early stage. In a few thousand lines of code, you can implement what would otherwise mean considerable bloat in the system if you detoured via Apache or Nginx.