Hiawatha web server

Basic data

Developer: Hugo Leisink
Publishing year: 2002
Current version: 10.11 (July 8, 2020)
Operating system: Unix derivatives, Linux, macOS, Windows with Cygwin
Programming language: C
Category: Web server
License: GPL (Free Software)
German speaking: No
Website: www.hiawatha-webserver.org

Hiawatha is a free web server developed by Hugo Leisink since 2002. It implements all the important functions of a web server.

Range of functions / special features

The program has a monolithic structure and, in contrast to most other programs in this category (e.g. Apache HTTP Server, Lighttpd), it does not have the option of loading individual modules when the program is started. Since version 2.0 the program uses only threads, which improves speed. The current version also offers some functions that are not part of the standard and can otherwise only be implemented using additional external programs:

A full list of functions can be found on the project website.

History

The development of Hiawatha began in January 2002 because Hugo Leisink, by his own account, was not satisfied with the web servers available at the time. The focus of development is on security, low resource consumption and simple configuration. Development has progressed as follows:

  • Version 1.0 (September 2002): First functional version
  • Version 2.0 (March 2004): Conversion of the program to thread-based execution (instead of fork)
  • Version 3.0 (September 2004): SSL support
  • Version 4.0 (December 2005): Support for calling external CGI programs
  • Version 5.0 (October 2006): Implementation of FastCGI; first inclusion in the FreeBSD ports tree in December 2006 and in OpenBSD in March 2007
  • Version 6.0 (October 2007): Implementation of IPv6
  • Version 7.0 (February 2010): Introduction of Hiawatha Monitor, a monitoring application based on PHP5, MySQL and Banshee; IPv6 is now also available under Windows
  • Version 7.5 (May 2011): Support for the Do Not Track HTTP header field
  • Version 8.0 (January 2012): CMake replaces Autoconf, and mbed TLS (still called PolarSSL at the time of publication) replaces OpenSSL; introduction of the HTTP status code 414 Request-URI Too Long
  • Version 9.0 (March 2013): Use of a thread pool (instead of multithreading)
  • Version 9.8 (September 2014): Implementation of the WebSocket protocol

There were regular updates between these major versions, e.g. to close security vulnerabilities or fix bugs.

Security

The Hiawatha web server comes with a number of optional security functions, including the automatic detection of and defense against SQL injection, XSS and CSRF attacks, as well as DoS attacks. In addition, the lighter-weight PolarSSL library is used instead of OpenSSL for the encryption of HTTPS connections, which should lead to higher security. PolarSSL (and thus also Hiawatha), unlike OpenSSL (and web servers based on it such as the Apache web server or Nginx), was not affected by the Heartbleed security vulnerability.

Since then, however, isolated bugs have appeared in Hiawatha that disabled the security functions completely or in certain situations. Most recently, on May 31, 2014, it became known that the detection of SQL injection attacks from version 8.6 onwards could be circumvented by using SQL comments (/* */). In addition, the defense against XSS attacks did not work for reverse proxies. As a result, both security holes were closed in version 9.6.
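The comment bypass described above, as an added example that is not Hiawatha's code: a keyword detector that matches the raw text misses two keywords separated by a block comment, while one that first collapses comments and whitespace catches them. The pattern list, function names, buffer size and sample input are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Illustrative patterns (assumption), not Hiawatha's real rule set. */
static const char *const PATTERNS[] = { "union select", "insert into", "drop table" };

static int matches_pattern(const char *s) {
    for (size_t i = 0; i < sizeof(PATTERNS) / sizeof(PATTERNS[0]); i++)
        if (strstr(s, PATTERNS[i]) != NULL) return 1;
    return 0;
}

/* Lower-case src into dst, collapsing whitespace runs (and, if strip_comments is
   set, SQL block comments) to one space. Returns 0 if src did not fit in dst. */
static int normalize_sql(const char *src, char *dst, size_t dstlen, int strip_comments) {
    size_t o = 0;
    int gap = 0;
    while (*src != '\0' && o + 2 < dstlen) {
        if (strip_comments && src[0] == '/' && src[1] == '*') {
            const char *end = strstr(src + 2, "*/");
            src = (end != NULL) ? end + 2 : src + strlen(src); /* unterminated: skip rest */
            gap = 1;
        } else if (isspace((unsigned char)*src)) {
            gap = 1;
            src++;
        } else {
            if (gap && o > 0) dst[o++] = ' ';
            gap = 0;
            dst[o++] = (char)tolower((unsigned char)*src++);
        }
    }
    dst[o] = '\0';
    return *src == '\0';
}

/* strip_comments = 0 is the weak detector, 1 the corrected one. Input too long
   to inspect completely is flagged rather than passed through unchecked. */
int detect_sqli(const char *input, int strip_comments) {
    char buf[512];
    if (!normalize_sql(input, buf, sizeof(buf), strip_comments)) return 1;
    return matches_pattern(buf);
}

int main(void) {
    const char *q = "id=1 UNION/**/SELECT name FROM users"; /* constructed sample */
    printf("weak=%d corrected=%d\n", detect_sqli(q, 0), detect_sqli(q, 1));
    return 0;
}
```

Matching after normalization is still a heuristic: it treats comment markers inside string literals as comments and only knows the listed patterns.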

Distribution

Reliable figures on the number of Hiawatha installations are not available. Since Hiawatha can best be compared with Lighttpd, it also mainly addresses the target group of administrators who want to use a web server that is as lean as possible.
