
Hiawatha - the best webserver you've never heard of


DESCRIPTION

Apache is, and has been, the dominant webserver for years now. Despite this, it lacks some features I'd like to have seen, or requires extensive tuning and adjusting to get right. As a developer I want something that needs little configuration to be secure and perform well; for me, that's now Hiawatha. I'll give a quick introduction to Hiawatha and look at some of the configuration options and features it offers. Hiawatha has a focus on security, and this is where I'll spend time looking at some of the more unique options it has to protect against attacks and other nasties.


Page 1: Hiawatha - the best webserver you've never heard of

Hiawatha

The best web server you’ve (probably) never heard of.

@TheMattBrunt | Hiawatha, the best web server you’ve never heard of - PHPNW14

https://www.hiawatha-webserver.org/

Page 2: Hiawatha - the best webserver you've never heard of

Matt Brunt

Who am I?

Web Developer - Burnthebook in Derby

Not a sysadmin

@TheMattBrunt

Page 3: Hiawatha - the best webserver you've never heard of

What I Want

Apache is, and has been, the dominant webserver for years now.

That said, it lacks some features that I'd like to have seen, or things that require more extensive tuning, knowledge and adjusting to get right.

I want something that requires little configuration to ensure that it's secure and performs well; for me, that's now Hiawatha (at least on my own servers).

Page 4: Hiawatha - the best webserver you've never heard of

About Hiawatha


Written by Hugo Leisink (@hiawatha_ws) since 2002

Contains lots of core features that are only available as modules in other web servers, or in some cases, just aren’t available.

These vary from preventing some common attacks to banning and controlling user access.

Page 5: Hiawatha - the best webserver you've never heard of

Why Hiawatha?

• High-performance

• Emphasis on security

• Clean configuration syntax

• Doesn’t do more than it needs to

• Uses PolarSSL


Page 7: Hiawatha - the best webserver you've never heard of

Configuration


UrlToolkit {
    ToolkitID = footoolkit
    RequestURI exists Return
    Match .*\?(.*) Rewrite /index.php?$1
    Match .* Rewrite /index.php
}

You can also override various settings by adding a .hiawatha file per directory (though UseToolkit is only valid in the root of a site)

Page 8: Hiawatha - the best webserver you've never heard of

Configuration


VirtualHost {
    Hostname = www.mysite.tld, *.mysite.tld
    WebsiteRoot = /srv/www/vhosts/mysite.tld/public
    EnforceFirstHostname = yes

    UseToolkit = footoolkit

    ShowIndex = no

    PreventXSS = yes
    PreventCSRF = yes
    PreventSQLi = yes

    CustomHeader = X-Frame-Options: sameorigin
    RandomHeader = 256
}

Page 9: Hiawatha - the best webserver you've never heard of

Some Cool Options


• UseGZfile = yes|no

• If available, upload <requested file>.gz with gzip content encoding instead of the requested file

The idea is that you can pre-compress static content instead of having the webserver pipe it through gzip!

Stuff like PHP output will still likely want to use gzip, but for static assets it’s wasteful to run it through gzip for each request.

Page 10: Hiawatha - the best webserver you've never heard of

Security Features

• Attack Prevention
    • PreventXSS = yes|no
        • Replaces < > ‘ “ with _ in requests
    • PreventCSRF = yes|no
        • Ignores all cookies sent by a browser when following an external link to the website
    • PreventSQLi = yes|no
        • Detects injections and denies the request via a 409 response.
    • ConnectionsPerIP = <length>
        • Limits the number <length> of simultaneous connections per IP

Do not get lazy as a developer though…

Page 11: Hiawatha - the best webserver you've never heard of

Security Features

• Banning Attackers
    • BanOnFlooding = X/Y:Z
        • When a client sends more than X connections in Y time they’re banned for Z seconds.
    • BanOnMaxPerIP = <length>
        • If a client exceeds the max number of simultaneous connections per IP, ban for <length> seconds.
    • BanOnMaxReqSize = <length>
        • If a client exceeds the max request size, ban for <length> seconds.
    • RebanDuringBan = yes|no
        • Reset the ban-time when a client tries to reconnect during a ban.
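The BanOnFlooding = X/Y:Z and RebanDuringBan semantics described above, modelled in Python as an added example (this is not Hiawatha's code, and the FloodBanner class, the timestamps and the IP address are constructed for illustration):

```python
from collections import defaultdict, deque


class FloodBanner:
    """Model of BanOnFlooding = X/Y:Z with optional RebanDuringBan (assumed simplification).

    max_conns = X, window = Y seconds, ban_time = Z seconds.
    """

    def __init__(self, max_conns, window, ban_time, reban_during_ban=False):
        self.x, self.y, self.z = max_conns, window, ban_time
        self.reban = reban_during_ban
        self.recent = defaultdict(deque)   # ip -> timestamps of connections inside the window
        self.banned_until = {}             # ip -> time at which the ban expires

    def connect(self, ip, now):
        """Record one connection attempt at time `now`; return 'accepted' or 'banned'."""
        until = self.banned_until.get(ip)
        if until is not None and now < until:
            if self.reban:
                # RebanDuringBan = yes: every attempt during the ban restarts the Z-second timer
                self.banned_until[ip] = now + self.z
            return "banned"
        q = self.recent[ip]
        q.append(now)
        while q and now - q[0] > self.y:   # drop attempts older than the Y-second window
            q.popleft()
        if len(q) > self.x:                 # more than X connections within Y seconds
            self.banned_until[ip] = now + self.z
            q.clear()
            return "banned"
        return "accepted"


def simulate(banner, ip, times):
    """Replay a constructed list of connection times for one IP and return the outcomes."""
    return [banner.connect(ip, t) for t in times]


if __name__ == "__main__":
    # Constructed scenario: BanOnFlooding = 3/10:60, i.e. more than 3 connections in 10 s bans for 60 s
    print(simulate(FloodBanner(3, 10, 60), "198.51.100.7", [0, 1, 2, 3, 30, 63]))
    print(simulate(FloodBanner(3, 10, 60, reban_during_ban=True), "198.51.100.7", [0, 1, 2, 3, 30, 70, 131]))
```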

Page 12: Hiawatha - the best webserver you've never heard of

Security Features

• Encryption Options
    • PolarSSL
        • Used instead of OpenSSL
    • RequireSSL = yes|no
        • Specify that a domain must be visited with an SSL connection; if not, it automatically 301 redirects.
    • RandomHeader = <length>
        • This is my favourite - let’s take a look.

Out of the box (assuming you’ve correctly installed your cert) you should easily be able to get a best-practice implementation.

Page 13: Hiawatha - the best webserver you've never heard of

SSL Labs Result


Page 14: Hiawatha - the best webserver you've never heard of

Why would I want RandomHeader?


Short answer: while TLS stops the content being sniffed or altered, you can’t stop someone guessing the length of the content.

Once you know the length of something, it’s much easier to start guessing what that thing is.

Page 15: Hiawatha - the best webserver you've never heard of

What RandomHeader does


RandomHeader adds an X-Random header to the response of HTTPS connections, whose value is a random string. The length of that string is between 1 and a value you can specify per vhost (max value of 1000).

Because of this, the length of the content (from an outside perspective) is much harder to guess.

Overhead is minimal, just the extra bandwidth to transmit that extra header. On sites with less need for security you can reduce the length if you wish.
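The length side channel described on the last two slides, worked through in Python as an added example (not Hiawatha's code): the page sizes, the X-Random value format and the per-vhost limit of 256 from the VirtualHost example are constructed assumptions, and the point is how many pages an observer who only sees ciphertext lengths can still tell apart.

```python
import secrets
import string

# Constructed sample: on-the-wire response sizes (bytes) of three pages of one site.
# Without padding each size identifies exactly one page.
PAGES = {"/login": 4100, "/profile": 4180, "/dashboard": 4350}

HEADER_OVERHEAD = len("X-Random: ") + 2   # header name plus CRLF (assumed layout)


def random_header(max_len):
    """Build an X-Random header with a 1..max_len character random value (assumed format)."""
    n = 1 + secrets.randbelow(max_len)
    alphabet = string.ascii_letters + string.digits
    return "X-Random: " + "".join(secrets.choice(alphabet) for _ in range(n))


def padded_size(base_size, max_len):
    """Size an observer sees once the random header is appended to a response."""
    return base_size + len(random_header(max_len)) + 2


def guess_without_padding(observed, pages):
    """With no padding, an observed size maps straight back to the page(s) of that size."""
    return {path for path, size in pages.items() if size == observed}


def candidates(observed, pages, max_len):
    """Pages consistent with an observed size when 1..max_len bytes of padding may be present."""
    return {path for path, size in pages.items()
            if 1 <= observed - size - HEADER_OVERHEAD <= max_len}


def confusable_pairs(pages, max_len):
    """Page pairs an observer can no longer separate by size alone: sizes a and b collide
    when pads p, q in 1..max_len give a + p == b + q, i.e. when |a - b| <= max_len - 1."""
    paths = sorted(pages)
    return {frozenset((a, b)) for i, a in enumerate(paths) for b in paths[i + 1:]
            if abs(pages[a] - pages[b]) <= max_len - 1}


if __name__ == "__main__":
    print(guess_without_padding(4100, PAGES))        # one page: the size alone gives it away
    print(candidates(4212, PAGES, 256))              # several pages fit once padding is in play
    print(len(confusable_pairs(PAGES, 256)), len(confusable_pairs(PAGES, 100)))
```

Lowering the limit (the "less need for security" case on the slide) shrinks the set of confusable pages, which is the trade-off the per-vhost value controls.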

Page 16: Hiawatha - the best webserver you've never heard of

RandomHeader in action


Page 17: Hiawatha - the best webserver you've never heard of

Some New Additions (v9.8)


Version 9.8 of Hiawatha (released Sept 27th 2014) introduces an interesting new feature.

You can now run wildcard matches on any header from a request.

Using the URL toolkit you can write a new rule and handle matches accordingly.

There’s an overhead with this, but it’s a neat thing in the meantime for anyone who was still waiting for a patch for Shellshock on their platform.

Page 18: Hiawatha - the best webserver you've never heard of

Some New Additions (v9.8)

UrlToolkit {
    ToolkitID = block_shellshock
    Header * \(\)\s*\{ DenyAccess
}

The same rule restricted to specific headers:

UrlToolkit {
    ToolkitID = block_shellshock
    Header User-Agent \(\)\s*\{ DenyAccess
    Header Referer \(\)\s*\{ DenyAccess
}
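The two rule sets above, run over constructed request headers in Python as an added example (this is a simplified re-implementation of "deny if a Header rule matches", not Hiawatha's own toolkit code); it shows why the `*` form costs more, as it checks every header, but also catches a payload the named rules miss. The header values are constructed for the test and only echo a harmless string.

```python
import re

# Regex from the slide: the "() {" function-definition prefix that Shellshock probes carry.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")

# (header name or "*" for any header, compiled regex): DenyAccess on match.
RULES_ANY_HEADER = [("*", SHELLSHOCK_RE)]
RULES_NAMED = [("User-Agent", SHELLSHOCK_RE), ("Referer", SHELLSHOCK_RE)]


def evaluate(rules, headers):
    """Return 'deny' if any Header rule matches the request, else 'allow'.

    Header names are compared case-insensitively, as HTTP requires.
    """
    lowered = {name.lower(): value for name, value in headers.items()}
    for name, pattern in rules:
        values = lowered.values() if name == "*" else [lowered.get(name.lower(), "")]
        if any(pattern.search(value) for value in values):
            return "deny"
    return "allow"


# Constructed sample requests (values chosen to be harmless).
BENIGN = {"Host": "www.mysite.tld", "User-Agent": "Mozilla/5.0 (X11; Linux x86_64)"}
UA_PROBE = {"Host": "www.mysite.tld", "User-Agent": "() { :; }; echo probe"}
COOKIE_PROBE = {"Host": "www.mysite.tld", "User-Agent": "curl/7.38.0",
                "Cookie": "session=() { :;}; echo probe"}


def compare(headers):
    """Outcome under the any-header rule set versus the named-header rule set."""
    return {"any": evaluate(RULES_ANY_HEADER, headers), "named": evaluate(RULES_NAMED, headers)}


if __name__ == "__main__":
    for label, req in (("benign", BENIGN), ("user-agent", UA_PROBE), ("cookie", COOKIE_PROBE)):
        print(label, compare(req))
```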

Page 19: Hiawatha - the best webserver you've never heard of

So, why isn’t everyone using it?


Short answer:

I don’t know.

Some ideas:

• Apache / cPanel stronghold on the shared hosting market is too strong.

• People hold (often incorrect) opinions about the unknown.

• People are scared of change.

• People are scared to be different.

Page 20: Hiawatha - the best webserver you've never heard of

Conclusion

• Lightweight & well performing (even when under attack)

• Incredible included security options

• Easy to use

• Best practice SSL

• Deserves more market share! Fire up a VM and give it a try!

Page 21: Hiawatha - the best webserver you've never heard of


Questions?

Page 22: Hiawatha - the best webserver you've never heard of

Links & Info

https://www.hiawatha-webserver.org/

https://dotbalm.org/why-i-use-hiawatha-webserver/

http://www.jonathanherzog.com/blog/2010/05/side-channel-leaks-web-applications-reality-today-challenge-tomorrow

https://www.ssllabs.com/ssltest/