Hiawatha is a web server available for multiple platforms. It has been developed by Hugo Leisink since 2002.
History
Hiawatha started in January 2002 as a small web server, suitable for servers with old hardware. Leisink, a computer science student at the time, initially created the server to support Internet servers in student houses in Delft, South Holland, the Netherlands. As the server was designed with improved security as its focus, Leisink states that "there are a lot of security features in Hiawatha you won't find in any other webserver."
The author has said "I know for a long time that vulnerabilities [exist in other web servers.] [One thing] that bothers me: the runtime of a CGI. A CGI process [under other web servers] can run forever. A single CGI script can DoS a webserver. A system administrator is needed to kill the script. And what about a client [or hacker] that keeps on guessing passwords for HTTP authentication? These kind of issues inspired me to create Hiawatha, with settings for maximum request sending time, maximum CGI run time, client banning, etc. Features that, in my opinion, every daemon should have."
The January 2009 edition of Linux Magazine included an article on the Hiawatha web server, describing it as "a light web server with good performance and some innovative security functions". Hiawatha is frequently cited as a lightweight alternative to Apache, as it prioritizes easy installation and reduced storage over including many additional features.
Important releases:
* 1.0: September 2002. A basic but functional web server.
* 2.0: March 2004. Use of multithreading instead of forking.
* 3.0: September 2004. SSL support.
* 4.0: December 2005. A CGI-wrapper for improved security was included.
* 5.0: October 2006. FastCGI support for improved CGI speed.
* 5.2: November 2006. First-time integration into the FreeBSD Ports system at version 5.2 in December 2006, and into the OpenBSD ports tree at version 5.7 in March 2007.
* 5.12: August 2007. URL rewriting support.
* 6.0: October 2007. IPv6 support.
* 6.6: April 2008. XSLT support.
* 6.10: October 2008. Cross-site request forgery prevention added.
* 7.0: February 2010. Remote monitoring support.
* 8.0: January 2012. Autoconf replaced with CMake, OpenSSL replaced with PolarSSL.
* 9.0: March 2013. Clients handled via thread pool instead of creating threads on the fly.
* 10.0: November 2015. Streamlined handling of Directory sections in server configuration.
* 10.9: February 2019. Last major developed release.
In February 2019 Leisink simultaneously announced the release of version 10.9 and the end of major development in a pair of blog posts.
Features
Hiawatha web server implements all important functions of a modern web server, such as:
* CGI and load balancing FastCGI support
* Large file support
* Reverse proxy functionality
* Chroot support
* URL toolkit which supports URL rewriting
* SSL and TLS support
* Basic and digest HTTP authentication
* Upload speed control by traffic shaping
* Internal file caching
* IPv6 support
* HTTP compression using gzip
* Virtual hosting
* Support for WebDAV applications
* Support for Server Name Indication included in v8.6
Hiawatha has many security features that no other web server has, such as prevention of SQL injection, cross-site scripting (XSS) and cross-site request forgery (CSRF), denial-of-service protection, control of external image linking, banning of potential hackers, and limiting the runtime of CGI applications. The author worked on RFC 3546 support, but "the OpenSSL documentation [on this subject] is just extremely poor", so progress was difficult. RFC 3546 support has nevertheless been included since version 8.6, which is developed with PolarSSL v1.2.
Performance
Although security is the main focus, Hiawatha users also speak highly of its speed and performance. According to a performance test carried out by an independent researcher (SaltwaterC), Hiawatha is faster than the ten other servers tested for Drupal static content, while performing comparably to the rest in other metrics.
Hiawatha supports load-balanced FastCGI and had its own PHP-FastCGI utility, although the latter has been deprecated and replaced with the PHP project's FastCGI Process Manager (PHP-FPM). This makes it fast and scalable for handling dynamic content.
See also
* Comparison of web server software