hiawatha
Language: en
Version: 111845 (mandriva - 01/05/08)
Section: 1 (User commands)
NAME
hiawatha - Advanced and secure webserver

SYNOPSIS
hiawatha [<directory which contains the configuration files>]

DESCRIPTION
Hiawatha is a secure webserver for Unix. It has been written with 'being secure' as its main goal. Hiawatha has lots of features that no other webserver has. This, and the fact that Hiawatha's source code is free of security bugs, makes Hiawatha the most secure webserver available. Hiawatha has been tested and runs perfectly on Linux, FreeBSD, MacOS X and Cygwin.
CONFIGURATION FILES
Hiawatha has the following configuration files:

- cgi_wrapper.conf
  See cgi_wrapper(1) for more information.
- httpd.conf
  See the sections SERVER CONFIGURATION, BINDING CONFIGURATION, VIRTUAL HOST CONFIGURATION and DIRECTORY CONFIGURATION for more information.
- mimetype.conf
  See the section MIMETYPES for more information.
- throttle.conf
  See the section CONTROL UPLOADSPEED for more information.
- .hiawatha
  See the section USER SETTINGS PER DIRECTORY for more information.
SECTIONS
The binding, virtual host and directory configuration must be placed inside sections. There are two ways to define a section:

Section {
...
}

or

<Section>
...
</Section>

where the word "Section" must be replaced by "Binding", "VirtualHost" or "Directory". These options are case insensitive.
SERVER CONFIGURATION
The main configuration for the webserver.

- set variable = value
  With set, you can declare a variable. Make sure the name of the variable doesn't conflict with any of the configuration options. The variables are case-sensitive and cannot be redeclared!
  Example: set local_net = 192.168.1.0/24
           AccessList = allow:local_net, deny:0.0.0.0/0 (see AccessList for more information about this option)

- BanlistMask = <allow|deny>:<ip-address>[/netmask][, <allow|deny>:<ip-address>[/netmask], ...]
  Prevent IPs from getting banned in case of bad behaviour. By default, all IPs can be banned.
  Example: BanlistMask = allow:192.168.1.2, deny:192.168.0.0/16

- BanOnFlooding = <number>/<time>:<ban-time>
  When a client sends more than <number> requests in <time> seconds, the IP will be banned for <ban-time> seconds.
  Default = -/-:0, example: BanOnFlooding = 10/1:15

- BanOnGarbage = <ban-time>
  Number of seconds to ban an IP in case of a malformed HTTP request (400 Bad Request). Web browsers normally don't send malformed HTTP requests, so in case of a 400 error code, someone is probably trying something not-so-nice.
  Default = 0, example: BanOnGarbage = 60

- BanOnMaxPerIP = <ban-time>
  How many seconds a client will be banned when the maximum number of simultaneous connections has been exceeded. See ConnectionsPerIP.
  Default = 2, example: BanOnMaxPerIP = 5

- BanOnMaxReqSize = <ban-time>
  Number of seconds to ban an IP in case of a too large HTTP request (413 Request Entity Too Large). See MaxRequestSize.
  Default = 0, example: BanOnMaxReqSize = 10

- BanOnSQLi = <ban-time>
  Number of seconds to ban an IP in case of a detected SQL injection attempt. See PreventSQLi.
  Default = 0, example: BanOnSQLi = 60

- BanOnTimeout = <ban-time>
  Number of seconds to ban an IP in case of a timeout before the first request has been sent. See TimeForRequest.
  Default = 0, example: BanOnTimeout = 30

- CGIextension = <extension>[, <extension>, ...]
  Default extension of a CGI program.
  Example: CGIextension = cgi

- CGIhandler = <CGI handler>:<extension>[, <extension>, ...]
  Specify the handler for a CGI extension. A handler is an executable which will 'run' the CGI script.
  Example: CGIhandler = /usr/bin/php4-cgi:php,php4

- CGIwrapper = <CGI wrapper>
  Specify the wrapper for CGI processes. A secure CGI wrapper is included in the Hiawatha package. See cgi_wrapper(1) for more information.
  Example: CGIwrapper = /usr/sbin/cgi_wrapper

- CommandChannel = <portnumber>,<password>
  The port and the password for the CommandChannel. You can use telnet to connect to the CommandChannel. The password must be encrypted with the crypt(3) function. You can only connect to the CommandChannel from localhost. Type 'help' in the CommandChannel for more information. This feature must be switched on during compilation of Hiawatha.
  Example: CommandChannel = 81,Qfk5/z/SvnUiY

- ConnectionsPerIP = <number>
  Maximum number of simultaneous connections per IP address.
  Default = 10, example: ConnectionsPerIP = 5

- ConnectionsTotal = <number>
  Maximum number of simultaneous connections.
  Default = 50, example: ConnectionsTotal = 100

- GarbageLogfile = <filename with full path>
  Logfile for all malformed HTTP requests.
  Example: GarbageLogfile = /var/log/hiawatha/garbage.log

- Include <filename>
  Include another configuration file.
  Example: Include /etc/hiawatha/hosts.conf

- KickOnBan = yes|no
  Close all other connections that originate from the same IP in case of a ban.
  Default = no, example: KickOnBan = yes

- LogfileMask = <allow|deny>:<ip-address>[/netmask][, <allow|deny>:<ip-address>[/netmask], ...]
  List of IPs from which HTTP requests will be logged. If an IP does not match an entry in the list, the request will be logged.
  Example: LogfileMask = deny:10.0.0.0/24

- MimetypeConfig = <configuration file>
  The location of the mimetype configuration file. If the path is omitted, Hiawatha's configuration file directory will be used.
  Default = mimetype.conf, example: MimetypeConfig = /etc/mime.types

- RebanDuringBan = yes|no
  Reset the ban-time when a client tries to reconnect during a ban.
  Default = no, example: RebanDuringBan = yes

- ReconnectDelay = <time>
  The number of seconds Hiawatha will remember the IP address of the connection and pretend the client is still connected. In combination with ConnectionsPerIP, this can be used to prevent flooding. Note that the BanOnMaxPerIP ban-timer will be used, not the BanOnFlooding ban-timer.
  Default = 0, example: ReconnectDelay = 3

- ServerId = <userid>|<userid>:<groupid>[,<groupid>, ...]
  The userid and groupid(s) the server will change to. If only a userid is specified, the groupid(s) will be looked up in /etc/passwd and /etc/group.
  Default = 65534:65534, example: ServerId = www-data

- ServerKey = <SSL certificate file>
  The file containing the SSL private key and certificate. These will be used for all SSL bindings that don't have their own certificate file. See ServerKey and UseSSL in the BINDING CONFIGURATION section.
  Default = serverkey.pem, example: ServerKey = /etc/ssl/hiawatha.pem

- ServerRoot = <directory>
  Root directory for the webserver. Hiawatha will chroot() to this directory after reading the configuration file and writing the PID file. Cannot be used in combination with UserWebsites.
  Example: ServerRoot = /var/www

- ServerString = <text>
  The text behind 'Server: ' in the HTTP header of a response.
  Default = Hiawatha v<version>, example: ServerString = myWebserver

- SystemLogfile = <filename with full path>
  Logfile for all system and error messages.
  Default = /var/log/hiawatha/system.log, example: SystemLogfile = /var/log/hiawatha.sys

- ThrottleConfig = <configuration file>
  The location of the throttle configuration file. If the path is omitted, Hiawatha's configuration file directory will be used.
  Default = throttle.conf, example: ThrottleConfig = /etc/somewhere/throttle.conf

- TimeForCGI = <time>
  Maximum time in seconds for a CGI process to finish its job.
  Default = 5, example: TimeForCGI = 15
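The two section syntaxes from SECTIONS and the 'set' variables described above, as an added example that is not part of the Hiawatha sources: a small Python parser that accepts both the "Section { }" and "<Section>" forms, lowercases option names (the page says they are case insensitive), substitutes declared variables into later values and rejects a redeclared variable. SAMPLE_CONF is a constructed configuration; the one-option-per-line rule and raising ValueError on malformed input are my assumptions, not documented Hiawatha behaviour.

```python
import re
# Constructed sample httpd.conf using both section syntaxes and a 'set' variable.
SAMPLE_CONF = """
set local_net = 192.168.1.0/24
ConnectionsPerIP = 5
Binding {
    Port = 80
}
<VirtualHost>
    Hostname = www.example.com
    AccessList = allow:local_net, deny:all
</VirtualHost>
"""

SECTION_NAMES = ("binding", "virtualhost", "directory")  # case-insensitive per the man page

def parse_config(text):
    """Return (main_options, sections): option names lowercased, sections a list of
    (section_name, options) in file order. Assumes one option per line and raises
    ValueError on malformed input (an assumption, not Hiawatha's behaviour)."""
    variables, main, sections, current = {}, {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        start = re.fullmatch(r"(\w+)\s*\{", line) or re.fullmatch(r"<(\w+)>", line)
        if start:
            name = start.group(1).lower()
            if name not in SECTION_NAMES or current is not None:
                raise ValueError("unexpected section start: " + line)
            current = (name, {})
        elif line == "}" or re.fullmatch(r"</\w+>", line):
            if current is None:
                raise ValueError("section end without start: " + line)
            sections.append(current)
            current = None
        elif line.lower().startswith("set "):
            # 'set' declares a variable; names are case-sensitive and may not be redeclared
            var, sep, value = line[4:].partition("=")
            var, value = var.strip(), value.strip()
            if not sep or not var or var in variables:
                raise ValueError("bad or redeclared variable: " + line)
            variables[var] = value
        else:
            key, sep, value = line.partition("=")
            if not sep:
                raise ValueError("not an option: " + line)
            value = value.strip()
            for name, repl in variables.items():  # whole-word, case-sensitive substitution
                value = re.sub(r"\b%s\b" % re.escape(name), lambda m: repl, value)
            (main if current is None else current[1])[key.strip().lower()] = value
    if current is not None:
        raise ValueError("unterminated section: " + current[0])
    return main, sections
```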
BINDING CONFIGURATION
A binding is where a client connects to (a port opened on an interface).

- EnableTRACE = yes|no
  Enable the TRACE HTTP request method for this binding.
  Default = no, example: EnableTRACE = yes

- Interface = <ip-address>
  The address of the interface that will be bound.
  Default = 0.0.0.0, example: Interface = 192.168.0.1

- MaxKeepAlive = <number>
  Maximum number of HTTP requests per connection. If this number is reached, the connection will be closed. Of course, the browser can reconnect, but this gives other users a chance to connect in case of a 'crowded' webserver.
  Default = 50, example: MaxKeepAlive = 100

- MaxRequestSize = <size>
  The maximum size of a request in kilobytes the webserver is allowed to receive.
  Default = 64, example: MaxRequestSize = 256

- Name = <name>
  Name can be used to bind a virtual host to an interface. See RequiredBinding.
  Example: Name = LAN

- Port = <portnumber>
  The port number that will be used for the binding. This is a required option.
  Example: Port = 80

- ServerKey = <SSL certificate file>
  The file containing the SSL private key and certificate. These will only be used for the current binding.
  Example: ServerKey = lan_binding.pem

- TimeForRequest = [<time1>, ]<time2>
  Maximum time in seconds for a client to send its HTTP request. time1 is for the first request, time2 is for the following requests (Keep-Alive time).
  Default = 5, 30, example: TimeForRequest = 2, 45

- UseSSL = yes|no
  Use SSL for this binding (HTTPS) or not. SSL is also used for a binding when ServerKey is specified.
  Default = no, example: UseSSL = yes
VIRTUAL HOST CONFIGURATION
The (virtual) hosts the webserver will be serving. The first host must NOT be placed inside a section. This is the default host and therefore not virtual. It is wise to have the IP address of the webserver as the Hostname of the default host and give it a blank page. Automated vulnerable-website scanners will not find your possibly vulnerable website if you do so.

- AccessList = <allow|deny|pwd>:<ip-address>[/netmask][, <allow|deny|pwd>:<ip-address>[/netmask], ...]
  Define which IPs have access to the website. If an IP does not match an entry in the list, access is granted. 'all' is an alias for 0.0.0.0/0. Both the IP address of the machine that connects and the IP address specified in the X-Forwarded-For header field will be matched.
  Example: AccessList = deny:10.0.0.13, allow:10.0.0.0/24, deny:all

- AccessLogfile = <filename with full path>
  Logfile for the HTTP requests.
  Default = /var/log/hiawatha/access.log, example: AccessLogfile = /var/log/hiawatha.acc

- Alias = <softlink>:<path>[, <softlink>:<path>, ...]
  Create a virtual softlink to a directory within a virtual host.
  Example: Alias = /doc:/usr/share/doc

- CGIwrapId = <wrapid>
  Specify a CGI wrapper id for this virtual host. See cgi_wrapper(1) for more information.
  Example: CGIwrapId = test

- DenyBot = <name bot>:<path>[, <path>, ...]
  Return a 403 Forbidden when a searchbot tries to index <path>. <name bot> must be present in the User-Agent string of the searchbot.
  Example: DenyBot = msnbot:/files

- ErrorHandler = <filename>[, <returncode>]
  When an error occurs, this file will be sent to the browser. The WebsiteRoot and the ErrorHandler together must form the complete path to the file. The returncode is the HTTP return code that will be used instead of the raised error code.
  Example: ErrorHandler = /oops.html

- ErrorLogfile = <filename with full path>
  Logfile for the messages that have been written to stdout by CGI processes.
  Default = /var/log/hiawatha/error.log, example: ErrorLogfile = /var/log/hiawatha.err

- ExecuteCGI = yes|no
  Allow execution of CGI programs.
  Default = no, example: ExecuteCGI = yes

- FollowSymlinks = yes|no
  Allow Hiawatha to follow symlinks to files and directories. Symlinks that stay inside the webroot or are owned by root are always followed.
  Default = no, example: FollowSymlinks = yes

- Hostname = <hostname>[, <hostname>, ...]
  Name(s) of the host that Hiawatha will be serving. May start with a wildcard, except the first hostname (a valid name is required in case of a 301 redirect). Hostname is a required field.
  Example: Hostname = www.my-domain.com, *.my-domain.com, www.some-alias.com

- ImageReferer = <hostname>[, <hostname>, ...]:<alternative image>
  If the referer of a request for an image is not one of the specified hosts, return the alternative image instead.
  Example: ImageReferer = my-domain.com:/var/www/pics/forbidden.gif

- LoginMessage = <text>
  Message that will be displayed in the login window in case of HTTP authentication. See PasswordFile.
  Default = Private page, example: LoginMessage = Hugo's MP3 collection

- PasswordFile = <passwordfile>|none
  File which contains the username and password necessary to access this directory. You can create or alter this file with htpasswd(1). The format of the lines in the password file is:
  <username>:<password encrypted with the crypt(3) function>[:user defined fields: ...]
  Example: PasswordFile = /var/www/.passwords

- PreventCMDi = yes|no
  Prevent command injection by replacing a backquote, pipe or semicolon in the URL, POST data and cookie with an underscore. Writing safe code is of course better, so only use this for 'untrusted' code. Note that this can break the uploading of binaries, like images. See also BanOnCMDi.
  Default = no, example: PreventCMDi = yes

- PreventSQLi = yes|no
  Prevent SQL injection by placing a slash before every single quote in the URL, POST data and cookie. This is the same as PHP's magic-quotes, so you should only use this for non-PHP scripts. Writing safe code is of course better, so only use this for 'untrusted' code. Note that this option can break the uploading of binaries, like images. See also BanOnSQLi.
  Default = no, example: PreventSQLi = yes

- PreventXSS = yes|no
  Prevent cross-site scripting by replacing a less-than, greater-than or double quote in the URL with an underscore.
  Default = no, example: PreventXSS = yes

- RequiredBinding = <name>[, <name>, ...]
  Bind a virtual host to one or more interfaces (see the BINDING CONFIGURATION section). The virtual host can then only be reached via the bound interfaces.
  Example: RequiredBinding = LAN

- RequiredGroup = <groupname>[, <groupname>, ...]:<groupfile>
  The <groupname> is the name of the group a user must be a member of to have access. The <groupfile> contains the group names followed by the names of the users that are a member of that group. The format of the lines in the group file is:
  <groupid>:<username>[ <username> ...]
  This option will only be used when PasswordFile is set.
  Example: RequiredGroup = webadmins,staff:/var/www/.groups

- RequireSSL = yes|no
  Specify that a domain must be visited with an SSL connection. If it is visited via HTTP, Hiawatha will send a redirect (301) to the HTTPS URL.
  Default = no, example: RequireSSL = yes

- SetEnvir = <key>:<value>[, <key>:<value>, ...]
  Define environment settings for CGI programs.
  Example: SetEnvir = PHPRC:/var/www/conf

- ShowIndex = yes|no
  Return a directory listing in HTML format for a directory request when the start file does not exist.
  Default = no, example: ShowIndex = yes

- StartFile = <filename>
  The file which will be sent to the browser when a directory is requested.
  Default = index.html, example: StartFile = start.php

- UserWebsites = yes|no
  Activates user websites for this (virtual) host (the /~user/ URLs). Cannot be used in combination with ServerRoot.
  Default = no, example: UserWebsites = yes

- VolatileObject = <filename with full path>
  This file will be completely read into memory before it is sent. Because of this, the file cannot be larger than 1MB. Use this option for files that change rapidly, such as webcam pictures.
  Example: VolatileObject = /var/www/webcam.gif

- WebsiteRoot = <full path>
  Root directory for this virtual host.
  Default = /var/www, example: WebsiteRoot = /home/webmaster/website
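The AccessList rules described above (entries are checked in order and the first match decides, an address matching no entry is allowed, 'all' is 0.0.0.0/0, and both the peer address and the X-Forwarded-For address are matched), as an added example rather than Hiawatha's own code. parse_mask_list also covers the BanlistMask and LogfileMask syntax, which is the same. Two points are assumptions of mine, not documented behaviour: 'pwd' is treated as a verdict between allow and deny, and when the peer and forwarded addresses disagree the most restrictive verdict wins.

```python
import ipaddress

# Verdict ordering used when several addresses are checked: assumption, most restrictive wins.
RANK = {"allow": 0, "pwd": 1, "deny": 2}

def parse_mask_list(spec):
    """Parse '<allow|deny|pwd>:<ip>[/netmask], ...' into [(action, network)].
    BanlistMask and LogfileMask use the same syntax (with allow|deny only)."""
    entries = []
    for item in spec.split(","):
        action, sep, addr = item.strip().partition(":")
        action, addr = action.strip().lower(), addr.strip()
        if not sep or action not in RANK:
            raise ValueError("bad mask entry: %r" % item)
        if addr.lower() == "all":          # 'all' is an alias for 0.0.0.0/0
            addr = "0.0.0.0/0"
        entries.append((action, ipaddress.ip_network(addr, strict=False)))
    return entries

def decide(entries, address):
    """First matching entry decides; an address matching no entry is allowed."""
    ip = ipaddress.ip_address(address)
    for action, net in entries:
        if ip in net:
            return action
    return "allow"

def check_request(spec, peer_ip, x_forwarded_for=None):
    """Verdict for one request: the peer address and every address in the
    X-Forwarded-For chain are matched and the most restrictive verdict wins
    (assumption). An unparsable forwarded address counts as 'deny', so a
    garbled client-supplied header is treated as untrusted rather than ignored."""
    entries = parse_mask_list(spec)
    addresses = [peer_ip]
    if x_forwarded_for:
        addresses += [a.strip() for a in x_forwarded_for.split(",") if a.strip()]
    verdict = "allow"
    for addr in addresses:
        try:
            v = decide(entries, addr)
        except ValueError:
            v = "deny"
        if RANK[v] > RANK[verdict]:
            verdict = v
    return verdict
```

Because X-Forwarded-For is supplied by the client, it can only narrow access under this ordering, never widen it; a LogfileMask is evaluated the same way, with "allow" meaning the request is logged.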
DIRECTORY CONFIGURATION
Override the configuration for specific directories.

- Path = <path|sub-path>
  The path to the directory. Path is a required field. Note that only the first Directory record that has a matching Path will be used. If Path ends with a slash (/), Hiawatha will seek anywhere in the path of the requested file for a match. If it does not end with a slash, Hiawatha will start matching from the beginning of the path.
  Example: Path = /var/www/cgi-bin or Path = /public_html/

- UploadSpeed = <speed>,<maximum number of connections>
  Set the upload speed in kB/s for all the files in the directory regardless of the extension or mimetype. The upload speed will be divided by the number of connections.
  Example: UploadSpeed = 20,4

The following options from the virtual host configuration can also be used in a Directory section: AccessList, ExecuteCGI, CGIwrapId, FollowSymlinks, ImageReferer, PasswordFile, RequiredGroup, SetEnvir and ShowIndex.
USER SETTINGS PER DIRECTORY
A user can override the settings listed below for a certain directory. This can be done by placing one or more of those settings in a .hiawatha file in that directory.

- IndexStyle = [http://<hostname>]/<stylesheet>
  Use another stylesheet for the directory listing (see ShowIndex for more information).
  Example: IndexStyle = /index.css

The settings that can be overridden this way: AccessList, ErrorHandler, LoginMessage, PasswordFile, RequiredGroup, SetEnvir, ShowIndex and StartFile.
MIMETYPES
Specify the mimetypes of files in /etc/hiawatha/mimetypes.conf.

- <mimetype> <extension> [<extension> ...]
  Example: image/jpeg jpg jpeg
CONTROL UPLOADSPEED
The upload speed of some files can be controlled via /etc/hiawatha/throttle.conf.

- <main-mimetype>/[<sub-mimetype>]:<upload speed in kB/s>
  Example: audio/mpeg:30 or video/:30
- .<extension> : <upload speed in kB/s>
  Example: .mp3 : 20
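The mimetype.conf and throttle.conf formats from the MIMETYPES and CONTROL UPLOADSPEED sections, as an added example that is not Hiawatha's code: parse both files and resolve the upload limit for a filename. MIMETYPE_CONF and THROTTLE_CONF are constructed samples, and the precedence (the first throttle rule in file order that matches the file's mimetype exactly, matches its main type via a "video/"-style entry, or matches its extension) is my assumption.

```python
# Constructed samples in the two formats the man page shows.
MIMETYPE_CONF = """
image/jpeg jpg jpeg
audio/mpeg mp3
video/mpeg mpg mpeg
text/html html htm
"""
THROTTLE_CONF = """
audio/mpeg:30
video/:30
.ogg : 15
"""

def parse_mimetypes(text):
    """mimetype.conf: '<mimetype> <extension> [<extension> ...]' per line."""
    ext_to_type = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and not parts[0].startswith("#"):
            for ext in parts[1:]:
                ext_to_type[ext.lower()] = parts[0].lower()
    return ext_to_type

def parse_throttle(text):
    """throttle.conf: '<main>/[<sub>]:<kB/s>' or '.<extension> : <kB/s>',
    kept in file order as (kind, key, kbps)."""
    rules = []
    for line in text.splitlines():
        key, sep, speed = line.partition(":")
        key, speed = key.strip().lower(), speed.strip()
        if not sep or not key or not speed.isdigit():
            continue    # blank or malformed line
        rules.append(("ext" if key.startswith(".") else "mime", key, int(speed)))
    return rules

def upload_speed(filename, ext_to_type, rules):
    """Upload limit in kB/s for a file, or None if it is not throttled.
    Precedence is an assumption: the first rule in file order that matches the
    file's mimetype (exactly, or by 'video/'-style main type) or its extension wins."""
    ext = filename.rsplit(".", 1)[1].lower() if "." in filename else ""
    mimetype = ext_to_type.get(ext)
    for kind, key, kbps in rules:
        if kind == "ext" and key == "." + ext:
            return kbps
        if kind == "mime" and mimetype is not None and (
                mimetype == key or (key.endswith("/") and mimetype.startswith(key))):
            return kbps
    return None
```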
EXTRA
- gzip Content-Encoding support
  Hiawatha has gzip Content-Encoding support in a unique way. Other webservers with gzip Content-Encoding support will compress a file every time this file is requested, over and over again. Compression is only useful for large files. Since most of the large files on a website are JPEG files and JPEG files are hard to compress, most of the compression done by such webservers is a waste of CPU power.
  Hiawatha will do this in a more efficient way. When a file, say file.txt, is requested by a browser with gzip support, Hiawatha will search for a gzipped version of that file: file.txt.gz. If found, Hiawatha will upload this file instead of the original file.
SIGNALS
- TERM
  Will shut down the webserver.
- USR1
  Will unban all clients.
- USR2
  Will disconnect all clients.
FILES
/usr/sbin/hiawatha
/etc/hiawatha/httpd.conf
/etc/hiawatha/mime.types
/etc/hiawatha/throttle.conf
/etc/hiawatha/cgi_wrapper.conf
SEE ALSO
cgi_wrapper(1)

AUTHOR
Hiawatha is written by Hugo Leisink <hugo@leisink.net> in C. For more info about Hiawatha, see http://hiawatha.leisink.org/