Hiawatha is an open source webserver with a focus on security. I started Hiawatha in January 2002. Before that time, I had used several webservers, but I didn't like them. They had unlogical, almost cryptic configuration syntax and none of them gave me a good feeling about their security and robustness. So, I decided it was time to write my own webserver. I never thought that my webserver would become what it is today, but I enjoyed working on it and liked to have my own open source project. In the years that followed, Hiawatha became a fully functional webserver.
Like every new project, Hiawatha started very small. All the nice features Hiawatha has today, weren't available in the beginning. To give you an idea about how Hiawatha grew up, here is an overview of the most important Hiawatha releases and their best new features.
- 1.0: September 2002, a basic but functional webserver.
- 2.0: March 2004, use of multithreading instead of forking.
- 3.0: September 2004, SSL support.
- 4.0: December 2005, a CGI-wrapper for improved security was included.
- 5.0: October 2006, FastCGI support for improved CGI speed.
- 5.12: August 2007. URL rewriting support.
- 6.0: October 2007, IPv6 support.
- 6.6: April 2008. XSLT support.
- 7.0: February 2010, the Hiawatha Monitor for remote webserver monitoring.
- 8.0: January 2012, Autoconf replaced with CMake and OpenSSL replaced with PolarSSL.
- 8.3: May 2012, reverse proxy added.
- 9.0: March 2013, usage of a thread pool instead of forking threads on the fly.
For a list of the most important capabilities of the Hiawatha webserver, take a look at this feature list.
Because of my great interest in IT security, I paid extra attention to security while I was working on Hiawatha. Beside all the default security measures you can expect from a modern webserver, there are a lot of security features in Hiawatha you won't find in any other webserver. Many of them started as an experiment, but in the meantime, most of them have proven to be very usefull.
A second thing I wanted my webserver to be is easy-to-use. This resulted in a readable configuration syntax and not having to be a HTTP or CGI expert in order to get Hiawatha running.
I strongly believe that many features you find in several other webservers, shouldn't be placed inside a webserver but in a web application. They make them big and bloated. Hiawatha only has the features necessary to do what a webserver has to do; serving web applications. Hiawatha's small size makes it therefor perfect for embedded systems and older hardware.
Hiawatha started as a webserver for my own Debian Linux server, but in the meantime it has become available on many operating systems. Compile and run tests of Hiawatha have successfully been done (by myself and others) on Debian, Ubuntu, Gentoo, Fedora, Slackware, FreeBSD, OpenBSD, NetBSD, MacOS X, Solaris and Cygwin. Because of the use of a platform-independent build system, it's very likely that Hiawatha will compile and run on other Unix-clones as well.
What other people say about Hiawatha:
So 'tis the season to setup a new e-commerce site, or so it seems. In the last week, I've setup two separate Magento instances for two different friends in the industry. Unfortunately, it was written specifically against Apache, and therefore relies heavily on Apache-specific behavior (lots of rewrites, .htaccess hacks, direct interaction with certain Apache modules via PHP, etc). Thus, it frankly scales like crap without a decent load balancer, it's trivial to DoS, and requires many hours of tuning and tinkering to be ready for real customer traffic.
Thankfully, in the wake of Heartbleed
, people have been much more receptive to looking beyond "safe" technologies like Apache and OpenSSL, thus leaving the door open to alternative stacks.
With Hiawatha's new-ish ReverseProxy functionality, I was able to support 10x the traffic of vanilla Apache, 30% more simultaneous TLS handshakes, and make it completely immune to SlowLoris
/slowheaders style DoS (mirroring the results
you published last month). I was also able to make Apache's memory footprint much more predictable, forcing it to spawn a specific number of static forks instead of allowing the normal balloon behavior which fragments memory and eats precious CPU time. So, while it's not quite as fast as Hiawatha + php5-fpm would be, it's not too far off. Add to this Hiawatha's ability to cache up to 100M of proxied static content, and it's lower-latency than vanilla Apache as well, giving users a snappier, more professional feeling interface.
could there be a more secure, efficient, high-performance, and easy-to-use web server that seems born to run on embedded systems?
We decided that we could do better than our previous webserver and set about benchmarking everything out there. After comprehensive testing (and I do mean comprehensive - we optimised and tested them all!), we found Hiawatha to be superior in terms of configurability, speed, stability (no memory leaks! No crashes!), support and security. It now forms an integral part of our and our client's infrastructure and is serving pages at around 150% of the capacity of our previous webserver on the same hardware.
I started using it at my work place yesterday and today I'm already getting too much attention from colleagues. They've all attested to the speed with which they download; it's cool to note that its memory consumption and footprint are small.
A software developer at the International Institute of Tropical Agriculture
Apache's security approach is terrible (ha.ckers.org/blog/20090617/slowloris-http-dos
), so I started to search for an alternative. Wikipedia pointed me to Hiawatha. I was testing it for months, and currently it serves all our customer websites. The support is very professional, questions on the forum are answered within minutes! Configuration is a breeze, with unique security options. You just have to try it, to realize that setting up a secure webserver must not be a rocket science.
I came across Hiawatha from the Puppy linux community. After much testing, I found that Hiawatha is a rock solid, secure, fast and lightweight server. I have been a fan of Hiawatha ever since. We were having huge bandwidth usage on Puppylinux.ca. Recently, we even crossed 1000 GB of bandwidth usage a day. There were lot of abusers and robots that were causing this spike. We switched our server to Hiawatha and we are having only around 40GB bandwidth usage a day which is way below the past usage. The ban options in Hiawatha have helped us immensely. I also find Hiawatha very easy to setup and configure. This is my server of choice. To add on to all this, Hugo who created Hiawatha has been very helpful in answering any questions we had. He continues to improve Hiawatha with every version. Thanks a lot for this great web server. Please keep developing this.
In January 2002, Hugo decided to develop his own webserver. This led to Hiawatha, which, in contrast to competitors, has several interesting security features. With its excellent performance and limited size of 600kb, it's ideal for low-end and embedded machines.
The difference between an Apache and a Hiawatha configuration file is like the difference between Sendmail's freebsd.cf and Postfix's main.cf.
...I certainly appreciate its ease of installation and configuration.
, Canadian network and systems administrator, IT instructor, author and international speaker