Weblog

Hiawatha 9.5 and Monitor 0.7 have been released

23 April 2014, 21:21

New versions of the Hiawatha webserver and the Hiawatha Monitor have been released. The Monitor has had some major changes. The support for request monitoring has been removed and support for CGI statistics has been added. Of course, Hiawatha has been changed for that as well.

Other new things in Hiawatha are the EnforceFirstHostname option, which allows you to enforce the usage of a certain hostname for a virtual host, and the ScriptAlias, which does what it says. :)

by Hugo Leisink

Heartbleed

10 April 2014, 09:15

Yesterday, the whole internet was talking about Heartbleed, a nasty bug in OpenSSL. This bug allows an attacker to remotely steal information, including the private key being used, from the memory of your server without leaving a trace.

Users of the Hiawatha webserver can relax, you are all safe. Thanks to PolarSSL. The bug in OpenSSL was introduced in March 2012 and Hiawatha switched to PolarSSL in January 2012. So, although a bit of luck is involved, Hiawatha didn't let you down when it comes to security. Once again.

Tags: bug, SSL
by Hugo Leisink

Hiawatha 9.4 has been released

22 March 2014, 11:40

In this new release, I've dropped support for RC4 and improved the reverse proxy. The ErrorXSLTfile option allows you to create your own error messages and the RandomHeader option is for improved SSL security.

by Hugo Leisink

Performance testing while under attack

28 February 2014, 20:30

Chris Wadge has used the slowhttptest tool to see how well several (untuned) webservers are handling the slowloris attack. The results are quite interesting. I'll let them speak for themselves.

Test parameters

Test type: SLOW HEADERS
Number of connections: 4096
Verb: GET
Content-Length header value: 4096
Extra data max length: 52
Interval between follow up data: 10 seconds
Connections per seconds: 128
Timeout for probe connection: 3
Target test duration: 240 seconds
Using proxy: no proxy

It's all about the green line and the required time to deal with the bad requests. It shows that Hiawatha stays available for other clients while under attack from one. In other words, if you want to sleep well at night knowing that your websites are online even while under attack, go for Hiawatha!

Cherokee crash

The Cherokee webserver was also tested. But because it crashed out of the box during the test, it didn't meet the tester's 'untuned' criterion, which was used for all of the other webservers featured.

by Hugo Leisink

Hiawatha logo

11 January 2014, 01:03

For quite some time, a particular person has been having a problem with the logo of the Hiawatha webserver, and that of the Cherokee webserver. Both have a happy little Indian kid for a logo, but for some reason this person sees it as an insult to the Indian people. I've always withheld myself from interfering with this nonsense discussion, but for once I had to respond. Hope this humbug ends soon.

Tags: logo
by Hugo Leisink