New versions of the Hiawatha webserver and the Hiawatha Monitor have been released. The Monitor has had some major changes. The support for request monitoring has been removed and support for CGI statistics has been added. Of course, Hiawatha has been changed for that as well.
Other new things in Hiawatha are the EnforceFirstHostname option, which allows you to enforce the usage of a certain hostname for a virtual host, and the ScriptAlias, which does what it says. :)
Yesterday, the whole internet was talking about heartbleed, a nasty bug in OpenSSL. This bug allows an attacker to remotely steal information, including the private key being used, from the memory of your server without leaving a trace.
Users of the Hiawatha webserver can relax, you are all safe. Thanks to PolarSSL. The bug in OpenSSL was introduced in March 2012 and Hiawatha switched to PolarSSL in january 2012. So, although a bit of luck is involved, Hiawatha didn't let you down when it comes to security. Once again.
Chris Wadge has used the slowhttptest tool to see how well several (untuned) webservers are handling the slowloris attack. The results are quite interesting. I'll let them speak for themselves.
| Test parameters | |
|---|---|
| Test type | SLOW HEADERS |
| Number of connections | 4096 |
| Verb | GET |
| Content-Length header value | 4096 |
| Extra data max length | 52 |
| Interval between follow up data | 10 seconds |
| Connections per seconds | 128 |
| Timeout for probe connection | 3 |
| Target test duration | 240 seconds |
| Using proxy | no proxy |
It's all about the green line and the required time to deal with the bad requests. It shows that Hiawatha stays available for other clients while under attack from one. In other words, if you want sleep well at night knowing that your websites are online even while under attack, go for Hiawatha!
The Cherokee webserver was also tested. But because it crashed out of the box during the test, it didn't meet the tester's 'untuned' criteria, which was used for all of the other webservers featured.
For quite some time, a particular person is having a problem with the logo of the Hiawatha webserver, and the one of the Cherokee webserver. Both have a happy little Indian kid for a logo, but for some reason this person sees it as an insult to the Indian people. I've always withhold myself from interfering with this nonsense discussion, but for once I had to respond. Hope this humbug ends soon.
