Weblog

HTTP.sys

16 April 2015, 20:45

Although there is already a patch available for the HTTP.sys vulnerability, I think it's useful to know that Hiawatha can block requests that exploit this vulnerability. If you had been forced to wait for a patch, you could have used Hiawatha as a reverse proxy with the following configuration to block HTTP.sys exploits.

UrlToolkit {
  ToolkitID = httpsys
  Header Range [0-9]{6,} Ban 86400
}

VirtualHost {
  Hostname = www.example.com
  UseToolkit = httpsys
  ReverseProxy .* http://<webserver IP address>/
}
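The toolkit rule above bans any client whose Range header contains a run of six or more digits. As an added illustration (not part of the original post or of Hiawatha itself), the following Python snippet applies the same rule to a few constructed request header sets, so you can see which requests the proxy would ban and for how long. The header dictionaries and the 203.0.113.x style sample values are constructed for the example.

```python
import re

# Mirrors the toolkit line "Header Range [0-9]{6,} Ban 86400" from the post:
# a Range header value containing six or more consecutive digits is hostile.
RANGE_RULE = re.compile(r"[0-9]{6,}")
BAN_SECONDS = 86400  # the "Ban 86400" part of the rule


def range_header_is_hostile(headers):
    """Return True if the request's Range header matches the ban rule.

    `headers` maps header name -> value. HTTP header names are
    case-insensitive, so the lookup is too.
    """
    for name, value in headers.items():
        if name.lower() == "range" and RANGE_RULE.search(value):
            return True
    return False


def ban_decision(headers):
    """Return how many seconds to ban the client (0 means allow)."""
    return BAN_SECONDS if range_header_is_hostile(headers) else 0


# Constructed sample requests, not captured traffic: a normal resumed
# download of a small file, a request without a Range header, and one
# whose Range value carries a long digit run.
SAMPLE_REQUESTS = {
    "resume-download": {"Host": "www.example.com", "Range": "bytes=0-1023"},
    "plain": {"Host": "www.example.com", "User-Agent": "constructed/1.0"},
    "suspicious": {"Host": "www.example.com", "RANGE": "bytes=1000000-"},
}


def classify(requests):
    """Apply the ban rule to every sample request; returns name -> seconds."""
    return {name: ban_decision(hdrs) for name, hdrs in requests.items()}


if __name__ == "__main__":
    for name, seconds in classify(SAMPLE_REQUESTS).items():
        print(f"{name}: {'ban for ' + str(seconds) + 's' if seconds else 'allow'}")
```

Note that the rule is deliberately coarse: a legitimate resumed download of a file larger than about 100 KB also produces a Range offset with six or more digits, so a client doing that on a proxied site would be banned too. That trade-off is acceptable as an emergency stop-gap until the real patch is applied, which is how the post presents it.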
Tags: security
by Hugo Leisink

Rewriting Hiawatha in Java

1 April 2015, 09:13

To make Hiawatha more cross-platform, I've decided to move away from C. I'm now busy rewriting Hiawatha in Java. About 90% of all features have already been rewritten. To read more about this migration and to download a preview, click here [page removed].

Update:
Of course, this was an April Fools' joke. No way in hell I'm gonna do something with Java.

Tags: future
by Hugo Leisink

HTTP/2 specification approved

18 February 2015, 11:49

The IETF HTTP Working Group has approved the HTTP/2 specification. This draft will now get the 'request-for-comments' status for a short while, which allows others to make their comments. After that, the IETF will publish it as an official standard.

Tags: HTTP/2
by Hugo Leisink

Hiawatha v9.12 has been released

13 February 2015, 10:04

After every release, I always think: what's next? But somehow, there is always something to improve or fix. This new release of the Hiawatha webserver contains two main changes.

  • First, Hiawatha now uses mbed TLS instead of PolarSSL. What, a new SSL library? No, PolarSSL has been acquired by ARM, so PolarSSL has been rebranded as mbed TLS. The effect of this name change is that Hiawatha can no longer support earlier versions of PolarSSL, because several changes have been made to the code. mbed TLS 1.3.10 uses both polarssl and mbedtls in the code (quite confusing), but the next release of mbed TLS will contain no reference to the name PolarSSL any more. So the next release of Hiawatha will also no longer support earlier versions of mbed TLS.
  • The Hiawatha SSL library (not PolarSSL / mbed TLS itself) contained a memory leak, which occurred when a client tried to connect with SSL 3.0 while support for it was turned off or not included at all. For every 'No cypher overlap during SSL handshake.' in your system.log, there was a small leak. But when someone made a large number of SSL 3.0 connection attempts to your server, you could have had a problem. I therefore advise everyone to update to v9.12. The leak was, by the way, very easy to find via the Xcode tool Instruments, which is an awesome tool!
by Hugo Leisink

Hiawatha v9.11 has been released

18 January 2015, 15:39

Version 9.11 of the Hiawatha webserver has been released. This release brings the ChallengeClient option, which gives Hiawatha the ability to reduce the effects of a DDoS attack. This is done by checking whether the client has a certain cookie set. If this is not the case for the first request within a connection, Hiawatha sends a 307 and this cookie (via a Set-Cookie HTTP header or JavaScript) back to the client. If the second request within the same connection still doesn't have this cookie, the client is banned. The idea is that normal browsers understand the 307 and the HTTP Set-Cookie header or the JavaScript, but HTTP bots don't.

Please note that although this option works from a technical point of view, it should be used with great care. Proper testing is strongly advised. Also note that this option should only be used when options like ConnectionsPerIP, ReconnectDelay and BanOnFlooding are insufficient.
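To make the per-connection logic concrete, here is an added Python simulation of the Set-Cookie variant of the challenge as the post describes it. This is illustration code written for this page, not Hiawatha's implementation: the cookie name "challenge", its value, the client address 203.0.113.7 and the two simulated clients (a browser that honours Set-Cookie and a bot that ignores it) are all constructed assumptions.

```python
from dataclasses import dataclass, field
from http.cookies import SimpleCookie
from typing import Optional

CHALLENGE_COOKIE = "challenge"  # assumed cookie name; the post names none
CHALLENGE_VALUE = "ok"          # assumed static token for the simulation


@dataclass
class Connection:
    """State kept per TCP connection: the client and how many requests it sent."""
    client_ip: str
    requests_seen: int = 0


@dataclass
class Decision:
    action: str                    # "pass", "challenge" or "ban"
    status: Optional[int] = None   # HTTP status to send back, if any
    headers: dict = field(default_factory=dict)


def has_challenge_cookie(request_headers):
    """True if the Cookie header carries the expected challenge cookie."""
    jar = SimpleCookie()
    jar.load(request_headers.get("Cookie", ""))
    return CHALLENGE_COOKIE in jar and jar[CHALLENGE_COOKIE].value == CHALLENGE_VALUE


def handle_request(conn, request_headers, path, banned):
    """Apply the ChallengeClient rule to one request on `conn`."""
    conn.requests_seen += 1
    if has_challenge_cookie(request_headers):
        return Decision("pass", 200)
    if conn.requests_seen == 1:
        # First request on this connection without the cookie: send a 307
        # back to the same URL together with the cookie.
        return Decision("challenge", 307, {
            "Location": path,
            "Set-Cookie": f"{CHALLENGE_COOKIE}={CHALLENGE_VALUE}",
        })
    # Second request on the same connection and still no cookie: ban the client.
    banned.add(conn.client_ip)
    return Decision("ban")


def simulate(client_honours_cookie):
    """Replay up to two requests on one connection; returns (actions, banned)."""
    banned = set()
    conn = Connection("203.0.113.7")  # constructed address (documentation range)
    headers = {"Host": "www.example.com"}
    actions = []
    for _ in range(2):
        decision = handle_request(conn, headers, "/index.html", banned)
        actions.append(decision.action)
        if decision.action != "challenge":
            break
        if client_honours_cookie:
            # A browser stores the cookie and sends it with the redirected request.
            headers = {**headers, "Cookie": decision.headers["Set-Cookie"]}
    return actions, banned


if __name__ == "__main__":
    print("browser:", simulate(True))   # (['challenge', 'pass'], set())
    print("bot:    ", simulate(False))  # (['challenge', 'ban'], {'203.0.113.7'})
```

The simulation only models the Set-Cookie path; the JavaScript variant the post mentions works the same way from the server's point of view, except that the cookie is set by a script the browser has to execute. Since the decision hinges on the second request of the same connection, any client that opens a fresh connection for each request never reaches the ban step, which is one reason the post advises testing this option thoroughly before relying on it.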

Many thanks to Andrey Vasilev and Chris Wadge for all the testing and feedback.

Tags: release
by Hugo Leisink