27 January 2017, 12:06

Exactly 15 years ago, I released Hiawatha v0.1. A lot has happened since then. From a small, simple and mostly experimental webserver, Hiawatha has grown to a mature and fully functional webserver. Many experimental security features have proven to be very usefull, even in a production environment, and make Hiawatha a very secure webserver. It might even be the most secure webserver available.

Hiawatha usage

Despite all my attempts to make Hiawatha more known to the world, Hiawatha still doesn't have many users. My best guess is that Hiawatha is installed at a few hundred servers with only a few dozen serious users. The last few years, I'm perfectly fine with that. I've accepted that the world doesn't need another webserver, specially not one that has a main focus on security. Speed and performance is what truly matters to most people. Although Hiawatha is not a slow webserver [1, 2], I simply don't put my main focus on it and don't advertise it much.

The future of the Hiawatha webserver

The only feature that is missing to make Hiawatha really ready for the future is HTTP/2 support. It's not a secret that I'm not a big fan of HTTP/2 [3, 4]. In my opinion, HTTP/2 is a protocol by Google, for Google. If you're not (like) Google, you won't benefit much from it. Because implementing HTTP/2 will cost a lot of time, Hiawatha users won't benefit from it in any way and Hiawatha doesn't have many users, chances are very slim Hiawatha will have HTTP/2 support soon. Because many devices with an HTTP interface, like modems, routers, printers, storage devices, etc, only support HTTP/1.x at the moment, it's unlikely browsers will drop support for HTTP/1.x within the next decade. And in a decade, much can change. Perhaps I find the time and will to implement HTTP/2. Perhaps if I implement a bit of it each year, it will be ready in a few years. Maybe somebody else helps me implement it. Who knows. I still like developing and still like IT security, so Hiawatha will probably remain my hobby webserver for as long as I live.

Since Hiawatha v7.0, you can keep track of a lot of things that are going on at your webserver via the Hiawatha Monitor. It gives me a lot of information about hack attempts, malfunctioning websites or which website simply needs a bit of attention. Although I use it a lot myself, it also doesn't have many users. So, I will keep using and supporting it, but don't expect much new development there as well.

What's next?

So, what can you expect instead? Hiawatha is and will always be a webserver with a main focus on security. So, new releases will contain new security features, both proven useful and experimental. But because Hiawatha is already a mature webserver, new versions won't be released as often as in the past time. Of course, bugs will be taken seriously and be dealt with as fast as I can.

Whether or not your website gets hacked, mostly depends on the security of the website itself, not the security of the webserver. Therefor, I also developed a secure PHP framework, called Banshee. Because there's more to do in Banshee than in Hiawatha, in the future, more of my free time will go to Banshee instead of Hiawatha.

Last but not least...

To celebrate the 15th anniversary, I've released Hiawatha v10.5.

27 January 2017, 12:26
Hello Hugo,
thank you very much for this great webserver. Happy birthday hiawatha.
I installed 10.5 successfully on OpenBSD, Raspbian, Armbian, Debian and Ubuntu.
Monitor is an usefull and afine tool. Also banshee is the framework for my website.
Let us look forward to the future for the next 15 years.
27 January 2017, 14:50
Hi Hugo,

Many thanks for your so appreciated time in its creation and Happy Birthday with a Long Life to our beloved Hiawatha webserver running under Ubuntu ! Cheers, Germain from Switzerland
27 January 2017, 14:51
Rest assured that Hiawatha is running on quite a few more systems than you might imagine

We alone run it on 2700+ containers, mostly for internal/dev use for now, but we also have some production instances with Hiawatha.

For some use cases nginx is better suited (e.g. large file sizes), but in general we like Hiawatha a lot.

Thank you and keep up the good work.
27 January 2017, 15:08
Dear Hugo,
Congrats on celebrating 15 years of this amazing web server. I've been using it on my production servers for at least 3 years now and I LOVE it.
Hiawatha stands out from the crowd with it's speed, security and spot on support and I for one think that having a small user community is better. We all enjoy great attention to details, quick releases and fixes and a "Botique" server software.

Keep on the amazing good job! Your care, thoughts and planning are easily seen in Hiawatha and its features and they are highly appreciated by all of us!
27 January 2017, 16:18
congrats and many thanks for that fine piece of software!

I love hiawatha especially for it´s ease of use and clean configuration.
Keep focus on that, it´s security and small footprint.
Using it on alpine, debian and ubuntu for my private projects, but never say never taking it into business´ production environment in the future.

Still global companies - self-proclaimed market leaders - are not able to bring HTTP/2 to a stable state within their L7 fullproxy appliances.. ;-)
No need to hurry here. I don´t think hiawatha was meant to deal as a high traffic site webserver...
27 January 2017, 17:13
Happy birthday Hiawatha!
The best webserver in the world, which made all my projects easy and secure!
I love Hiawatha and don't want to miss it
Hugo you're a genius, thank you.
Gerard Lally
27 January 2017, 19:36
We don't want the world to know we're using Hiawatha, Hugo!
28 January 2017, 08:35
Congratulations on the 15th birthday of Hiawatha!
I'm still in love with my favorite web server. Thank you so much for this software pearl and for your tireless work, Hugo.
28 January 2017, 13:19
Happy Birthday Hiawatha!
kudos to Hugo!!
28 January 2017, 14:27
Thank you very much Hugo for all of your work and support. Happy birthday Hiawatha.
28 January 2017, 19:23
Hiawatha really stands out of the crowd. It is easy to configure, secure and has a very small footprint at the same time. Exactly what I was always looking for. Using Hiawatha in my Intranet and in some Internet Projects, I can only say: Happy Birthday Hiawatha and a very great thank you to Hugo. You really rock the Web!
29 January 2017, 17:26

The manual does not update.
29 January 2017, 18:57
Thanks for your efforts and many happy returns of the day!
Hugo Leisink
30 January 2017, 08:36
Thanks everybody for the kind feedback!
Chris Wadge
31 January 2017, 03:00
Congrats on another great release, Hugo. ;-)

I forgot to post about this the other day, but Hiawatha 10.5 has been built for Debian with Hiawatha Monitor support. Deb packages are available in the usual places.

All the best,
David Oliver
2 February 2017, 00:56
Belated congratulations on your birthday, Hiawatha. Many thanks!
2 February 2017, 09:41

What about UWSGI support in future versions?
2 February 2017, 10:25
Happy Birthday Hiawatha
Thanks hugo and community to keep hiawatha alive
Hugo Leisink
2 February 2017, 21:01
3 February 2017, 00:32
Any plan to implement reloading of certs without restarting the server? Maybe via tomahawk or watching the cert file for changes.
mika zika
4 February 2017, 16:30
happy birthday and ...
10.5 changelog is not written
alessandro simon
5 February 2017, 00:30
I love Hiawatha, it was love at first sight, safe fast and easy to use and is still a teenager in the world of Web Servers.

Happy Birthday Hiawatha.
5 February 2017, 16:07
@Hugo Leisink
Well, UWSGI is virtually necessary for Python webapps deployment. It would be handy feature IMHO.
Hugo Leisink
5 February 2017, 22:29
As far as I know, Python also supports FastCGI. So, there is no need for me to implement UWSGI.
11 February 2017, 01:15
What can I say, I use hiawatha to host more than 100 websites by now and I'm really happy with it. Has been rock solid and reliable, every website should be running with hiawatha, but ohh well what could we do to achieve that . Happy 15 years and thanks for this wonderful gift to the community, you are a vivid example to follow!
Hugo Leisink
11 February 2017, 20:50
Thanks for your kind feedback!
23 February 2017, 14:18
@Hugo Leisink
Well, I think nobody use FastCGI to deploy Python webapps, only (u)WSGI. And you can use uWSGI to run other non-Python webapps too.
3 March 2017, 23:23
Congratulations and thank you for making such a great web-server!

Perhaps use of the nghttp2 library could enable adding http/2 support with less work?
Hugo Leisink
4 March 2017, 13:38
I got my eye on nghttp2 for quite some time. It's very well possible that I will be using that library, otherwise it's just too much work. Don't know how secure it is and if it will work well with mbed TLS. But good you mentioned it. I'll start doing some serious research on whether it's an option or not.
21 March 2017, 21:59
Hi Hugo,

Actually BSDfan is right : pretty much nobody uses FastCGI to deploy Python webapps ; WSGI is used instead for Python web apps dployment. FastCGI is actually removed from Django 1.9 and above (and deprecated in Django 1.8).

WSGI support in Hiawatha would be an awesome (and needed) feature ! Currently, people seem to use Gunicorn and Nginx, or uWSGI and Nginx to run a (Django) Python web app.

Would you care to look into this ?
Hugo Leisink
26 March 2017, 11:30
I'm not very familiar with Python and (u)WSGI. But if I understand it all correctly, WSGI is the interface / protocol, like FastCGI. uWSGI is a tool to run Python applications with a webserver that support the WSGI protocol. Right?

I read that uWSGI also supports the FastCGI protocol [omgitsmgp.com]. That makes WSGI support in Hiawatha not really necessary to run Python applications. Correct?
13 April 2017, 22:15
I have been a very happy user of Hiawatha for more than 10 years on Windows 7 x32 and x64, Windows 10 and recently Arch Linux.
I have updated it regularly and no version has ever failed on any system. It is simply the most reliable and secure software across versions I have come across.

It is a mystery to me why it hasn't picked up more than this. Its market share can be followed here:

Dodzi Dzakuma
4 June 2017, 16:22
Thanks a lot for all of your support. You have done a great job and I have been a big fan of your work.

I continue to use your tech where it is beneficial.
Hugo Leisink
27 August 2017, 21:58
Use this patch for that:

> /* Remove IP addresses from the list
> */
> private function remove_ip_addresses($hostnames) {
> $result = array();
> foreach ($hostnames as $hostname) {
> if (filter_var($hostname, FILTER_VALIDATE_IP) == false) {
> array_push($result, $hostname);
> }
> }
> return $result;
> }
> $website_alt_hostnames = $this->remove_ip_addresses($website_alt_hostnames);