27 September 2014, 15:17

A new version of the Hiawatha webserver has been released. The main new feature in this release is the support for websockets. Although I've had several requests for this feature in the past, I had absolutely no response to my request for beta testers for this feature. So, I hope it works well.

Rumor has it that the second patch for the Bash Shellshock vulnerability also doesn't fix it completely. If that's the case, Hiawatha can help. The UrlToolkit's Header option now accepts a wildcard (*) in place of a header name, allowing you to match every HTTP header against a pattern. Use this wisely, because checking every header of every request of course comes with a performance cost.

UrlToolkit {
  ToolkitID = block_shellshock
  Header * \(\)\s+\{ DenyAccess
}
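
How a wildcard header rule like the one above decides, as an added example that is not part of the original post or of Hiawatha's code. Python's re module stands in for the server's regex matching (an assumption), the sample requests are constructed, and both the \s+ pattern from the rule above and the \s* variant proposed in the comments are checked.

```python
import re

# Patterns taken from the page: the rule in the post (\s+) and the variant
# proposed in the comments (\s*). Python's re module stands in for the
# server's regex engine (assumption), searching anywhere in the value.
RULE_POST = re.compile(r"\(\)\s+\{")
RULE_COMMENT = re.compile(r"\(\)\s*\{")


def offending_headers(headers, rule):
    """Return the names of all headers whose value matches the rule.

    Mirrors 'Header * <pattern>': every header is checked, not only the
    well-known ones, because a CGI gateway exports each request header
    to the environment of the child process.
    """
    return [name for name, value in headers.items() if rule.search(value)]


def decide(headers, rule):
    """Return 403 if any header matches (DenyAccess), otherwise 200."""
    return 403 if offending_headers(headers, rule) else 200


# Constructed sample requests; the command part is an inert placeholder.
BENIGN = {
    "Host": "www.example.org",
    "User-Agent": "Mozilla/5.0 (X11; Linux x86_64) Gecko/20100101",
    "Accept": "text/html,application/xhtml+xml;q=0.9,*/*;q=0.8",
    "Cookie": "prefs={theme:dark}; note=call()",
}
MARKED_UA = {**BENIGN, "User-Agent": "() { :; }; <placeholder>"}
MARKED_CUSTOM = {**BENIGN, "X-Trace": "()\t{ :; }; <placeholder>"}
NO_SPACE = {**BENIGN, "Referer": "(){ :; }; <placeholder>"}

if __name__ == "__main__":
    samples = [("benign", BENIGN), ("user-agent", MARKED_UA),
               ("custom header", MARKED_CUSTOM), ("no whitespace", NO_SPACE)]
    for label, request in samples:
        print(f"{label:14} \\s+ -> {decide(request, RULE_POST)} "
              f"{offending_headers(request, RULE_POST)}  "
              f"\\s* -> {decide(request, RULE_COMMENT)}")
```

The benign request contains parentheses and braces in its User-Agent and Cookie values and still passes both patterns, which is the behaviour to confirm on a real server before enabling the rule site-wide.
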
27 September 2014, 19:37

Can we compile WebSocket support OUT of Hiawatha? We only want to run that standard server.

Is that possible?

27 September 2014, 19:40

Your UrlToolkit example does not work properly. It produces 403 for all requests.
27 September 2014, 19:44

Refer to my last comment. Do you mean?

UrlToolkit {
  ToolkitID = block_shellshock
  Header * \(\)\s*\{ DenyAccess
}

Hugo Leisink
27 September 2014, 19:57
@Marco: No, just don't configure a websocket. The rest of the webserver is still the same.

@Samiux: Yes, thanks for the feedback.
28 September 2014, 11:58
I wonder, does the UrlToolkit rule for countering shellshock need to be placed before any previous UrlToolkit? Like, UseToolkit = rewrite, block_shellshock

Or is it safe to place it afterwards? Like UseToolkit = block_shellshock, rewrite
Hugo Leisink
28 September 2014, 12:03
Since there is no use in rewriting URLs from requests you are about to block, use the block_shellshock rule first.
28 September 2014, 18:50
UrlToolkit is really a fine tool. I will use it on my Pi.
My OpenBSD has no bash.
Thanks for your idea!
2 October 2014, 11:42
Thanks for the websocket support!
I was one of those who asked for that feature in the past. I will start using these now but feedback may be slow due to very limited time on my side.