Hiawatha supports PHP, Perl, Python and Ruby. It is a lightweight, fast and secure web server.
Installation of Linux, Hiawatha, MySQL and PHP - LHMP
Step 0 - Install Ubuntu 9.10
Install Ubuntu 9.10 Server and OpenSSH. If your web application requires email, you should also install a mail server.
Make sure you have run the following commands at the terminal (or console).
sudo apt-get update
sudo apt-get upgrade
sudo apt-get dist-upgrade
If the kernel or kernel modules have been updated, you should reboot your computer/server.
Step 1 - Install PHP5 and MySQL
sudo apt-get install mysql-server mysql-client php5-cgi php5 php5-cli php5-mysql php5-curl php5-gd php5-idn php-pear php5-imagick php5-imap php5-mcrypt php5-memcache php5-mhash php5-ming php5-ps php5-pspell php5-recode php5-snmp php5-sqlite php5-tidy php5-xmlrpc php5-xsl
*Note : some modules will not be required, such as php5-sqlite and php5-snmp. If your web application requires them, make sure to install them.
Step 2 - Install Hiawatha
Download the current Hiawatha release, 6.19 at the time of writing.
sudo wget http://www.hiawatha-webserver.org/files/hiawatha-6.19.tar.gz
tar -xzvf hiawatha-6.19.tar.gz
cd hiawatha-6.19
Install the required dependencies.
sudo apt-get install libc6-dev libssl-dev dpkg-dev debhelper fakeroot libxml2-dev libxslt1-dev
In the hiawatha-6.19 directory, build the Hiawatha deb package.
./configure
make deb
The deb package will be created in your home directory, such as /home/samiux. You can install it now.
cd ..
For a 64-bit system :
sudo dpkg -i hiawatha_6.19_amd64.deb
For a 32-bit system :
sudo dpkg -i hiawatha_6.19_i386.deb
Step 3 - Configure PHP5
Edit php.ini.
sudo nano /etc/php5/cgi/php.ini
Make the following changes.
display_errors = Off
log_errors = On
allow_url_fopen = Off
safe_mode = On
expose_php = Off
enable_dl = Off
disable_functions = system, show_source, symlink, exec, dl, shell_exec, passthru, phpinfo, escapeshellarg, escapeshellcmd
*Note : some PHP applications may require safe_mode = Off.
Edit Hiawatha's php-fcgi.conf.
sudo nano /etc/hiawatha/php-fcgi.conf
Uncomment the following line.
Server = /usr/bin/php5-cgi ; 127.0.0.1:2005 ; www-data
Activate php-fcgi.
sudo php-fcgi -c /etc/hiawatha/php-fcgi.conf
If you make any change to php-fcgi.conf, make sure to restart it with the following commands.
sudo php-fcgi -k -c /etc/hiawatha/php-fcgi.conf
sudo php-fcgi -c /etc/hiawatha/php-fcgi.conf
Step 4 - Configure Hiawatha
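Before editing hiawatha.conf, the php.ini values set in Step 3 can be checked with a script such as the one below. It is an added example, not part of the original post: it reports the effective value of each directive (the last assignment in the file wins) and any function missing from disable_functions. The function names and the sample file contents are made up for the example.

```sh
# Added example, not the author's code: audit php.ini against Step 3's values.
fail() { echo "FAIL $*"; fails=$((fails + 1)); }

# Print the effective value of directive $2 in file $1: the last assignment
# wins, ";" comments are dropped, names are matched case-sensitively.
ini_get() {
    awk -v key="$2" '
        { sub(/;.*/, ""); eq = index($0, "="); if (eq == 0) next
          k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
          gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t"]+|[ \t"\r]+$/, "", v)
          if (k == key) { val = v; found = 1 } }
        END { print (found ? val : "unset") }' "$1"
}

# Normalise PHP boolean spellings (On/Yes/True/1, Off/No/False/None/0/empty).
norm_bool() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        on|yes|true|1) echo on ;;
        off|no|false|none|0|'') echo off ;;
        *) echo "$1" ;;
    esac
}

# Audit file $1: print one line per finding, return the number of findings.
audit_php_ini() {
    fails=0
    for want in display_errors=off log_errors=on allow_url_fopen=off \
                safe_mode=on expose_php=off enable_dl=off; do
        key=${want%%=*}; exp=${want#*=}
        got=$(norm_bool "$(ini_get "$1" "$key")")
        [ "$got" = "$exp" ] || fail "$key: want $exp, got $got"
    done
    disabled=",$(ini_get "$1" disable_functions | tr -d ' \t'),"
    for fn in system show_source symlink exec dl shell_exec passthru phpinfo \
              escapeshellarg escapeshellcmd; do
        case "$disabled" in *",$fn,"*) ;; *) fail "disable_functions: $fn not listed" ;; esac
    done
    return "$fails"
}

# Constructed sample: expose_php is re-enabled by a later line and exec is
# missing from disable_functions (shell_exec must not satisfy it): 2 findings.
make_sample() {
    printf '%s\n' 'display_errors = Off' 'log_errors = "On" ; quoted' \
        'allow_url_fopen = Off' 'safe_mode = On' 'expose_php = Off' 'enable_dl = 0' \
        'disable_functions = system,show_source, symlink, dl, shell_exec, passthru, phpinfo, escapeshellarg, escapeshellcmd' \
        'expose_php = On'
}
tmp=$(mktemp); make_sample > "$tmp"
audit_php_ini "$tmp" || echo "$? finding(s)"; rm -f "$tmp"
```

On the server, point audit_php_ini at /etc/php5/cgi/php.ini, the file edited in Step 3.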
Edit the file hiawatha.conf.
sudo nano /etc/hiawatha/hiawatha.conf
Uncomment ServerId at GENERAL SETTINGS.
ServerId = www-data
Add the following lines at GENERAL SETTINGS (Apache-compatible log file format).
LogFormat = extended
ExploitLogfile = /var/log/hiawatha/exploit.log
ServerString = Apache
CGIwrapper = /usr/sbin/cgi-wrapper
Uncomment the following entries at BINDING SETTINGS.
Binding {
Port = 80
MaxKeepAlive = 30
TimeForRequest = 3,20
}
Uncomment all the entries at BANNING SETTINGS.
BanOnGarbage = 300
BanOnMaxPerIP = 60
BanOnMaxReqSize = 300
KickOnBan = yes
RebanDuringBan = yes
BanOnSQLi = 60
BanOnFlooding = 10/1:15
BanlistMask = allow 192.168.0.0/24
*Note : Change BanlistMask to match your network.
Uncomment the php5-cgi and CGIextension lines.
CGIhandler = /usr/bin/perl:pl
CGIhandler = /usr/bin/php5-cgi:php
CGIhandler = /usr/bin/python:py
CGIhandler = /usr/bin/ruby:rb
CGIhandler = /usr/bin/ssi-cgi:shtml
CGIextension = cgi
Uncomment all the entries of FastCGIserver and change ConnectTo to 127.0.0.1:2005.
FastCGIserver {
FastCGIid = PHP5
ConnectTo = 127.0.0.1:2005
Extension = php, php5
SessionTimeout = 30
}
Optional - Create the following lines under URL TOOLKIT.
UrlToolkit {
ToolkitID = CMS_common
RequestURI isfile Return
RequestURI exists Return
Match ^/(favicon.ico|robots.txt|sitemap.xml)$ Return
Match .*\?(.*) Rewrite /index.php?$1
Match .* Rewrite /index.php
}
*Note : UrlToolkit is similar to Apache's mod_rewrite.
Create a VirtualHost for your site.
VirtualHost {
Hostname = samiux.blogspot.com
#Alias = /php_my_admin:/usr/share/phpmyadmin
WebsiteRoot = /var/www/blog
StartFile = index.php
AccessLogfile = /var/log/hiawatha/blog_access.log
ErrorLogfile = /var/log/hiawatha/blog_error.log
TimeForCGI = 5
#UseFastCGI = PHP5
UseToolkit = CMS_common
ExecuteCGI = yes
PreventCSRF = yes
PreventSQLi = yes
PreventXSS = yes
DenyBot = Googlebot:/
DenyBot = twiceler:/
DenyBot = MSNBot:/
DenyBot = yahoo:/
DenyBot = BaiDuSpider:/
DenyBot = Ask:/
DenyBot = Yahoo! Slurp:/
DenyBot = Sogou web spider:/
DenyBot = Sogou-Test-Spider:/
DenyBot = Baiduspider+:/
DenyBot = Yandex:/
DenyBot = UniversalFeedParser:/
DenyBot = Mediapartners-Google:/
DenyBot = Sosospider+:/
DenyBot = YoudaoBot:/
DenyBot = ParchBot:/
DenyBot = Curl:/
DenyBot = msnbot:/
DenyBot = NaverBot:/
DenyBot = taptubot:/
WrapCGI = jail
}
Configure cgi-wrapper.conf.
sudo nano /etc/hiawatha/cgi-wrapper.conf
Make changes to the file.
CGIhandler = /usr/bin/perl
CGIhandler = /usr/bin/php5-cgi
CGIhandler = /usr/bin/python
CGIhandler = /usr/bin/ruby
CGIhandler = /usr/bin/ssi-cgi
Wrap = jail ; /var/www ; www-data:www-data
*Note : DenyBot entries are optional. If you do not want spiders and bots to crawl your site, you should enable them. Those entries are examples only. UseToolkit is also optional.
Make sure /var/log/hiawatha/blog exists (example) and is owned by www-data. If not, set it as follows.
sudo chown -R www-data:www-data /var/log/hiawatha/blog
Restart Hiawatha.
sudo /etc/init.d/hiawatha restart
Now, make sure access.log and error.log are owned by www-data. If not, set them as follows.
sudo chown www-data:www-data /var/log/hiawatha/blog/*
Step 5 - Configure Apparmor (to make Hiawatha safer)
Create an AppArmor profile for Hiawatha.
sudo aa-genprof hiawatha
Edit the profile usr.sbin.hiawatha.
sudo nano /etc/apparmor.d/usr.sbin.hiawatha
Make the entries look like this.
# Last Modified: Thu Oct 1 10:00:57 2009
#include <tunables/global>
/usr/sbin/hiawatha {
#include <abstractions/base>
capability chown,
capability dac_override,
capability net_bind_service,
capability setgid,
capability setuid,
capability sys_chroot,
network inet tcp,
/bin/dash rix,
/etc/group r,
/etc/hiawatha/** r,
/etc/host.conf r,
/etc/hosts r,
/etc/mailname r,
/etc/nsswitch.conf r,
/etc/passwd r,
/etc/php5/cgi/php.ini r,
/etc/php5/conf.d/ r,
/etc/php5/conf.d/**.ini r,
/etc/phpmyadmin/** r,
/etc/postfix/**.cf r,
/etc/protocols r,
/etc/resolv.conf r,
/etc/services r,
/usr/bin/php5-cgi rix,
/usr/lib{,32,64}/** mr,
/usr/sbin/cgi-wrapper rix,
/usr/sbin/hiawatha mr,
/usr/sbin/postdrop rix,
/usr/sbin/sendmail rix,
/usr/share/dbconfig-common/** r,
/usr/share/file/magic.mime r,
/usr/share/mysql/charsets/Index.xml r,
/usr/share/phpmyadmin/ r,
/usr/share/phpmyadmin/** r,
/usr/share/zoneinfo/ r,
owner /var/lib/** rwk,
/var/lib/hiawatha/* rw,
/var/log/hiawatha/* r,
/var/log/hiawatha/** rw,
/var/run/hiawatha.pid rw,
owner /var/spool/postfix/maildrop/** rw,
/var/spool/postfix/public/pickup w,
/var/www/ r,
/var/www/** rw,
}
* This assumes you are using postfix.
Put the profile in enforce mode (active).
sudo aa-enforce hiawatha
If you have changed some settings, you should reload the profile.
sudo apparmor_parser -r < /etc/apparmor.d/usr.sbin.hiawatha
If you want to disable this profile.
sudo ln -s /etc/apparmor.d/usr.sbin.hiawatha /etc/apparmor.d/disable/
sudo apparmor_parser -R < /etc/apparmor.d/usr.sbin.hiawatha
If you want to re-enable this profile after it has been disabled.
sudo rm /etc/apparmor.d/disable/usr.sbin.hiawatha
sudo apparmor_parser -r < /etc/apparmor.d/usr.sbin.hiawatha
Step 6 - Improve the security of CGI-Wrapper
Now your Hiawatha is very secure, but I would like to make it more secure.
sudo apt-get install libcap2-bin
Apply capabilities to cgi-wrapper.
sudo chmod u-s /usr/sbin/cgi-wrapper
sudo setcap cap_setgid,cap_setuid+ep /usr/sbin/cgi-wrapper
The result of getcap :
sudo getcap /usr/sbin/cgi-wrapper
It will display :
/usr/sbin/cgi-wrapper = cap_setgid,cap_setuid+ep
Step 7 - logwatch configuration
LogWatch configuration as per Ubuntu 9.04
Known Issue
Alias does not work with this configuration so far.
That's all. See you!