, 2 min read

Set-Up Hiawatha Web-Server

Original post is here eklausmeier.goip.de/blog/2018/03-06-set-up-hiawatha-web-server.

I stumbled upon Hiawatha web-server when I read about a web-server for a houseboat by Ronald Scheckelhoff, WB8LZR. I had used Apache, thttpd, Lighttp, NGINX, and others before. Now I use Hiawatha web-server.

Hiawatha has three objectives, which are nicely met:

  1. Security: Hiawatha resisted Heartbleed and Slowloris attacks
  2. Ease of use: use the man-pages for configuring the web-server, no extensive Googling
  3. Lightweight on resources

Also see Hiawatha - the best webserver you've never heard of, or see Why I use Hiawatha Webserver.

The following diagram shows the number of source code lines using

wc `find . -iname \*.c -o -iname \*.h -o -iname \*akefile\* `

for each web-server.

Below configuration mostly follows the example configuration and provides Perl and PHP as CGI:

ServerId = http
ConnectionsTotal = 1000
ConnectionsPerIP = 25
SystemLogfile = /var/log/hiawatha/system.log
GarbageLogfile = /var/log/hiawatha/garbage.log

Binding {
        Port = 80
        MaxRequestSize = 1572864
        MaxUploadSize = 2047
        TimeForRequest = 90,180

CGIhandler = /usr/bin/perl:pl
CGIhandler = /usr/bin/php-cgi:php

Directory {
        DirectoryID = DownloadArea
        Path = /Download
        ShowIndex = yes

Directory {
        DirectoryID = WebPresence
        Path = /
        ExecuteCGI = yes

Hostname =
WebsiteRoot = /srv/http

VirtualHost {
        Hostname = www.eklausmeier.tk, eklausmeier.tk,, klm.no-ip.org, klm.ddns.net, edh.no-ip.org, edh.ddns.net, klmport.no-ip.org, borussia.no-ip.org
        WebsiteRoot = /srv/http
        FollowSymlinks = yes
        UseDirectory = WebPresence, DownloadArea

So I have a directory where Hiawatha shows a graphical representation of some files I can download. And it has an ordinary directory where I serve HTML and PHP files. I had to change MaxRequestSize and MaxUploadSize as I sometimes upload large chunks of data.

Since the 2014 Microsoft shotgun attack on No-IP.org I have many different DNS names to better withstand this vandalism.

Enabling GD for PHP is described here: php-gd -- just uncomment extension=gd.