docker.recipes

Hiawatha

intermediate

Security-focused web server with protection against common attacks.

Overview

Hiawatha is a security-focused web server developed by Hugo Leisink that prioritizes protection against common web attacks while maintaining a lightweight footprint. Originally designed for embedded systems and resource-constrained environments, Hiawatha includes built-in protection against XSS, CSRF, and SQL injection attacks without requiring additional modules or complex configurations. The web server features an integrated URL toolkit for URL rewriting similar to Apache's mod_rewrite, making it suitable for modern web applications requiring clean URLs and request routing.

This Docker configuration creates a hardened web server environment that combines Hiawatha's inherent security features with containerized deployment benefits. The setup includes persistent volume mounting for web content and configuration files, allowing for easy content management while maintaining security isolation.

Unlike traditional web servers that require extensive security hardening through third-party modules, Hiawatha provides enterprise-grade security features out of the box, making it particularly valuable for organizations that need secure web hosting without the complexity of configuring multiple security layers. This stack is ideal for security-conscious developers, embedded system deployments, and organizations running web applications in high-risk environments where attack prevention is critical.

Key Features

  • Built-in XSS protection that automatically filters malicious scripts from user input
  • CSRF attack prevention through token validation and referrer checking
  • SQL injection protection via input sanitization and query analysis
  • URL toolkit for advanced URL rewriting and request routing without external modules
  • Exploit logging system that tracks and reports attack attempts
  • Ban system that automatically blocks IP addresses after repeated attack attempts
  • CGI and FastCGI support with security sandboxing
  • SSL/TLS termination with modern cipher suite support and HTTP/2 compatibility

Common Use Cases

  • Hosting web applications in high-security environments where attack prevention is paramount
  • Deploying lightweight web servers on embedded systems or IoT devices with limited resources
  • Running development environments that need realistic security testing against common attacks
  • Serving static websites and SPAs that require clean URL routing without heavy server overhead
  • Creating security-hardened staging environments for penetration testing and vulnerability assessment
  • Hosting internal corporate applications where built-in security reduces compliance complexity
  • Deploying web servers in container orchestration environments where resource efficiency is critical

Prerequisites

  • Docker Engine 20.10+ and Docker Compose V2 for container orchestration support
  • Minimum 128MB RAM allocation for the Hiawatha container in production environments
  • Basic understanding of Hiawatha configuration syntax and directive structure
  • Knowledge of SSL certificate management for HTTPS configuration
  • Familiarity with web server log analysis for security monitoring
  • Understanding of firewall rules and port forwarding for external access on ports 80 and 443

For development & testing. Review security settings, change default credentials, and test thoroughly before production use.

docker-compose.yml

services:
  hiawatha:
    image: jgeusebroek/hiawatha:latest
    container_name: hiawatha
    restart: unless-stopped
    volumes:
      - ./html:/var/www/hiawatha:ro
      - ./hiawatha/hiawatha.conf:/etc/hiawatha/hiawatha.conf:ro
    ports:
      - "80:80"
      - "443:443"
    networks:
      - hiawatha-network

networks:
  hiawatha-network:
    driver: bridge

.env Template

# Hiawatha configuration

Usage Notes

  1. Docs: https://www.hiawatha-webserver.org/manpages/
  2. Security-focused: built-in XSS, CSRF, SQL injection protection
  3. URL toolkit for rewrites - similar to mod_rewrite
  4. Lightweight footprint - ideal for embedded or resource-limited systems
  5. Configure via /etc/hiawatha/hiawatha.conf
  6. Prevents common attacks out of the box without extra modules

Quick Start

# 1. Create the compose file
cat > docker-compose.yml << 'EOF'
services:
  hiawatha:
    image: jgeusebroek/hiawatha:latest
    container_name: hiawatha
    restart: unless-stopped
    volumes:
      - ./html:/var/www/hiawatha:ro
      - ./hiawatha/hiawatha.conf:/etc/hiawatha/hiawatha.conf:ro
    ports:
      - "80:80"
      - "443:443"
    networks:
      - hiawatha-network

networks:
  hiawatha-network:
    driver: bridge
EOF

# 2. Create the .env file
cat > .env << 'EOF'
# Hiawatha configuration
EOF

# 3. Start the services
docker compose up -d

# 4. View logs
docker compose logs -f
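
The Quick Start above never creates ./html or ./hiawatha/hiawatha.conf, and Docker creates a missing bind-mount source as an empty directory, so the container would find a directory where its config file should be. The following is an added example, not part of the original recipe, that prepares both paths; the function name `prepare_mounts`, the sample config values and the /var/log/hiawatha log paths are assumptions about the image.

```shell
#!/bin/sh
# Added example (hypothetical helper): create the bind-mount sources
# that docker-compose.yml expects before the first "docker compose up".
prepare_mounts() {
    base="${1:-.}"
    conf="$base/hiawatha/hiawatha.conf"

    # Docker creates a missing bind-mount source as a directory, which
    # leaves Hiawatha without a readable config. Stop if that happened.
    if [ -d "$conf" ]; then
        echo "error: $conf is a directory; remove it and re-run" >&2
        return 1
    fi

    mkdir -p "$base/html" "$base/hiawatha" || return 1
    [ -f "$base/html/index.html" ] ||
        echo '<!doctype html><title>Hiawatha</title>' > "$base/html/index.html"

    # Never overwrite a config the operator already wrote.
    [ -f "$conf" ] && return 0

    cat > "$conf" << 'EOF'
# Constructed sample config; log paths are assumed to exist in the image.
# Only port 80 is bound. HTTPS on 443 needs its own Binding with a
# certificate, which is not configured here.
ConnectionsTotal = 1000
ConnectionsPerIP = 25
SystemLogfile = /var/log/hiawatha/system.log
GarbageLogfile = /var/log/hiawatha/garbage.log
ExploitLogfile = /var/log/hiawatha/exploit.log

Binding {
    Port = 80
}

# Ban times in seconds: garbage requests, exceeding ConnectionsPerIP,
# and oversized requests.
BanOnGarbage = 300
BanOnMaxPerIP = 60
BanOnMaxReqSize = 300
KickOnBan = yes

# Default website; WebsiteRoot is the ./html mount target.
Hostname = 127.0.0.1
WebsiteRoot = /var/www/hiawatha
StartFile = index.html
AccessLogfile = /var/log/hiawatha/access.log
ErrorLogfile = /var/log/hiawatha/error.log
EOF
    chmod 644 "$conf"
}
```

Call `prepare_mounts .` in the recipe directory before step 3 of the Quick Start.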

One-Liner

This command downloads the recipe's setup script and pipes it directly to bash, setting up the recipe in one step:

curl -fsSL https://docker.recipes/api/recipes/hiawatha/run | bash

Troubleshooting

  • 403 Forbidden errors on valid requests: Check file permissions in ./html directory and ensure read access for container user
  • Configuration syntax errors preventing startup: Validate hiawatha.conf syntax using hiawatha -k command before container deployment
  • SSL certificate errors with HTTPS connections: Verify certificate paths in configuration and ensure proper certificate chain ordering
  • FastCGI or CGI scripts not executing: Confirm CGI-wrapper configuration and script execute permissions in mounted volumes
  • High memory usage despite lightweight claims: Review access logs for attack patterns triggering security modules and adjust ban thresholds
  • URL rewriting not working as expected: Debug URL toolkit rules using Hiawatha's test mode and verify rule order in configuration
