Import hiawatha-5.4

Hiawatha is a secure webserver for Unix. It has been written with 'being secure' as its main goal. Hiawatha has many security features that no other webserver has. Hiawatha does not have all the fancy features, but it is very secure and fast and is really easy to configure. Rootjail, run CGIs under any uid/gid you want, prevention of SQL injection and cross-site scripting, banning of clients who try such exploits and many other features make Hiawatha an interesting webserver for those who need more security than what the other available webservers are offering. ok steven@
2006-12-31 10:32:42 +00:00 · 2006-12-31 10:32:42 +00:00 · 9efd6b93ef
commit 9efd6b93ef
parent 50d152af49
10 changed files with 235 additions and 0 deletions
--- a/www/hiawatha/Makefile
+++ b/www/hiawatha/Makefile
@ -0,0 +1,43 @@
+# $OpenBSD: Makefile,v 1.1.1.1 2006/12/31 10:32:42 ajacoutot Exp $
+
+COMMENT=	"secure webserver"
+
+DISTNAME=	hiawatha-5.4
+CATEGORIES=	www net
+
+HOMEPAGE=	http://hiawatha.leisink.org
+
+MAINTAINER=	Antoine Jacoutot <ajacoutot@openbsd.org>
+
+# GPLv2
+PERMIT_PACKAGE_CDROM=	Yes
+PERMIT_PACKAGE_FTP=	Yes
+PERMIT_DISTFILES_CDROM= Yes
+PERMIT_DISTFILES_FTP=	Yes
+
+MASTER_SITES=	${HOMEPAGE}/files/
+
+WANTLIB=	c crypto pthread ssl
+
+WEBROOTDIR=	/var/hiawatha
+
+CONFIGURE_STYLE=gnu
+CONFIGURE_ENV=	webrootdir=${WEBROOTDIR}
+CONFIGURE_ARGS=	--localstatedir=/var
+
+pre-configure:
+	perl -pi -e 's,!!LOCALBASE!!,${LOCALBASE},g;' \
+		-e 's,!!SYSCONFDIR!!,${SYSCONFDIR},g' \
+		${WRKSRC}/etc/hiawatha/httpd.conf.in \
+		${WRKSRC}/etc/hiawatha/cgi_wrapper.conf \
+		${WRKSRC}/doc/cgi_wrapper.1 \
+		${WRKSRC}/doc/hiawatha.1
+
+post-install:
+	${INSTALL_DATA_DIR} ${PREFIX}/share/examples/hiawatha/
+	${INSTALL_DATA} ${WRKSRC}/etc/hiawatha/*.conf \
+		${PREFIX}/share/examples/hiawatha 
+	${INSTALL_DATA} ${WRKSRC}/doc/index.html \
+		${PREFIX}/share/examples/hiawatha 
+
+.include <bsd.port.mk>
--- a/www/hiawatha/distinfo
+++ b/www/hiawatha/distinfo
@ -0,0 +1,4 @@
+MD5 (hiawatha-5.4.tar.gz) = afabfddfd7525e95dbe893eacb1ee325
+RMD160 (hiawatha-5.4.tar.gz) = 370f138e3678abdfd5e03617f57b439c9b91b7c5
+SHA1 (hiawatha-5.4.tar.gz) = c98d91dd3b8ab18abc514e9ebe8506a3b12b3cc8
+SIZE (hiawatha-5.4.tar.gz) = 184894
--- a/www/hiawatha/patches/patch-Makefile_in
+++ b/www/hiawatha/patches/patch-Makefile_in
@ -0,0 +1,14 @@
+$OpenBSD: patch-Makefile_in,v 1.1.1.1 2006/12/31 10:32:42 ajacoutot Exp $
+--- Makefile.in.orig	Sat Dec 16 14:37:10 2006
+++ Makefile.in	Wed Dec 20 12:07:53 2006
+@@ -727,9 +727,8 @@ info: info-am
+ 
+ info-am:
+ 
+-install-data-am: install-logDATA install-man install-webrootDATA
+install-data-am: install-man
+ 	@$(NORMAL_INSTALL)
+-	$(MAKE) $(AM_MAKEFLAGS) install-data-hook
+ 
+ install-exec-am: install-sbinPROGRAMS
+ 
--- a/www/hiawatha/patches/patch-doc_cgi_wrapper_1
+++ b/www/hiawatha/patches/patch-doc_cgi_wrapper_1
@ -0,0 +1,12 @@
+$OpenBSD: patch-doc_cgi_wrapper_1,v 1.1.1.1 2006/12/31 10:32:42 ajacoutot Exp $
+--- doc/cgi_wrapper.1.orig	Wed Dec 20 14:42:36 2006
+++ doc/cgi_wrapper.1	Wed Dec 20 14:39:44 2006
+@@ -9,7 +9,7 @@ cgi_wrapper
+ The CGI wrapper is part of the Hiawatha webserver. See hiawatha(1) for more information about Hiawatha.
+ 
+ .SH CGI WRAPPER
+-The CGI wrapper can be used to run certain CGI programs with a different userid then Hiawatha's userid. It replaces the HostId option in previous versions. To function properly, the CGI wrapper binary needs the su-bit. To prevent abuse, it has the necessary security checks. As a result, the CGI wrapper can only be executed by Hiawatha. Via the configuration file (/etc/hiawatha/cgi_wrapper.conf), you can specify what the CGI wrapper is allowed to execute.
+The CGI wrapper can be used to run certain CGI programs with a different userid then Hiawatha's userid. It replaces the HostId option in previous versions. To function properly, the CGI wrapper binary needs the su-bit. To prevent abuse, it has the necessary security checks. As a result, the CGI wrapper can only be executed by Hiawatha. Via the configuration file (!!SYSCONFDIR!!/hiawatha/cgi_wrapper.conf), you can specify what the CGI wrapper is allowed to execute.
+ .br
+ 
+ The following options are available:
--- a/www/hiawatha/patches/patch-doc_hiawatha_1
+++ b/www/hiawatha/patches/patch-doc_hiawatha_1
@ -0,0 +1,76 @@
+$OpenBSD: patch-doc_hiawatha_1,v 1.1.1.1 2006/12/31 10:32:42 ajacoutot Exp $
+--- doc/hiawatha.1.orig	Thu Dec 28 13:27:50 2006
+++ doc/hiawatha.1	Fri Dec 29 07:25:00 2006
+@@ -21,7 +21,7 @@ hiawatha \- Advanced and secure webserve
+ Hiawatha is a secure webserver for Unix. It has been written with 'being secure' as its main goal. Hiawatha has lots of features that no other webserver has. This and the fact that Hiawatha's source code is free of security-bugs, makes Hiawatha the most secure webserver available.
+ .br
+ 
+-Hiawatha has been tested and runs perfectly on Linux, FreeBSD, MacOS X and Cygwin.
+Hiawatha has been tested and runs perfectly on Linux, {Open,Free}BSD, MacOS X and Cygwin.
+ 
+ .\" ==========[ Configuration files ]==========================================
+ .SH CONFIGURATION FILES
+@@ -151,7 +151,7 @@ Example: CGIhandler = /usr/bin/php4-cgi:
+ .B CGIwrapper = <CGI wrapper>
+ Specify the wrapper for CGI processes. A secure CGI wrapper is included in the Hiawatha package. See cgi_wrapper(1) for more information.
+ .br
+-Example: CGIwrapper = /usr/sbin/cgi_wrapper
+Example: CGIwrapper = !!LOCALBASE!!/sbin/cgi_wrapper
+ .TP
+ .B CommandChannel = <portnumber>,<password>
+ The port and the password for the CommandChannel. You can use telnet to connect to the CommandChannel. The password must be encrypted with the crypt(3) function. You can only connect to the CommandChannel from localhost. Type 'help' in the CommandChannel for more information. This feature must be switched on during compilation of Hiawatha.
+@@ -179,7 +179,7 @@ Example: GarbageLogfile = /var/log/hiawa
+ .B Include <filename>
+ Include another configurationfile.
+ .br
+-Example: Include /etc/hiawatha/hosts.conf
+Example: Include !!SYSCONFDIR!!/hiawatha/hosts.conf
+ .TP
+ .B KickOnBan = yes|no
+ Close all other connections that originate from the same IP in case of a ban.
+@@ -214,7 +214,7 @@ Default = /var/run/hiawatha.pid, example
+ .B ServerId = <userid>|<userid>:<groupid>[,<groupid>, ...]
+ The userid and groupid(s) the server will change to. If only a userid is specified, the groupid(s) will be looked up in /etc/passwd and /etc/group.
+ .br
+-Default = 65534:65534, example: ServerId = www-data
+Default = 579:579, example: ServerId = www-data
+ .TP
+ .B ServerKey = <SSL certificate file>
+ The file containing the SSL private key and certificate. These will be used for all SSL bindings that don't have their own certificate file. See ServerKey and UseSSL in the BINDING section.
+@@ -566,13 +566,13 @@ and
+ .B StartFile
+ 
+ .SH MIMETYPES
+-Specify the mimetypes of files in /etc/hiawatha/mimetypes.conf.
+Specify the mimetypes of files in !!SYSCONFDIR!!/hiawatha/mimetypes.conf.
+ .TP
+ .B <mimetype> <extension> [<extension> ...]
+ Example: image/jpeg jpg jpeg
+ 
+ .SH CONTROL UPLOADSPEED
+-The uploadspeed of some files can be controled via /etc/hiawatha/throttle.conf.
+The uploadspeed of some files can be controled via !!SYSCONFDIR!!/hiawatha/throttle.conf.
+ .TP
+ .B <main-mimetype>/[<sub-mimetype>]:<uploadspeed in kB/s>
+ Example: audio/mpeg:30  or  video/:30
+@@ -599,15 +599,15 @@ Will unban all clients.
+ Will disconnect all clients.
+ 
+ .SH FILES
+-.B /usr/sbin/hiawatha
+.B !!LOCALBASE!!/sbin/hiawatha
+ .br
+-.B /etc/hiawatha/httpd.conf
+.B !!SYSCONFDIR!!/hiawatha/httpd.conf
+ .br
+-.B /etc/hiawatha/mime.types
+.B !!SYSCONFDIR!!/hiawatha/mime.types
+ .br
+-.B /etc/hiawatha/throttle.conf
+.B !!SYSCONFDIR!!/hiawatha/throttle.conf
+ .br
+-.B /etc/hiawatha/cgi_wrapper.conf
+.B !!SYSCONFDIR!!/hiawatha/cgi_wrapper.conf
+ 
+ .SH SEE ALSO
+ cgi_wrapper(1)
--- a/www/hiawatha/patches/patch-etc_hiawatha_cgi_wrapper_conf
+++ b/www/hiawatha/patches/patch-etc_hiawatha_cgi_wrapper_conf
@ -0,0 +1,12 @@
+$OpenBSD: patch-etc_hiawatha_cgi_wrapper_conf,v 1.1.1.1 2006/12/31 10:32:42 ajacoutot Exp $
+--- etc/hiawatha/cgi_wrapper.conf.orig	Wed Dec 20 14:27:46 2006
+++ etc/hiawatha/cgi_wrapper.conf	Wed Dec 20 14:28:20 2006
+@@ -2,7 +2,7 @@
+ 
+ # CGIhandler = /path/to/cgihandler
+ #
+-#CGIhandler = /usr/bin/php4-cgi
+#CGIhandler = !!LOCALBASE!!/bin/php
+ #CGIhandler = /usr/bin/perl
+ 
+ # Wrap = <wrap-id>:<cgiroot>:<userid>[:<group>]
--- a/www/hiawatha/patches/patch-etc_hiawatha_httpd_conf_in
+++ b/www/hiawatha/patches/patch-etc_hiawatha_httpd_conf_in
@ -0,0 +1,20 @@
+$OpenBSD: patch-etc_hiawatha_httpd_conf_in,v 1.1.1.1 2006/12/31 10:32:42 ajacoutot Exp $
+--- etc/hiawatha/httpd.conf.in.orig	Thu Dec  7 11:11:51 2006
+++ etc/hiawatha/httpd.conf.in	Wed Dec 20 14:57:37 2006
+@@ -7,13 +7,13 @@ Binding {
+ #	TimeForRequest = 3,20
+ }
+ 
+-ServerId = 33:33
+ServerId = _hiawatha:_hiawatha
+ ConnectionsTotal = 150
+ ConnectionsPerIP = 10
+ SystemLogfile = @logdir@/system.log
+-#CGIhandler = /usr/bin/php4-cgi:php
+#CGIhandler = !!LOCALBASE!!/bin/php:php
+ #CGIhandler = /usr/bin/perl:pl
+-#CGIhandler = /usr/bin/python:py
+#CGIhandler = !!LOCALBASE!!/bin/python:py
+ #TimeForCGI = 5
+ #BanOnMaxPerIP = 2
+ 
--- a/www/hiawatha/patches/patch-serverconfig_c
+++ b/www/hiawatha/patches/patch-serverconfig_c
@ -0,0 +1,23 @@
+$OpenBSD: patch-serverconfig_c,v 1.1.1.1 2006/12/31 10:32:42 ajacoutot Exp $
+--- serverconfig.c.orig	Sun Dec 24 13:08:08 2006
+++ serverconfig.c	Thu Dec 28 07:39:33 2006
+@@ -19,7 +19,7 @@
+ #define mc_NO_BINDING    -5
+ #define mc_REQUIRE       -6
+ 
+-#define id_NOBODY 65534
+#define id_HIAWATHA 579
+ 
+ enum t_section { syntax_error = -1, none, binding, virtualhost, directory, fcgi_server };
+ enum t_section_type { tag, bracket, end };
+@@ -171,8 +171,8 @@ t_config *default_config(void) {
+ #endif
+ 
+ 		config->server_root        = NULL;
+-		config->server_uid         = (uid_t)id_NOBODY;
+-		config->server_gid         = (gid_t)id_NOBODY;
+		config->server_uid         = (uid_t)id_HIAWATHA;
+		config->server_gid         = (gid_t)id_HIAWATHA;
+ 		config->server_string      = "Hiawatha v"VERSION;
+ 		config->groups.number      = 0;
+ 		config->groups.array       = NULL;
--- a/www/hiawatha/pkg/DESCR
+++ b/www/hiawatha/pkg/DESCR
@ -0,0 +1,9 @@
+Hiawatha is a secure webserver for Unix. It has been written with 'being
+secure' as its main goal.  Hiawatha has many security features that no
+other webserver has.
+Hiawatha does not have all the fancy features, but it is very secure and
+fast and is really easy to configure.  Rootjail, run CGIs under any
+uid/gid you want, prevention of SQL injection and cross-site scripting,
+banning of clients who try such exploits and many other features make
+Hiawatha an interesting webserver for those who need more security than
+what the other available webservers are offering.
--- a/www/hiawatha/pkg/PLIST
+++ b/www/hiawatha/pkg/PLIST
@ -0,0 +1,22 @@
+@comment $OpenBSD: PLIST,v 1.1.1.1 2006/12/31 10:32:42 ajacoutot Exp $
+@newgroup _hiawatha:579
+@newuser _hiawatha:579:579:daemon:Hiawatha HTTP Server:/nonexistent:/sbin/nologin
+@man man/man1/cgi_wrapper.1
+@man man/man1/hiawatha.1
+sbin/cgi_wrapper
+sbin/hiawatha
+sbin/wigwam
+share/examples/hiawatha/
+@sample ${SYSCONFDIR}/hiawatha/
+share/examples/hiawatha/cgi_wrapper.conf
+@sample ${SYSCONFDIR}/hiawatha/cgi_wrapper.conf
+share/examples/hiawatha/httpd.conf
+@sample ${SYSCONFDIR}/hiawatha/httpd.conf
+@sample /var/hiawatha/
+share/examples/hiawatha/index.html
+@sample /var/hiawatha/index.html
+share/examples/hiawatha/mimetype.conf
+@sample ${SYSCONFDIR}/hiawatha/mimetype.conf
+share/examples/hiawatha/throttle.conf
+@sample ${SYSCONFDIR}/hiawatha/throttle.conf
+@sample /var/log/hiawatha/