What's new in Hiawatha 10.3
Jun 27, 2016
- PreventCSRF, PreventSQLi and PreventXSS improved.
- Prevention of MySQL data mining via SQL injection. Thanks to Esmaeil Rahimian .
- Added revoke option to Let's Encrypt script.
- Hiawatha ignores RequireTLS for Let's Encrypt authentication requests.
- Small bugfixes and improvements.
- Bugfix: possible HTTP request pipelining error after CSRF prevented.
New in Hiawatha 10.2 (Jun 27, 2016)
- Added Let's Encrypt script (see extra/letsencrypt).
- Added support for requesting Let's Encrypt certificates (see AccessList and PasswordFile settings in manual page).
- Small improvements.
- Bugfix: HideProxy not working for Forwarded header.
New in Hiawatha 10.1 (Jun 27, 2016)
- Added Extensions setting.
- Added support for X-Sendfile header.
- mbed TLS updated to 2.2.1.
- Improved SQL injection detection.
- Small bugfixes and improvements.
New in Hiawatha 10.0 (Jun 27, 2016)
- Usage of Directory sections changed.
- Added support for RFC 5785.
- Added support for GZip compression. Removed the UseGZfile option.
- Added ECDSA support for TLS 1.0 and TLS 1.1.
- Replaced UrlToolkit Expire option with ExpirePeriod in Directory section.
- Replaced IgnoreDotHiawatha option with UseLocalConfig.
- Removed the VolatileObject option.
- Improved SQL injection detection.
- mbed TLS updated to 2.2.0.
- Small improvements.
New in Hiawatha 10.0 Beta (Nov 13, 2015)
- Usage of Directory sections changed.
- Added support for RFC 5785.
- Added support for GZip compression. Removed the UseGZfile option.
- Added ECDSA support for TLS 1.0 and TLS 1.1.
- Replaced UrlToolkit Expire option with ExpirePeriod in Directory section.
- Replaced IgnoreDotHiawatha option with UseLocalConfig.
- Removed the VolatileObject option.
- Improved SQL injection detection.
- mbed TLS updated to 2.2.0.
New in Hiawatha 9.14 (Aug 15, 2015)
- mbed TLS updated to 2.0.0.
- Small bug fixes.
- Bug fix: crash when sending very large request to FastCGI server.
New in Hiawatha 9.13 (May 12, 2015)
- Renamed SSLcertFile to TLScertFile.
- Renamed RequireSSL to RequireTLS.
- Renamed SSL_* CGI environment variables to TLS_*.
- Renamed UrlToolkit option UseSSL to UseTLS.
- Replaced MinSSLversion by MinTLSversion.
- LogTimeouts option added.
- Added 'skip directories' parameter to reverse proxy.
- Failed logins sent to Hiawatha Monitor.
- Small bugfix and improvements.
New in Hiawatha 9.5 (Apr 24, 2014)
- Added support for CGI statistics in Hiawatha Monitor.
- MonitorRequests and MonitorStatsInterval option removed.
- Added support for Origin HTTP header to prevent CSRF.
- EnforceFirstHostname option added.
- ScriptAlias option added.
- PolarSSL updated to version 1.3.6.
- Dropped support for PolarSSL 1.2.
New in Hiawatha 9.2 (Jun 24, 2013)
- Added support for compiling Hiawatha against the system's default version (>=1.2.0) of the PolarSSL library.
- PolarSSL updated to version 1.2.8.
- Small bugfixes (memory leaks in error situations).
- Bugfix: virtual hostname selection for IPv6 with non-standard port.
New in Hiawatha 9.1 (Apr 16, 2013)
- FileHashes option added.
- PolarSSL updated to version 1.2.7. Enabled ciphersuite selection based on protocol version.
- Enabled accf_http support for FreeBSD. Thanks to Martin Tournoij.
- Better handling of previous installed configuration files under MacOS X. Thanks to Sander Niemeijer.
- ImageReferer option removed.
- Bugfix: incorrect BanOnFlooding behavior.
- Small improvements.
New in Hiawatha 9.0 (Mar 28, 2013)
- Clients handled via thread pool instead of creating threads on the fly.
- ThreadPoolSize option added.
- Header option added to URL Toolkit.
- Improved client SSL certificate handling. Environment variables renamed.
- PolarSSL updated to version 1.2.6.
- Improved Reverse Proxy caching support for requests with URL parameters.
- CacheMinFilesize option removed.
- DenyBot option removed. Use UrlToolkit's Header option instead.
- OldBrowser option removed from URL Toolkit. Use Header option instead.
- Improved UrlToolkit rule testing in wigwam.
- Small bugfixes and improvements.
New in Hiawatha 8.8 (Feb 21, 2013)
- Caching for Reverse Proxy. CacheRProxyExtensions option added.
- Basic HTTP authentication now supports the glibc2 version of crypt().
- Hostname in ImageReferer can now contain a wildcard.
- DenyBody matching is now case insensitive.
- PolarSSL updated to version 1.2.5.
- Small improvements.
New in Hiawatha 8.7 (Jan 10, 2013)
- Support for HTTP Strict Transport Security (RFC 6797). Integrated in RequireSSL option.
- DHsize option added.
- PolarSSL updated to version 1.2.3.
- CloudFlare headers placed in environment variables.
- Removed php-fcgi.
- Small improvements.
- Bugfix: slow page loading via Reverse Proxy.
New in Hiawatha 8.6 (Nov 2, 2012)
- PolarSSL updated to version 1.2. Added support for TLS 1.2 and secure renegotiation.
- Added support for Server Name Indication.
- MinSSLversion option added.
- ServerRoot option removed.
- Improved MacOS X package building script.
- Marked php-fcgi as deprecated. Use php-fpm instead.
- Small bugfixes and improvements.
New in Hiawatha 8.5 (Sep 10, 2012)
- Improved Reverse Proxy.
- Changed error message style.
- Renamed Command Channel to Tomahawk.
- Return 403 instead of 401 upon correct password for HTTP authentication but user not in right group.
- Small improvements.
- Bugfix: replaced select() with poll() to prevent crashes in case of large amount of simultaneous connections. Thanks to Peter Bex.
New in Hiawatha 8.4 (Jun 9, 2012)
- MaxServerLoad option added.
- Bugfix: invalid reverse proxy request when URL parameters are present.
- PolarSSL updated to version 1.1.4.
- Small bugfixes and improvements.
New in Hiawatha 8.3.2 (Jun 5, 2012)
- Bugfix: memory leak in SSL library.
New in Hiawatha 8.2 (May 3, 2012)
- WebDAVapp option added. Enables support for WebDAV applications like ownCloud (http://owncloud.org/).
- Removed support for the OPTIONS method.
- AllowDotFiles option added.
- Global forks setting in php-fcgi.conf moved to Server setting.
- Small bug fixes and improvements.
New in Hiawatha 8.1 (Feb 27, 2012)
- BanOnInvalidURL option added.
- PolarSSL updated to version 1.1.1.
- Small improvements in Windows packaging script.
- Bug fix: paths missing in default values and examples in manual pages.
New in Hiawatha 8.0 (Feb 6, 2012)
- Replaced Autoconf with CMake. Many thanks to Sander Niemeijer.
- Replaced OpenSSL with PolarSSL. Many thanks to Paul Bakker.
- AllowedCiphers and DHparameters options removed.
- Added IE7 to UrlToolkit's OldBrowser list, removed IE5.
- MaxUrlLength option added, can return 414 Request-URI Too Long.
- Changed default value of TriggerOnCGIstatus to 'no'.
- Equalized format of logfiles.
- Extra checks added to php-fcgi.
- Small improvements.
New in Hiawatha 7.8.1 (Nov 12, 2011)
- Small improvements.
- Bugfix: null byte in HTTP header of cached CGI content.
New in Hiawatha 7.8 (Nov 1, 2011)
- Control CGI output cache via X-Hiawatha-Cache and X-Hiawatha-Cache-Remove CGI headers. See the CGI OUTPUT CACHE section in the manual page.
- BanOnWrongPassword now also triggers on wrong username.
- Small improvements.
- Bug fix: timeout issue with large POST requests on SSL connections.
New in Hiawatha 7.7 (Oct 6, 2011)
- First parameter of Alias can now contain subdirectories.
- Improved stability for connections with SSL client authentication.
- Bugfix: BanOnFlooding was broken.
New in Hiawatha 7.6 (Aug 22, 2011)
- PreventSQLi option rewritten.
New in Hiawatha 7.5 (May 31, 2011)
- OldBrowser option added to URL toolkit.
- Improved mimetype configuration.
- Do-not-track HTTP header support.
- Password file entries can now be created with Wigwam.
- Small bugfixes and improvements.
- Bugfix: sent one byte too few for Range -XX.
- Bugfix: possible crash when using PreventSQLi.
New in Hiawatha 7.4 (Nov 9, 2010)
- Connections per IP added to RequestLimitMask.
- NoExtensionAs made a per-host setting.
- Small bugfixes and improvements.
- Bugfix: usage of HideProxy caused Hiawatha to refuse new connections after ConnectionsTotal connections.
- Bugfix: memory leak in XSLT module.
New in Hiawatha 7.3 (Jun 7, 2010)
- RequestLimitMask option added.
- URL parameters for ErrorHandler.
- Support for Haiku OS.
- Small security bugfixes.
New in Hiawatha 7.2 (Apr 22, 2010)
- URL toolkit code restructured.
- UseSSL option added to URL toolkit.
- Digest HTTP authentication works with htdigest(1) created password files.
- Small improvements.
New in Hiawatha 7.1 (Mar 29, 2010)
- Small bugfixes.
- Bugfix: deny access and redirect result via toolkit subroutine.
- Bugfix: broken flooding protection.
New in Hiawatha 7.0 (Feb 15, 2010)
- Remote Monitoring support. MonitorServer, MonitorRequests and MonitorStatsInterval options added.
- IPv6 support for Windows version, due to IPv6 support in Cygwin 1.7.
- XSLT support turned on by default.
- All directory listings are done via XSLT. The internal index layout has been removed. IndexStyle option removed.
- ServerRoot option has been made available via configure parameter.
- Small improvements.
New in Hiawatha 6.19 (Dec 7, 2009)
- Expire option added to URL toolkit.
- HideProxy option added.
- UNIX socket support for connections to FastCGI daemons.
- ExploitLogfile option added.
- Small bugfixes.
New in Hiawatha 6.17.1 (Sep 7, 2009)
- Bugfix: possible crash due to bug in log.c
New in Hiawatha 6.17 (Aug 31, 2009)
- Directory index via XSLT.
- Small bugfixes and improvements.
- Bugfix: incorrect SCRIPT_NAME value with PathInfo.
New in Hiawatha 6.14 (Jun 4, 2009)
- Platform independent read-timeout handlers.
- RequiredCA option added.
- UseSSL option removed, ServerKey option renamed to UseSSL and made available only in Binding section.
- Small bugfixes and improvements.
- Bugfix: fork-mutex issue when executing CGI.
New in Hiawatha 6.13 (May 7, 2009)
- LSB style header added to init script.
- SSL initialization improved for cross compiling.
- Change in signal handling (HUP and USR2 signal).
- Small bugfixes and improvements.
- Bugfix: incorrect MD5 hashing on 64bit machines.
New in Hiawatha 6.12 (Mar 30, 2009)
- Compile errors under the latest Ubuntu release fixed.
- Small bugfixes and improvements.
New in Hiawatha 6.11 (Dec 29, 2008)
- Duplicate hostname check included in Wigwam.
- All HTTP headers starting with X- are added to CGI environment and set as XSLT parameter.
- Non-present HTTP/CGI variable set as empty XSLT parameter.
- Bugfix: toolkit's FastCGI setting issues.
- Small bugfixes and improvements.
New in Hiawatha 6.10 (Oct 30, 2008)
- Prevention of cross-site request forgery. PreventCSRF option added.
- A start and stop preference pane has been added to the MacOS X package.
- A new dedicated website for Hiawatha has been launched. Please, visit http://www.hiawatha-webserver.org/. The welcome webpage inside the package has been updated to match the new design.
- Small bugfixes and improvements.
New in Hiawatha 6.9 (Oct 14, 2008)
- NoExtensionAs option added.
- Tool added to the Windows package to start Hiawatha as a service under Windows (see Installation.txt in Windows package for more information).
- Small bugfixes and improvements.
- Bugfix: URL encoding of links in directory listing.
New in Hiawatha 6.8 (Jul 23, 2008)
- XSLT parameter support.
- 'URL rewriting' has been renamed to 'URL toolkit' (because rewriting is just one of the four options of this feature).
- FastCGI option added to URL toolkit.
- WaitForCGI option added.
- Small bugfixes and improvements.
New in Hiawatha 6.7 (May 29, 2008)
- BanOnWrongPassword option added.
- Workaround to handle non-compliant CGI headers.
- Updated Debian package building files.
- Small bugfixes and improvements.
New in Hiawatha 6.6 (Apr 29, 2008)
- XSLT support (compile with --enable-xslt).
- Bugfix: possible crash when using HTTPS.
New in Hiawatha 6.5 (Mar 14, 2008)
- Small bugfixes and improvements.
- Bugfix: integer overflow in str2int().
- Bugfix: compile error with --disable-ssl.