Guide to running Concrete5 on the Hiawatha Webserver.

Permalink 1 user found helpful

This is a guide to running Concrete5 on the Hiawatha Webserver.

According to it's developer, Hugo Leisink, “Hiawatha is an open source webserver with a focus on security.” Hugo self proclaims the server as, “The world's most secure and advanced webserver.” Hiawatha has been independently audited for security. What I like about Hiawatha, in addition to it's security focus, is that it is lightweight and easy to setup. I am the package maintainer for Hiawatha in the Arch Linux AUR. A nice feature summary may be found at

Here's how I setup Concrete5 using Hiawatha. It was very easy, but requires some specific settings changes. I address the Hiawatha specific parts of the installation. I do not address database setup or other Concrete5 issues whose answers may be found in the installation materials.

First, you need to make some changes to your php.ini as follows:

cgi.rfc2616_headers = 1

Hiawatha is compliant with the standard when when sending HTTP response codes. However, your php.ini is probably set to “cgi.rfc2616_headers = 0” because the default defers to Apache's non standard approach.

# Enable GZip content encoding
zlib.output_compression = On
zlib.output_compression_level = 6
# Security settings
expose_php = Off
display_errors = Off
register_globals = Off
magic_quotes_gpc = Off
allow_url_include = Off

Assuming that you enabled the other PHP settings required by Concrete5, you can move to the Hiawatha Webserver configuration.

Configuration is very easy. Previously Hiawatha had its own fast cgi daemon called php-fcgi. This has been deprecated in favor of the php-fpm ( ). you will need to install php-fpm separately. We'll start by configuring Hiawatha's fast cgi capabilities. You will need to edit two files, php-fpm.conf and hiawatha.conf. You must set the TCP or unix socket in your php-fpm.conf file and then refer to that socket in your hiawatha.conf file.

Please refer to the php-fpm documentation for its configuration details.

Now let's edit hiawatha.conf. First, we'll create a reference to our fast cgi server, php-fpm within the configuration. In the following example, we use a unix socket. If it does not already exist, create a section in hiawatha.conf as follows:

# ACTIVATE a FastCGI server for php
FastCGIserver {
    FastCGIid = PHP5
#   ConnectTo =
    ConnectTo = /run/php-fpm/php-fpm.sock
    Extension = php
    SessionTimeout = 30

The “FastCGIid” is just a name that will be later used to access the php-fgci server. Make sure that the “ConnectTo” references the server that you identified in php-fcgi.conf. We have now completed all of the setup to allow our website to utilize php-fpm.

Let's configure the web site. You can use the default website or a virtual host. In Hiawatha the settings for the default website are in the root of the config file, while virtual servers are set up in braces like the above block for the “FastCGIserver”. For example, setting the “WebsiteRoot” for the default server uses the syntax:

WebsiteRoot = /srv/http/concrete5

While a virtual server uses:
VirtualHost {
    WebsiteRoot = /srv/http/concrete5

I'll use the virtual server syntax, but the parameters are the same. Let's set up our virtual host for Concrete5. The parameters are mostly self explanatory. I'll review the exceptions.

# Concrete Admin Site
VirtualHost {
    WebsiteRoot = /srv/http/concrete5
    Hostname =
    AccessLogfile = /var/log/hiawatha/concrete5/access.log
    ErrorLogfile = /var/log/hiawatha/concrete5/error.log
    StartFile = index.php
    UseFastCGI = PHP5
    EnablePathInfo = yes
    TriggerOnCGIstatus = false
    TimeForCGI = 30
    UseToolkit = concrete5

Make sure that your log file paths exist and that all directory permissions are correct for the hiawatha user in the “ServerId” parameter in hiawatha.conf.

Note the parameter “UseFastCGI = PHP5” This tells the host to use the php-fcgi server that we configured with the name PHP5 in this same file, hiawatha.conf.

“TimeForCGI = 30
” sets the timeout for waiting for php-fcgi scripts to complete. Set this to whatever suits the needs of your site.

“TriggerOnCGIstatus = false
” was, if I correctly recall, required to prevent errors during the Concrete5 install; I have not found it necessary once the site was up and running.

“UseToolkit = concrete5” is related to URL rewriting. You will need this if you choose to use pretty urls in Concrete5. Concrete5's admin panel contains a setting for activating pretty urls, and, when selected, it provides code to add to Apache's .htaccess file. However, Hiawatha does not use .htaccess to rewrite urls. Instead it uses it's own “URL Toolkit”. So, to use pretty urls in hiawatha you need to create a url toolkit entry in hiawatha.conf. In the above example, the url toolkit must be named “concrete5”. Let's build it:

UrlToolkit {
        ToolkitID = concrete5
        RequestURI exists Exit
        # The above directive is equivalent to the two following directives
        #RequestURI isfile Exit
        #RequestURI isdir Exit
         Match ^(.*)$ Rewrite /index.php$1

That's not too different from the .htaccess directives, but it is part of the server configuration.

We're almost there, but there are some global server configuration parameters that you need to address. First is the parameter, “MaxRequestSize”, which is part of the binding section in hiawatha.conf. When you upload images through the admin panel in Concrete5, “HTTP GET” is used. “MaxRequestSize” identifies The maximum size of a request in kilobytes that the webserver is allowed to receive, not including PUT requests. So the “MaxRequestSize” parameter must be as big as the largest file that you allow to be imported; Concrete will go out to lunch if you try to import something that exceeds the size of this parameter, so be aware! Hiawatha has another parameter, “MaxUploadSize”, that sets the maximum size of a PUT request.

Binding {
   Port = 80
          #MaxKeepAlive = 30
          # TimeForRequest = 3,20
          # The Following added to import graphics into concrete
          MaxRequestSize = 1024

Note that your “MaxUploadSize” setting in Hiawatha must be consistent with PHP's upload_max_filesize, memory_limit and post_max_size parameters.

Hiawatha has many security features not typically found in other servers. One such feature is banning. Be sure to disable any banning features in hiawatha.conf until your system is working and you understand their impact. You could easily think that Concrete was not working when, in reality, the server has banned you for one reason or another. It's not uncommon to find yourself banned during installation and testing, when you tend to be doing things out of the ordinary.

Concrete5 should be up and running on Hiawatha Webserver. Following is a typical complete hiawatha.conf.

# Hiawatha main configuration file
ServerId = http
ConnectionsTotal = 150
ConnectionsPerIP = 10
SystemLogfile = /var/log/hiawatha/system.log
GarbageLogfile = /var/log/hiawatha/garbage.log
ExploitLogfile = /var/log/hiawatha/exploit.log
# A binding is where a client can connect to.
Binding {
   Port = 80
#   MaxKeepAlive = 30
#   TimeForRequest = 3,20

View Replies: