Forum

I installed Hiawatha on my CHIP, running debian stretch, MariaDB from debian repos + PHP7 and then wordpress. Basicly i followed this guide:

https://www.htpcguides.com/install-php7-nginx-mariadb-wordpress-debian-jessie/

except for webserver I chose to use Hiawatha. Everything seems to work fine but when I enter my server to complete Wordpress installation I'm stuck immediately at "the famous 5min installation process". Basicly I get the welcome screen and select language and after that I can set title, username, password, email... But when trying to go forward to next step I always get message:

Please provide a valid username.

Is this because of some server settings, permission settings or wordpress problem? I have found similar issues by search but no solution yet. Can you help me forward?

And here's my hiawatha.conf file (note this is my first time ever server setup, soatm I just leaved lot commented out, don't know yet what will be final setup. Also this is intentionally LAN usage atm, no available at internet yet). Folder permissions are setted as the guide linked at first post.

# Hiawatha main configuration file
#

# VARIABLES
# With 'set', you can declare a variable. Make sure the name of the
# variable doesn't conflict with any of the configuration options.
# The variables are case-sensitive and cannot be redeclared.
#
#set LOCALHOST = 127.0.0.0/8


# GENERAL SETTINGS
#
ServerId = www-data
ConnectionsTotal = 1000
ConnectionsPerIP = 25
SystemLogfile = /var/log/hiawatha/system.log
GarbageLogfile = /var/log/hiawatha/garbage.log
ExploitLogfile = /var/log/hiawatha/exloit.log
ThreadKillRate = 3


# BINDING SETTINGS
# A binding is where a client can connect to.
#
Binding {
        Port = 80
}
#
Binding {
        Port = 203
        BindingID = port_203
}

#Binding {
#       TLScertFile = tls/hiawatha.pem
#       Interface = 127.0.0.1
#       MaxRequestSize = 2048
#       TimeForRequest = 30
#}


# BANNING SETTINGS
# Deny service to clients who misbehave.
#
#
BanOnGarbage = 300
BanOnMaxPerIP = 60
BanOnMaxReqSize = 300
KickOnBan = yes
RebanDuringBan = yes


# COMMON GATEWAY INTERFACE (CGI) SETTINGS
# These settings can be used to run CGI applications.
#
#CGIhandler = /usr/bin/perl:pl
CGIhandler = /usr/bin/php-cgi:php
#CGIhandler = /usr/bin/python:py
#CGIhandler = /usr/bin/ruby:rb
#CGIhandler = /usr/bin/ssi-cgi:shtml
#CGIextension = cgi
#
FastCGIserver {
        FastCGIid = PHP7
        ConnectTo = /run/php/php7.0-fpm.sock
        Extension = php
}


# URL TOOLKIT
# This URL toolkit rule was made for the Banshee PHP framework,
# which can be downloaded from http://www.banshee-php.org/
#
UrlToolkit {
        ToolkitID = wordpress
        RequestURI exists Return
        Match ^/(css|files|fonts|images|js)($|/) Return
        Match ^/(favicon.ico|robots.txt)$ Return
        Match [^?]*(\?.*)? Rewrite /index.php$1
}


# DIRECTORY SETTINGS
# You can specify some settings per directory.
#

Directory {
        DirectoryID = assets
        Path = /
        Extensions = css, js, png, webp, jpg, pdf, woff, woff2
        ExpirePeriod = 2 weeks, public
}

# DEFAULT WEBSITE
# It is wise to use your IP address as the hostname of the default website
# and give it a blank webpage. By doing so, automated webscanners won't find
# your possible vulnerable website.
#
Hostname = 127.0.0.1
WebsiteRoot = /var/www/hiawatha
StartFile = index.html
AccessLogfile = /var/log/hiawatha/access.log
ErrorLogfile = /var/log/hiawatha/error.log


# VIRTUAL HOSTS
# Use a VirtualHost section for each website you want to host.
#
VirtualHost {
        Hostname = 192.168.1.203
        WebsiteRoot = /var/www/wordpress
        RequiredBinding = port_203
        StartFile = index.php
        AccessLogfile = /var/www/wordpress/logs/access.log
        ErrorLogfile = /var/www/wordpress/logs/error.log
        TimeForCGI = 5
        UseFastCGI = PHP7
        UseToolkit = wordpress
        UseDirectory = assets
        ShowIndex = no
        TimeForCGI = 10
        UseFastCGI = PHP7
        CustomHeader = Vary: Accept-Encoding
        CustomHeader = X-Frame-Options: sameorigin
        PreventXSS = yes
        PreventCSRF = yes
        PreventSQLi = yes
}

Try the installation without the PreventXSS, -CSRF and -SQLi options.

Thanks!

That did the trick, but seems that in order to customize wordpress I needed to turn those off again. Also can't upload header image via GUI, I got HTTP error even when protection is turned off. Also soon after that problem that wordpress site cannot be reached. Hiawatha on the other hand is still running and serves defaul page normally. Wordpress site after reboot. Also haven't yet managed to install healthy check plugin.

As stated in the manual, only use those options to mitigate an attack. Don't use it as your first line of defense. About the upload of images, look at the MaxRequestSize setting.

Thanks! I think I can sort it out now. Sorry for asking these basic things but since this is the first server setup.... Well at least I've already learned something.

No problem!