MOHAWK.CONF(5)            FreeBSD File Formats Manual            MOHAWK.CONF(5)
mohawk.conf is the configuration file for the http daemon mohawk(8).
Comments can be put anywhere in the file using a hash mark
(‘#’), and extend to the end of the current line.
Arguments containing whitespace should be surrounded by double
quotes (").
debug
⟨on off⟩
- If
mohawk(8)
is compiled with -DUSE_DEBUG, this option controls the debug mode. The cli
option '-d' takes precedence.
- on
- Activate the debug mode: this prevents
mohawk(8)
from forking into the background and also enables verbose output.
- off (default)
- Run in background.
For example,
debug on
chroot
⟨directory⟩
- mohawk(8)
will chroot itself into the given directory. Every path it opens afterwards
(rootdir, auth_path, ...) is resolved inside that directory; only the
pidfile is written before the chroot.
For example,
chroot /var/www/chroot
include
⟨pattern⟩
- Include the file(s) matching pattern. Included files may themselves use
include; if the default maximum recursion depth (5) is not enough, recompile
mohawk(8)
with -DMAX_INCLUDE_DEPTH=your_level.
For example,
include /usr/local/etc/mohawk.d/local.conf
mime_type
⟨file⟩
- Read the mime types from file.
For example,
mime_type /etc/nginx/mime.types
mime_type
⟨key value⟩
- Global list of mime types, delimited with braces. Each item is either a
type or an extension (a quoted string holds several extensions); which is
which is autodetected. The default type is application/octet-stream. Because
the first match wins, the shortest extensions come first.
For example,
mime_type { text/plain "c h" x application/xxx }
mime_type { html text/html txt text/plain }
Invert the two lines and a request for a 'h' document will return
'text/html' and a request for a 'x' document will return 'text/plain': the
first match wins, so list shorter extensions before longer ones.
pidfile
⟨file⟩
- mohawk(8)
writes its pid in this file, before any chroot. The cli option '-p pidfile'
takes precedence.
For example,
pidfile /var/run/mohawk.pid
syslog_facility
⟨facility⟩
- Use facility for logging. See /usr/include/syslog.h
for the list of facility names. Default is daemon.
For example,
syslog_facility local0
user
⟨username⟩
- Run
mohawk(8)
as another user, nobody by default. username must
exist on the system.
For example,
user www
A vhost is configured by a list of options, delimited with braces. A 'default'
vhost is mandatory: every other vhost inherits its configuration from it.
Inheriting the configuration of another vhost is possible with 'vhost child
clone parent { }'.
The list of options may span one or several lines; comments start with
'#'.
For example,
vhost default {
⟨list of options⟩
}
authentication
⟨on off⟩
- Enable / disable (default) authentication. See auth_path below.
For example,
authentication on
auth_blacklistd
⟨on off⟩
- Send / don't send (default) the authentication result to
blacklistd(8)
(if available), so that repeated failures can be blocked by the firewall.
For example,
auth_blacklistd on
cgi_expose_mohawk_version
⟨on off⟩
- Enable / disable (default) the MOHAWK_VERSION environment variable passed to CGIs.
For example,
cgi_expose_mohawk_version on
dirlist
⟨on off⟩
- Enable / disable (default) directory listing.
For example,
dirlist on
hostname_in_rootdir
⟨on off⟩
- Use / don't use (default) the hostname in rootdir. Turn it on when the
vhost name contains patterns, so that each matching host gets its own
directory.
For example,
hostname_in_rootdir on
x_forwarded_for
⟨on off⟩
- Enable / disable (default) use of the X-Forwarded-For header. Only enable
it when
mohawk(8)
sits behind a proxy that sets the header: it is supplied by the client and
trivially spoofed otherwise.
For example,
x_forwarded_for on
auth_path
⟨directory⟩
- Directory holding the authentication file (.htpasswd). The rootdir of the
vhost *must not* contain this directory, otherwise the password file could
be fetched over http. When chroot is set, the path is relative to the chroot.
For example,
auth_path /tmp/chroot/secure_vhost/secure
charset
⟨charset⟩
- Set the default charset.
For example,
charset utf-8
dirlist_css_url
⟨url⟩
- The custom css for the directory listing page, relative to the vhost rootdir.
For example,
dirlist_css_url /dirlist.css
email_admin
⟨email⟩
- Set the email of the administrator
For example,
email_admin foo.bar@example.com
maxage
⟨number⟩
- If defined, set the Expires and Cache-Control headers accordingly.
For example,
maxage 3600
mohawk_name
⟨name⟩
- Set the environment variable SERVER_SOFTWARE and the footer of directory
listings.
For example,
mohawk_name "What did you expect ?"
rootdir
⟨directory⟩
- The root directory for the given vhost. The 'document_root' is defined as
chroot + rootdir. If hostname_in_rootdir is on, the document_root is defined
as chroot + rootdir + hostname. For the 'default' vhost, 'document_root' is
always defined as chroot + rootdir.
For example,
rootdir /tmp/chroot/virtual-hosts
status_url
⟨url⟩
- The url for the status page (information concerning the running
mohawk(8)
process). The page may reveal sensitive details: leave the option unset
unless needed, and restrict the url with auth_patterns or grant_access.
For example,
status_url /status
auth_patterns
⟨list of pattern⟩
- The glob patterns to determine which urls require authentication. For a
fully authenticated vhost, use '*'. See the auth_path option.
For example,
auth_patterns { /admin/* /secure/* }
blacklist_patterns
⟨list of pattern⟩
- The glob patterns to determine which urls generate a
BLACKLIST_ABUSIVE_BEHAVIOR notification to
blacklistd(8)
(if available).
For example,
blacklist_patterns { *.php /honeypot/* }
cgi_patterns
⟨list of pattern⟩
- The glob patterns to determine which files are to be considered as CGIs.
For example,
cgi_patterns { *.cgi *.pl *.sh }
index_names
⟨list of pattern⟩
- List of file names to use as the directory index.
For example,
index_names { index.html index.htm default.html index.pl }
no_auth_patterns
⟨list of pattern⟩
- The glob patterns to determine which url does not require authentication.
For example,
no_auth_patterns { /css/* /js/* /img/* }
no_cgi_maps
⟨list of pattern⟩
- List the urls that will not be mapped to a cgi even if they match a cgi_map.
For example,
no_cgi_maps { /rescue/status* }
no_log_patterns
⟨list of pattern⟩
- Don't log if request match pattern.
For example,
no_log_patterns { /css/* /js/* /img/* /packages/* }
grant_access
⟨list of prefix/mask⟩
- If set, access is granted only if remote_addr matches one of the prefixes.
A prefix starting with '!' denies access to that prefix/netmask. Entries are
tried in order and the first match decides, so a deny that carves a hole out
of a wider allow must precede it.
For example,
grant_access { 127.0.0.0/8 192.168.0.0/16 2001:dead:beaf::/48 }
grant_access { 192.168.0.0/24 !192.168.0.1 } # bad order: the /24 matches 192.168.0.1 first, the deny never applies
grant_access { !2001:dead:beaf:1::/64 2001:dead:beaf::/48 } # good order: deny first, then the wider allow
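To see why the order of a grant_access list matters, the following Python script (an added example, not part of mohawk(8) or of this manual) evaluates a list against remote addresses and flags entries that an earlier entry shadows. It assumes, as the bad / good examples above imply, that entries are tried in order, that the first entry containing the remote address decides (plain prefix allows, '!' prefix denies), and that an address matching no entry is refused; parse_grant_access, is_granted and shadowed_entries are names chosen for this example, and the lists it checks are the manual's own.

```python
"""Order checker for mohawk.conf grant_access lists.

Added example, not mohawk(8) code. Assumed semantics (as the bad / good
ordering examples in the manual imply): entries are tried top to bottom,
the first entry containing the remote address decides (plain prefix
allows, '!' prefix denies), and an address matching no entry is refused.
"""
import ipaddress


def parse_grant_access(tokens):
    """Turn the tokens between the braces into (network, allow) pairs."""
    rules = []
    for tok in tokens:
        allow = not tok.startswith("!")
        # strict=False accepts a bare host such as 192.168.0.1 (treated as /32).
        net = ipaddress.ip_network(tok.lstrip("!"), strict=False)
        rules.append((net, allow))
    return rules


def is_granted(rules, addr):
    """First-match evaluation (assumed); no match means access denied."""
    ip = ipaddress.ip_address(addr)
    for net, allow in rules:
        if ip.version == net.version and ip in net:
            return allow
    return False


def shadowed_entries(rules):
    """Return entries that can never match because an earlier entry of the
    same address family already covers their whole prefix.

    Each problem is (dead_entry, dead_allow, covering_entry, covering_allow).
    When the two flags differ, the author almost certainly wanted the
    narrower entry first.
    """
    problems = []
    for i, (net, allow) in enumerate(rules):
        for earlier, earlier_allow in rules[:i]:
            if net.version == earlier.version and net.subnet_of(earlier):
                problems.append((str(net), allow, str(earlier), earlier_allow))
                break
    return problems


if __name__ == "__main__":
    # Constructed from the manual's own bad / good examples.
    bad = parse_grant_access(["192.168.0.0/24", "!192.168.0.1"])
    good = parse_grant_access(["!2001:dead:beaf:1::/64", "2001:dead:beaf::/48"])
    print("bad list grants 192.168.0.1:", is_granted(bad, "192.168.0.1"))
    print("bad list shadowed entries:", shadowed_entries(bad))
    print("good list grants 2001:dead:beaf:1::5:",
          is_granted(good, "2001:dead:beaf:1::5"))
    print("good list shadowed entries:", shadowed_entries(good))
```

Run it on the two lists and the bad one reports the '!192.168.0.1' entry as dead code covered by 192.168.0.0/24, while the good one reports nothing and refuses the carved-out /64. The same check is worth running over any list that mixes allows and denies before it goes into production.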
cgi_env
⟨list of key value⟩
- List of environment variables to pass to CGIs, in the form key "value",
where key is the variable name and "value" is its content.
For example,
cgi_env { CBLOG_PATH "/var/db/cblog/" }
cgi_env {
VAR1 "value1"
VAR2 "value2"
# not used here
#VAR3 "value3"
}
cgi_map
⟨list of key value⟩
- List of url mappings that will in fact execute the given CGI, in the form:
pattern path/url/to/the/cgi, where pattern is a glob pattern.
For example,
cgi_map { /cblog/* /cblog.cgi /debug/* /cgi/printenv.sh }
listen
on ⟨...⟩
port ⟨port⟩
- The listen on directive takes an interface, hostname, ipv4 or ipv6 address
as parameter. port is optional (http by default) and may be given as a number
or a service name. Multiple directives are allowed.
Be careful: without any listen directive,
mohawk(8)
will listen on all interfaces, port http.
For example,
listen on em0
listen on localhost port 2222
listen on 172.16.0.80
listen on 2001:dead:beef::1 port dns
reset
⟨option⟩
- Reset an option, discarding the value inherited from the default vhost or
from the cloned parent. The resettable options are:
- authentication
- auth_blacklistd
- auth_path
- auth_patterns
- blacklist_patterns
- cgi_env
- cgi_map
- cgi_patterns
- charset
- dirlist_css_url
- email_admin
- index_names
- mohawk_name
- no_auth_patterns
- no_cgi_maps
- no_log_patterns
- grant_access
- status_url
Minimal configuration: no chroot, listen on all interfaces and all addresses,
serve /tmp:
mime_type { html text/html txt text/plain }
vhost default {
rootdir /tmp
dirlist on
}
Complex configuration: chroot, listen on some interfaces and some
addresses, black-hole default vhost, authentication, cgi:
chroot /var/www/chroot
user www-data
mime_type { html text/html txt text/plain }
# requests matching no other vhost (e.g. from HTTP/1.0 clients that send
# no Host header) land on the default vhost and find an empty directory
vhost default {
# chroot is defined, so we need /var/www/chroot/var/empty
rootdir /var/empty
}
# example.com
vhost *.example.com {
# em0 is the public interface
listen on em0 port 8080
# vr0 is the local interface
listen on vr0
# chroot is defined and this is not the default vhost: with
# hostname_in_rootdir on, a request for http://www.example.com/index.html
# becomes /var/www/chroot/srv/example.com/www.example.com/index.html
hostname_in_rootdir on
rootdir /srv/example.com/
#authentication off
#cgi_expose_mohawk_version
#dirlist off
# we listen on public interface port 8080, a proxy is present
x_forwarded_for on
# no authentication
#auth_path
charset latin1
dirlist_css_url /css/dir.css
maxage 3600
mohawk_name "Mohawk rulez !!!"
# we don't activate any status url
# some informations may be sensible
#status_url
# no authentication
#auth_patterns { }
#no cgi
#cgi_patterns { }
# usual settings
index_names { index.html index.htm default.html }
# no authentication
#no_auth_patterns { }
# no cgi
#no_cgi_maps { }
# we log all
#no_log_patterns { }
# no restriction
#grant_access { }
# no cgi_env
#cgi_env { }
# no cgi_map
#cgi_map { }
}
vhost secure.example.com {
# add some listen
listen on secure.example.com
listen on 127.0.0.1 port 8888
# with hostname_in_rootdir on, the document root is
# /var/www/chroot/classified/www/secure.example.com/
hostname_in_rootdir on
rootdir /classified/www
# activate authentication
authentication on
# auth path, outside every rootdir
# we can share .htpasswd:
# /var/www/chroot/classified/authentication/.htpasswd
auth_path /classified/authentication/
no_auth_patterns { /css/* /img/* /js/* }
# don't log some stuff, same as no_auth_patterns
no_log_patterns { /css/* /img/* /js/* }
}
vhost secret.example.com clone secure.example.com {
# listen only on lo0
reset listen
listen on lo0
# keep rootdir: /var/www/chroot/classified/www/secret.example.com
# don't share .htpasswd
auth_path /classified/secret.example.com/
# all request require authentication
reset no_auth_patterns
auth_patterns { * }
cgi_expose_mohawk_version off
cgi_patterns { *.cgi *.pl }
reset index_names
index_names { crack.cgi bruteforce.pl }
reset no_cgi_maps
cgi_map {
/download/* /analyze.pl
/upload/* /add_virus.cgi
}
# values set here reach every cgi of this vhost: keep mohawk.conf
# unreadable to other users when it carries credentials
cgi_env {
DATABASE "postgresql:admin:Haxxor ftw"
}
grant_access { 127.0.0.0/8 }
mohawk_name ""
# we log all
reset no_log_patterns
}
Baptiste Daroussin <bapt@FreeBSD.org>
Freddy Dissaux <freddy.dsx@free.fr>