Cherokee Comprehensive Guide - Installation, Configuration, and Security Hardening

Cherokee is a lightweight, high-performance web server designed to be fast, flexible, and easy to configure. One of its standout features is the intuitive web-based administration interface that makes configuration and management accessible even to those without extensive web server experience.

Cherokee Web Server Guide

Table of Contents

  1. Introduction to Cherokee
  2. Installation
  3. Cherokee Admin Interface
  4. Basic Configuration
  5. Virtual Servers
  6. Rules and Handlers
  7. SSL/TLS Configuration
  8. Authentication
  9. Rewrite Rules
  10. Load Balancing
  11. Performance Optimization
  12. Logging and Monitoring
  13. Security Hardening
  14. Troubleshooting
  15. Additional Resources

Introduction to Cherokee

Key features of Cherokee include:

  • User-friendly web interface: Eliminates the need to manually edit configuration files
  • High performance: Built to handle high-traffic loads efficiently
  • Flexibility: Support for multiple technologies and configurations
  • Security features: Built-in protection mechanisms
  • Load balancing: Advanced load balancing capabilities for high availability
  • Reverse proxy functionality: Proxying requests to backend application servers
  • Support for multiple programming languages: PHP, Python, Ruby, Node.js, and more
  • TLS/SSL support: Secure communication with OpenSSL
  • Low memory footprint: Efficient resource usage
  • IPv6 support: Ready for the next generation of internet addressing

Installation

Installation on Debian/Ubuntu

# Update package lists
sudo apt update

# Install Cherokee and its admin interface
sudo apt install cherokee cherokee-admin

# Start Cherokee service
sudo systemctl start cherokee

# Enable Cherokee to start on boot
sudo systemctl enable cherokee

# Check service status
sudo systemctl status cherokee

Installation on CentOS/RHEL

# Install EPEL repository for Cherokee packages
sudo yum install epel-release

# Install Cherokee and its admin interface
sudo yum install cherokee cherokee-admin

# Start Cherokee service
sudo systemctl start cherokee

# Enable Cherokee to start on boot
sudo systemctl enable cherokee

# Check service status
sudo systemctl status cherokee

Installation from Source

# Install dependencies
sudo apt install build-essential libssl-dev libpcre3-dev

# Download source code
wget https://github.com/cherokee/webserver/archive/master.zip
unzip master.zip
cd webserver-master

# Configure and build
./autogen.sh
./configure
make
sudo make install

# Create systemd service file
sudo nano /etc/systemd/system/cherokee.service

Add the following to the systemd service file:

[Unit]
Description=Cherokee Web Server
After=network.target

[Service]
Type=forking
# Must match server!pid_file in cherokee.conf
PIDFile=/var/run/cherokee.pid
ExecStart=/usr/local/sbin/cherokee -d
ExecStop=/bin/kill -TERM $MAINPID

[Install]
WantedBy=multi-user.target

Then enable and start the service:

sudo systemctl daemon-reload
sudo systemctl start cherokee
sudo systemctl enable cherokee

Installation with Docker

# Pull the Cherokee Docker image
docker pull cherokee/cherokee

# Run Cherokee container
docker run -d --name cherokee-server -p 80:80 -p 443:443 cherokee/cherokee

# For persistent configuration, mount a volume
docker run -d --name cherokee-server -p 80:80 -p 443:443 \
  -v /path/to/config:/etc/cherokee \
  cherokee/cherokee

Cherokee Admin Interface

Cherokee’s web-based administration interface is one of its most distinctive features. To start the admin interface:

# Start the Cherokee admin interface (binds to localhost by default)
sudo cherokee-admin

# Or specify a custom port and bind address; binding to a non-loopback
# address exposes the admin interface to that network
sudo cherokee-admin -b 192.168.1.100 -p 9090

When you run this command, cherokee-admin prints the login details, including a one-time password, together with the URL of the web interface. For example:

Cherokee Web Server 1.2.104 (Mar  8 2016): Listening on port ALL:9090, TLS disabled
Login:
  User:              admin
  One-time Password: admin_B1LXQhKR

Web Interface:
  URL:               http://localhost:9090/

Access this URL in your browser to configure Cherokee. The admin interface is organized into several sections:

  1. Status: Overview of server status and logs
  2. General: Basic server settings
  3. vServers: Virtual servers configuration
  4. Sources: Content source definitions
  5. Behavior: Rules and handlers for request handling
  6. Advanced: Advanced settings and modules

Basic Configuration

Server Configuration

In the “General” section of the admin interface, you can configure:

  1. Network: Binding ports and addresses
    • Default port: 80
    • Default TLS/SSL port: 443
    • Bind to specific IP addresses or all available addresses
  2. System Behavior:
    • Server timeout
    • Keep-alive timeout
    • Server user and group
    • Server tokens (showing or hiding server information)
  3. I/O Cache:
    • Enable/disable file cache
    • Maximum file size to cache
    • Cache expiration time
  4. Icons:
    • Default icon set for directory listings

Here is the equivalent in the Cherokee configuration file (/etc/cherokee/cherokee.conf):

server!bind!1!port = 80
server!bind!2!port = 443
server!bind!2!tls = 1
server!timeout = 15
server!keepalive = 5
server!user = www-data
server!group = www-data
server!pid_file = /var/run/cherokee.pid
server!server_tokens = minimal
server!cryptor = libssl

Default Virtual Server

Cherokee starts with a default virtual server listening on all IP addresses. You can modify this or create additional virtual servers for different domains. In the default server, you can set:

  1. Document Root: The base directory for serving files

vserver!1!document_root = /var/www/html

  2. Directory Indexes: Default files to look for when a directory is requested

vserver!1!directory_index = index.html,index.htm,index.php

  3. Error Handlers: Custom error pages

vserver!1!error_handler = error_redir
vserver!1!error_handler!404!show = 0
vserver!1!error_handler!404!url = /404.html

Virtual Servers

Virtual servers allow you to host multiple websites on a single Cherokee instance.

Name-based Virtual Hosting

To add a new virtual server in the admin interface:

  1. Go to the “vServers” tab
  2. Click “Add new virtual server”
  3. Enter the server details:
    • Name: A descriptive name (e.g., “example.com”)
    • Document Root: The directory containing the website files (e.g., /var/www/example.com)
    • Match: “Domain name”
    • Domains: Enter the domain names (e.g., example.com, www.example.com)

This creates a configuration similar to:

vserver!2!nick = example.com
vserver!2!document_root = /var/www/example.com
vserver!2!match = domain
vserver!2!match!domain!1 = example.com
vserver!2!match!domain!2 = www.example.com
vserver!2!directory_index = index.html,index.htm,index.php
vserver!2!error_handler = error_redir

IP-based Virtual Hosting

For IP-based virtual hosting:

  1. Go to the “vServers” tab
  2. Click “Add new virtual server”
  3. Enter the server details:
    • Name: A descriptive name
    • Document Root: The directory containing website files
    • Match: “IP Address”
    • Address: Enter the specific IP address

This creates a configuration similar to:

vserver!3!nick = ip_based_site
vserver!3!document_root = /var/www/ip_site
vserver!3!match = ip
vserver!3!match!ip = 192.168.1.10

Port-based Virtual Hosting

For port-based virtual hosting:

  1. First, add the port binding in “General” → “Network”
  2. Then create a virtual server that matches this port:
    • Match: “Port Number”
    • Port: Enter the port number (e.g., 8080)
vserver!4!nick = custom_port_site
vserver!4!document_root = /var/www/port_site
vserver!4!match = port
vserver!4!match!port = 8080

Rules and Handlers

Cherokee uses rules and handlers to define how different requests are processed.

Default Rules

Each virtual server has a default rule that applies when no other rules match. To modify it:

  1. Go to the “vServers” tab
  2. Select your virtual server
  3. Click “Default” in the “Behavior” section
  4. Set the handler (e.g., “Static Content”)
vserver!1!rule!1!match = default
vserver!1!rule!1!handler = file

Directory Rules

To create a rule for a specific directory:

  1. In your virtual server, go to “Behavior” → “Add New Rule”
  2. Set “Type” to “Directory”
  3. Enter the directory path (e.g., /images)
  4. Choose a handler (e.g., “Static Content” or “List & Send”)
vserver!1!rule!10!match = directory
vserver!1!rule!10!match!directory = /images
vserver!1!rule!10!handler = file

Extension Rules

For handling specific file extensions:

  1. In your virtual server, go to “Behavior” → “Add New Rule”
  2. Set “Type” to “Extensions”
  3. Enter the extensions (e.g., php,php5)
  4. Choose a handler (e.g., “PHP Interpreter”)
vserver!1!rule!20!match = extensions
vserver!1!rule!20!match!extensions = php,php5
vserver!1!rule!20!handler = fcgi
vserver!1!rule!20!handler!balancer = round_robin
vserver!1!rule!20!handler!balancer!source!1 = socket
vserver!1!rule!20!handler!balancer!source!1!host = 127.0.0.1:9000

Common Handlers

Cherokee supports various handlers for different content types:

  1. Static Content (file): Serves static files
    handler = file
    
  2. List & Send (dirlist): Displays directory listings and serves files
    handler = dirlist
    
  3. FastCGI (fcgi): Processes dynamic content via the FastCGI protocol
    handler = fcgi
    handler!balancer = round_robin
    handler!balancer!source!1 = socket
    handler!balancer!source!1!host = 127.0.0.1:9000
    
  4. uWSGI (uwsgi): Processes Python WSGI applications
    handler = uwsgi
    handler!balancer = round_robin
    handler!balancer!source!1 = socket
    handler!balancer!source!1!host = 127.0.0.1:8080
    
  5. CGI (cgi): Executes CGI scripts
    handler = cgi
    
  6. Reverse Proxy (proxy): Forwards requests to another server
    handler = proxy
    handler!balancer = round_robin
    handler!balancer!source!1 = 127.0.0.1:8080
    
  7. Redirect (redir): Redirects requests to another URL
    handler = redir
    handler!rewrite!1!show = 1
    handler!rewrite!1!regex = ^/(.*)$
    handler!rewrite!1!substring = https://example.com/$1
    

SSL/TLS Configuration

Enabling SSL/TLS

To enable SSL/TLS in Cherokee:

  1. Go to “General” → “Network”
  2. Ensure you have a binding for port 443
  3. Enable TLS for this binding
server!bind!2!port = 443
server!bind!2!tls = 1

Certificate Configuration

To configure certificates:

  1. Go to your virtual server
  2. Click on “Security” → “TLS”
  3. Enter the paths to your certificate files:
    • Certificate: Path to your SSL certificate (e.g., /etc/cherokee/ssl/example.com.crt)
    • Certificate key: Path to your private key (e.g., /etc/cherokee/ssl/example.com.key)
    • Certificate CA: Path to your CA certificate chain (if needed)
vserver!2!ssl_certificate_file = /etc/cherokee/ssl/example.com.crt
vserver!2!ssl_certificate_key_file = /etc/cherokee/ssl/example.com.key
vserver!2!ssl_ca_list_file = /etc/cherokee/ssl/ca-chain.crt

SSL/TLS Security Settings

For enhanced security:

  1. In the virtual server’s “Security” → “TLS” section
  2. Configure:
    • TLS version: Select which TLS versions to support
    • Cipher suite: Define allowed ciphers
vserver!2!ssl_protocols = TLSv1.2,TLSv1.3
vserver!2!ssl_cipher_server_preference = 1
vserver!2!ssl_ciphers = HIGH:!aNULL:!MD5:!RC4

HTTP to HTTPS Redirection

To redirect HTTP traffic to HTTPS:

  1. Go to your HTTP virtual server
  2. Add a new rule with:
    • Type: “Default”
    • Handler: “Redirection”
    • Type of Redirection: “External”
    • Regular Expression: ^/(.*)$
    • Substitution: https://example.com/$1
vserver!1!rule!1!match = default
vserver!1!rule!1!handler = redir
vserver!1!rule!1!handler!rewrite!1!show = 1
vserver!1!rule!1!handler!rewrite!1!regex = ^/(.*)$
vserver!1!rule!1!handler!rewrite!1!substring = https://example.com/$1

Authentication

Cherokee supports various authentication methods to protect content.

Basic Authentication

To set up basic authentication:

  1. Go to your virtual server and select a rule (or create a new one)
  2. Click on “Security” → “Authentication”
  3. Enable authentication with:
    • Method: “Basic”
    • Realm: A description (e.g., “Restricted Area”)
    • Users: Add users and their passwords
vserver!1!rule!30!match = directory
vserver!1!rule!30!match!directory = /protected
vserver!1!rule!30!handler = file
vserver!1!rule!30!auth = basic
vserver!1!rule!30!auth!methods = basic
vserver!1!rule!30!auth!realm = Restricted Area
vserver!1!rule!30!auth!users!1!password = password1
vserver!1!rule!30!auth!users!1!user = user1

Digest Authentication

For digest authentication, which is more secure than basic:

  1. Configure similar to basic authentication but select “Digest” as the method
vserver!1!rule!30!auth!methods = digest

PAM Authentication

To authenticate against the system’s PAM:

  1. Select “PAM” as the authentication method
  2. Configure the PAM service (e.g., “system-auth”)
vserver!1!rule!30!auth!methods = pam
vserver!1!rule!30!auth!pam!service = system-auth

LDAP Authentication

For LDAP authentication:

  1. Select “LDAP” as the authentication method
  2. Configure LDAP settings:
    • Server: LDAP server address
    • Base DN: Base distinguished name for searches
    • Bind DN: DN for binding to the LDAP server
    • Bind Password: Password for binding
vserver!1!rule!30!auth!methods = ldap
vserver!1!rule!30!auth!ldap!server = ldap://ldap.example.com:389
vserver!1!rule!30!auth!ldap!base_dn = ou=users,dc=example,dc=com
vserver!1!rule!30!auth!ldap!bind_dn = cn=admin,dc=example,dc=com
vserver!1!rule!30!auth!ldap!bind_pwd = adminpassword

Rewrite Rules

Rewrite rules allow you to modify URLs internally or redirect users.

Internal Rewrites

For internal rewrites that don’t change the URL in the browser:

  1. Go to your virtual server and select a rule
  2. Choose the “Static Content” handler
  3. Click “Handler Options” → “URL Rewriting”
  4. Add a rewrite rule:
    • Regular Expression: Pattern to match (e.g., ^/products/([0-9]+)$)
    • Substitution: Where to rewrite it (e.g., /product.php?id=$1)
vserver!1!rule!40!match = request
vserver!1!rule!40!match!request = ^/products/([0-9]+)$
vserver!1!rule!40!handler = file
vserver!1!rule!40!handler!document_root = /var/www/html
vserver!1!rule!40!internal_rewrite!1!regex = ^/products/([0-9]+)$
vserver!1!rule!40!internal_rewrite!1!substring = /product.php?id=$1

External Redirects

For external redirects that change the URL in the browser:

  1. Go to your virtual server and add a new rule
  2. Set the handler to “Redirection”
  3. Configure the redirection:
    • Type: “External”
    • Regular Expression: Pattern to match
    • Substitution: Destination URL
vserver!1!rule!50!match = directory
vserver!1!rule!50!match!directory = /old-products
vserver!1!rule!50!handler = redir
vserver!1!rule!50!handler!rewrite!1!show = 1
vserver!1!rule!50!handler!rewrite!1!regex = ^/old-products/(.*)$
vserver!1!rule!50!handler!rewrite!1!substring = /products/$1

Common URL Rewriting Patterns

  1. Removing .php extension:
    regex = ^/([^.]+)$
    substring = /$1.php
    
  2. Canonical domain redirection (www to non-www):
    regex = ^/(.*)$
    substring = https://example.com/$1
    
  3. Pretty URLs for blog posts:
    regex = ^/blog/([^/]+)$
    substring = /blog.php?slug=$1
    
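As an added example (not from the guide or from Cherokee itself), a short Python harness that applies the patterns above Cherokee-style ($1 substitution) to sample paths. It also shows that the generic .php pattern and the blog pattern both match /blog/hello-world, so whichever rule is evaluated first decides the result; the harness emulates only the regex-and-substring step, not Cherokee's rule priorities.

```python
"""Apply this guide's rewrite patterns to sample paths the way Cherokee does
(regex match, then $N substitution) and show where the patterns overlap, which
is why rule order matters. Added example, not part of this guide or of Cherokee:
it emulates only the regex/substring step, not Cherokee's rule priorities.
"""
import re

# (name, regex, substring) taken from the patterns listed in this guide
PATTERNS = [
    ("strip-php-extension", r"^/([^.]+)$", "/$1.php"),
    ("blog-pretty-url", r"^/blog/([^/]+)$", "/blog.php?slug=$1"),
    ("product-id", r"^/products/([0-9]+)$", "/product.php?id=$1"),
]


def rewrite(regex, substring, path):
    """Return the rewritten path, or None when the regex does not match."""
    m = re.search(regex, path)
    if not m:
        return None
    # Cherokee-style $1, $2, ... refer to the regex capture groups
    return re.sub(r"\$(\d+)", lambda g: m.group(int(g.group(1))) or "", substring)


def matching_patterns(path, patterns=PATTERNS):
    """Names of every pattern that would rewrite this path, in list order."""
    return [name for name, regex, sub in patterns if rewrite(regex, sub, path) is not None]


def first_rewrite(path, patterns=PATTERNS):
    """Result of the first matching pattern, as a chain of rules would apply it."""
    for name, regex, sub in patterns:
        out = rewrite(regex, sub, path)
        if out is not None:
            return name, out
    return None, path


if __name__ == "__main__":
    for path in ("/about", "/blog/hello-world", "/products/42", "/style.css"):
        print(path, "->", first_rewrite(path), "matched by", matching_patterns(path))
```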

Load Balancing

Cherokee provides load balancing capabilities to distribute traffic across multiple backend servers.

Setting Up Load Balancing

To configure load balancing:

  1. Go to your virtual server and add a new rule
  2. Set the handler to “Reverse Proxy” or “FastCGI”
  3. In “Handler Options” → “Load Balancing”:
    • Choose a balancing type (e.g., “Round Robin”)
    • Add information sources (backend servers)
vserver!1!rule!60!match = directory
vserver!1!rule!60!match!directory = /app
vserver!1!rule!60!handler = proxy
vserver!1!rule!60!handler!balancer = round_robin
vserver!1!rule!60!handler!balancer!source!1 = 192.168.1.10:8080
vserver!1!rule!60!handler!balancer!source!2 = 192.168.1.11:8080

Load Balancing Methods

Cherokee supports several load balancing methods:

  1. Round Robin: Distributes requests sequentially across servers
    handler!balancer = round_robin
    
  2. IP Hash: Routes requests based on client IP address (session stickiness)
    handler!balancer = ip_hash
    
  3. Least Connections: Sends requests to the server with the fewest active connections
    handler!balancer = leastconn
    
  4. First Alive: Uses the first responsive server in the list
    handler!balancer = failover
    

Health Checks

To ensure only healthy servers receive traffic:

  1. In the load balancer configuration, enable health checks:
    • Check Type: HTTP or TCP
    • Check URI: Path to check (e.g., /health.php)
    • Check Interval: How often to check in seconds
vserver!1!rule!60!handler!balancer!active_checks = 1
vserver!1!rule!60!handler!balancer!check_interval = 10
vserver!1!rule!60!handler!balancer!check_type = http
vserver!1!rule!60!handler!balancer!check_uri = /health.php

Performance Optimization

Cherokee is designed to be fast, but you can further optimize its performance.

I/O Cache Configuration

The I/O cache improves performance by caching file data:

  1. Go to “General” → “I/O Cache”
  2. Configure:
    • Enable/disable caching
    • Maximum file size to cache
    • Minimum file size to cache
    • Cache expiration time
server!io_cache = 1
server!io_cache!max_file_size = 10M
server!io_cache!min_file_size = 1K
server!io_cache!max_file_avl = 1M

Connection Handling

Optimizing connection settings:

  1. Go to “General” → “System Behavior”
  2. Configure:
    • Server timeout: Time to keep inactive connections open
    • Keep-alive timeout: Time to keep inactive persistent connections open
    • Keep-alive max requests: Maximum requests per connection
server!timeout = 15
server!keepalive = 5
server!keepalive_max_requests = 500

Enabling Gzip Compression

To reduce bandwidth and improve load times:

  1. Go to “General” → “Advanced”
  2. In the “Encoding” section, enable Gzip compression
  3. Set compression level (1-9, where 9 is highest compression but more CPU intensive)
server!encoder!gzip!allow = 1
server!encoder!gzip!compression_level = 6

Thread Configuration

For high-traffic sites, adjust the thread settings:

  1. Go to “General” → “Advanced”
  2. In the “Network & Connections” section, configure:
    • Thread Number: Number of threads to use (typically one per CPU core)
    • Thread Policy: How to assign connections to threads
server!thread_number = 4
server!thread_policy = fifo

Logging and Monitoring

Proper logging and monitoring are essential for maintaining a healthy web server.

Access Logs

To configure access logs:

  1. Go to “General” → “Advanced”
  2. In the “Logging” section, set:
    • Access log: Path to the access log file
    • Log format: Format for log entries
vserver!1!logger = combined
vserver!1!access_log = /var/log/cherokee/access.log

Standard log formats include:

  • combined: Apache-compatible combined log format
  • ncsa: Common Log Format (CLF)
  • custom: Custom log format

For a custom log format:

vserver!1!logger = custom
vserver!1!logger!access = %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
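As an added example (not from the guide), a Python scanner for logs written in the combined format above. It flags requests for the sensitive file types the Security Hardening section blocks (conf, sql, log, git, htaccess) that were nonetheless served with a 2xx status, and /server-status requests from outside the 192.168.1.0/24 and 10.0.0.5 ranges used in the guide's IP restriction example; the log lines are constructed, and the extension check is deliberately stricter than a Cherokee extensions rule because it inspects every path segment.

```python
"""Scan Cherokee access logs in the combined format and flag (a) requests for
sensitive file types that were served rather than blocked and (b) /server-status
requests from outside the networks the status page is meant for. Added example,
not part of this guide; the log lines are constructed and the allowed networks
are the ones from this guide's ip_acl example. The extension check looks at
every path segment, so /.git/config is caught as well as /dump.sql.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
COMBINED_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
SENSITIVE_EXTENSIONS = {"conf", "sql", "log", "git", "htaccess"}  # as in the guide's rule!90
STATUS_PATH = "/server-status"
ALLOWED_STATUS_NETS = [ipaddress.ip_network("192.168.1.0/24"),
                       ipaddress.ip_network("10.0.0.5/32")]

# Constructed sample lines: one served .sql dump, one blocked .git probe,
# one legitimate and one outside status-page hit, and one unparsable line.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:12:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:12:00:02 +0000] "GET /backup.sql HTTP/1.1" 200 40960 "-" "curl/8.0"
203.0.113.7 - - [10/Mar/2024:12:00:03 +0000] "GET /.git/config HTTP/1.1" 403 153 "-" "curl/8.0"
192.168.1.20 - admin [10/Mar/2024:12:00:04 +0000] "GET /server-status HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2024:12:00:05 +0000] "GET /server-status?refresh=5 HTTP/1.1" 401 0 "-" "python-requests/2.31"
this line is not in combined format
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = COMBINED_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = rec["request"].split(" ")
    rec["method"] = parts[0] if parts else ""
    rec["path"] = urlsplit(parts[1]).path if len(parts) > 1 else ""
    rec["status"] = int(rec["status"])
    return rec


def is_sensitive(path):
    """True if any path segment has an extension (or dotfile name) from the blocked set."""
    for segment in path.split("/"):
        if "." in segment and segment.rsplit(".", 1)[-1].lower() in SENSITIVE_EXTENSIONS:
            return True
    return False


def in_allowed_nets(host):
    """True if the client address falls inside one of the allowed networks."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:  # a hostname instead of an address: treat as not allowed
        return False
    return any(ip in net for net in ALLOWED_STATUS_NETS)


def scan(lines):
    """Return a list of (kind, detail) findings for the given log lines."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            findings.append(("unparsed", line))
            continue
        where = f'{rec["host"]} {rec["method"]} {rec["path"]} -> {rec["status"]}'
        if is_sensitive(rec["path"]) and 200 <= rec["status"] < 300:
            findings.append(("served-sensitive-file", where))
        if rec["path"].startswith(STATUS_PATH) and not in_allowed_nets(rec["host"]):
            findings.append(("status-page-outside-acl", where))
    return findings


if __name__ == "__main__":
    for kind, detail in scan(SAMPLE_LOG.splitlines()):
        print(f"{kind}: {detail}")
```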

Error Logs

To configure error logs:

  1. Go to “General” → “Advanced”
  2. In the “Logging” section, set:
    • Error log: Path to the error log file
    • Log level: Verbosity of error logging
server!error_log = /var/log/cherokee/error.log
server!error_writer!type = stderr
server!error_writer!filename = /var/log/cherokee/error.log

Log Rotation

Cherokee supports log rotation to prevent logs from growing too large:

  1. Go to “General” → “Advanced”
  2. In the “Logging” section, enable log rotation:
    • Max size: Maximum log file size before rotation
    • Max files: Number of old log files to keep
server!error_writer!rotate = 1
server!error_writer!max_size = 10M
server!error_writer!backup_number = 5

Alternatively, use the system’s logrotate:

sudo nano /etc/logrotate.d/cherokee

Add the following configuration:

/var/log/cherokee/*.log {
    daily
    missingok
    rotate 7
    compress
    delaycompress
    notifempty
    create 640 www-data www-data
    sharedscripts
    postrotate
        if [ -f /var/run/cherokee.pid ]; then
            kill -USR1 `cat /var/run/cherokee.pid`
        fi
    endscript
}

Status Monitoring

Cherokee provides a status interface to monitor server performance:

  1. Go to “General” → “Advanced”
  2. In the “Logging” section, enable the “Server Status” handler
  3. Configure access restrictions for the status page
vserver!1!rule!70!match = directory
vserver!1!rule!70!match!directory = /server-status
vserver!1!rule!70!handler = server_info
vserver!1!rule!70!auth = basic
vserver!1!rule!70!auth!methods = basic
vserver!1!rule!70!auth!realm = Cherokee Server Status
vserver!1!rule!70!auth!users!1!user = admin
vserver!1!rule!70!auth!users!1!password = secretpassword

Security Hardening

Enhancing the security of your Cherokee server is crucial for protecting your web applications and data.

Hiding Server Information

To prevent revealing server details:

  1. Go to “General” → “System Behavior”
  2. Set “Server Tokens” to “Minor” or “None”
server!server_tokens = none

Implementing Security Headers

Configure security headers for your virtual server:

  1. Go to your virtual server
  2. Add a new rule with the “Static Content” handler
  3. In “Handler Options” → “Response Headers”, add:
    • X-Content-Type-Options: nosniff
    • X-Frame-Options: SAMEORIGIN
    • X-XSS-Protection: 1; mode=block
    • Content-Security-Policy: appropriate policy
vserver!1!rule!1!handler!x_content_type_options = nosniff
vserver!1!rule!1!handler!x_frame_options = SAMEORIGIN
vserver!1!rule!1!handler!x_xss_protection = 1; mode=block
vserver!1!rule!1!handler!content_security_policy = default-src 'self'; script-src 'self' https://trusted-cdn.com; img-src 'self' data:;

Restricting Access by IP

To limit access to specific IP addresses:

  1. Go to your virtual server, select a rule
  2. Click on “Security” → “Access Restrictions”
  3. Add IP restrictions:
    • Type: “Allow From” or “Deny From”
    • IP/Mask: Specify IP addresses or ranges
vserver!1!rule!80!match = directory
vserver!1!rule!80!match!directory = /admin
vserver!1!rule!80!handler = file
vserver!1!rule!80!ip_acl = deny_all,allow
vserver!1!rule!80!ip_acl!deny_all = all
vserver!1!rule!80!ip_acl!allow!1 = 192.168.1.0/24
vserver!1!rule!80!ip_acl!allow!2 = 10.0.0.5

File Access Restrictions

To prevent access to sensitive files:

  1. Add a rule that matches file patterns
  2. Set the handler to “Only Matching Method” or “HTTP Error”
vserver!1!rule!90!match = extensions
vserver!1!rule!90!match!extensions = conf,sql,log,git,htaccess
vserver!1!rule!90!handler = http_error
vserver!1!rule!90!handler!error = 403

Running Cherokee as a Non-root User

To reduce privileges after binding to ports:

  1. Go to “General” → “System Behavior”
  2. Set:
    • Server user: Non-root user (e.g., “www-data”)
    • Server group: Non-root group (e.g., “www-data”)
server!user = www-data
server!group = www-data

Limiting Request Size

To prevent DoS attacks from large requests:

  1. Go to “General” → “Advanced”
  2. In the “Network & Connections” section, set:
    • Maximum body size: Limit on POST/PUT request size
server!max_post_size = 5M

Configuring Secure TLS Settings

For optimal TLS security:

  1. Go to your virtual server’s “Security” → “TLS” section
  2. Configure:
    • Disable older TLS versions (allow only TLS 1.2+)
    • Use secure cipher suites
    • Enable Perfect Forward Secrecy
vserver!1!ssl_protocols = TLSv1.2,TLSv1.3
vserver!1!ssl_cipher_server_preference = 1
vserver!1!ssl_ciphers = HIGH:!aNULL:!MD5:!RC4
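As an added example (not from the guide or the Cherokee project), a small Python audit that parses the `key!sub = value` format used throughout this guide and flags the weak settings this section warns about: exposed server tokens, workers running as root, legacy TLS versions, cipher lists that do not exclude aNULL/MD5/RC4, passwords stored inline in cherokee.conf, and a server_info rule without authentication or an IP restriction. The sample configuration is constructed, and the defaults assumed for absent keys are marked in the code.

```python
"""Parse a cherokee.conf-style file and flag weak settings.

Added example, not part of this guide or of the Cherokee project: it handles
only the `key!sub!sub = value` line format shown in this guide and checks the
keys used in the guide's own snippets (server_tokens, user/group, ssl_protocols,
ssl_ciphers, inline auth!users passwords, an unprotected server_info rule).
"""
import re
from collections import defaultdict

LINE_RE = re.compile(r"^\s*([^#=\s]+)\s*=\s*(.*?)\s*$")
RULE_RE = re.compile(r"^(vserver!\d+!rule!\d+)(?:!(.+))?$")

# Constructed sample: the guide's settings plus a few deliberately weak ones.
SAMPLE_CONF = """\
# cherokee.conf (constructed sample)
server!server_tokens = full
server!user = www-data
server!group = www-data
vserver!1!ssl_protocols = TLSv1,TLSv1.2
vserver!1!ssl_ciphers = HIGH:!aNULL:!MD5
vserver!1!rule!70!match!directory = /server-status
vserver!1!rule!70!handler = server_info
vserver!1!rule!30!match!directory = /protected
vserver!1!rule!30!handler = file
vserver!1!rule!30!auth = basic
vserver!1!rule!30!auth!users!1!user = user1
vserver!1!rule!30!auth!users!1!password = password1
"""


def parse_conf(text):
    """Return {full_key: value} for every 'key!sub = value' line; '#' lines are comments."""
    conf = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = LINE_RE.match(line)
        if m:
            conf[m.group(1)] = m.group(2)
    return conf


def group_rules(conf):
    """Group rule keys by their 'vserver!N!rule!M' prefix -> {suffix: value}."""
    grouped = defaultdict(dict)
    for key, value in conf.items():
        m = RULE_RE.match(key)
        if m:
            grouped[m.group(1)][m.group(2) or ""] = value
    return grouped


def audit(conf):
    """Return a list of (severity, message) findings for the parsed config."""
    findings = []
    # Assumed defaults when a key is absent: full banner, root worker.
    tokens = conf.get("server!server_tokens", "full")
    if tokens not in ("none", "product", "minor", "minimal"):
        findings.append(("medium", f"server!server_tokens = {tokens}: version string is exposed"))
    if conf.get("server!user", "root") == "root" or conf.get("server!group", "root") == "root":
        findings.append(("high", "workers run as root: set server!user and server!group"))
    for key, value in conf.items():
        if key.endswith("!ssl_protocols"):
            legacy = [p.strip() for p in value.split(",") if p.strip() in ("SSLv3", "TLSv1", "TLSv1.1")]
            if legacy:
                findings.append(("high", f"{key} still allows {','.join(legacy)}"))
        elif key.endswith("!ssl_ciphers"):
            for weak in ("aNULL", "MD5", "RC4"):
                if f"!{weak}" not in value:
                    findings.append(("medium", f"{key} does not exclude {weak}"))
    for prefix, rule in group_rules(conf).items():
        if any(re.match(r"^auth!users!\d+!password$", s) for s in rule):
            findings.append(("high", f"{prefix}: password stored in cleartext in cherokee.conf"))
        has_auth = any(s == "auth" or s.startswith("auth!") for s in rule)
        has_acl = any(s.startswith("ip_acl") for s in rule)
        if rule.get("handler") == "server_info" and not (has_auth or has_acl):
            findings.append(("high", f"{prefix}: server_info handler has no authentication or IP restriction"))
    return findings


if __name__ == "__main__":
    for severity, message in audit(parse_conf(SAMPLE_CONF)):
        print(f"[{severity}] {message}")
```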

Troubleshooting

When issues arise with your Cherokee server, these troubleshooting techniques can help.

Checking Server Status

# Check if Cherokee is running
sudo systemctl status cherokee

# Check open ports
sudo netstat -tulpn | grep cherokee

# Check process information
ps aux | grep cherokee

Viewing Logs

# Check error logs for issues
sudo tail -f /var/log/cherokee/error.log

# Check access logs for request information
sudo tail -f /var/log/cherokee/access.log

Common Issues and Solutions

1. Cherokee Won’t Start

Check for syntax errors in configuration:

cherokee -t

Verify port availability:

sudo netstat -tulpn | grep :80

Check for file permission issues:

sudo chown -R www-data:www-data /var/log/cherokee

Ensure Cherokee has access to its configuration:

sudo chown -R www-data:www-data /etc/cherokee

2. 403 Forbidden Errors

Check directory and file permissions:

sudo chmod -R 755 /var/www
sudo chown -R www-data:www-data /var/www

Verify SELinux settings (if applicable):

sudo chcon -R -t httpd_sys_content_t /var/www

Review your access rules in Cherokee admin.

3. 404 Not Found Errors

Verify document root configuration:

# Check the document root in configuration
grep -r "document_root" /etc/cherokee

# Verify the directory exists
ls -la /var/www/your_site

Check your rule matching order and priorities.

4. 500 Internal Server Errors

Check for script or application errors:

# For PHP issues, check PHP error log
sudo tail -f /var/log/php-fpm/error.log

Verify permissions for script execution:

sudo chmod +x /var/www/html/cgi-bin/*.cgi

5. SSL/TLS Certificate Issues

Verify certificate file permissions:

sudo chmod 600 /etc/cherokee/ssl/*.key
sudo chmod 644 /etc/cherokee/ssl/*.crt
sudo chown www-data:www-data /etc/cherokee/ssl/*

Test your SSL configuration:

openssl s_client -connect example.com:443 -tls1_2

Enabling Debug Mode

For more detailed logging:

  1. Go to “General” → “Advanced”
  2. In the “Logging” section, set the error log level to “debug” or “trace”
server!error_log!level = debug

Or from the command line:

cherokee -d

Configuration Testing

To test your configuration without starting the server:

cherokee -t

Backing Up and Restoring Configuration

Always back up your configuration before making changes:

# Backup
sudo cp /etc/cherokee/cherokee.conf /etc/cherokee/cherokee.conf.bak

# Restore if needed
sudo cp /etc/cherokee/cherokee.conf.bak /etc/cherokee/cherokee.conf

Additional Resources

Official Documentation

Community Support

Useful Tools

  • cherokee-admin: Web-based administration interface
  • cherokee-tweak: Command-line tool for tweaking configuration
  • cherokee-worker-launcher: Tool for launching Cherokee workers

Books and Tutorials

  • “Cherokee Web Server: Beginner’s Guide” by Anirban Saha
  • Various online tutorials and blog posts on setting up Cherokee with different applications

Sample Configurations

Basic PHP Site

vserver!1!document_root = /var/www/html
vserver!1!directory_index = index.php,index.html

vserver!1!rule!1!match = extensions
vserver!1!rule!1!match!extensions = php
vserver!1!rule!1!handler = fcgi
vserver!1!rule!1!handler!balancer = round_robin
vserver!1!rule!1!handler!balancer!source!1 = host
vserver!1!rule!1!handler!balancer!source!1!host = 127.0.0.1:9000

vserver!1!rule!2!match = default
vserver!1!rule!2!handler = file

WordPress Installation

vserver!1!document_root = /var/www/wordpress
vserver!1!directory_index = index.php,index.html

vserver!1!rule!1!match = extensions
vserver!1!rule!1!match!extensions = php
vserver!1!rule!1!handler = fcgi
vserver!1!rule!1!handler!balancer = round_robin
vserver!1!rule!1!handler!balancer!source!1 = host
vserver!1!rule!1!handler!balancer!source!1!host = 127.0.0.1:9000

vserver!1!rule!2!match = request
vserver!1!rule!2!match!request = ^/wp-admin/
vserver!1!rule!2!handler = fcgi
vserver!1!rule!2!handler!balancer = round_robin
vserver!1!rule!2!handler!balancer!source!1 = host
vserver!1!rule!2!handler!balancer!source!1!host = 127.0.0.1:9000

vserver!1!rule!3!match = directory
vserver!1!rule!3!match!directory = /wp-content/uploads
vserver!1!rule!3!handler = file

vserver!1!rule!4!match = request
vserver!1!rule!4!match!request = ^/(wp-.+)
vserver!1!rule!4!handler = file

vserver!1!rule!5!match = default
vserver!1!rule!5!handler = file

Django Application with uWSGI

vserver!1!document_root = /var/www/django_app/static
vserver!1!directory_index = index.html

vserver!1!rule!1!match = directory
vserver!1!rule!1!match!directory = /static
vserver!1!rule!1!handler = file

vserver!1!rule!2!match = directory
vserver!1!rule!2!match!directory = /media
vserver!1!rule!2!handler = file

vserver!1!rule!3!match = default
vserver!1!rule!3!handler = uwsgi
vserver!1!rule!3!handler!balancer = round_robin
vserver!1!rule!3!handler!balancer!source!1 = socket
vserver!1!rule!3!handler!balancer!source!1!host = 127.0.0.1:8000

Security Best Practices Summary

  1. Keep Cherokee Updated: Regularly update to the latest version
  2. Minimal Information Exposure: Hide server tokens and version information
  3. Principle of Least Privilege: Run as non-root user
  4. Secure Communication: Implement TLS with strong ciphers and protocols
  5. Access Control: Use authentication and IP restrictions for sensitive areas
  6. Content Security: Implement security headers and CSP
  7. File Protections: Prevent access to sensitive file types
  8. Regular Auditing: Review logs for suspicious activity
  9. Backup Configuration: Maintain backups of working configurations
  10. Defense in Depth: Layer security controls for comprehensive protection

By following this guide, you should have a well-configured, secure, and optimized Cherokee web server. The combination of Cherokee’s performance-oriented design and its user-friendly administration interface makes it an excellent choice for many web hosting scenarios.

This post is licensed under CC BY 4.0 by the author.