⚠️ CRITICAL WARNING: UNMAINTAINED PROJECT
Cherokee is no longer actively developed (last release: December 2013). Hardening measures can reduce risk but cannot fix unpatched vulnerabilities.
For new deployments, use modern alternatives: Nginx, Caddy, or Apache.
This guide provides hardening measures for legacy Cherokee deployments. These controls reduce risk but do not eliminate it due to the unmaintained status of the project.
┌─────────────────────────────────────────────────────────────┐
│ Internet │
└─────────────────────────────────────────────────────────────┘
│
▼
┌─────────────────────────────────────────────────────────────┐
│ Layer 1: Modern Reverse Proxy (Nginx/Caddy) │
│ - TLS 1.3 termination │
│ - Rate limiting │
│ - WAF rules │
└─────────────────────────────────────────────────────────────┘
│
▼
┌─────────────────────────────────────────────────────────────┐
│ Layer 2: Firewall Rules │
│ - Restrict ports │
│ - IP whitelisting │
└─────────────────────────────────────────────────────────────┘
│
▼
┌─────────────────────────────────────────────────────────────┐
│ Layer 3: Cherokee (Hardened) │
│ - Minimal modules │
│ - Restricted admin UI │
│ - Non-root user │
└─────────────────────────────────────────────────────────────┘
Never expose the admin UI to public networks. cherokee-admin binds to 127.0.0.1:9090 by default; `-b` with no address binds every interface, so always pass the address explicitly. It prints a one-time login password on startup; never start it with `-u` (unsecured mode, no password), and stop it once configuration is done, since it is a second, unmaintained HTTP service.
# Bind admin to localhost only (default port 9090)
cherokee-admin -b 127.0.0.1
# Or use an SSH tunnel for remote access, then browse http://localhost:9090 on the client
ssh -L 9090:localhost:9090 user@server
UFW (Ubuntu/Debian):
# Default deny
sudo ufw default deny incoming
# Allow HTTP/HTTPS only from trusted networks (in the reverse-proxy layout these are Nginx's ports; Cherokee's backend port 8080 stays on loopback and is covered by the default deny)
sudo ufw allow from 10.0.0.0/8 to any port 80 proto tcp
sudo ufw allow from 10.0.0.0/8 to any port 443 proto tcp
# Block admin UI from all (redundant under default deny, but it states the intent and protects against a later broad "allow from" rule; ufw matches in order, so keep it ahead of any such rule)
sudo ufw deny 9090/tcp
# Enable firewall
sudo ufw enable
firewalld (RHEL/CentOS):
# Remove default services
sudo firewall-cmd --permanent --remove-service=http
sudo firewall-cmd --permanent --remove-service=https
# Add restricted zones
sudo firewall-cmd --permanent --new-zone=cherokee
sudo firewall-cmd --permanent --zone=cherokee --add-port=80/tcp
sudo firewall-cmd --permanent --zone=cherokee --add-port=443/tcp
# Assign source IPs
sudo firewall-cmd --permanent --zone=cherokee --add-source=10.0.0.0/8
# Apply changes
sudo firewall-cmd --reload
Cherokee's TLS code targets OpenSSL 1.x and does not build or run against OpenSSL 3, so do not terminate TLS in Cherokee. Place it behind a modern reverse proxy and make Cherokee listen on loopback only (`server!bind!1!interface = 127.0.0.1` and `server!bind!1!port = 8080` in cherokee.conf), otherwise the proxy's TLS, rate limiting and WAF rules can be bypassed by talking to port 8080 directly:
Nginx example:
server {
    listen 443 ssl http2;
    server_name example.com;

    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    # ssl_ciphers only governs TLS 1.2; the TLS 1.3 suites are fixed by nginx/OpenSSL
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;

    location / {
        proxy_pass http://127.0.0.1:8080;   # Cherokee backend, loopback only
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
# Remove default virtual host content
sudo rm -rf /var/www/html/*
# Remove sample configurations
sudo rm -f /etc/cherokee/*.sample
sudo rm -f /etc/cherokee/examples/*
Edit /etc/cherokee/cherokee.conf. The key names below follow the layout cherokee-admin writes; rule numbers differ per install, so find the matching rule in your own file instead of copying the numbers, and run `cherokee -t` afterwards:
# Disable directory listing: the "common" handler takes allow_dirlist (there is no "list" property)
vserver!1!rule!1!handler = common
vserver!1!rule!1!handler!allow_dirlist = 0
# Disable status pages: Cherokee exposes its status through the server_info handler attached to a rule
# (the "Server Info" page, usually /about). Delete that rule; there is no global status switch.
# Disable unused handlers: remove the rule blocks for handlers you don't need (cgi, fcgi, scgi, proxy, dirlist, ...)
# Configuration file: readable by root and the service account only, since it can hold
# validator credentials (LDAP bind or MySQL passwords); with User=cherokee the service must still be able to read it
sudo chown root:cherokee /etc/cherokee/cherokee.conf
sudo chmod 640 /etc/cherokee/cherokee.conf
# Log directory
sudo chown cherokee:adm /var/log/cherokee
sudo chmod 755 /var/log/cherokee
# Data directory
sudo chown cherokee:cherokee /var/lib/cherokee
sudo chmod 755 /var/lib/cherokee
# Reduce the Server header to the product name only. server!server_tokens accepts
# product, minor, minimal, os or full; "0" is not a valid value and "product" is the most restrictive.
server!server_tokens = product
# Cherokee has no free-form Server string. To hide the banner entirely, do it at the proxy:
# in nginx, proxy_hide_header Server; for the upstream header and server_tokens off; for nginx's own.
# Create dedicated user (if not exists): system account, no login shell
sudo useradd -r -s /usr/sbin/nologin cherokee
# Update service configuration. Cherokee's traditional model is to start as root, bind its
# ports and then drop to the account in server!user / server!group. Under a systemd User= it
# never has root, so it can only bind unprivileged ports (8080 behind the proxy) unless you
# grant CAP_NET_BIND_SERVICE via AmbientCapabilities. Keep server!user and server!group
# consistent with User= (or remove them) so Cherokee does not try to switch to a different account.
sudo systemctl edit cherokee
Add:
[Service]
User=cherokee
Group=cherokee
Extend the same override (sudo systemctl edit cherokee opens it again; systemd merges repeated [Service] sections):
sudo systemctl edit cherokee
Add security hardening:
[Service]
# Filesystem protection: read-only / and /usr, private /tmp, writable only where Cherokee needs it
ProtectSystem=strict
ProtectHome=true
PrivateTmp=true
ReadWritePaths=/var/log/cherokee /var/lib/cherokee
# Runtime directory for a PID file or socket, created as /run/cherokee and owned by User=
RuntimeDirectory=cherokee
# Network restrictions: TCP/IP only. Add AF_UNIX if a FastCGI/SCGI backend or syslog is reached over a Unix socket
RestrictAddressFamilies=AF_INET AF_INET6
# Capability restrictions: nothing is granted (AmbientCapabilities is empty), which is fine while
# Cherokee listens on 8080 behind the proxy. To bind 80/443 directly, add AmbientCapabilities=CAP_NET_BIND_SERVICE
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
AmbientCapabilities=
# System call filtering
SystemCallArchitectures=native
SystemCallFilter=@system-service
# Kernel and device isolation
PrivateDevices=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectControlGroups=true
# Restrict privileges
NoNewPrivileges=true
RestrictSUIDSGID=true
# CPU and memory limits (MemoryMax replaces the deprecated MemoryLimit on cgroup v2 systems)
CPUQuota=50%
MemoryMax=512M
# File descriptor and task limits. NPROC counts threads, so keep it above Cherokee's worker thread count
LimitNOFILE=65535
LimitNPROC=64
# Core dumps off: a dump of a web server process can contain request data and credentials
LimitCORE=0
# For source builds, monitor upstream. The repository still receives occasional commits but no
# releases or security advisories; pull only from a remote you trust and review `git log` before building,
# since whatever you build is unaudited code you now maintain yourself.
cd /usr/local/src/cherokee
git pull
make clean
make
sudo make install
sudo systemctl restart cherokee
⚠️ Note: Official releases stopped in 2013. Source builds may fail on modern systems (notably against OpenSSL 3, see the reverse proxy section).
# Request limits. server!timeout, server!keepalive and server!keepalive_max_requests are standard
# cherokee-admin keys; the size and rate-limit keys below are not part of the stock generated
# configuration, so run `cherokee -t -C /etc/cherokee/cherokee.conf` after adding them and confirm
# each limit with a test request rather than trusting the file. Enforce the same limits at the proxy
# regardless (nginx: client_max_body_size, large_client_header_buffers, limit_req_zone/limit_req);
# that is the layer where they are guaranteed to apply. Keep comments on their own line.
# Maximum request size (10 MB)
server!max_request_size = 10485760
# Maximum header size
server!max_header_size = 8192
# Request rate limiting
server!limit!reqs_per_second = 100
server!limit!burst = 200
# Connection timeouts
server!timeout = 30
server!keepalive = 1
server!keepalive_max_requests = 50
server!keepalive_timeout = 5
Set these at the reverse proxy (nginx add_header), which is the layer that serves every response. X-XSS-Protection is deprecated and ignored by current browsers, and "1; mode=block" has been used as a side channel in older ones, so send 0 or omit it. Test Content-Security-Policy before enforcing: default-src 'self' blocks inline scripts and styles.
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 0
Content-Security-Policy: default-src 'self'
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy: geolocation=(), microphone=(), camera=()
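To confirm the headers above are actually on the wire, here is an added shell audit (example code, not from the Cherokee project): it normalises raw response headers, reports the required headers that are missing, a Server banner that leaks a version, and a non-zero X-XSS-Protection. The two sample responses are constructed for this example; the required-header list and the "version looks like digits.digits" heuristic are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the Cherokee project): audit the security headers a server
# actually emits. Feed it raw headers, e.g.  curl -sI https://example.com/ | audit_headers
# or the bare backend:  curl -sI http://127.0.0.1:8080/ | audit_headers
set -eu

# Headers the checklist requires. X-XSS-Protection is deliberately not on the list:
# it is deprecated and only tolerated with the value 0.
REQUIRED_HEADERS="x-frame-options x-content-type-options content-security-policy referrer-policy permissions-policy"

# Turn raw HTTP response headers (stdin) into "name<TAB>value" lines with lower-cased
# names, stopping at the blank line that ends the header block.
normalize_headers() {
  tr -d '\r' | awk '
    /^$/      { exit }
    /^HTTP\// { next }
    {
      i = index($0, ":"); if (i == 0) next
      name = tolower(substr($0, 1, i - 1))
      value = substr($0, i + 1); sub(/^[ \t]+/, "", value)
      print name "\t" value
    }'
}

# header_value NAME NORMALIZED : print the value of NAME, empty if absent
header_value() {
  printf '%s\n' "$2" | awk -F'\t' -v k="$1" '$1 == k { print $2; exit }'
}

# audit_headers : read one response on stdin, print one finding per line,
# return 0 only when nothing was found.
audit_headers() {
  hdrs=$(normalize_headers)
  findings=0
  for h in $REQUIRED_HEADERS; do
    if [ -z "$(header_value "$h" "$hdrs")" ]; then
      echo "MISSING: $h"
      findings=$((findings + 1))
    fi
  done
  # A banner with a version number (e.g. Cherokee/1.2.104) tells an attacker exactly
  # which unpatched code base sits behind the proxy.
  server=$(header_value server "$hdrs")
  if printf '%s' "$server" | grep -Eq '[0-9]+\.[0-9]+'; then
    echo "LEAK: Server header reveals a version ($server)"
    findings=$((findings + 1))
  fi
  xss=$(header_value x-xss-protection "$hdrs")
  if [ -n "$xss" ] && [ "$xss" != "0" ]; then
    echo "DEPRECATED: X-XSS-Protection should be 0 or absent, got '$xss'"
    findings=$((findings + 1))
  fi
  [ "$findings" -eq 0 ]
}

# Constructed sample: what a bare Cherokee backend answers
sample_backend_response() {
  cat <<'EOF'
HTTP/1.1 200 OK
Server: Cherokee/1.2.104 (Ubuntu)
Content-Type: text/html
X-XSS-Protection: 1; mode=block

<html>...
EOF
}

# Constructed sample: the same page once the proxy adds the headers and hides the banner
sample_proxied_response() {
  cat <<'EOF'
HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self'
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy: geolocation=(), microphone=(), camera=()

<html>...
EOF
}

echo "== raw backend =="
sample_backend_response | audit_headers || true
echo "== behind proxy =="
sample_proxied_response | audit_headers && echo "clean"
```

Run it against both the public hostname and the loopback backend: if the backend answers at all from another host, the proxy is being bypassed, and if the proxied response still shows the Cherokee banner, proxy_hide_header is missing.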
# Allow only necessary methods. Cherokee's "method" rule matches a single method, so the
# form "method!GET|HEAD|POST" is not valid syntax. The Cherokee-side pattern is one
# higher-priority rule (higher rule number) per unwanted method that answers 405; repeat
# for delete, options, trace, ... using rule numbers from your generated config:
vserver!1!rule!10!match = method
vserver!1!rule!10!match!method = put
vserver!1!rule!10!handler = custom_error
vserver!1!rule!10!handler!error = 405
# The proxy is the simpler place for an allowlist: `limit_except GET POST { deny all; }`
# inside the nginx location block (GET implies HEAD; everything else gets 403).
# Logging is configured per virtual server, not under server!log (keys as cherokee-admin writes them)
# Access log, Apache "combined" format
vserver!1!logger = combined
vserver!1!logger!access!type = file
vserver!1!logger!access!filename = /var/log/cherokee/access.log
# Error log
vserver!1!error_writer!type = file
vserver!1!error_writer!filename = /var/log/cherokee/error.log
# /etc/logrotate.d/cherokee
/var/log/cherokee/*.log {
    daily
    rotate 30
    compress
    delaycompress
    missingok
    notifempty
    create 0640 cherokee adm
    # run postrotate once for all matched files, not once per file
    sharedscripts
    postrotate
        # Cherokee reopens its log files on SIGHUP; fall back to a direct HUP if the unit has no ExecReload
        systemctl reload cherokee 2>/dev/null || systemctl kill -s HUP cherokee
    endscript
}
Forward logs to a central logging system (rsyslog, ELK, etc.). Cherokee writes to files, so a `:programname` filter on "cherokee" only matches if the error writer is switched to syslog; for the file-based setup above, have rsyslog tail the files with imfile and ship them (replace the collector hostname; use rsyslog's TLS driver rather than plain TCP for anything leaving the host):
# /etc/rsyslog.d/cherokee.conf
module(load="imfile")
input(type="imfile" File="/var/log/cherokee/access.log" Tag="cherokee-access" Facility="local6" Severity="info")
input(type="imfile" File="/var/log/cherokee/error.log" Tag="cherokee-error" Facility="local6" Severity="warning")
if $programname startswith "cherokee-" then @@logs.example.internal:514
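Shipping the logs is only useful if something reads them. The following is an added example (not Cherokee project code) of two detections over "combined" access-log lines such as the logger above produces: clients exceeding a per-minute request threshold, and requests using methods outside the GET/HEAD/POST allowlist or probing for the admin UI, path traversal or server internals. The log lines are constructed for this example; the threshold and the path pattern are assumptions to tune per site.

```shell
#!/usr/bin/env bash
# Added example (not from the Cherokee project): detections over combined-format
# access-log lines. Use on a live box as:  burst_ips 300 < /var/log/cherokee/access.log
set -eu

# burst_ips LIMIT : print "count ip minute" for every client that sent more than LIMIT
# requests within one clock minute. Field 1 is the client IP and field 4 is
# "[dd/Mon/yyyy:HH:MM:SS", so substr(4, 2, 17) is the minute bucket.
burst_ips() {
  awk -v limit="$1" '
    { key = $1 " " substr($4, 2, 17); n[key]++ }
    END { for (k in n) if (n[k] > limit) print n[k], k }' | sort -rn
}

# suspicious_requests : flag methods outside the GET/HEAD/POST allowlist and paths that
# probe for the admin UI, traversal or server internals. Prints "ip reason" per hit.
# The path pattern is an assumption; extend it with your application's sensitive routes.
suspicious_requests() {
  awk '
    BEGIN { probe = "/\\.\\.|%2e%2e|/cherokee|/admin|/\\.git|/etc/passwd|\\.conf$" }
    {
      method = substr($6, 2)          # strip the opening quote of "GET /path HTTP/1.1"
      path = $7
      reason = ""
      if (method != "GET" && method != "HEAD" && method != "POST")
        reason = "method " method
      if (tolower(path) ~ probe)
        reason = (reason != "" ? reason "; " : "") "path " path
      if (reason != "") print $1, reason
    }'
}

# Constructed sample log (combined format): one chatty client, one scanner, one traversal attempt
sample_access_log() {
  cat <<'EOF'
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "GET /about HTTP/1.1" 200 410 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "GET /contact HTTP/1.1" 200 380 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:39 +0000] "GET /news HTTP/1.1" 200 900 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "GET /blog HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Oct/2023:13:56:01 +0000] "TRACE / HTTP/1.1" 405 0 "-" "curl/8.4.0"
198.51.100.23 - - [10/Oct/2023:13:56:02 +0000] "GET /cherokee-admin/ HTTP/1.1" 404 162 "-" "curl/8.4.0"
192.0.2.9 - - [10/Oct/2023:13:56:10 +0000] "GET /../../etc/passwd HTTP/1.1" 400 0 "-" "python-requests/2.31"
192.0.2.9 - - [10/Oct/2023:13:56:11 +0000] "POST /login HTTP/1.1" 200 88 "-" "Mozilla/5.0"
EOF
}

echo "== clients over 5 requests/minute =="
sample_access_log | burst_ips 5
echo "== suspicious requests =="
sample_access_log | suspicious_requests
```

Because the proxy is the only thing that should ever talk to Cherokee, the client address in Cherokee's own log is 127.0.0.1 unless the X-Forwarded-For header is logged; run these detections on the proxy's access log, or keep the Cherokee log for correlating backend errors.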
# Validate configuration syntax (Cherokee takes the config path with -C; there is no -f)
cherokee -t -C /etc/cherokee/cherokee.conf
# Check running user (pgrep avoids matching the grep itself; prints nothing if Cherokee runs as root)
pgrep -a -u cherokee cherokee || echo "cherokee is not running as user cherokee"
# Check open ports (ss replaces the deprecated netstat; 8080 and 9090 must show 127.0.0.1 only)
sudo ss -tlnp | grep -E 'cherokee|:(8080|9090) '
# Check file permissions
ls -la /etc/cherokee/
ls -la /var/log/cherokee/
# Check systemd hardening actually took effect
systemctl show cherokee | grep -E "^(User|Protect|Private|Restrict|NoNewPrivileges|CapabilityBoundingSet)"
# Port scan (from external host): only the proxy's 80/443 should answer; 8080 and 9090 must be filtered or closed
nmap -sV -sC SERVER_IP
# TLS test (the proxy terminates TLS, so this tests Nginx/Caddy, not Cherokee)
testssl.sh SERVER_IP:443
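The two checks most worth automating are "nothing but the proxy is reachable" and "the systemd override really applied". Here is an added example (not Cherokee project code) that turns them into functions parsing `ss -Hltn` and `systemctl show` output, so the same code runs against live output or, as here, against constructed samples. The sample listener table and unit properties are constructed for this example; which ports must stay on loopback is an assumption matching the layout above.

```shell
#!/usr/bin/env bash
# Added example (not from the Cherokee project). Live use on the server:
#   ss -Hltn | check_loopback_only 8080 9090
#   systemctl show cherokee | check_unit_hardening
set -eu

# check_loopback_only PORT... : read `ss -Hltn` lines on stdin and fail if any of the
# given ports is bound to anything but the loopback address.
# Field 4 of ss output is "local-address:port", e.g. 127.0.0.1:8080 or [::]:9090.
check_loopback_only() {
  awk -v ports="$*" '
    BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
    {
      i = match($4, /:[0-9]+$/); if (i == 0) next
      port = substr($4, i + 1); host = substr($4, 1, i - 1)
      if (!(port in want)) next
      if (host != "127.0.0.1" && host != "[::1]" && host != "::1") {
        print "EXPOSED: port " port " bound to " host; bad = 1
      }
    }
    END { exit (bad ? 1 : 0) }'
}

# check_unit_hardening : read "Key=Value" lines from `systemctl show cherokee` on stdin
# and fail unless the hardening override is in effect. systemctl prints booleans as yes/no
# and capability names in lower case.
check_unit_hardening() {
  awk -F= '
    { v[$1] = $2 }
    END {
      if (v["User"] == "" || v["User"] == "root") { print "FAIL: service runs as root"; bad = 1 }
      if (v["NoNewPrivileges"] != "yes")          { print "FAIL: NoNewPrivileges not set"; bad = 1 }
      if (v["ProtectSystem"] != "strict")         { print "FAIL: ProtectSystem=" v["ProtectSystem"]; bad = 1 }
      if (v["PrivateTmp"] != "yes")               { print "FAIL: PrivateTmp not set"; bad = 1 }
      if (tolower(v["CapabilityBoundingSet"]) ~ /cap_sys_admin|cap_dac_override/) {
        print "FAIL: capability bounding set too broad"; bad = 1
      }
      exit (bad ? 1 : 0)
    }'
}

# Constructed sample: proxy on 80/443, Cherokee correctly on loopback 8080,
# but cherokee-admin left listening on all interfaces.
sample_ss_output() {
  cat <<'EOF'
LISTEN 0 511 0.0.0.0:80 0.0.0.0:*
LISTEN 0 511 0.0.0.0:443 0.0.0.0:*
LISTEN 0 128 127.0.0.1:8080 0.0.0.0:*
LISTEN 0 5 0.0.0.0:9090 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
EOF
}

# Constructed sample: unit properties after the override from this guide
sample_unit_hardened() {
  cat <<'EOF'
User=cherokee
NoNewPrivileges=yes
ProtectSystem=strict
PrivateTmp=yes
CapabilityBoundingSet=cap_net_bind_service
EOF
}

# Constructed sample: a stock unit with no override
sample_unit_default() {
  cat <<'EOF'
User=
NoNewPrivileges=no
ProtectSystem=no
PrivateTmp=no
CapabilityBoundingSet=cap_chown cap_dac_override cap_sys_admin
EOF
}

echo "== listeners (sample) =="
sample_ss_output | check_loopback_only 8080 9090 || echo "admin UI or backend reachable off-box"
echo "== unit (sample) =="
sample_unit_default | check_unit_hardening || echo "hardening override not applied"
```

Run both from a cron job or your configuration-management post-apply hook; a non-zero exit from either is the signal that a later change (a package upgrade rewriting the unit, someone starting cherokee-admin with a bare -b) has undone the hardening.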