⚠️ CRITICAL SECURITY WARNING
Cherokee has been unmaintained since December 2013 and has known, unresolved security problems:
- OpenSSL 3 incompatibility - Cannot use modern TLS libraries
- No security patches - Vulnerabilities discovered since 2014 are unpatched
- CVE-2020-10108 - DoS vulnerability in versions 0.4.27-1.2.104 (unpatched)
- Deprecated dependencies - Python 2.7 (EOL 2020), outdated crypto libraries
Recommendation: Do not use Cherokee for new deployments or in production environments exposed to the internet. Use Nginx, Caddy, or Apache instead.
| Risk Factor | Status | Impact |
|---|---|---|
| Project Status | ❌ Unmaintained (10+ years) | Critical |
| Security Patches | ❌ None since 2013 | Critical |
| TLS/SSL Support | ⚠️ OpenSSL 1.x only (EOL) | High |
| Known CVEs | ⚠️ At least 1 unpatched DoS | Medium |
| Dependency Status | ❌ Python 2.7 (EOL) | High |
If you must run Cherokee (legacy/historical use only), implement these minimum security controls:
```bash
# UFW firewall rules: allow only trusted networks to reach the web ports.
# Allow SSH from the management network before enabling UFW, or the
# default-deny policy will lock you out of the box.
sudo ufw default deny incoming
sudo ufw allow from 10.0.0.0/8 to any port 22 proto tcp
sudo ufw allow from 10.0.0.0/8 to any port 80 proto tcp
sudo ufw allow from 10.0.0.0/8 to any port 443 proto tcp
sudo ufw deny 9090/tcp   # Block the cherokee-admin UI explicitly
sudo ufw enable
```

Never expose cherokee-admin on a network interface; bind it to loopback and reach it over an SSH tunnel:

```bash
# On the server: admin UI listens on 127.0.0.1:9090 only
cherokee-admin -b 127.0.0.1
# On your workstation: forward local port 9090 through SSH
ssh -L 9090:localhost:9090 user@server
# Then browse to http://localhost:9090 and log in with the one-time
# password cherokee-admin prints on its console at startup
```
Since Cherokee cannot be built against OpenSSL 3, do not let it speak TLS at all: terminate TLS at a maintained reverse proxy and bind Cherokee to loopback so it only ever receives plain HTTP from the proxy:

Internet → [Nginx/Caddy with TLS 1.3] → [Cherokee (HTTP only, 127.0.0.1)]

This keeps the end-of-life OpenSSL 1.x code off the network edge, gives clients TLS 1.3 and current cipher suites, and lets you enforce body-size and request-rate limits at the proxy instead of in unmaintained code.
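The proxy and bind configuration for that layout, as an added example (it is not code from the Cherokee project or from the original page). The Nginx site assumes the hostname, certificate paths and upstream port passed as arguments; the `server!bind!N!port`, `server!bind!N!interface` and `server!server_tokens` key names are assumed from the format cherokee-admin writes and should be checked against your own generated cherokee.conf. The audit function exists because cherokee-admin can re-save a bind without the loopback interface, silently putting Cherokee back on the public interface.

```shell
#!/bin/sh
# Added example, not Cherokee project code. Writes the Nginx TLS-terminating site,
# writes the cherokee.conf bind lines that keep Cherokee on loopback, and audits an
# existing cherokee.conf for binds that are not loopback-only.
# Assumptions: hostname/cert paths/port are supplied by the caller; the cherokee.conf
# key names below follow the format cherokee-admin writes (verify against your file).

# write_proxy_conf DEST_FILE SERVER_NAME UPSTREAM_PORT CERT_PEM KEY_PEM
write_proxy_conf() {
    dest=$1 name=$2 port=$3 cert=$4 key=$5
    cat > "$dest" <<EOF
# Per-client request-rate zone (http context; sites-enabled files are included there)
limit_req_zone \$binary_remote_addr zone=cherokee:10m rate=10r/s;

# Plain HTTP is only a redirect; Cherokee never sees cleartext from the internet.
server {
    listen 80;
    server_name $name;
    return 301 https://\$host\$request_uri;
}

server {
    listen 443 ssl;
    server_name $name;

    ssl_certificate     $cert;
    ssl_certificate_key $key;
    ssl_protocols TLSv1.3;
    add_header Strict-Transport-Security "max-age=31536000" always;
    server_tokens off;

    # The proxy, not Cherokee, enforces body-size and request-rate limits.
    client_max_body_size 10m;
    limit_req zone=cherokee burst=20 nodelay;

    location / {
        proxy_pass http://127.0.0.1:$port;
        proxy_set_header Host \$host;
        proxy_set_header X-Real-IP \$remote_addr;
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}
EOF
}

# write_cherokee_bind DEST_FILE UPSTREAM_PORT
# Cherokee listens on loopback only and stops advertising its version.
write_cherokee_bind() {
    cat > "$1" <<EOF
server!bind!1!port = $2
server!bind!1!interface = 127.0.0.1
server!server_tokens = product
EOF
}

# audit_binds CHEROKEE_CONF
# Exit 0 if every server!bind!N carries interface = 127.0.0.1; otherwise print
# each offending bind and exit 1. Run it after every cherokee-admin save.
audit_binds() {
    awk -F' *= *' '
        /^server!bind![0-9]+!port/      { split($1, k, "!"); port[k[3]] = $2 }
        /^server!bind![0-9]+!interface/ { split($1, k, "!"); iface[k[3]] = $2 }
        END {
            bad = 0
            for (n in port)
                if (iface[n] != "127.0.0.1") {
                    print "bind " n " (port " port[n] ") is not loopback-only"
                    bad = 1
                }
            exit bad
        }' "$1"
}

# Usage (as root; paths are assumptions):
#   write_proxy_conf /etc/nginx/sites-available/cherokee web.example.internal 8080 \
#       /etc/ssl/cherokee-proxy/fullchain.pem /etc/ssl/cherokee-proxy/privkey.pem
#   nginx -t && systemctl reload nginx
#   audit_binds /etc/cherokee/cherokee.conf
```

Because Cherokee now sees every request as coming from 127.0.0.1, any per-client logic (IP allow-lists, rate limits) has to live at the proxy or read the X-Forwarded-For header the proxy sets.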
Run Cherokee as a dedicated, unprivileged account and tell the server to drop to it:

```bash
# Create a non-login service account
sudo useradd -r -s /usr/sbin/nologin cherokee
# Give it ownership of runtime state and logs only; keep the document root
# owned by root so the service account cannot modify served content
sudo chown -R cherokee:cherokee /var/lib/cherokee
sudo chown -R cherokee:adm /var/log/cherokee
```

```
# In cherokee.conf: drop privileges to that account after binding the ports
server!user = cherokee
server!group = cherokee
```
Reduce attack surface by disabling every handler, plugin and virtual server you do not actually use.
Enforce request-rate and body-size limits at the reverse proxy (for example Nginx `limit_req` and `client_max_body_size`); within Cherokee, bound what a single connection can consume with the global timeout, the keep-alive request cap and per-rule traffic shaping:

```
# In cherokee.conf (key names as written by cherokee-admin; check against your file)
server!timeout = 30                   # seconds an idle connection is held before being dropped
server!keepalive = 1
server!keepalive_max_requests = 100   # cap requests served per keep-alive connection
server!server_tokens = product        # do not advertise version/OS in the Server header
# Per-rule traffic shaping (the rule's "Traffic Shaping" setting): bytes/second
vserver!1!rule!10!rate = 102400
vserver!1!rule!10!timeout = 15
```
Restrict access by IP. An `ip` match rule on its own only selects which handler serves matching clients; to actually exclude everyone else, the lowest-priority default rule must return an error:

```
# Rule 10: serve files only to the trusted network
vserver!1!rule!10!match = ip
vserver!1!rule!10!match!from!1 = 192.168.1.0/24
vserver!1!rule!10!handler = file
# Rule 1 (default, evaluated last): everything else gets 403
vserver!1!rule!1!match = default
vserver!1!rule!1!handler = custom_error
vserver!1!rule!1!handler!error = 403
```

If Cherokee sits behind the reverse proxy described above, every request arrives from the proxy's address, so IP restrictions must be applied at the proxy instead.
Cherokee configures access and error logging per virtual server:

```
# Access log in combined format, written to a file
vserver!1!logger = combined
vserver!1!logger!access!type = file
vserver!1!logger!access!filename = /var/log/cherokee/access.log
# Error log
vserver!1!error_writer!type = file
vserver!1!error_writer!filename = /var/log/cherokee/error.log
```
Forward logs to a central logging system. Cherokee writes to files, not to syslog, so have rsyslog tail those files and ship them to the collector (the collector hostname below is a placeholder):

```bash
# rsyslog: tail Cherokee's log files and forward them to the central collector
sudo tee /etc/rsyslog.d/cherokee.conf > /dev/null << 'EOF'
module(load="imfile")
input(type="imfile" File="/var/log/cherokee/access.log" Tag="cherokee-access:" Severity="info" Facility="local6")
input(type="imfile" File="/var/log/cherokee/error.log" Tag="cherokee-error:" Severity="warning" Facility="local6")
if $syslogtag startswith 'cherokee-' then @@logs.example.internal:514
EOF
sudo systemctl restart rsyslog
```
Set up alerts on the forwarded logs; at minimum, alert on bursts of requests from a single client and on spikes in 4xx/5xx responses, which are the visible symptoms of the malformed-request DoS described above.
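A minimal detection pass for those alerts, as an added example that is not part of the original page: it reads combined-format access log lines (the format configured above) and flags any client that exceeds a per-minute request threshold or an error-response count. The log lines, addresses and thresholds are constructed for the example; the status code is located by pattern rather than by field number so that malformed request strings containing spaces do not shift it.

```shell
#!/bin/sh
# Added example, not Cherokee project code: flag noisy or erroring clients in a
# combined-format access log. Sample data and thresholds are constructed.

# Constructed sample lines in combined format (RFC 5737 documentation addresses).
SAMPLE_LOG='203.0.113.7 - - [12/May/2024:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [12/May/2024:10:00:02 +0000] "GET /about HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
198.51.100.9 - - [12/May/2024:10:00:03 +0000] "GET /cgi-bin/a HTTP/1.1" 400 0 "-" "-"
198.51.100.9 - - [12/May/2024:10:00:03 +0000] "GET /cgi-bin/b HTTP/1.1" 400 0 "-" "-"
198.51.100.9 - - [12/May/2024:10:00:04 +0000] "GET /cgi-bin/c HTTP/1.1" 500 0 "-" "-"
198.51.100.9 - - [12/May/2024:10:00:04 +0000] "GET /cgi-bin/d HTTP/1.1" 400 0 "-" "-"
192.0.2.55 - - [12/May/2024:10:00:05 +0000] "POST /upload HTTP/1.1" 413 0 "-" "curl/8.0"'

# flag_clients LOGFILE MAX_REQUESTS_PER_MINUTE MAX_ERROR_RESPONSES
# Prints one "ALERT rate <ip> <minute> <count>" line per client/minute above the
# request threshold and one "ALERT errors <ip> <count>" line per client whose
# 4xx/5xx responses exceed the error threshold.
flag_clients() {
    awk -v max_rate="$2" -v max_err="$3" '
    {
        ip = $1
        minute = substr($4, 2, 17)        # "[12/May/2024:10:00:01" -> "12/May/2024:10:00"
        rate[ip, minute]++
        # Status is the 3-digit token right after the closing quote of the request
        # line; matching it by pattern survives request strings with extra spaces.
        if (match($0, /" [0-9][0-9][0-9] /)) {
            status = substr($0, RSTART + 2, 3)
            if (status + 0 >= 400) err[ip]++
        }
    }
    END {
        for (k in rate)
            if (rate[k] > max_rate) {
                split(k, p, SUBSEP)
                print "ALERT rate " p[1] " " p[2] " " rate[k]
            }
        for (ip in err)
            if (err[ip] > max_err)
                print "ALERT errors " ip " " err[ip]
    }' "$1"
}

# Usage against the live log (thresholds are a starting point, tune per site):
#   flag_clients /var/log/cherokee/access.log 300 50
```

Run it from cron or from the central collector's own alerting; in a real deployment the thresholds should be derived from baseline traffic, and the same logic applies unchanged to the proxy's access log, which is the better source once Cherokee only sees 127.0.0.1.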
| Issue | Description | Status |
|---|---|---|
| CVE-2020-10108 | DoS via malformed requests | ❌ Unpatched |
| OpenSSL issues | Multiple TLS vulnerabilities | ❌ Cannot patch (requires OpenSSL 3) |
| Python 2.7 issues | Multiple Python vulnerabilities | ❌ Cannot patch (EOL) |
⚠️ Warning: Running unmaintained software may violate compliance requirements.
| Standard | Impact |
|---|---|
| PCI DSS | Likely non-compliant (Requirement 6.2) |
| HIPAA | May violate security rule |
| SOC 2 | Control deficiencies expected |
| GDPR | Potential Article 32 violations |
For compliance audits, see Ansible for Auditors.
See Cherokee Hardening for server-specific hardening details.