freedomofpress / securedrop

GitHub repository for the SecureDrop whistleblower platform. Do not submit tips here!
https://securedrop.org/

Consider using dedicated WSGI app to run Python apps instead of Apache2 #1389

Open heartsucker opened 8 years ago

heartsucker commented 8 years ago

All the web (Tor) facing services that comprise SecureDrop should be run by a separate process from the webserver. This would allow us to use AppArmor to completely separate out the responsibilities and permissions of Tor, the webserver, and the application itself. Breaching Tor won't get you to the app files (as is already true), but further, breaching Apache2 won't get you access to anything except the config files.

Effectively, the webserver would just be a proxy that sets headers, and at this point we could also evaluate which server (Apache2, Nginx, Lighttpd) is the most secure and has the best performance.

Gunicorn would be the WSGI app of choice, and it could be wrapped in an Upstart / Systemd script easily. Gunicorn can also bind to Unix sockets, which would allow us to use AppArmor to specify that only the webserver and SecureDrop processes could talk to the socket. If I remember right, Apache doesn't play nice with sockets, which would necessitate a change of webserver.

Related: #1261

heartsucker commented 8 years ago

Just kidding, more reading says that support for Unix sockets was added in Apache 2.4.7. Link.

However, the rest of this still stands.
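To make the proposed split concrete, here is an added example (not SecureDrop's own configuration, and not from the commenter) of Apache 2.4.7+ acting purely as a header-setting reverse proxy in front of a Gunicorn worker bound to a Unix socket. The socket path `/run/securedrop/gunicorn.sock`, the `securedrop` user and group, and the `source:app` module name are assumed placeholders.

```apache
# Added example: Apache as a proxy-only front end for a Gunicorn WSGI worker.
# Assumed: mod_proxy, mod_proxy_http and mod_headers are enabled.
#
# Gunicorn side (started from a systemd/Upstart unit as the separate app user, so
# the application code is never readable by the Apache process):
#   gunicorn --bind unix:/run/securedrop/gunicorn.sock \
#            --user securedrop --group securedrop --umask 007 \
#            --workers 2 source:app
# With --umask 007 the socket is group-accessible only; adding the Apache user to
# the "securedrop" group (or a matching AppArmor file rule on the socket path in
# the Apache profile) is what limits who can connect.

<VirtualHost 127.0.0.1:80>
    ServerName localhost

    # Apache serves nothing from disk; every request is forwarded over the socket.
    # "unix:<path>|http://localhost/" is the 2.4.7+ syntax for a Unix-socket backend.
    ProxyPreserveHost On
    ProxyPass        "/" "unix:/run/securedrop/gunicorn.sock|http://localhost/"
    ProxyPassReverse "/" "http://localhost/"

    # The proxy's only remaining job is to add/normalise response headers.
    Header always set X-Content-Type-Options "nosniff"
    Header always set X-Frame-Options "DENY"
    Header always set Referrer-Policy "no-referrer"
    Header always set Cache-Control "no-store"

    # Do not leak an upstream-supplied client address into the app.
    RequestHeader unset X-Forwarded-For
</VirtualHost>
```

Note that Apache still sees and buffers every request body in plaintext in this layout; the socket only narrows which processes can reach the application, it does not stop a compromised proxy from reading traffic.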

psivesely commented 7 years ago

We've talked briefly about this internally. It should be noted that Apache still buffers requests and replies (including plaintext submissions), and that OSSEC monitors that app files are not modified. Even if you just compromise Apache, you should still be able to spy on and modify all requests and responses.

I believe it is standard that TLS (which only The Intercept uses at the moment, but hopefully in the future will be better supported for .onions) is handled by the web server. However, from some brief research it seems like you may be able to handle that from Gunicorn and use nginx (which Gunicorn recommends) as a proxy server. Don't quote me on this, but it may be the case that if you do this nginx would only be able to observe TLS traffic.

I think there is still a lot more consideration that needs to go into this, but to me it seems like this idea represents a minor security improvement (if you can't ensure the web server only sees TLS traffic), and a moderate improvement (if you can ensure the web server only sees TLS traffic).

I also think there are a number of unrelated reasons to prefer nginx over Apache. Another server I find interesting is caddy, but I don't know if it's been tested and audited enough to be a viable candidate for the SecureDrop platform.

zenmonkeykstop commented 4 years ago

Relevant to #5084 - moving to Gunicorn or similar should allow for the apparmor rules there to be applied.