"Fabio Pietrosanti (naif) - lists" lists@infosecurity.ch writes:
GlobaLeaks embeds a webserver based on the Twisted framework, integrates txtorcon for automatic generation of onion addresses and also LetsEncrypt to have HTTPS (on the internet-side, if required), everything apparmored, debian packaged, etc
[..]
Do you think it would be useful to get a 1-cmdline install self-contained software like GlobaLeaks, disabling the "whistleblowing" functionalities, leaving all of the rest in-place as a static, hardened webserver for .onion, with multiple-site and a web-admin interface?
I think Twisted-web is a great choice of web-server for these use-cases: there's "txacme" for fully automated Let's Encrypt (obviously, that doesn't work for .onion), a long-tested production-ready Web-server that does WSGI so can "front" any popular Python framework, is easy to set up and of course txtorcon that can automate .onion setup (v3 support is on master if anyone wants to play with that). It's all written in a relatively-safer high-level language but still can handle pretty massive throughput -- e.g. 175k HTTP reqs/sec on one core under PyPy and 12+Gb/s on 40 cores with dynamic (but short) content; see this repo for benchmarks:
https://github.com/crossbario/crossbar-examples/tree/master/benchmark/web
Probably the *most* useful (IMO) with somewhat less work involved would be a HOWTO-style guide: the basic setup, and then "bonus" sections for things like "WSGI" or "reverse-proxy to my actual application" and links for how to harden your actual machine setup along with common pitfalls (e.g. accidentally listening on 0.0.0.0 instead of 127.0.0.1 etc). That said, some kind of stripped-down SecureDrop might also work nicely :)
There's already really a "1-click install" version of the above for static files on Debian, as mentioned in txtorcon documentation:

sudo apt-get install --install-suggests python-txtorcon
twistd web --port "onion:80" --path ~/public_html
That gives you a high-quality Twisted web server on a (new) .onion domain serving static files from ~/public_html (you can include the keys in the "onion:" endpoint-string for persistent .onions).
Cheers,