2

I'm working on a project where I have to meet some regulatory requirements that require at least 3 out of 5 authorized users to start a backend web service that handles very sensitive information using pre-assigned passwords.

Right now, the prototype has been approved and is running using Python's wsgiref.simple_server(), which I have programmed to manually prompt for the passwords. Now that the prototype has been approved, I have to migrate the web application to a production environment where I will need to run it behind Apache and mod_wsgi.

I have two questions:

  1. Right now, I use a thin Python wrapper around expect to programmatically allow for remote password entry. How do I get Apache to prompt me for a password before starting? Will this have to be in the app.wsgi script that's executed by mod_wsgi? How would that work since Apache daemonizes, and thus, has no stdin!

  2. Will I have to worry about some type of code reload? Apache probably has some maximum number of requests before it kills and restarts another worker process, but, would this require a password prompt as well?

Any help here would be appreciated.

2 Answers

0

HTTP/Digest authentication via modwsgi as the access provider should work for your situation. There is extensive documentation on this at the modwsgi site.

Using HTTP auth is a more generally-accepted way to authenticate compared to expect and stdin.

As for the code reload, as long as you don't set a maximum-requests value, you won't have to worry about restarts. With HTTP auth, restarts shouldn't actually matter anyway.

Wes Winham
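An added example, not code from the question or from either answer: a WSGI middleware that takes the passwords over HTTP instead of stdin and answers 503 until 3 distinct authorized users have unlocked the process. The names `QuorumGate`, `/unlock`, `demo_app` and the sample users are hypothetical; it assumes a single mod_wsgi daemon process and that `/unlock` is only reachable over TLS.

```python
import hashlib, hmac, os
from urllib.parse import parse_qs

def pw_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_credentials(passwords):
    """Build {user: (salt, hash)}; production would load stored hashes instead."""
    salted = ((u, p, os.urandom(16)) for u, p in passwords.items())
    return {u: (s, pw_hash(p, s)) for u, p, s in salted}

class QuorumGate:
    """WSGI middleware (hypothetical): 503 until `threshold` distinct users unlock."""
    def __init__(self, app, credentials, threshold=3):
        self.app, self.credentials, self.threshold = app, credentials, threshold
        self.approved = set()  # in memory only, so a process restart re-seals

    def unlocked(self):
        return len(self.approved) >= self.threshold

    def approve(self, user, password):
        # Unknown users still cost one hash and fail the constant-time compare.
        salt, expected = self.credentials.get(user, (b"\0" * 16, b""))
        ok = hmac.compare_digest(pw_hash(password, salt), expected)
        if ok:
            self.approved.add(user)  # a set: one user repeating counts once
        return ok

    def __call__(self, environ, start_response):
        if self.unlocked():
            return self.app(environ, start_response)
        if (environ["REQUEST_METHOD"], environ.get("PATH_INFO")) == ("POST", "/unlock"):
            size = max(0, min(int(environ.get("CONTENT_LENGTH") or 0), 4096))
            form = parse_qs(environ["wsgi.input"].read(size).decode("utf-8", "replace"))
            ok = self.approve(form.get("user", [""])[0], form.get("password", [""])[0])
            status = "200 OK" if ok else "403 Forbidden"
            body = b"%d of %d approvals\n" % (len(self.approved), self.threshold)
        else:
            status, body = "503 Service Unavailable", b"sealed: awaiting quorum\n"
        start_response(status, [("Content-Type", "text/plain")])
        return [body]

def demo_app(environ, start_response):  # stand-in for the real application
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"sensitive service\n"]

# Constructed sample users and passwords, for illustration only.
application = QuorumGate(demo_app, make_credentials(
    {"user%d" % i: "constructed-pw-%d" % i for i in range(1, 6)}))
```

Because the approvals live only in process memory, every worker restart returns the service to the sealed state and needs a fresh quorum.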
0

A user will be able to reload the WSGI processes (hence updating the code that Apache serves) by touching the .wsgi file (i.e., touch /path/to/file.wsgi).

You could secure that part of it by using Linux permissions and sudo to require them to enter their own system password.

Pratik Amin
  • When mod_wsgi daemon mode processes restart, there is no opportunity for anything to be entered because as he says there is no stdin, so not sure what you have in mind. – Graham Dumpleton May 26 '11 at 12:48