I want to secure my traffic using TLS; however, gunicorn requires me to give the unprivileged worker processes read access to the TLS server key.
@cochiseruhulessin ? Only the user launching gunicorn normally needs it. How can I reproduce it?
@benoitc take a keyfile, like the one in examples, and remove read permissions from others (chmod o-r server.key), then start gunicorn like so:
chmod o-r server.key
sudo /path/to/gunicorn --certfile server.crt --keyfile server.key --user nobody --group nogroup echo:app
Trying to make a request will cause gunicorn to error with:
Traceback (most recent call last):
File "/home/tilgovi/src/gunicorn/gunicorn/workers/sync.py", line 131, in handle
File "/usr/lib/python2.7/ssl.py", line 933, in wrap_socket
File "/usr/lib/python2.7/ssl.py", line 544, in __init__
IOError: [Errno 13] Permission denied
Unfortunately, I think we cannot fix this until we drop Python 2.6 support. In Python 2.6, from what I read in the source, the certfile and keyfile are not accessed until a connection is accepted. Python 2.7 added SSLContext, which can read and hold the certfile and keyfile when the socket is wrapped with ssl.wrap_socket.
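The pattern the last comment points at, shown end to end as an added example that is not gunicorn's code and not part of the original thread: the privileged master loads the certificate and key into an SSLContext, the process drops privileges, and the worker then wraps accepted sockets with that context without ever opening the key file again. It is written for Python 3 rather than the 2.7 in the traceback. It assumes an `openssl` CLI on PATH to mint a throwaway self-signed certificate, and, because it is meant to run unprivileged, it uses chmod 0 on the key as a stand-in for the setuid to nobody; `drop_privileges()` is the real step for a root-started master. The loopback client disables hostname checking because the constructed certificate carries only a CN, but it still verifies the chain against the certificate file.

```python
"""Load the TLS key while privileged, drop privileges, then serve (Python 3)."""
import os
import pwd
import grp
import shutil
import socket
import ssl
import subprocess
import tempfile
import threading


def build_server_context(certfile, keyfile):
    # Called in the privileged master, BEFORE setuid/setgid. load_cert_chain()
    # reads both PEM files now; the key never has to be readable afterwards.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(certfile, keyfile)
    return ctx


def drop_privileges(user, group):
    # Order matters: supplementary groups, then gid, then uid. The process keeps
    # the already-loaded SSLContext but can no longer open the key file.
    uid = pwd.getpwnam(user).pw_uid
    gid = grp.getgrnam(group).gr_gid
    os.initgroups(user, gid)
    os.setgid(gid)
    os.setuid(uid)
    try:
        os.setuid(0)
    except PermissionError:
        return
    raise RuntimeError("privilege drop failed: process can still regain root")


def tls_echo_once(server_ctx, client_ctx):
    # One loopback handshake. The server wraps the accepted socket with the
    # preloaded context (no file access here); the client verifies the cert.
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    received = []

    def server():
        conn, _ = listener.accept()
        with server_ctx.wrap_socket(conn, server_side=True) as tls:
            tls.sendall(b"hello")

    worker = threading.Thread(target=server, daemon=True)
    worker.start()
    with socket.create_connection(("127.0.0.1", port)) as raw:
        with client_ctx.wrap_socket(raw, server_hostname="localhost") as tls:
            received.append(tls.recv(5))
    worker.join(5)
    listener.close()
    return received == [b"hello"]


def make_self_signed(workdir):
    # Constructed fixture only: a throwaway self-signed cert via the openssl CLI.
    certfile = os.path.join(workdir, "server.crt")
    keyfile = os.path.join(workdir, "server.key")
    subprocess.run(
        ["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
         "-subj", "/CN=localhost", "-keyout", keyfile, "-out", certfile],
        check=True, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return certfile, keyfile


def demo():
    # Returns None when no openssl CLI is available (nothing to demonstrate).
    if shutil.which("openssl") is None:
        return None
    workdir = tempfile.mkdtemp()
    try:
        certfile, keyfile = make_self_signed(workdir)
        server_ctx = build_server_context(certfile, keyfile)  # "privileged" master
        # Stand-in for drop_privileges() so this runs unprivileged: make the key
        # unreadable to ourselves, as it is to the worker user after setuid.
        os.chmod(keyfile, 0)
        client_ctx = ssl.create_default_context(cafile=certfile)
        client_ctx.check_hostname = False  # CN-only self-signed cert; chain still verified
        handshake_ok = tls_echo_once(server_ctx, client_ctx)
        # The worker-side pattern from the traceback: reading the key only once a
        # connection arrives. Now it fails, unless we are root (root ignores mode 0).
        late_load_denied = None
        if os.geteuid() != 0:
            try:
                build_server_context(certfile, keyfile)
                late_load_denied = False
            except OSError:
                late_load_denied = True
        return {"handshake_ok": handshake_ok, "late_load_denied": late_load_denied}
    finally:
        shutil.rmtree(workdir, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

The check a practitioner wants after deploying this ordering is the inverse of the page's reproduction: as the worker user, `cat server.key` must fail while `openssl s_client -connect host:port` still completes a handshake. If the handshake only works when the key is world-readable, the context is being built after the privilege drop.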