i am using WEBrick (without Rails) for a low-utilization HTTPS server,
and i found a bad RDoc recipe for production use of privileged ports:
http://ruby-doc.org/stdlib-2.0.0/libdoc/webrick/rdoc/WEBrick.html#label-Dropping+Permissions
to repeat the recipe outline:
- listen on port 80 (HTTP) using WEBrick::Utils#create_listeners
- drop privileges
- create WEBrick server with :DoNotListen attribute
- replace the server socket with the result of step 1.
the first line of this recipe suggests that HTTPS just requires changing
to port 443 in step 1. but that does not work in practice, because
WEBrick::Utils#create_listeners does not grok SSL, and the result is a
WEBrick server on port 443 but speaking plaintext:
% sudo ruby https_recipe.rb
[2013-09-28 …] INFO WEBrick 1.3.1
[2013-09-28 …] INFO ruby 2.0.0 (2013-06-27) [x86_64-darwin12.5.0]
[2013-09-28 …] INFO WEBrick::HTTPServer#start: pid=46504 port=443
notice the lack of openssl certificate spew before the last line.
i am not familiar enough with raw openssl to offer a proper fix that
maintains the principle of least privileges, but a working alternative
recipe for HTTPS would be:
- create WEBrick server with :Port = 443
- drop privileges