sourCEntral - mobile manpages

pdf

HITCH

NAME

Hitch − high performance TLS proxy

SYNOPSIS

hitch [OPTIONS] [PEM]

DESCRIPTION

Hitch is a network proxy that terminates TLS/SSL connections and forwards the unencrypted traffic to some backend. It's designed to handle 10s of thousands of connections efficiently on multicore machines.

Hitch has very few features −− it's designed to be paired with an intelligent backend like Varnish Cache. It maintains a strict 1:1 connection pattern with this backend handler so that the backend can dictate throttling behavior, maximum connection behavior, availability of service, etc.

The only required argument is a path to a PEM file that contains the certificate (or a chain of certificates) and private key. It should also contain DH parameter if you wish to use Diffie−Hellman cipher suites.

COMMAND LINE ARGUMENTS

−−config=FILE

Load configuration from specified file. See hitch.conf(5) for details.

−−tls

All TLS versions, no SSLv3 (deprecated). See config file setting tls−protos.

−−ssl

enable SSLv3 (deprecated). See config file setting tls−protos.

−c

−−ciphers=SUITE

Sets allowed ciphers (Default: "")

−e

−−ssl−engine=NAME

Sets OpenSSL engine (Default: "")

−O

−−prefer−server−ciphers

Prefer server list order

−−client

Enable client proxy mode

−b

−−backend=[HOST]:PORT Backend [connect] (default is "[127.0.0.1]:8000")

−f

−−frontend=[HOST]:PORT[+CERT] Frontend [bind] (default is "[*]:8443") (Note: brackets are mandatory in endpoint specifiers.)

−n

−−workers=NUM

Number of worker processes (Default: 1)

−B

−−backlog=NUM

Set listen backlog size (Default: 100)

−k

−−keepalive=SECS

TCP keepalive on client socket (Default: 3600)

−r

−−chroot=DIR

Sets chroot directory (Default: "")

−u

−−user=USER

Set uid/gid after binding the socket (Default: "")

−g

−−group=GROUP

Set gid after binding the socket (Default: "")

−q

−−quiet

Be quiet; emit only error messages

−s

−−syslog

Send log message to syslog in addition to stderr/stdout

−−syslog−facility=FACILITY

Syslog facility to use (Default: "daemon")

−−daemon

Fork into background and become a daemon; this also sets the −−quiet option (Default: off)

−−write−ip

Write 1 octet with the IP family followed by the IP address in 4 (IPv4) or 16 (IPv6) octets little−endian to backend before the actual data (Default: off)

−−write−proxy−v1

Write HaProxy's PROXY v1 (IPv4 or IPv6) protocol line before actual data (Default: off)

−−write−proxy−v2

Write HaProxy's PROXY v2 binary (IPv4 or IPv6) protocol line before actual data (Default: off)

−−write−proxy

Equivalent to −−write−proxy−v2. For PROXY version 1 use −−write−proxy−v1 explicitly

−−proxy−proxy

Proxy HaProxy's PROXY (IPv4 or IPv6) protocol line before actual data (PROXY v1 only) (Default: off)

−−alpn−protos=LIST

Sets the protocols for ALPN/NPN negotiation, given by a comma separated list. If this is not set explicitly, ALPN/NPN will not be used. Requires OpenSSL 1.0.1 for NPN and OpenSSL 1.0.2 for ALPN.

−−sni−nomatch−abort

Abort handshake when client submits an unrecognized SNI server name (Default: off)

−−ocsp−dir=DIR

Set OCSP staple cache directory This enables automated retrieval and stapling of OCSP responses (Default: "")

−t

−−test

Test configuration and exit

−p

−−pidfile=FILE

PID file

−V

−−version

Print program version and exit

−h

−−help

This help message

HISTORY

Hitch was originally called stud and was written by Jamie Turner at Bump.com.

pdf