STUD(8)                   BSD System Manager's Manual                  STUD(8)

NAME

     stud — The Scalable TLS Unwrapping Daemon

SYNOPSIS

     stud [--tls] [--ssl] [-c ciphers] [-e engine] [-b host,port]
          [-f host,port] [-n cores] [-B backlog] [-C cache] [-r path]
          [-u username] [-qs] [--write-ip] [--write-proxy] certificate.pem

DESCRIPTION

     stud is a network proxy that terminates TLS/SSL connections and forwards
     the unencrypted traffic to some backend.  It's designed to handle 10s of
     thousands of connections efficiently on multicore machines.

     stud has very few features -- it's designed to be paired with an
     intelligent backend like haproxy or nginx.  It maintains a strict 1:1
     connection pattern with this backend handler so that the backend can
     dictate throttling behavior, maximum connection behavior, availability
     of service, etc.

     The only required argument is a path to a PEM file that contains the
     certificate (or a chain of certificates) and private key.  It should also
     contain DH parameters if you wish to use Diffie-Hellman cipher suites.

     The options are as follows:

     --tls   Use TLSv1 (default).

     --ssl   Use only SSLv3 and no TLSv1.

     -c ciphers
             Set allowed ciphers using the same format as openssl ciphers.
             For example, you can use RSA:!COMPLEMENTOFALL.

     -e engine
             Specify an OpenSSL engine by its unique ID. The engine will be
             used by default for all algorithms.  The keyword auto can be used
             to load all available engines.

     -b host,port
             Define backend. Default is 127.0.0.1,8000.  Incoming connections
             will be unwrapped and sent to this IP and port.

     -f host,port
             Define frontend. Default is *,8443.  Incoming connections will be
             accepted to this IP and port and will be sent to the backend
             defined above.

     -n cores
             Use cores worker processes. Default is 1.

     -B backlog
             Set listen backlog size. Default is 100.

     -C cache
             Set shared cache size in sessions. By default, no shared cache is
             used.

     -r path
             Chroot to the given path. By default, no chroot is done.

     -u username
             Set GID/UID after binding the socket. By default, no privilege is
             dropped.

     -q      Be quiet. Only emit error messages.

     -s      Send messages to syslog in addition to stderr and stdout.

     --syslog-facility facility
             Syslog facility to use. Default is daemon.

     --write-ip
             Write 1 octet with the IP family followed by the IP address in 4
             (IPv4) or 16 (IPv6) octets little-endian to backend before the
             actual data.

     --write-proxy
             Write HAProxy's PROXY (IPv4 or IPv6) protocol line before actual
             data.
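
     With --write-proxy the backend receives the client address as a text line
     ahead of the application data, so it has to split that line off and
     validate it before using the address for logging or access control.  The
     parser below is an added example, not part of stud or of this manual; it
     assumes the human-readable version 1 PROXY line, and parse_proxy_v1,
     ProxyHeaderError and SAMPLE are hypothetical names with constructed data.

```python
import ipaddress

MAX_V1_LINE = 107  # longest valid v1 line, CRLF included (PROXY protocol spec)

# Constructed sample: the header line followed by the first bytes of the payload.
SAMPLE = b"PROXY TCP4 203.0.113.7 192.0.2.10 51234 8443\r\nGET / HTTP/1.1\r\n\r\n"


class ProxyHeaderError(ValueError):
    """The connection did not start with a well-formed TCP4/TCP6 PROXY line."""


def _port(text):
    # Decimal digits only, no sign, no leading zeros, range 0..65535.
    if not text.isdigit() or (len(text) > 1 and text[0] == "0"):
        raise ProxyHeaderError("bad port")
    value = int(text)
    if value > 65535:
        raise ProxyHeaderError("port out of range")
    return value


def parse_proxy_v1(buf):
    """Return (src_ip, src_port, dst_ip, dst_port, payload) from buf."""
    # The CRLF must lie entirely inside the first 107 bytes; never scan further.
    end = buf.find(b"\r\n", 0, MAX_V1_LINE)
    if end < 0:
        raise ProxyHeaderError("no CRLF within 107 bytes")
    try:
        fields = buf[:end].decode("ascii").split(" ")
    except UnicodeDecodeError:
        raise ProxyHeaderError("non-ASCII header") from None
    # "PROXY UNKNOWN" is rejected here: only the IPv4/IPv6 forms are expected.
    if len(fields) != 6 or fields[0] != "PROXY" or fields[1] not in ("TCP4", "TCP6"):
        raise ProxyHeaderError("not a TCP4/TCP6 PROXY line")
    version = 4 if fields[1] == "TCP4" else 6
    try:
        src = ipaddress.ip_address(fields[2])
        dst = ipaddress.ip_address(fields[3])
    except ValueError:
        raise ProxyHeaderError("bad address") from None
    if src.version != version or dst.version != version:
        raise ProxyHeaderError("address family mismatch")
    return src, _port(fields[4]), dst, _port(fields[5]), buf[end + 2:]
```

     A backend should accept this header only on the listener that stud's -b
     option points at, since any other client could otherwise send its own
     PROXY line and claim an arbitrary source address.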

SEE ALSO

     ciphers(1SSL), dhparam(1SSL), haproxy(1)

AUTHORS

     stud was originally written by Jamie Turner (@jamwt) and is maintained by
     the Bump server team.  It currently provides server-side TLS termination
     for over 40 million Bump users.

BSD                              June 20, 2019                             BSD