HITCH(8)                                                              HITCH(8)

NAME

       Hitch - high performance TLS proxy

SYNOPSIS

       hitch [OPTIONS] [PEM]

DESCRIPTION

       Hitch is a network proxy that terminates TLS/SSL connections and forwards
       the unencrypted traffic to some backend. It is designed to handle tens of
       thousands of connections efficiently on multicore machines.

       Hitch has very few features -- it is designed to be paired with an
       intelligent backend like Varnish Cache. It maintains a strict 1:1
       connection pattern with this backend handler so that the backend can
       dictate throttling behavior, maximum connection behavior, availability of
       service, etc.

       The only required argument is a path to a PEM file that contains the
       certificate (or a chain of certificates) and private key. It should also
       contain DH parameters if you wish to use Diffie-Hellman cipher suites.


COMMAND LINE ARGUMENTS

          --config=FILE
                 Load configuration from the specified file. See hitch.conf(5)
                 for details.

          --tls  All TLS versions, no SSLv3 (deprecated). See the config file
                 setting tls-protos.

          --ssl  Enable SSLv3 (deprecated). See the config file setting
                 tls-protos.

          -c, --ciphers=SUITE
                 Sets allowed ciphers (Default: "")

          -e, --ssl-engine=NAME
                 Sets OpenSSL engine (Default: "")

          -O, --prefer-server-ciphers
                 Prefer server list order

          --client
                 Enable client proxy mode

          -b, --backend=[HOST]:PORT
                 Backend [connect] (default is "[127.0.0.1]:8000"). The -b
                 argument can also take a UNIX domain socket path, e.g.
                 --backend="/path/to/sock"

          -f, --frontend=[HOST]:PORT[+CERT]
                 Frontend [bind] (default is "[*]:8443"). (Note: brackets are
                 mandatory in endpoint specifiers.)

          -n, --workers=NUM
                 Number of worker processes (Default: 1)

          -B, --backlog=NUM
                 Set listen backlog size (Default: 100)

          -k, --keepalive=SECS
                 TCP keepalive on client socket (Default: 3600)

          -R, --backendrefresh=SECS
                 Periodic backend IP lookup, 0 to disable (Default: 0)

          -r, --chroot=DIR
                 Sets chroot directory (Default: "")

          -u, --user=USER
                 Set uid/gid after binding the socket (Default: "")

          -g, --group=GROUP
                 Set gid after binding the socket (Default: "")

          -q, --quiet
                 Be quiet; emit only error messages (deprecated in favor of
                 log-level)

          -L, --log-level=NUM
                 Log level. 0=silence, 1=err, 2=info/debug

          -s, --syslog
                 Send log messages to syslog in addition to stderr/stdout

          --syslog-facility=FACILITY
                 Syslog facility to use (Default: "daemon")

          --daemon
                 Fork into background and become a daemon; this also sets the
                 --quiet option (Default: off)

          --write-ip
                 Write 1 octet with the IP family followed by the IP address in
                 4 (IPv4) or 16 (IPv6) octets little-endian to the backend
                 before the actual data (Default: off)

          --write-proxy-v1
                 Write HAProxy's PROXY v1 (IPv4 or IPv6) protocol line before
                 the actual data (Default: off)

          --write-proxy-v2
                 Write HAProxy's PROXY v2 binary (IPv4 or IPv6) protocol line
                 before the actual data (Default: off)

          --write-proxy
                 Equivalent to --write-proxy-v2. For PROXY version 1, use
                 --write-proxy-v1 explicitly.

          --proxy-proxy
                 Proxy HAProxy's PROXY (IPv4 or IPv6) protocol line before the
                 actual data (PROXY v1 only) (Default: off)

          --alpn-protos=LIST
                 Sets the protocols for ALPN/NPN negotiation, given by a
                 comma-separated list. If this is not set explicitly, ALPN/NPN
                 will not be used. Requires OpenSSL 1.0.1 for NPN and OpenSSL
                 1.0.2 for ALPN.

          --sni-nomatch-abort
                 Abort the handshake when the client submits an unrecognized
                 SNI server name (Default: off)

          --ocsp-dir=DIR
                 Set the OCSP staple cache directory. This enables automated
                 retrieval and stapling of OCSP responses (Default: "")

          -t, --test
                 Test configuration and exit

          -p, --pidfile=FILE
                 PID file

          -V, --version
                 Print program version and exit

          -h, --help
                 Print this help message

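       The --write-ip and --write-proxy-v1 options prepend the client address to
       the cleartext stream, so a backend must consume that prefix before it
       reads the request. The following Python is an added example, not Hitch's
       own code: a backend-side parser for both prefixes. It assumes the
       --write-ip family octet carries the platform's AF_INET/AF_INET6 value and
       that the address octets are in packed form; the sample inputs are
       constructed.

```python
import ipaddress
import socket

# Constructed samples of what a backend reads first: the --write-ip prefix (one
# family octet, then the packed address) and a --write-proxy-v1 line, each
# followed by the first bytes of the client's request.
WRITE_IP_V4 = (bytes([socket.AF_INET])
               + ipaddress.IPv4Address("192.0.2.10").packed + b"GET / HTTP/1.0\r\n")
WRITE_IP_V6 = (bytes([socket.AF_INET6])
               + ipaddress.IPv6Address("2001:db8::1").packed + b"GET / HTTP/1.0\r\n")
PROXY_V1 = b"PROXY TCP4 192.0.2.10 198.51.100.7 56324 8443\r\nGET / HTTP/1.0\r\n"


def parse_write_ip(data):
    """Strip a --write-ip prefix; return (client_ip, remaining_bytes) or None."""
    # Assumption: the family octet is the platform's AF_INET/AF_INET6 value and
    # the address octets are in the packed form that inet_ntop() accepts.
    if not data:
        return None
    family = data[0]
    length = {socket.AF_INET: 4, socket.AF_INET6: 16}.get(family)
    if length is None or len(data) < 1 + length:
        return None  # unknown family octet, or prefix not fully received yet
    addr = socket.inet_ntop(family, bytes(data[1:1 + length]))
    return addr, bytes(data[1 + length:])


def parse_proxy_v1(data):
    """Parse a --write-proxy-v1 line; return (src_ip, src_port, remaining) or None."""
    # A v1 line is at most 107 bytes including CRLF, so no CRLF inside that
    # window means an invalid (or hostile) header, not just a short read.
    end = data.find(b"\r\n", 0, 107)
    if end < 0:
        return None
    fields = data[:end].split(b" ")
    if len(fields) != 6 or fields[0] != b"PROXY" or fields[1] not in (b"TCP4", b"TCP6"):
        return None  # Hitch emits TCP4/TCP6 only; "UNKNOWN" is rejected here
    version = 4 if fields[1] == b"TCP4" else 6
    try:
        src = ipaddress.ip_address(fields[2].decode("ascii"))
        dst = ipaddress.ip_address(fields[3].decode("ascii"))
        sport, dport = int(fields[4]), int(fields[5])
    except ValueError:
        return None
    if src.version != version or dst.version != version:
        return None  # protocol field must agree with the literal addresses
    if not (0 <= sport <= 65535 and 0 <= dport <= 65535):
        return None
    return str(src), sport, bytes(data[end + 2:])
```

       A backend that trusts either prefix should accept it only from the
       address Hitch connects from, since anything that can reach the backend
       port directly could otherwise supply a client address of its choosing.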

HISTORY

       Hitch was originally called stud and was written by Jamie Turner at
       Bump.com.