HITCH(8)                                                              HITCH(8)

NAME
       Hitch - high performance TLS proxy

SYNOPSIS
       hitch [OPTIONS] [PEM]

DESCRIPTION
       Hitch is a network proxy that terminates TLS/SSL connections and
       forwards the unencrypted traffic to some backend. It's designed to
       handle 10s of thousands of connections efficiently on multicore
       machines.

       Hitch has very few features -- it's designed to be paired with an
       intelligent backend like Varnish Cache. It maintains a strict 1:1
       connection pattern with this backend handler so that the backend can
       dictate throttling behavior, maximum connection behavior, availability
       of service, etc.

       The only required argument is a path to a PEM file that contains the
       certificate (or a chain of certificates) and private key. It should
       also contain DH parameters if you wish to use Diffie-Hellman cipher
       suites.

OPTIONS
       --config=FILE
              Load configuration from the specified file. See hitch.conf(5)
              for details.

       --tls  All TLS versions, no SSLv3 (deprecated). See config file
              setting tls-protos.

       --ssl  Enable SSLv3 (deprecated). See config file setting tls-protos.

       -c, --ciphers=SUITE
              Sets allowed ciphers (Default: "")

       -e, --ssl-engine=NAME
              Sets OpenSSL engine (Default: "")

       -O, --prefer-server-ciphers
              Prefer server list order

       --client
              Enable client proxy mode

       -b, --backend=[HOST]:PORT
              Backend [connect] (default is "[127.0.0.1]:8000"). The -b
              argument can also take a UNIX domain socket path, e.g.
              --backend="/path/to/sock"

       -f, --frontend=[HOST]:PORT[+CERT]
              Frontend [bind] (default is "[*]:8443"). (Note: brackets are
              mandatory in endpoint specifiers.)

       -n, --workers=NUM
              Number of worker processes (Default: 1)

       -B, --backlog=NUM
              Set listen backlog size (Default: 100)

       -k, --keepalive=SECS
              TCP keepalive on client socket (Default: 3600)

       -R, --backendrefresh=SECS
              Periodic backend IP lookup, 0 to disable (Default: 0)

       -r, --chroot=DIR
              Sets chroot directory (Default: "")

       -u, --user=USER
              Set uid/gid after binding the socket (Default: "")

       -g, --group=GROUP
              Set gid after binding the socket (Default: "")

       -q, --quiet
              Be quiet; emit only error messages (deprecated in favor of
              log-level)

       -L, --log-level=NUM
              Log level. 0=silence, 1=err, 2=info/debug

       -s, --syslog
              Send log messages to syslog in addition to stderr/stdout

       --syslog-facility=FACILITY
              Syslog facility to use (Default: "daemon")

       --daemon
              Fork into background and become a daemon; this also sets the
              --quiet option (Default: off)

       --write-ip
              Write 1 octet with the IP family followed by the IP address in
              4 (IPv4) or 16 (IPv6) octets little-endian to backend before
              the actual data (Default: off)

       --write-proxy-v1
              Write HaProxy's PROXY v1 (IPv4 or IPv6) protocol line before
              actual data (Default: off)

       --write-proxy-v2
              Write HaProxy's PROXY v2 binary (IPv4 or IPv6) protocol line
              before actual data (Default: off)

       --write-proxy
              Equivalent to --write-proxy-v2. For PROXY version 1 use
              --write-proxy-v1 explicitly

       --proxy-proxy
              Proxy HaProxy's PROXY (IPv4 or IPv6) protocol line before
              actual data (PROXY v1 only) (Default: off)

       --alpn-protos=LIST
              Sets the protocols for ALPN/NPN negotiation, given by a comma
              separated list. If this is not set explicitly, ALPN/NPN will
              not be used. Requires OpenSSL 1.0.1 for NPN and OpenSSL 1.0.2
              for ALPN.

       --sni-nomatch-abort
              Abort handshake when client submits an unrecognized SNI server
              name (Default: off)

       --ocsp-dir=DIR
              Set OCSP staple cache directory. This enables automated
              retrieval and stapling of OCSP responses (Default: "")

       -t, --test
              Test configuration and exit

       -p, --pidfile=FILE
              PID file

       -V, --version
              Print program version and exit

       -h, --help
              This help message

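       With --write-proxy-v1 or --write-proxy-v2, hitch prepends a PROXY
       protocol header to every backend connection, so the backend must
       consume that header before it reads the decrypted payload. The parser
       below is an added example, not hitch's own code and not part of the
       Hitch project; it implements the PROXY v1 text line and the PROXY v2
       binary header for TCP over IPv4 and IPv6 as the PROXY protocol
       specification defines them (the v2 signature, command and family
       bytes and the 107-byte v1 line limit come from that specification,
       not from this page), and feeds it constructed sample headers. A
       backend should honour such a header only on the listener that hitch
       connects to, because any peer that can reach that listener directly
       could otherwise claim an arbitrary client address.

```python
import ipaddress
import struct

# Constants from the PROXY protocol specification (not from the hitch man page).
PROXY_V2_SIG = b"\r\n\r\n\x00\r\nQUIT\n"
PROXY_V1_MAX = 107          # longest legal v1 line, CRLF included
V2_CMD_LOCAL, V2_CMD_PROXY = 0x0, 0x1
V2_TCP4, V2_TCP6 = 0x11, 0x21


def parse_proxy_v1(buf):
    """Parse a PROXY v1 line from the front of buf.

    Returns (info, rest): info is a dict with src/dst/sport/dport, or None for
    'PROXY UNKNOWN'; rest is the payload that follows the CRLF.  Malformed
    input raises ValueError so the caller can close the connection.
    """
    end = buf.find(b"\r\n", 0, PROXY_V1_MAX)
    if end < 0:
        raise ValueError("PROXY v1 line missing CRLF within 107 bytes")
    fields = buf[:end].decode("ascii").split(" ")
    if len(fields) < 2 or fields[0] != "PROXY":
        raise ValueError("not a PROXY v1 line")
    rest = buf[end + 2:]
    if fields[1] == "UNKNOWN":
        return None, rest           # the proxy knows nothing about the client
    if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
        raise ValueError("malformed PROXY v1 line")
    want = 4 if fields[1] == "TCP4" else 6
    src, dst = ipaddress.ip_address(fields[2]), ipaddress.ip_address(fields[3])
    if src.version != want or dst.version != want:
        raise ValueError("address family does not match the TCP4/TCP6 tag")
    sport, dport = int(fields[4]), int(fields[5])
    if not (0 <= sport <= 65535 and 0 <= dport <= 65535):
        raise ValueError("port out of range")
    return {"src": str(src), "dst": str(dst), "sport": sport, "dport": dport}, rest


def parse_proxy_v2(buf):
    """Parse a PROXY v2 binary header (TCP over IPv4/IPv6) from the front of buf."""
    if len(buf) < 16 or buf[:12] != PROXY_V2_SIG:
        raise ValueError("missing PROXY v2 signature")
    ver_cmd, fam_proto, length = struct.unpack("!BBH", buf[12:16])
    if ver_cmd >> 4 != 2:
        raise ValueError("unsupported PROXY version")
    if len(buf) < 16 + length:
        raise ValueError("truncated PROXY v2 header")
    addr, rest = buf[16:16 + length], buf[16 + length:]
    cmd = ver_cmd & 0x0F
    if cmd == V2_CMD_LOCAL:
        return None, rest           # health check from the proxy itself
    if cmd != V2_CMD_PROXY:
        raise ValueError("unknown PROXY v2 command")
    if fam_proto == V2_TCP4 and length >= 12:
        s, d, sp, dp = struct.unpack("!4s4sHH", addr[:12])
    elif fam_proto == V2_TCP6 and length >= 36:
        s, d, sp, dp = struct.unpack("!16s16sHH", addr[:36])
    else:
        raise ValueError("unsupported PROXY v2 family/protocol")
    return {"src": str(ipaddress.ip_address(s)), "dst": str(ipaddress.ip_address(d)),
            "sport": sp, "dport": dp}, rest


def read_client_address(buf):
    """Dispatch on whichever header hitch wrote; returns (info, payload)."""
    if buf.startswith(PROXY_V2_SIG):
        return parse_proxy_v2(buf)
    if buf.startswith(b"PROXY "):
        return parse_proxy_v1(buf)
    raise ValueError("no PROXY header; refuse rather than trusting the TCP peer")


def header_is_valid(buf):
    """True when buf starts with a well-formed header; backends reject anything else."""
    try:
        read_client_address(buf)
        return True
    except ValueError:
        return False


# Constructed sample connections: the header hitch would write, followed by
# the first bytes of the decrypted client request (addresses are documentation
# ranges, chosen here for illustration).
SRC, DST = "198.51.100.7", "203.0.113.9"
PAYLOAD = b"GET / HTTP/1.1\r\n"
SAMPLE_V1 = b"PROXY TCP4 198.51.100.7 203.0.113.9 51234 443\r\n" + PAYLOAD
SAMPLE_V2 = (PROXY_V2_SIG
             + bytes([0x20 | V2_CMD_PROXY, V2_TCP4])
             + struct.pack("!H", 12)
             + ipaddress.ip_address(SRC).packed
             + ipaddress.ip_address(DST).packed
             + struct.pack("!HH", 51234, 443)
             + PAYLOAD)

if __name__ == "__main__":
    for sample in (SAMPLE_V1, SAMPLE_V2):
        info, payload = read_client_address(sample)
        print(info, payload)
```

       Both sample headers decode to the same client address and leave the
       same payload, so a backend can accept either format behind one code
       path; the only runtime difference is that v2 is fixed-length binary
       and v1 needs the 107-byte bound to keep a missing CRLF from turning
       into an unbounded read.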
HISTORY
       Hitch was originally called stud and was written by Jamie Turner at
       Bump.com.