1HITCH(8) HITCH(8)
2
6 Hitch - high performance TLS proxy
7
9 hitch [OPTIONS] [PEM]
10
12 Hitch is a network proxy that terminates TLS/SSL connections and for‐
13 wards the unencrypted traffic to some backend. It's designed to handle
14 10s of thousands of connections efficiently on multicore machines.
15 Hitch has very few features -- it's designed to be paired with an
17 intelligent backend like Varnish Cache. It maintains a strict 1:1 con‐
18 nection pattern with this backend handler so that the backend can dic‐
19 tate throttling behavior, maximum connection behavior, availability of
20 service, etc.
21 The only required argument is a path to a PEM file that contains the
23 certificate (or a chain of certificates) and private key. It should
24 also contain DH parameter if you wish to use Diffie-Hellman cipher
25 suites.
26
28 --config=FILE
29 Load configuration from specified file. See hitch.conf(5) for
30 details.
31 --tls All TLS versions, no SSLv3 (deprecated). See config file set‐
33 ting tls-protos.
34 --ssl enable SSLv3 (deprecated). See config file setting tls-pro‐
36 tos.
37 -c
39 --ciphers=SUITE
41 Sets allowed ciphers (Default: "")
42 -e
44 --ssl-engine=NAME
46 Sets OpenSSL engine (Default: "")
47 -O
49 --prefer-server-ciphers
51 Prefer server list order
52 --client
54 Enable client proxy mode
55 -b --backend=[HOST]:PORT Backend [connect] (default is
57 "[127.0.0.1]:8000") The -b argument can also take a UNIX
58 domain socket path E.g. --backend="/path/to/sock"
59 -f --frontend=[HOST]:PORT[+CERT] Frontend [bind] (default is
61 "[*]:8443") (Note: brackets are mandatory in endpoint speci‐
62 fiers.)
63 -n
65 --workers=NUM
67 Number of worker processes (Default: 1)
68 -B
70 --backlog=NUM
72 Set listen backlog size (Default: 100)
73 -k
75 --keepalive=SECS
77 TCP keepalive on client socket (Default: 3600)
78 -R
80 --backendrefresh=SECS
82 Periodic backend IP lookup, 0 to disable (Default: 0)
83 -r
85 --chroot=DIR
87 Sets chroot directory (Default: "")
88 -u
90 --user=USER
92 Set uid/gid after binding the socket (Default: "")
93 -g
95 --group=GROUP
97 Set gid after binding the socket (Default: "")
98 -q
100 --quiet
102 Be quiet; emit only error messages (deprecated in
103 favor of log-level)
104 -L
106 --log-level=NUM
108 Log level. 0=silence, 1=err, 2=info/debug
109 --log-filename=FILE
111 Send log message to a logfile instead of stderr/stdout
112 -s
114 --syslog
116 Send log message to syslog in addition to stderr/std‐
117 out
118 --syslog-facility=FACILITY
120 Syslog facility to use (Default: "daemon")
121 --daemon
123 Fork into background and become a daemon; this also sets the
124 --quiet option (Default: off)
125 --write-ip
127 Write 1 octet with the IP family followed by the IP address
128 in 4 (IPv4) or 16 (IPv6) octets little-endian to backend
129 before the actual data (Default: off)
130 --write-proxy-v1
132 Write HaProxy's PROXY v1 (IPv4 or IPv6) protocol line before
133 actual data (Default: off)
134 --write-proxy-v2
136 Write HaProxy's PROXY v2 binary (IPv4 or IPv6) protocol line
137 before actual data (Default: off)
138 --write-proxy
140 Equivalent to --write-proxy-v2. For PROXY version 1 use
141 --write-proxy-v1 explicitly
142 --proxy-proxy
144 Proxy HaProxy's PROXY (IPv4 or IPv6) protocol line before
145 actual data (PROXY v1 only) (Default: off)
146 --alpn-protos=LIST
148 Sets the protocols for ALPN/NPN negotiation, given by a comma
149 separated list. If this is not set explicitly, ALPN/NPN will
150 not be used. Requires OpenSSL 1.0.1 for NPN and OpenSSL 1.0.2
151 for ALPN.
152 --sni-nomatch-abort
154 Abort handshake when client submits an unrecognized SNI
155 server name (Default: off)
156 --ocsp-dir=DIR
158 Set OCSP staple cache directory This enables automated
159 retrieval and stapling of OCSP responses (Default: "")
160 -t
162 --test Test configuration and exit
164 -p
166 --pidfile=FILE
168 PID file
169 -V
171 --version
173 Print program version and exit
174 -h
176 --help This help message
178
180 Hitch was originally called stud and was written by Jamie Turner at
181 Bump.com.
182 HITCH(8)