STUD(8) BSD System Manager's Manual STUD(8)

stud — The Scalable TLS Unwrapping Daemon

stud [--tls] [--ssl] [-c ciphers] [-e engine] [-b host,port]
[-f host,port] [-n cores] [-B backlog] [-C cache] [-r path]
[-u username] [-qs] [--write-ip] [--write-proxy] certificate.pem

stud is a network proxy that terminates TLS/SSL connections and forwards
the unencrypted traffic to some backend. It's designed to handle tens of
thousands of connections efficiently on multicore machines.

stud has very few features -- it's designed to be paired with an
intelligent backend like haproxy or nginx. It maintains a strict 1:1
connection pattern with this backend handler so that the backend can
dictate throttling behavior, maximum connection behavior, availability
of service, etc.

The only required argument is a path to a PEM file that contains the
certificate (or a chain of certificates) and private key. It should also
contain DH parameters if you wish to use Diffie-Hellman cipher suites.

The options are as follows:

--tls Use TLSv1 (default).

--ssl Use only SSLv3 and no TLSv1.

-c ciphers
Set allowed ciphers using the same format as openssl ciphers.
For example, you can use RSA:!COMPLEMENTOFALL.

-e engine
Specify an OpenSSL engine by its unique ID. The engine will be
used by default for all algorithms. The keyword auto can be used
to load all available engines.

-b host,port
Define backend. Default is 127.0.0.1,8000. Incoming connections
will be unwrapped and sent to this IP and port.

-f host,port
Define frontend. Default is *,8443. Incoming connections will be
accepted on this IP and port and will be sent to the backend
defined above.

-n cores
Use cores worker processes. Default is 1.

-B backlog
Set listen backlog size. Default is 100.

-C cache
Set shared cache size in sessions. By default, no shared cache is
used.

-r path
Chroot to the given path. By default, no chroot is done.

-u username
Set GID/UID after binding the socket. By default, privileges are
not dropped.

-q Be quiet. Only emit error messages.

-s Send messages to syslog in addition to stderr and stdout.

--syslog-facility facility
Syslog facility to use. Default is daemon.

--write-ip
Write 1 octet with the IP family followed by the IP address in 4
(IPv4) or 16 (IPv6) octets little-endian to backend before the
actual data.

--write-proxy
Write HAProxy's PROXY (IPv4 or IPv6) protocol line before actual
data.

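Added example (not part of the stud distribution): a strict parser a backend could use for the line that --write-proxy prepends, assuming the version 1 text form of HAProxy's PROXY protocol (PROXY TCP4|TCP6 src dst sport dport, CRLF-terminated, at most 107 bytes). The names parse_proxy_v1 and ProxyHeaderError are hypothetical; the backend should accept this header only on the listener that stud's -b option points at, because the addresses in it are taken on trust from whoever opened the connection.

```python
import ipaddress

MAX_V1_HEADER = 107  # assumed v1 limit: longest header line, CRLF included


class ProxyHeaderError(ValueError):
    """The first bytes of the connection are not a valid PROXY v1 line."""


def _port(text):
    # Plain decimal only: no sign, no leading zeros, 0..65535.
    if not text.isdigit() or (len(text) > 1 and text[0] == "0") or int(text) > 65535:
        raise ProxyHeaderError("bad port")
    return int(text)


def parse_proxy_v1(buf):
    """Return (src, dst, payload); src and dst are (ip, port) tuples,
    or None when the sender declared the connection as UNKNOWN."""
    end = buf.find(b"\r\n", 0, MAX_V1_HEADER)
    if end == -1:
        raise ProxyHeaderError("no CRLF within the first 107 bytes")
    try:
        fields = buf[:end].decode("ascii").split(" ")
    except UnicodeDecodeError:
        raise ProxyHeaderError("non-ASCII header") from None
    payload = buf[end + 2:]  # application data starts right after the CRLF
    if fields[0] != "PROXY" or len(fields) < 2:
        raise ProxyHeaderError("missing PROXY signature")
    if fields[1] == "UNKNOWN":
        return None, None, payload
    if fields[1] not in ("TCP4", "TCP6") or len(fields) != 6:
        raise ProxyHeaderError("malformed header")
    # Parse with the class that matches the declared family, so an IPv6
    # literal on a TCP4 line (or the reverse) is rejected.
    addr = ipaddress.IPv4Address if fields[1] == "TCP4" else ipaddress.IPv6Address
    try:
        src_ip, dst_ip = addr(fields[2]), addr(fields[3])
    except ValueError:
        raise ProxyHeaderError("bad address") from None
    return (str(src_ip), _port(fields[4])), (str(dst_ip), _port(fields[5])), payload
```

The caller is expected to have read up to 107 bytes before calling; a connection whose first bytes do not parse should be closed rather than treated as ordinary traffic.
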
ciphers(1SSL), dhparam(1SSL), haproxy(1)

stud was originally written by Jamie Turner (@jamwt) and is maintained by
the Bump server team. It currently provides server-side TLS termination
for over 40 million Bump users.

BSD June 20, 2019 BSD