HITCH(8)                                                              HITCH(8)


NAME

       Hitch - high performance TLS proxy


SYNOPSIS

       hitch [OPTIONS] [PEM]


DESCRIPTION

       Hitch is a network proxy that terminates TLS/SSL connections and
       forwards the unencrypted traffic to some backend.  It is designed to
       handle tens of thousands of connections efficiently on multicore
       machines.

       Hitch has very few features -- it is designed to be paired with an
       intelligent backend like Varnish Cache.  It maintains a strict 1:1
       connection pattern with this backend handler so that the backend can
       dictate throttling behavior, maximum connection behavior, availability
       of service, etc.

       The only required argument is a path to a PEM file that contains the
       certificate (or a chain of certificates) and the private key.  It
       should also contain DH parameters if you wish to use Diffie-Hellman
       (EDH) cipher suites.  Because this file holds the private key, it
       should be readable only by the user Hitch runs as.


COMMAND LINE ARGUMENTS

   --config=FILE
       Load configuration from specified file.  See hitch.conf(5) for details.

   --tls-protos=LIST
       Specifies which SSL/TLS protocols to use.  Available tokens are SSLv3,
       TLSv1.0, TLSv1.1, TLSv1.2 and TLSv1.3.  (Default "TLSv1.2 TLSv1.3")
       SSLv3 (RFC 7568), TLSv1.0 and TLSv1.1 (RFC 8996) are deprecated;
       enable them only for clients that cannot negotiate anything newer.

   -c --ciphers=SUITE
       Sets allowed ciphers, in OpenSSL cipher list format (see ciphers(1)).
       (Default: "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH")  This
       list governs TLSv1.2 and earlier; OpenSSL selects TLSv1.3 suites
       separately.
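
       The following is an added example, not part of Hitch or this manual:
       a pre-flight script that assembles the PEM bundle described under
       DESCRIPTION, checks that the private key belongs to the first
       certificate (OpenSSL reads the first certificate in the file as the
       server certificate), and expands a --ciphers string with openssl
       ciphers(1) so you can see which suites it really admits.  It assumes a
       POSIX sh and the openssl(1) command-line tool; the function names and
       file names are the example's own, and the final invocation of hitch
       --test is there to show where the bundle is handed over.

```shell
#!/bin/sh
# Added example, not Hitch's own code: build and sanity-check the PEM bundle
# Hitch loads, and show what a --ciphers string expands to.  Assumes a POSIX
# sh and the openssl(1) command-line tool; file names are placeholders.
set -eu

# Concatenate leaf certificate, optional chain, private key and optional DH
# parameters into one bundle.  OpenSSL treats the first certificate in the
# file as the server certificate, so the leaf must come first.
# usage: hitch_pem_bundle OUT LEAF.crt KEY.pem [CHAIN.crt] [DH.pem]
hitch_pem_bundle() {
    out=$1; leaf=$2; key=$3; chain=${4:-}; dh=${5:-}
    # subshell so the restrictive umask does not leak; the bundle holds a key
    ( umask 077; cat "$leaf" ${chain:+"$chain"} "$key" ${dh:+"$dh"} > "$out" )
}

# Verify a bundle: at least one certificate, exactly one private key, the
# key's public half matches the first certificate, DH parameters present.
# Returns 1 on a hard failure, 0 otherwise (missing DH is only a warning).
hitch_pem_check() {
    bundle=$1
    certs=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$bundle" || true)
    keys=$(grep -c -- '-----BEGIN .*PRIVATE KEY-----' "$bundle" || true)
    dhs=$(grep -c -- '-----BEGIN DH PARAMETERS-----' "$bundle" || true)
    [ "$certs" -ge 1 ] || { echo "$bundle: no certificate" >&2; return 1; }
    [ "$keys" -eq 1 ] || { echo "$bundle: expected one private key, found $keys" >&2; return 1; }
    # x509 reads the first certificate; pkey skips ahead to the private key
    cert_pub=$(openssl x509 -in "$bundle" -noout -pubkey)
    key_pub=$(openssl pkey -in "$bundle" -pubout)
    [ "$cert_pub" = "$key_pub" ] || { echo "$bundle: private key does not match first certificate" >&2; return 1; }
    [ "$dhs" -ge 1 ] || echo "$bundle: no DH parameters, EDH suites will not be offered" >&2
    echo "$bundle: $certs certificate(s), 1 private key, $dhs DH parameter block(s)"
}

# Expand a cipher string the way OpenSSL will and list suites that lack
# forward secrecy (static RSA key exchange) or use a legacy primitive.
# Prints the offenders and returns 1 if there are any, 0 if the list is clean.
# openssl ciphers -v also prints the TLSv1.3 suites, which the string does
# not control; they carry Kx=any and are never flagged.
hitch_cipher_weak() {
    weak=$(openssl ciphers -v "$1" | awk '
        $3 == "Kx=RSA" || $5 ~ /Enc=(RC4|3DES|DES|NULL|RC2|IDEA|SEED)/ || $6 == "Mac=MD5" { print $1 }')
    [ -z "$weak" ] || { printf 'weak suite: %s\n' $weak >&2; return 1; }
}

# Default cipher list from hitch(8).
HITCH_DEFAULT_CIPHERS='EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH'

# Typical run (placeholder paths): build, check, then let Hitch parse it.
if [ "${1:-}" = "run" ]; then
    hitch_pem_bundle /etc/hitch/hitch.pem server.crt server.key chain.crt dhparam.pem
    hitch_pem_check /etc/hitch/hitch.pem
    hitch_cipher_weak "$HITCH_DEFAULT_CIPHERS"
    hitch --test -c "$HITCH_DEFAULT_CIPHERS" /etc/hitch/hitch.pem
fi
```

       The key-match test catches the most common deployment mistake (a
       renewed certificate concatenated with last year's key), which Hitch
       would otherwise report only as an OpenSSL error at startup.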

   -e --ssl-engine=NAME
       Sets OpenSSL engine (Default: "")

   -O --prefer-server-ciphers[=on|off]
       Prefer server list order (Default: "off").  When off, the client's
       preference order decides which of the mutually supported suites is
       used.

   --client
       Enable client proxy mode

   -b --backend=[HOST]:PORT
       Backend endpoint (default is "[127.0.0.1]:8000").  The -b argument can
       also take a UNIX domain socket path, e.g. --backend="/path/to/sock".

   -f --frontend=[HOST]:PORT[+CERT]
       Frontend listen endpoint (default is "[*]:8443").  (Note: brackets are
       mandatory in endpoint specifiers.)

   -n --workers=NUM
       Number of worker processes (Default: 1)

   -B --backlog=NUM
       Set listen backlog size (Default: 100)

   -k --keepalive=SECS
       TCP keepalive on client socket (Default: 3600)

   -R --backend-refresh=SECS
       Periodic backend IP lookup, 0 to disable (Default: 0)

   --enable-tcp-fastopen[=on|off]
       Enable client-side TCP Fast Open. (Default: off)

   -r --chroot=DIR
       Sets chroot directory (Default: "")

   -u --user=USER
       Set uid/gid after binding the socket (Default: "")

   -g --group=GROUP
       Set gid after binding the socket (Default: "")

   -q --quiet[=on|off]
       Be quiet; emit only error messages (deprecated, use 'log-level')

   -L --log-level=NUM
       Log level. 0=silence, 1=err, 2=info/debug (Default: 1)

   -l --log-filename=FILE
       Send log messages to a logfile instead of stderr/stdout

   -s --syslog[=on|off]
       Send log messages to syslog in addition to stderr/stdout

   --syslog-facility=FACILITY
       Syslog facility to use (Default: "daemon")

   --daemon[=on|off]
       Fork into background and become a daemon (Default: off)

   --write-ip[=on|off]
       Write 1 octet with the IP family followed by the IP address in 4 (IPv4)
       or 16 (IPv6) octets little-endian to backend before the actual data
       (Default: off)

   --write-proxy-v1[=on|off]
       Write HAProxy's PROXY v1 (IPv4 or IPv6) protocol line before actual
       data (Default: off)

   --write-proxy-v2[=on|off]
       Write HAProxy's PROXY v2 binary (IPv4 or IPv6) protocol header before
       actual data (Default: off)

   --write-proxy[=on|off]
       Equivalent to --write-proxy-v2.  For PROXY version 1 use
       --write-proxy-v1 explicitly

   --proxy-proxy[=on|off]
       Expect an incoming HAProxy PROXY protocol header (v1 or v2, IPv4 or
       IPv6) on the frontend connection and pass it through to the backend
       before the actual data (Default: off).  Enable this only when the
       frontend is reachable solely through a trusted upstream proxy;
       otherwise any client can supply a forged source address.
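
       The following is an added example, not Hitch's code, showing the
       backend side of the --write-proxy-v1 and --write-proxy-v2 options: a
       strict decoder for the HAProxy PROXY protocol header, v1 text and v2
       binary, that returns the client address and the application bytes that
       follow it.  Layouts follow HAProxy's published specification; the
       sample headers are constructed, not captured from a deployment.  A
       backend that honours this header must accept it only on connections
       that can come from Hitch (firewall rule, loopback or UNIX socket),
       since any other peer could prepend a forged address.

```python
"""Decoder for the HAProxy PROXY protocol header that Hitch prepends to each
backend connection when --write-proxy-v1 or --write-proxy-v2 is enabled.
Added example, not Hitch's own code; sample headers below are constructed."""
import ipaddress
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

V2_SIG = b"\r\n\r\n\x00\r\nQUIT\n"   # fixed 12-byte v2 signature
V1_MAX = 107                          # longest legal v1 line, CRLF included


class ProxyHeaderError(ValueError):
    """Malformed header: drop the connection, never fall back to raw data."""


@dataclass
class ProxyInfo:
    version: int
    src: Optional[str]        # None: address not conveyed (UNKNOWN/LOCAL/UNSPEC)
    dst: Optional[str]
    src_port: Optional[int]
    dst_port: Optional[int]


def _port(field: bytes) -> int:
    # v1 spec: 1-5 ASCII digits, no leading zero, 0..65535
    if not field.isdigit() or len(field) > 5 or (len(field) > 1 and field[0] == 0x30):
        raise ProxyHeaderError("bad port %r" % field)
    port = int(field)
    if port > 65535:
        raise ProxyHeaderError("port out of range")
    return port


def parse_v1(data: bytes) -> Tuple[ProxyInfo, bytes]:
    end = data.find(b"\r\n", 0, V1_MAX)
    if end < 0:
        raise ProxyHeaderError("no CRLF within %d bytes" % V1_MAX)
    fields, rest = data[:end].split(b" "), data[end + 2:]
    if fields[0] != b"PROXY" or len(fields) < 2:
        raise ProxyHeaderError("not a PROXY v1 line")
    if fields[1] == b"UNKNOWN":       # proxy could not determine the address
        return ProxyInfo(1, None, None, None, None), rest
    if fields[1] not in (b"TCP4", b"TCP6") or len(fields) != 6:
        raise ProxyHeaderError("bad v1 family or field count")
    want = 4 if fields[1] == b"TCP4" else 6
    src = ipaddress.ip_address(fields[2].decode("ascii"))
    dst = ipaddress.ip_address(fields[3].decode("ascii"))
    if src.version != want or dst.version != want:
        raise ProxyHeaderError("address does not match declared family")
    return ProxyInfo(1, str(src), str(dst), _port(fields[4]), _port(fields[5])), rest


def parse_v2(data: bytes) -> Tuple[ProxyInfo, bytes]:
    if len(data) < 16 or data[:12] != V2_SIG:
        raise ProxyHeaderError("missing v2 signature")
    ver_cmd, fam_proto, length = struct.unpack("!BBH", data[12:16])
    if ver_cmd >> 4 != 2:
        raise ProxyHeaderError("not PROXY version 2")
    if len(data) < 16 + length:
        raise ProxyHeaderError("truncated v2 header")
    body, rest = data[16:16 + length], data[16 + length:]
    cmd, fam = ver_cmd & 0x0F, fam_proto >> 4
    if cmd == 0 or fam == 0:          # LOCAL (proxy's own traffic) or AF_UNSPEC
        return ProxyInfo(2, None, None, None, None), rest
    if cmd != 1:
        raise ProxyHeaderError("bad v2 command")
    if fam == 1 and length >= 12:     # AF_INET: 4+4 byte addresses, 2+2 byte ports
        s, d, sp, dp = struct.unpack("!4s4sHH", body[:12])
    elif fam == 2 and length >= 36:   # AF_INET6: 16+16 byte addresses
        s, d, sp, dp = struct.unpack("!16s16sHH", body[:36])
    else:
        raise ProxyHeaderError("unsupported family or short address block")
    # Any TLVs after the address block are ignored here.
    return ProxyInfo(2, str(ipaddress.ip_address(s)), str(ipaddress.ip_address(d)), sp, dp), rest


def parse_proxy_header(data: bytes) -> Tuple[ProxyInfo, bytes]:
    """Pick the version by prefix.  Anything else is an error: a backend that
    expects the PROXY header must not silently treat raw data as trusted."""
    if data.startswith(V2_SIG):
        return parse_v2(data)
    if data.startswith(b"PROXY "):
        return parse_v1(data)
    raise ProxyHeaderError("connection did not start with a PROXY header")


def header_ok(data: bytes) -> bool:
    try:
        parse_proxy_header(data)
        return True
    except ValueError:                # ProxyHeaderError and ipaddress errors
        return False


# Constructed samples: a v1 line and the equivalent v2 header, each followed
# by the first bytes of an HTTP request as Hitch would forward them.
SAMPLE_V1 = b"PROXY TCP4 203.0.113.7 198.51.100.2 51234 443\r\nGET / HTTP/1.1\r\n"
SAMPLE_V2 = (V2_SIG + bytes([0x21, 0x11]) + struct.pack("!H", 12)
             + ipaddress.IPv4Address("203.0.113.7").packed
             + ipaddress.IPv4Address("198.51.100.2").packed
             + struct.pack("!HH", 51234, 443) + b"GET / HTTP/1.1\r\n")

if __name__ == "__main__":
    for sample in (SAMPLE_V1, SAMPLE_V2):
        info, payload = parse_proxy_header(sample)
        print(info, payload)
```

       When reading from a socket, buffer until either a CRLF appears within
       the first 107 bytes (v1) or 16 bytes plus the announced length have
       arrived (v2) before calling the parser; the v2 length field is what
       lets the backend know where application data starts.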

   --sni-nomatch-abort[=on|off]
       Abort handshake when client submits an unrecognized SNI server name
       (Default: off)

   --alpn-protos=LIST
       Sets the protocols for ALPN/NPN negotiation, provided as a list of
       comma-separated tokens.

   --ocsp-dir=DIR
       Set OCSP staple cache directory.  This enables automated retrieval and
       stapling of OCSP responses (Default: "/var/lib/hitch/").  The directory
       must be writable by the user Hitch runs as after dropping privileges
       (see --user).

   -t --test
       Test configuration and exit

   -p --pidfile=FILE
       PID file

   -V --version
       Print program version and exit

   -h --help
       Print this help message and exit


HISTORY

       Hitch was originally called stud and was written by Jamie Turner at
       Bump.com.
