table of contents
HITCH(8) | System Manager's Manual | HITCH(8) |
NAME¶
Hitch - high performance TLS proxy
SYNOPSIS¶
hitch [OPTIONS] [PEM]
DESCRIPTION¶
Hitch is a network proxy that terminates TLS/SSL connections and forwards the unencrypted traffic to some backend. It's designed to handle 10s of thousands of connections efficiently on multicore machines.
Hitch has very few features -- it's designed to be paired with an intelligent backend like Varnish Cache. It maintains a strict 1:1 connection pattern with this backend handler so that the backend can dictate throttling behavior, maximum connection behavior, availability of service, etc.
The only required argument is a path to a PEM file that contains the certificate (or a chain of certificates) and private key. It should also contain DH parameter if you wish to use Diffie-Hellman cipher suites.
COMMAND LINE ARGUMENTS¶
--config=FILE¶
Load configuration from specified file. See hitch.conf(5) for details.
--tls-protos=LIST¶
Specifies which SSL/TLS protocols to use. Available tokens are SSLv3, TLSv1.0, TLSv1.1, TLSv1.2 and TLSv1.3. (Default "TLSv1.2 TLSv1.3")
-c --ciphers=SUITE¶
Sets allowed ciphers (Default: "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH")
-e --ssl-engine=NAME¶
Sets OpenSSL engine (Default: "")
-O --prefer-server-ciphers[=on|off]¶
Prefer server list order (Default: "off")
--client¶
Enable client proxy mode
-b --backend=[HOST]:PORT¶
Backend endpoint (default is "[127.0.0.1]:8000") The -b argument can also take a UNIX domain socket path E.g. --backend="/path/to/sock"
-f --frontend=[HOST]:PORT[+CERT]¶
Frontend listen endpoint (default is "[*]:8443") (Note: brackets are mandatory in endpoint specifiers.)
-n --workers=NUM¶
Number of worker processes (Default: 1)
-B --backlog=NUM¶
Set listen backlog size (Default: 100)
-k --keepalive=SECS¶
TCP keepalive on client socket (Default: 3600)
-R --backend-refresh=SECS¶
Periodic backend IP lookup, 0 to disable (Default: 0)
--enable-tcp-fastopen[=on|off]¶
Enable client-side TCP Fast Open. (Default: off)
-r --chroot=DIR¶
Sets chroot directory (Default: "")
-u --user=USER¶
Set uid/gid after binding the socket (Default: "")
-g --group=GROUP¶
Set gid after binding the socket (Default: "")
-q --quiet[=on|off]¶
Be quiet; emit only error messages (deprecated, use 'log-level')
-L --log-level=NUM¶
Log level. 0=silence, 1=err, 2=info/debug (Default: 1)
-l --log-filename=FILE¶
Send log message to a logfile instead of stderr/stdout
-s --syslog[=on|off]¶
Send log message to syslog in addition to stderr/stdout
--syslog-facility=FACILITY¶
Syslog facility to use (Default: "daemon")
--daemon[=on|off]¶
Fork into background and become a daemon (Default: off)
--write-ip[=on|off]¶
Write 1 octet with the IP family followed by the IP address in 4 (IPv4) or 16 (IPv6) octets little-endian to backend before the actual data (Default: off)
--write-proxy-v1[=on|off]¶
Write HAProxy's PROXY v1 (IPv4 or IPv6) protocol line before actual data (Default: off)
--write-proxy-v2[=on|off]¶
Write HAProxy's PROXY v2 binary (IPv4 or IPv6) protocol line before actual data (Default: off)
--write-proxy[=on|off]¶
Equivalent to --write-proxy-v2. For PROXY version 1 use --write-proxy-v1 explicitly
--proxy-proxy[=on|off]¶
Proxy HAProxy's PROXY (IPv4 or IPv6) protocol before actual data (PROXYv1 and PROXYv2) (Default: off)
--sni-nomatch-abort[=on|off]¶
Abort handshake when client submits an unrecognized SNI server name (Default: off)
--alpn-protos=LIST¶
Sets the protocols for ALPN/NPN negotiation, provided as a list of comma-separated tokens.
--ocsp-dir=DIR¶
Set OCSP staple cache directory This enables automated retrieval and stapling of OCSP responses (Default: "/var/lib/hitch/")
-t --test¶
Test configuration and exit
-p --pidfile=FILE¶
PID file
-V --version¶
Print program version and exit
-h --help¶
This help message
HISTORY¶
Hitch was originally called stud and was written by Jamie Turner at Bump.com.