Skip site navigation (1)Skip section navigation (2)

FreeBSD Manual Pages

  
 
  

home | help 
HITCH(8)							      HITCH(8)

NAME
       Hitch - high performance	TLS proxy

SYNOPSIS
       hitch [OPTIONS] [PEM]

DESCRIPTION
       Hitch  is  a network proxy that terminates TLS/SSL connections and for-
       wards the unencrypted traffic to	some backend. It's designed to	handle
       10s of thousands	of connections efficiently on multicore	machines.

       Hitch  has  very	few features --	it's designed to be paired with	an in-
       telligent backend like Varnish Cache. It	maintains a strict 1:1 connec-
       tion pattern with this backend handler so that the backend can  dictate
       throttling  behavior, maximum connection	behavior, availability of ser-
       vice, etc.

       The only	required argument is a path to a PEM file  that	 contains  the
       certificate  (or	 a  chain  of certificates) and	private	key. It	should
       also contain DH parameter if you	 wish  to  use	Diffie-Hellman	cipher
       suites.

COMMAND	LINE ARGUMENTS
   --config=FILE
       Load configuration from specified file.	See hitch.conf(5) for details.

   --tls-protos=LIST
       Specifies  which	SSL/TLS	protocols to use.  Available tokens are	SSLv3,
       TLSv1.0,	TLSv1.1, TLSv1.2 and TLSv1.3. (Default "TLSv1.2	TLSv1.3")

   -c --ciphers=SUITE
       Sets	allowed	    ciphers	 (Default:	"EECDH+AESGCM:EDH+AES-
       GCM:AES256+EECDH:AES256+EDH")

   -e --ssl-engine=NAME
       Sets OpenSSL engine (Default: "")

   -O --prefer-server-ciphers[=on|off]
       Prefer server list order	(Default: "off")

   --client
       Enable client proxy mode

   -b --backend=[HOST]:PORT
       Backend	endpoint  (default  is "[127.0.0.1]:8000") The -b argument can
       also take a UNIX	domain socket path E.g.	--backend="/path/to/sock"

       If --chroot is also specified, the UNIX domain socket path will	be  at
       runtime resolved	from within the	chroot,	and must be specified with the
       path it is accessible from within the chroot. I.e. for a	/run/hitch ch-
       root  and  a  /run/hitch/sock UNIX domain socket, configure the backend
       argument	as /sock.

   -f --frontend=[HOST]:PORT[+CERT]
       Frontend	listen endpoint	(default is "[*]:8443")	 (Note:	 brackets  are
       mandatory in endpoint specifiers.)

   -n --workers=NUM|auto
       Number  of  worker  processes  (Default:	 1) Using auto value creates 1
       worker per CPU core.

   -B --backlog=NUM
       Set listen backlog size (Default: 100)

   -k --keepalive=SECS
       TCP keepalive on	client socket (Default:	3600)

   -R --backend-refresh=SECS
       Periodic	backend	IP lookup, 0 to	disable	(Default: 0)

   --enable-tcp-fastopen[=on|off]
       Enable client-side TCP Fast Open. (Default: off)

   -r --chroot=DIR
       Sets chroot directory (Default: "")

   -u --user=USER
       Set uid/gid after binding the socket (Default: "")

   -g --group=GROUP
       Set gid after binding the socket	(Default: "")

   -q --quiet[=on|off]
       Be quiet; emit only error messages (deprecated, use 'log-level')

   -L --log-level=NUM
       Log level. 0=silence, 1=err, 2=info/debug (Default: 1)

   -l --log-filename=FILE
       Send log	message	to a logfile instead of	stderr/stdout

   -s --syslog[=on|off]
       Send log	message	to syslog in addition to stderr/stdout

   --syslog-facility=FACILITY
       Syslog facility to use (Default:	"daemon")

   --daemon[=on|off]
       Fork into background and	become a daemon	(Default: off)

   --write-ip[=on|off]
       Write 1 octet with the IP family	followed by the	IP address in 4	(IPv4)
       or 16 (IPv6) octets little-endian to backend  before  the  actual  data
       (Default: off)

   --write-proxy-v1[=on|off]
       Write  HAProxy's	 PROXY	v1  (IPv4 or IPv6) protocol line before	actual
       data (Default: off)

   --write-proxy-v2[=on|off]
       Write HAProxy's PROXY v2	binary (IPv4 or	IPv6) protocol line before ac-
       tual data (Default: off)

   --write-proxy[=on|off]
       Equivalent   to	 --write-proxy-v2.   For   PROXY   version    1	   use
       --write-proxy-v1	explicitly

   --proxy-proxy[=on|off]
       Proxy  HAProxy's	 PROXY	(IPv4  or  IPv6)  protocol  before actual data
       (PROXYv1	and PROXYv2) (Default: off)

   --sni-nomatch-abort[=on|off]
       Abort handshake when client submits an  unrecognized  SNI  server  name
       (Default: off)

   --alpn-protos=LIST
       Sets  the  protocols  for  ALPN/NPN  negotiation, provided as a list of
       comma-separated tokens.

   --ocsp-dir=DIR
       Set OCSP	staple cache directory This enables  automated	retrieval  and
       stapling	of OCSP	responses (Default: "/var/lib/hitch/")

   --backend-connect-timeout=SECS
       Backend connect timeout.

   --ssl-handshake-timeout=SECS
       TLS handshake timeout.

   -t --test
       Test configuration and exit

   -p --pidfile=FILE
       PID file

   -V --version
       Print program version and exit

   -h --help
       This help message

HISTORY
       Hitch  was  originally  called  stud and	was written by Jamie Turner at
       Bump.com.

								      HITCH(8)

Want to link to this manual page? Use this URL:
<https://man.freebsd.org/cgi/man.cgi?query=hitch&sektion=8&manpath=FreeBSD+Ports+14.3.quarterly>

home | help