.\" Man page generated from reStructuredText.
.
.
.nr rst2man-indent-level 0
.
.de1 rstReportMargin
\\$1 \\n[an-margin]
level \\n[rst2man-indent-level]
level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
-
\\n[rst2man-indent0]
\\n[rst2man-indent1]
\\n[rst2man-indent2]
..
.de1 INDENT
.\" .rstReportMargin pre:
. RS \\$1
. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
. nr rst2man-indent-level +1
.\" .rstReportMargin post:
..
.de UNINDENT
. RE
.\" indent \\n[an-margin]
.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
.nr rst2man-indent-level -1
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
..
.TH "HITCH" 8 "" ""
.SH NAME
Hitch \- high performance TLS proxy
.SH SYNOPSIS
.sp
hitch [OPTIONS] [PEM]
.SH DESCRIPTION
.sp
Hitch is a network proxy that terminates TLS/SSL connections and forwards
the unencrypted traffic to some backend. It\(aqs designed to handle tens of
thousands of connections efficiently on multicore machines.
.sp
Hitch has very few features \-\- it\(aqs designed to be paired with an
intelligent backend like Varnish Cache. It maintains a strict 1:1
connection pattern with this backend handler so that the backend can
dictate throttling behavior, maximum connection behavior, availability of
service, etc.
.sp
The only required argument is a path to a PEM file that contains the
certificate (or a chain of certificates) and private key. It should also
contain DH parameters if you wish to use Diffie\-Hellman cipher suites.
.SH COMMAND LINE ARGUMENTS
.SS \fB\-\-config=FILE\fP
.sp
Load configuration from the specified file. See \fIhitch.conf(5)\fP for
details.
.SS \fB\-\-tls\-protos=LIST\fP
.sp
Specifies which SSL/TLS protocols to use. Available tokens are
\fBSSLv3\fP, \fBTLSv1.0\fP, \fBTLSv1.1\fP, \fBTLSv1.2\fP and
\fBTLSv1.3\fP\&. (Default: \(dqTLSv1.2 TLSv1.3\(dq)
.SS \fB\-c \-\-ciphers=SUITE\fP
.sp
Sets allowed ciphers (Default:
\(dqEECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH\(dq)
.SS \fB\-e \-\-ssl\-engine=NAME\fP
.sp
Sets OpenSSL engine (Default: \(dq\(dq)
.SS \fB\-O \-\-prefer\-server\-ciphers[=on|off]\fP
.sp
Prefer server list order (Default: \(dqoff\(dq)
.SS \fB\-\-client\fP
.sp
Enable client proxy mode
.SS \fB\-b \-\-backend=[HOST]:PORT\fP
.sp
Backend endpoint (default is \(dq[127.0.0.1]:8000\(dq). The \-b argument
can also take a UNIX domain socket path, e.g.
\-\-backend=\(dq/path/to/sock\(dq.
.SS \fB\-f \-\-frontend=[HOST]:PORT[+CERT]\fP
.sp
Frontend listen endpoint (default is \(dq[*]:8443\(dq). (Note: brackets are
mandatory in endpoint specifiers.)
.SS \fB\-n \-\-workers=NUM\fP
.sp
Number of worker processes (Default: 1)
.SS \fB\-B \-\-backlog=NUM\fP
.sp
Set listen backlog size (Default: 100)
.SS \fB\-k \-\-keepalive=SECS\fP
.sp
TCP keepalive on client socket (Default: 3600)
.SS \fB\-R \-\-backend\-refresh=SECS\fP
.sp
Periodic backend IP lookup, 0 to disable (Default: 0)
.SS \fB\-\-enable\-tcp\-fastopen[=on|off]\fP
.sp
Enable client\-side TCP Fast Open. (Default: off)
.SS \fB\-r \-\-chroot=DIR\fP
.sp
Sets chroot directory (Default: \(dq\(dq)
.SS \fB\-u \-\-user=USER\fP
.sp
Set uid/gid after binding the socket (Default: \(dq\(dq)
.SS \fB\-g \-\-group=GROUP\fP
.sp
Set gid after binding the socket (Default: \(dq\(dq)
.SS \fB\-q \-\-quiet[=on|off]\fP
.sp
Be quiet; emit only error messages (deprecated, use \(aqlog\-level\(aq)
.SS \fB\-L \-\-log\-level=NUM\fP
.sp
Log level. 0=silence, 1=err, 2=info/debug (Default: 1)
.SS \fB\-l \-\-log\-filename=FILE\fP
.sp
Send log messages to a logfile instead of stderr/stdout
.SS \fB\-s \-\-syslog[=on|off]\fP
.sp
Send log messages to syslog in addition to stderr/stdout
.SS \fB\-\-syslog\-facility=FACILITY\fP
.sp
Syslog facility to use (Default: \(dqdaemon\(dq)
.SS \fB\-\-daemon[=on|off]\fP
.sp
Fork into background and become a daemon (Default: off)
.SS \fB\-\-write\-ip[=on|off]\fP
.sp
Write 1 octet containing the IP family, followed by the IP address as 4
(IPv4) or 16 (IPv6) octets little\-endian, to the backend before the
actual data (Default: off)
.SS \fB\-\-write\-proxy\-v1[=on|off]\fP
.sp
Write HAProxy\(aqs PROXY v1 (IPv4 or IPv6) protocol line before actual data
(Default: off)
.SS \fB\-\-write\-proxy\-v2[=on|off]\fP
.sp
Write HAProxy\(aqs PROXY v2 binary (IPv4 or IPv6) protocol header before
actual data (Default: off)
.SS \fB\-\-write\-proxy[=on|off]\fP
.sp
Equivalent to \-\-write\-proxy\-v2. For PROXY version 1 use
\-\-write\-proxy\-v1 explicitly
.SS \fB\-\-proxy\-proxy[=on|off]\fP
.sp
Proxy HAProxy\(aqs PROXY (IPv4 or IPv6) protocol before actual data
(PROXYv1 and PROXYv2) (Default: off)
.SS \fB\-\-sni\-nomatch\-abort[=on|off]\fP
.sp
Abort handshake when client submits an unrecognized SNI server name
(Default: off)
.SS \fB\-\-alpn\-protos=LIST\fP
.sp
Sets the protocols for ALPN/NPN negotiation, provided as a list of
comma\-separated tokens.
.SS \fB\-\-ocsp\-dir=DIR\fP
.sp
Set the OCSP staple cache directory. This enables automated retrieval and
stapling of OCSP responses (Default: \(dq/var/lib/hitch/\(dq)
.SS \fB\-t \-\-test\fP
.sp
Test configuration and exit
.SS \fB\-p \-\-pidfile=FILE\fP
.sp
PID file
.SS \fB\-V \-\-version\fP
.sp
Print program version and exit
.SS \fB\-h \-\-help\fP
.sp
Print this help message
.SH HISTORY
.sp
Hitch was originally called stud and was written by Jamie Turner at
Bump.com.
.\" Generated by docutils manpage writer.
.
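.SH EXAMPLES
.sp
The following is an added example for this page and is not code from the
hitch project: a Python parser for the prefix a backend receives when hitch
runs with \-\-write\-proxy\-v1 or \-\-write\-proxy\-v2 (or relays a client\(aqs
header with \-\-proxy\-proxy). The field layouts follow the HAProxy PROXY
protocol specification (v1 is a text line ending in CRLF, at most 107 bytes;
v2 is a 12\-byte signature, version/command and family/protocol octets, a
16\-bit length, then addresses and ports). The sample headers are constructed
here from documentation\-range addresses. A backend should act on such a
prefix only on a listener that is reachable solely from hitch; the header is
unauthenticated, so anything that can open a connection to the backend port
directly could supply its own source address.

```python
"""Parse the HAProxy PROXY protocol prefix (v1 text line or v2 binary header)
that hitch writes ahead of the client payload. Added example for this man
page; it is not part of hitch. Layouts follow the HAProxy PROXY spec."""
import ipaddress
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

PROXY_V2_SIG = b"\r\n\r\n\x00\r\nQUIT\n"   # 12-byte signature of every v2 header
PROXY_V1_MAX = 107                        # longest valid v1 line, CRLF included


@dataclass
class ProxyInfo:
    version: int                   # 1 or 2
    family: str                    # "TCP4", "TCP6", "UNKNOWN" or "LOCAL"
    src: Optional[str] = None
    dst: Optional[str] = None
    src_port: Optional[int] = None
    dst_port: Optional[int] = None


def parse_proxy_header(buf: bytes) -> Tuple[Optional[ProxyInfo], bytes]:
    """Return (info, payload). info is None when buf carries no PROXY prefix."""
    if buf.startswith(PROXY_V2_SIG):
        return _parse_v2(buf)
    if buf.startswith(b"PROXY "):
        return _parse_v1(buf)
    return None, buf


def _port(text: str) -> int:
    if not text.isdigit() or int(text) > 65535:
        raise ValueError(f"bad port {text!r}")
    return int(text)


def _parse_v1(buf: bytes) -> Tuple[ProxyInfo, bytes]:
    end = buf.find(b"\r\n", 0, PROXY_V1_MAX)
    if end < 0:
        raise ValueError("PROXY v1 line not terminated within 107 bytes")
    fields = buf[:end].decode("ascii").split(" ")
    payload = buf[end + 2:]
    if fields[1] == "UNKNOWN":
        # The proxy could not determine the client address.
        return ProxyInfo(1, "UNKNOWN"), payload
    if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
        raise ValueError("malformed PROXY v1 line")
    _, proto, src, dst, sp, dp = fields
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    want = 4 if proto == "TCP4" else 6
    if src_ip.version != want or dst_ip.version != want:
        raise ValueError("address family does not match TCP4/TCP6 token")
    return ProxyInfo(1, proto, str(src_ip), str(dst_ip), _port(sp), _port(dp)), payload


def _parse_v2(buf: bytes) -> Tuple[ProxyInfo, bytes]:
    if len(buf) < 16:
        raise ValueError("truncated PROXY v2 header")
    ver_cmd, fam_proto, length = struct.unpack("!BBH", buf[12:16])
    if ver_cmd >> 4 != 2:
        raise ValueError("unsupported PROXY version")
    if len(buf) < 16 + length:
        raise ValueError("truncated PROXY v2 address block")
    addr, payload = buf[16:16 + length], buf[16 + length:]
    cmd, fam = ver_cmd & 0x0F, fam_proto >> 4
    if cmd == 0:
        # LOCAL: connection opened by the proxy itself (e.g. health checks).
        return ProxyInfo(2, "LOCAL"), payload
    if cmd != 1:
        raise ValueError("unknown PROXY v2 command")
    if fam == 1:                                   # AF_INET: 4+4+2+2 bytes
        if length < 12:
            raise ValueError("short IPv4 address block")
        s, d, sp, dp = struct.unpack("!4s4sHH", addr[:12])
        return ProxyInfo(2, "TCP4", str(ipaddress.IPv4Address(s)),
                         str(ipaddress.IPv4Address(d)), sp, dp), payload
    if fam == 2:                                   # AF_INET6: 16+16+2+2 bytes
        if length < 36:
            raise ValueError("short IPv6 address block")
        s, d, sp, dp = struct.unpack("!16s16sHH", addr[:36])
        return ProxyInfo(2, "TCP6", str(ipaddress.IPv6Address(s)),
                         str(ipaddress.IPv6Address(d)), sp, dp), payload
    # AF_UNSPEC or AF_UNIX: no usable client IP address.
    return ProxyInfo(2, "UNKNOWN"), payload


def build_v2(src: str, dst: str, sp: int, dp: int) -> bytes:
    """Build a PROXY v2 header for TCP over IPv4/IPv6 (used for sample data)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    fam = 0x10 if s.version == 4 else 0x20
    body = s.packed + d.packed + struct.pack("!HH", sp, dp)
    return PROXY_V2_SIG + bytes([0x21, fam | 0x01]) + struct.pack("!H", len(body)) + body


# Constructed sample inputs (documentation-range addresses), not captured traffic.
SAMPLE_V1 = b"PROXY TCP4 192.0.2.10 198.51.100.1 51234 443\r\nGET / HTTP/1.1\r\n"
SAMPLE_V2 = build_v2("2001:db8::10", "2001:db8::1", 51234, 443) + b"GET / HTTP/1.1\r\n"

if __name__ == "__main__":
    for sample in (SAMPLE_V1, SAMPLE_V2):
        info, payload = parse_proxy_header(sample)
        print(info, payload)
```

The parser returns the client address hitch saw together with the untouched
payload, so the backend can log or rate\-limit on the real source while
reading the application data from the same buffer. Note that v1 is rejected
when the TCP4/TCP6 token and the addresses disagree, and v2 is rejected when
the declared length does not cover the address block.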