NAME
stud — The Scalable TLS Unwrapping Daemon
SYNOPSIS
stud [--tls] [--ssl] [-c ciphers] [-b host,port] [-f host,port] [-n cores] [-r path] [-u username] [--write-ip] [--write-proxy] certificate.pem
DESCRIPTION
stud is a network proxy that terminates TLS/SSL connections and forwards the
unencrypted traffic to some backend. It's designed to handle tens of thousands
of connections efficiently on multicore machines.
stud has very few features -- it's designed to be paired with an intelligent
backend like haproxy or nginx. It maintains a strict 1:1 connection pattern
with this backend handler so that the backend can dictate throttling behavior,
maximum connection behavior, availability of service, etc.
The only required argument is a path to a PEM file that contains the certificate
(or a chain of certificates) and the private key. It should also contain DH
parameters if you wish to use Diffie-Hellman cipher suites.
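Because stud reads everything from that one file, a missing or mismatched block is only discovered when the daemon fails to start (or when DHE cipher suites silently fall out of the negotiable set). The following scanner, added here as an example and not part of stud itself, lists the PEM blocks in a bundle and reports whether the certificate, exactly one unencrypted private key and the DH parameters are present; the PEM bodies in it are constructed placeholders, not real key material, and the block contents are not decoded.

```python
"""Check that a PEM bundle has the parts stud needs before starting it.

stud takes a single PEM file: the certificate (or chain) plus the private
key, and DH parameters if DHE cipher suites should work.  This scanner lists
the PEM blocks in the file and reports which parts are present and whether
any BEGIN line lacks a matching END line.  Block contents are not decoded,
so this is a structural check, not a validation of the key or certificate.
"""
import re
from typing import Dict, List

# One PEM block: BEGIN line, base64 body, END line carrying the same label.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL
)
# Labels OpenSSL uses for unencrypted private keys.
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY", "DSA PRIVATE KEY"}


def pem_labels(text: str) -> List[str]:
    """Labels of every well-formed BEGIN/END pair, in file order."""
    return [m.group(1) for m in PEM_BLOCK.finditer(text)]


def check_stud_bundle(text: str) -> Dict[str, object]:
    """Summarise whether the bundle is usable by stud and whether DHE is possible."""
    labels = pem_labels(text)
    certs = labels.count("CERTIFICATE")
    keys = sum(1 for label in labels if label in KEY_LABELS)
    has_dh = "DH PARAMETERS" in labels
    problems: List[str] = []
    if certs == 0:
        problems.append("no CERTIFICATE block")
    if keys != 1:
        problems.append(f"expected exactly one private key, found {keys}")
    if text.count("-----BEGIN ") != len(labels):
        problems.append("a BEGIN line has no matching END line")
    return {
        "certificates": certs,
        "private_keys": keys,
        "dh_params": has_dh,
        "problems": problems,
        "ok": not problems,
        "dhe_ready": not problems and has_dh,
    }


# Constructed sample blocks: the bodies are placeholders, not real material.
CERT_BLOCK = (
    "-----BEGIN CERTIFICATE-----\n"
    "MIIBsample/constructed+not+a+real+certificate==\n"
    "-----END CERTIFICATE-----\n"
)
KEY_BLOCK = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "MIIEsample/constructed+not+a+real+key==\n"
    "-----END RSA PRIVATE KEY-----\n"
)
DH_BLOCK = (
    "-----BEGIN DH PARAMETERS-----\n"
    "MIGHsample/constructed+not+real+dh+params==\n"
    "-----END DH PARAMETERS-----\n"
)

if __name__ == "__main__":
    # A chain (two certificates) plus key and DH parameters is fully usable.
    print(check_stud_bundle(CERT_BLOCK + CERT_BLOCK + KEY_BLOCK + DH_BLOCK))
    # Without DH parameters stud still starts, but DHE suites cannot be used.
    print(check_stud_bundle(CERT_BLOCK + KEY_BLOCK))
```

Run it against the bundle you intend to pass to stud; `dhe_ready` being false while `ok` is true is the case to watch for when the `-c` cipher list is meant to include DHE suites.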
The options are as follows:
- --tls
  Use TLSv1 (default).
- --ssl
  Use only SSLv3 and no TLSv1.
- -c ciphers
  Set allowed ciphers using the same format as openssl ciphers. For example,
  you can use RSA:!COMPLEMENTOFALL.
- -b host,port
  Define backend. Default is 127.0.0.1,8000. Incoming connections will be
  unwrapped and sent to this IP and port.
- -f host,port
  Define frontend. Default is *,8443. Incoming connections will be accepted on
  this IP and port and will be sent to the backend defined above.
- -n cores
  Use cores worker processes. Default is 1.
- -r path
  Chroot to the given path. By default, no chroot is done.
- -u username
  Set GID/UID after binding the socket. By default, no privilege is dropped.
- --write-ip
  Write 1 octet with the IP family followed by the IP address in 4 (IPv4) or
  16 (IPv6) octets little-endian to the backend before the actual data.
- --write-proxy
  Write HAProxy's PROXY (IPv4 or IPv6) protocol line before the actual data.
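With --write-proxy the backend's first job is to split the PROXY line off the front of the stream before treating anything as application data, and to accept that line only on connections arriving from the stud host, since a client that can reach the backend port directly could present a forged one. The parser below is an added example for the backend side, not code from stud; it implements the HAProxy PROXY protocol version 1 text format ("PROXY TCP4|TCP6 src dst srcport dstport\r\n", at most 107 bytes including the CRLF) and the sample addresses and payload are constructed.

```python
"""Split the --write-proxy preamble off the data stud forwards to a backend.

With --write-proxy the first line the backend sees is a HAProxy PROXY
protocol version 1 header, e.g. (constructed values):

    PROXY TCP4 192.0.2.10 203.0.113.5 51234 443\r\n

Everything after the CRLF is the decrypted application data.  This parser
validates the header strictly and returns the remaining payload untouched.
"""
import ipaddress
from typing import NamedTuple, Tuple

MAX_V1_HEADER = 107  # longest legal v1 header including CRLF (PROXY protocol spec)


class IncompleteHeader(Exception):
    """More bytes are needed before the header can be judged."""


class ProxyInfo(NamedTuple):
    family: str     # "TCP4" or "TCP6"
    src_ip: str     # the TLS client's address as stud saw it
    dst_ip: str     # the address the client connected to
    src_port: int
    dst_port: int


def _port(token: bytes) -> int:
    """Decimal port with no sign, whitespace or empty value allowed."""
    if not token.isdigit():
        raise ValueError(f"bad port {token!r}")
    value = int(token)
    if value > 65535:
        raise ValueError(f"port out of range {value}")
    return value


def split_proxy_header(buf: bytes) -> Tuple[ProxyInfo, bytes]:
    """Return (parsed header, payload after the CRLF).

    Raises ValueError for a missing or malformed header and IncompleteHeader
    when buf does not yet hold the whole line.
    """
    # Fail fast if the bytes seen so far cannot be the start of "PROXY ".
    if not b"PROXY ".startswith(buf[:6]):
        raise ValueError("stream does not start with a PROXY header")
    end = buf.find(b"\r\n", 0, MAX_V1_HEADER)
    if end == -1:
        if len(buf) >= MAX_V1_HEADER:
            raise ValueError("no CRLF within the maximum header length")
        raise IncompleteHeader()
    line, payload = buf[:end], buf[end + 2:]
    tokens = line.split(b" ")  # the spec requires exactly one space between fields
    if len(tokens) != 6 or tokens[0] != b"PROXY":
        raise ValueError(f"malformed PROXY line {line!r}")
    expected_version = {b"TCP4": 4, b"TCP6": 6}.get(tokens[1])
    if expected_version is None:
        raise ValueError(f"unsupported address family {tokens[1]!r}")
    addrs = []
    for raw in tokens[2:4]:
        try:
            addr = ipaddress.ip_address(raw.decode("ascii"))
        except (UnicodeDecodeError, ValueError) as exc:
            raise ValueError(f"bad address {raw!r}") from exc
        if addr.version != expected_version:
            raise ValueError(f"{addr} does not match family {tokens[1]!r}")
        addrs.append(str(addr))
    info = ProxyInfo(tokens[1].decode("ascii"), addrs[0], addrs[1],
                     _port(tokens[4]), _port(tokens[5]))
    return info, payload


if __name__ == "__main__":
    # Constructed stream: PROXY line followed by a plain HTTP request.
    stream = b"PROXY TCP4 192.0.2.10 203.0.113.5 51234 443\r\nGET / HTTP/1.0\r\n\r\n"
    info, payload = split_proxy_header(stream)
    print(info)
    print(payload)
```

The CRLF search is bounded to the first 107 bytes so an attacker-controlled stream cannot make the backend buffer indefinitely while "waiting for the end of the header", and the address family is cross-checked against the literal so a TCP4 line carrying an IPv6 literal is rejected rather than logged as-is.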
SEE ALSO
ciphers(1SSL),
dhparam(1SSL),
haproxy(1)
AUTHORS
stud was originally written by Jamie Turner (@jamwt) and is
maintained by the Bump server team. It currently provides server-side TLS
termination for over 40 million Bump users.