Manual Reference Pages  -  STUD (8)


stud - The Scalable TLS Unwrapping Daemon



stud [--tls] [--ssl] [-c ciphers] [-e engine] [-b host,port] [-f host,port] [-n cores] [-B backlog] [-C cache] [-r path] [-u username] [-qs] [--write-ip] [--write-proxy] [--write-xff] certificate.pem


stud is a network proxy that terminates TLS/SSL connections and forwards the unencrypted traffic to some backend. It’s designed to handle tens of thousands of connections efficiently on multicore machines.

stud has very few features -- it’s designed to be paired with an intelligent backend like haproxy or nginx. It maintains a strict 1:1 connection pattern with this backend handler so that the backend can dictate throttling behavior, maximum connection behavior, availability of service, etc.

The only required argument is a path to a PEM file that contains the certificate (or a chain of certificates) and private key. It should also contain DH parameters if you wish to use Diffie-Hellman cipher suites.

The options are as follows:
--tls Use TLSv1 (default).
--ssl Use only SSLv3 and no TLSv1.
-c ciphers
  Set allowed ciphers using the same format as openssl ciphers. For example, you can use RSA:!COMPLEMENTOFALL.
-e engine
  Specify an OpenSSL engine by its unique ID. The engine will be used by default for all algorithms. The keyword auto can be used to load all available engines.
-b host,port
  Define backend. Default is,8000. Incoming connections will be unwrapped and sent to this IP and port.
-f host,port
  Define frontend. Default is *,8443. Incoming connections will be accepted to this IP and port and will be sent to the backend defined above.
-n cores
  Use cores worker processes. Default is 1.
-B backlog
  Set listen backlog size. Default is 100.
-C cache
  Set shared cache size in sessions. By default, no shared cache is used.
-r path
  Chroot to the given path. By default, no chroot is done.
-u username
  Set GID/UID after binding the socket. By default, no privilege is dropped.
-q Be quiet. Only emit error messages.
-s Send messages to syslog in addition to stderr and stdout.
--syslog-facility facility
  Syslog facility to use. Default is daemon.
--write-ip
  Write 1 octet with the IP family followed by the IP address in 4 (IPv4) or 16 (IPv6) octets little-endian to backend before the actual data.
--write-proxy
  Write HAProxy’s PROXY (IPv4 or IPv6) protocol line before actual data.
--write-xff
  Write X-Forwarded-For header before actual data.
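
A backend that receives connections from stud started with --write-proxy has to consume and validate the PROXY line before it touches the application data. The following is an added example, not part of stud or of this manual page: a strict parser for the text (version 1) PROXY line in Python. The trusted address 127.0.0.1, the function names and the sample bytes are assumptions constructed for illustration.

```python
import ipaddress

MAX_V1_LINE = 107                # longest PROXY v1 line, CRLF included
TRUSTED_PROXIES = {"127.0.0.1"}  # assumption: stud runs on the same host

# Constructed sample of what a backend reads first on a stud connection.
SAMPLE = b"PROXY TCP4 203.0.113.7 192.0.2.10 51234 8443\r\nGET / HTTP/1.1\r\n\r\n"


def _port(text):
    # Decimal digits only, no leading zeros, within the 16-bit range.
    if not text.isdigit() or str(int(text)) != text or int(text) > 65535:
        raise ValueError("bad port field")
    return int(text)


def parse_proxy_v1(buf):
    """Return (client_ip, client_port, payload) or raise ValueError.

    Call it once the first CRLF has been buffered. "PROXY UNKNOWN" and
    anything else that is not a TCP4/TCP6 line is rejected.
    """
    end = buf.find(b"\r\n", 0, MAX_V1_LINE)
    if end == -1:
        raise ValueError("no CRLF within the first 107 bytes")
    # decode() raises UnicodeDecodeError, a ValueError subclass, on non-ASCII.
    fields = buf[:end].decode("ascii").split(" ")
    if len(fields) != 6 or fields[0] != "PROXY":
        raise ValueError("not a PROXY v1 TCP4/TCP6 line")
    version = {"TCP4": 4, "TCP6": 6}.get(fields[1])
    src, dst = (ipaddress.ip_address(f) for f in fields[2:4])
    if version is None or src.version != version or dst.version != version:
        raise ValueError("protocol field and address family disagree")
    _port(fields[5])  # destination port is validated but not returned
    return str(src), _port(fields[4]), buf[end + 2:]


def client_for_connection(peer_ip, first_bytes):
    """Accept the header only from the proxy; never fall back to raw data."""
    if peer_ip not in TRUSTED_PROXIES:
        raise PermissionError("PROXY header offered by untrusted peer")
    return parse_proxy_v1(first_bytes)


if __name__ == "__main__":
    print(client_for_connection("127.0.0.1", SAMPLE))
```

The backend port should accept connections only from stud; a listener that parses this line from arbitrary peers lets any client choose the address it is logged under.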


See also: ciphers(1SSL), dhparam(1SSL), haproxy(1)


stud was originally written by Jamie Turner (@jamwt) and is maintained by the Bump server team. It currently provides server-side TLS termination for over 40 million Bump users.