Manual Reference Pages  -  STUD (8)

NAME

stud - The Scalable TLS Unwrapping Daemon

SYNOPSIS

stud [--tls] [--ssl] [-c ciphers] [-e engine] [-b host,port] [-f host,port] [-n cores] [-B backlog] [-C cache] [-r path] [-u username] [-qs] [--write-ip] [--write-proxy] [--write-xff] certificate.pem

DESCRIPTION

stud is a network proxy that terminates TLS/SSL connections and forwards the unencrypted traffic to a backend. It’s designed to handle tens of thousands of connections efficiently on multicore machines.

stud has very few features -- it’s designed to be paired with an intelligent backend like haproxy or nginx. It maintains a strict 1:1 connection pattern with this backend handler so that the backend can dictate throttling behavior, maximum connection behavior, availability of service, etc.

The only required argument is a path to a PEM file that contains the certificate (or a chain of certificates) and private key. It should also contain DH parameters if you wish to use Diffie-Hellman cipher suites.

The options are as follows:
--tls
  Use TLSv1 (default).
--ssl
  Use only SSLv3 and no TLSv1.
-c ciphers
  Set allowed ciphers using the same format as openssl ciphers. For example, you can use RSA:!COMPLEMENTOFALL.
-e engine
  Specify an OpenSSL engine by its unique ID. The engine will be used by default for all algorithms. The keyword auto can be used to load all available engines.
-b host,port
  Define backend. Default is 127.0.0.1,8000. Incoming connections will be unwrapped and sent to this IP and port.
-f host,port
  Define frontend. Default is *,8443. Incoming connections will be accepted to this IP and port and will be sent to the backend defined above.
-n cores
  Use cores worker processes. Default is 1.
-B backlog
  Set listen backlog size. Default is 100.
-C cache
  Set shared cache size in sessions. By default, no shared cache is used.
-r path
  Chroot to the given path. By default, no chroot is done.
-u username
  Set GID/UID after binding the socket. By default, no privilege is dropped.
-q
  Be quiet. Only emit error messages.
-s
  Send messages to syslog in addition to stderr and stdout.
--syslog-facility facility
  Syslog facility to use. Default is daemon.
--write-ip
  Write 1 octet with the IP family followed by the IP address in 4 (IPv4) or 16 (IPv6) octets little-endian to backend before the actual data.
--write-proxy
  Write HAProxy’s PROXY (IPv4 or IPv6) protocol line before actual data.
--write-xff
  Write X-Forwarded-For header before actual data.
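
The line that --write-proxy puts in front of the data has to be parsed and stripped by the backend. The following is an added example, not part of stud or of this manual: a strict parser for the version 1 text form of the PROXY protocol ("PROXY TCP4|TCP6 src dst sport dport" ending in CRLF, at most 107 bytes), which is assumed here to be what stud writes. The names parse_proxy_v1 and ProxyHeaderError and the sample bytes are constructed for illustration.

```python
import ipaddress

MAX_V1_LINE = 107  # longest v1 header the PROXY spec allows, CRLF included


class ProxyHeaderError(ValueError):
    """The stream did not start with a well-formed PROXY v1 line."""


def parse_proxy_v1(buf: bytes):
    """Return ((src_ip, src_port), (dst_ip, dst_port), payload)."""
    end = buf.find(b"\r\n", 0, MAX_V1_LINE)
    if end == -1:
        raise ProxyHeaderError("no CRLF within the first 107 bytes")
    try:
        fields = buf[:end].decode("ascii").split(" ")
    except UnicodeDecodeError:
        raise ProxyHeaderError("non-ASCII header") from None
    if len(fields) != 6 or fields[0] != "PROXY":
        raise ProxyHeaderError("malformed header")
    proto, src, dst, sport, dport = fields[1:]
    version = {"TCP4": 4, "TCP6": 6}.get(proto)
    if version is None:
        raise ProxyHeaderError("unsupported protocol field")
    try:
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    except ValueError:
        raise ProxyHeaderError("bad address") from None
    if src_ip.version != version or dst_ip.version != version:
        raise ProxyHeaderError("address family does not match protocol")
    for port in (sport, dport):
        if not port.isdigit() or int(port) > 65535:
            raise ProxyHeaderError("bad port")
    # Everything after the CRLF is the unwrapped application data.
    return (src_ip, int(sport)), (dst_ip, int(dport)), buf[end + 2:]


# Constructed sample of what a backend would read first on a connection.
SAMPLE = (b"PROXY TCP4 203.0.113.7 198.51.100.10 51234 8443\r\n"
          b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n")

if __name__ == "__main__":
    src, dst, payload = parse_proxy_v1(SAMPLE)
    print(src, dst, payload[:14])
```

A backend should accept this header only on the listener that stud connects to (the -b address), because any peer able to reach that port can claim an arbitrary client address.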

SEE ALSO

ciphers(1SSL), dhparam(1SSL), haproxy(1)

AUTHORS

stud was originally written by Jamie Turner (@jamwt) and is maintained by the Bump server team. It currently provides server-side TLS termination for over 40 million Bump users.