Hitch - high performance TLS proxy

hitch [OPTIONS] [PEM]

Hitch is a network proxy that terminates TLS/SSL connections and forwards the unencrypted traffic to some backend. It's designed to handle tens of thousands of connections efficiently on multicore machines.
Hitch has very few features -- it's designed to be paired with an intelligent backend like Varnish Cache. It maintains a strict 1:1 connection pattern with this backend handler so that the backend can dictate throttling behavior, maximum connection behavior, availability of service, etc.
The only required argument is a path to a PEM file that contains the certificate (or a chain of certificates) and private key. It should also contain DH parameters if you wish to use Diffie-Hellman cipher suites.

Load configuration from specified file. See hitch.conf(5) for details.
All TLS versions, no SSLv3 (deprecated). See config file setting tls-protos.
Enable SSLv3 (deprecated). See config file setting tls-protos.
Sets allowed ciphers (Default: "")

Sets OpenSSL engine (Default: "")

Prefer server list order

Enable client proxy mode
--backend=[HOST]:PORT Backend [connect] (default is "[]:8000"). The -b argument can also take a UNIX domain socket path, e.g. --backend="/path/to/sock"
--frontend=[HOST]:PORT[+CERT] Frontend [bind] (default is "[*]:8443"). (Note: brackets are mandatory in endpoint specifiers.)
Number of worker processes (Default: 1)

Set listen backlog size (Default: 100)

TCP keepalive on client socket (Default: 3600)

Periodic backend IP lookup, 0 to disable (Default: 0)

Sets chroot directory (Default: "")

Set uid/gid after binding the socket (Default: "")

Set gid after binding the socket (Default: "")

Be quiet; emit only error messages (deprecated in favor of log-level)

Log level. 0=silence, 1=err, 2=info/debug

Send log message to syslog in addition to stderr/stdout

Syslog facility to use (Default: "daemon")
Fork into background and become a daemon; this also sets the --quiet option (Default: off)
Write 1 octet with the IP family followed by the IP address in 4 (IPv4) or 16 (IPv6) octets little-endian to backend before the actual data (Default: off)
Write HaProxy's PROXY v1 (IPv4 or IPv6) protocol line before actual data (Default: off)
Write HaProxy's PROXY v2 binary (IPv4 or IPv6) protocol line before actual data (Default: off)
Equivalent to --write-proxy-v2. For PROXY version 1 use --write-proxy-v1 explicitly
Proxy HaProxy's PROXY (IPv4 or IPv6) protocol line before actual data (PROXY v1 only) (Default: off)
Sets the protocols for ALPN/NPN negotiation, given by a comma separated list. If this is not set explicitly, ALPN/NPN will not be used. Requires OpenSSL 1.0.1 for NPN and OpenSSL 1.0.2 for ALPN.
Abort handshake when client submits an unrecognized SNI server name (Default: off)
Set OCSP staple cache directory. This enables automated retrieval and stapling of OCSP responses (Default: "")
Test configuration and exit

PID file

Print program version and exit

This help message
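
A backend behind hitch started with --write-proxy-v1 has to parse the PROXY v1 line before it sees any application data. The following is an added example, not part of hitch or of this man page: a strict Python parser that rejects anything malformed; the function and exception names are hypothetical and the sample addresses are constructed.

```python
import ipaddress

MAX_V1_LINE = 107  # longest PROXY v1 line, CRLF included (PROXY protocol spec)


class ProxyHeaderError(ValueError):
    """Malformed PROXY v1 line; the caller should drop the connection."""


def parse_proxy_v1(buf: bytes):
    """Parse the first bytes read from a hitch connection.

    Returns (src, dst, payload); src and dst are (ip, port) tuples, or
    None for 'PROXY UNKNOWN'. payload is whatever followed the line.
    """
    end = buf.find(b"\r\n", 0, MAX_V1_LINE)
    if end < 0:
        raise ProxyHeaderError("no CRLF within the first 107 bytes")
    line, payload = buf[:end], buf[end + 2:]
    if not line.startswith(b"PROXY "):
        raise ProxyHeaderError("missing PROXY signature")
    try:
        parts = line.decode("ascii").split(" ")
    except UnicodeDecodeError:
        raise ProxyHeaderError("non-ASCII byte in header") from None
    if parts[1] == "UNKNOWN":
        return None, None, payload
    if len(parts) != 6 or parts[1] not in ("TCP4", "TCP6"):
        raise ProxyHeaderError("unexpected field count or protocol")
    want = 4 if parts[1] == "TCP4" else 6
    try:
        src_ip, dst_ip = (ipaddress.ip_address(p) for p in parts[2:4])
    except ValueError:
        raise ProxyHeaderError("bad address") from None
    if src_ip.version != want or dst_ip.version != want:
        raise ProxyHeaderError("address family does not match protocol")
    ports = []
    for p in parts[4:]:
        # Decimal only, no leading zeros, within the 16-bit port range.
        if not p.isdigit() or (len(p) > 1 and p[0] == "0") or int(p) > 65535:
            raise ProxyHeaderError("bad port")
        ports.append(int(p))
    return (str(src_ip), ports[0]), (str(dst_ip), ports[1]), payload


# Constructed sample: what a backend might read first from hitch.
SAMPLE = b"PROXY TCP4 192.0.2.10 198.51.100.5 51234 8443\r\nGET / HTTP/1.1\r\n"
print(parse_proxy_v1(SAMPLE))
```

The parsed address is only trustworthy when the backend endpoint is reachable solely by hitch (loopback or a UNIX domain socket, which --backend accepts); a client that can connect to the backend directly can supply its own PROXY line.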

Hitch was originally called stud and was written by Jamie Turner at
