.\" Man page generated from reStructuredText.
.
.
.nr rst2man-indent-level 0
.
.de1 rstReportMargin
\\$1 \\n[an-margin]
level \\n[rst2man-indent-level]
level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
-
\\n[rst2man-indent0]
\\n[rst2man-indent1]
\\n[rst2man-indent2]
..
.de1 INDENT
.\" .rstReportMargin pre:
. RS \\$1
. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
. nr rst2man-indent-level +1
.\" .rstReportMargin post:
..
.de UNINDENT
. RE
.\" indent \\n[an-margin]
.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
.nr rst2man-indent-level -1
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
..
.TH "HITCH" 8 "" "" ""
.SH NAME
Hitch \- high performance TLS proxy
.SH SYNOPSIS
.sp
hitch [OPTIONS] [PEM]
.SH DESCRIPTION
.sp
Hitch is a network proxy that terminates TLS/SSL connections and forwards
the unencrypted traffic to some backend. It is designed to handle tens of
thousands of connections efficiently on multicore machines.
.sp
Hitch has very few features; it is designed to be paired with an
intelligent backend like Varnish Cache. It maintains a strict 1:1
connection pattern with this backend handler so that the backend can
dictate throttling behavior, maximum connection behavior, availability of
service, etc.
.sp
The only required argument is a path to a PEM file that contains the
certificate (or a chain of certificates) and the private key. It should
also contain DH parameters if you wish to use Diffie\-Hellman cipher
suites.
.SH COMMAND LINE ARGUMENTS
.SS \fB\-\-config=FILE\fP
.sp
Load configuration from the specified file. See \fIhitch.conf(5)\fP for
details.
.SS \fB\-\-tls\-protos=LIST\fP
.sp
Specifies which SSL/TLS protocols to use. Available tokens are
\fBSSLv3\fP, \fBTLSv1.0\fP, \fBTLSv1.1\fP, \fBTLSv1.2\fP and
\fBTLSv1.3\fP\&.
(Default \(dqTLSv1.2 TLSv1.3\(dq)
.sp
SSLv3, TLSv1.0 and TLSv1.1 are deprecated (RFC 7568 and RFC 8996) and
should only be enabled for legacy clients that cannot be upgraded.
.SS \fB\-c \-\-ciphers=SUITE\fP
.sp
Sets the allowed cipher suites, as an OpenSSL cipher list string
(Default: \(dqEECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH\(dq)
.SS \fB\-e \-\-ssl\-engine=NAME\fP
.sp
Sets the OpenSSL engine (Default: \(dq\(dq)
.SS \fB\-O \-\-prefer\-server\-ciphers[=on|off]\fP
.sp
Prefer the server\(aqs cipher list order over the client\(aqs
(Default: \(dqoff\(dq)
.SS \fB\-\-client\fP
.sp
Enable client proxy mode
.SS \fB\-b \-\-backend=[HOST]:PORT\fP
.sp
Backend endpoint (default is \(dq[127.0.0.1]:8000\(dq). The \-b argument
can also take a UNIX domain socket path, e.g.
\-\-backend=\(dq/path/to/sock\(dq
.sp
If \fB\-\-chroot\fP is also specified, the UNIX domain socket path is
resolved at runtime from within the chroot, and must be specified with
the path it is accessible from within the chroot. I.e. for a
\fB/run/hitch\fP chroot and a \fB/run/hitch/sock\fP UNIX domain socket,
configure the backend argument as \fB/sock\fP\&.
.SS \fB\-f \-\-frontend=[HOST]:PORT[+CERT]\fP
.sp
Frontend listen endpoint (default is \(dq[*]:8443\(dq). An optional
\fB+CERT\fP names a PEM file to use for this frontend. (Note: brackets
are mandatory in endpoint specifiers.)
.SS \fB\-n \-\-workers=NUM|auto\fP
.sp
Number of worker processes (Default: 1). The value \fBauto\fP creates
one worker per CPU core.
.SS \fB\-B \-\-backlog=NUM\fP
.sp
Set listen backlog size (Default: 100)
.SS \fB\-k \-\-keepalive=SECS\fP
.sp
TCP keepalive on the client socket, in seconds (Default: 3600)
.SS \fB\-R \-\-backend\-refresh=SECS\fP
.sp
Periodic backend IP lookup interval, 0 to disable (Default: 0)
.SS \fB\-\-enable\-tcp\-fastopen[=on|off]\fP
.sp
Enable client\-side TCP Fast Open. (Default: off)
.SS \fB\-r \-\-chroot=DIR\fP
.sp
Sets chroot directory (Default: \(dq\(dq)
.SS \fB\-u \-\-user=USER\fP
.sp
Set uid/gid after binding the socket (Default: \(dq\(dq)
.SS \fB\-g \-\-group=GROUP\fP
.sp
Set gid after binding the socket (Default: \(dq\(dq)
.SS \fB\-q \-\-quiet[=on|off]\fP
.sp
Be quiet; emit only error messages (deprecated, use \(aqlog\-level\(aq)
.SS \fB\-L \-\-log\-level=NUM\fP
.sp
Log level.
0=silence, 1=err, 2=info/debug (Default: 1)
.SS \fB\-l \-\-log\-filename=FILE\fP
.sp
Send log messages to a logfile instead of stderr/stdout
.SS \fB\-s \-\-syslog[=on|off]\fP
.sp
Send log messages to syslog in addition to stderr/stdout
.SS \fB\-\-syslog\-facility=FACILITY\fP
.sp
Syslog facility to use (Default: \(dqdaemon\(dq)
.SS \fB\-\-daemon[=on|off]\fP
.sp
Fork into the background and become a daemon (Default: off)
.SS \fB\-\-write\-ip[=on|off]\fP
.sp
Write 1 octet with the IP family followed by the IP address in 4 (IPv4)
or 16 (IPv6) octets little\-endian to the backend before the actual data
(Default: off)
.SS \fB\-\-write\-proxy\-v1[=on|off]\fP
.sp
Write HAProxy\(aqs PROXY v1 (IPv4 or IPv6) protocol line before the
actual data (Default: off)
.SS \fB\-\-write\-proxy\-v2[=on|off]\fP
.sp
Write HAProxy\(aqs PROXY v2 binary (IPv4 or IPv6) protocol header before
the actual data (Default: off)
.SS \fB\-\-write\-proxy[=on|off]\fP
.sp
Equivalent to \-\-write\-proxy\-v2. For PROXY version 1 use
\-\-write\-proxy\-v1 explicitly.
.sp
With any of the \-\-write\-* options the backend must be configured to
expect exactly that header on every connection from Hitch, and should
accept it only from Hitch\(aqs own address: a backend that honors PROXY
headers from arbitrary peers lets those peers forge the client address.
.SS \fB\-\-proxy\-proxy[=on|off]\fP
.sp
Read a PROXY protocol header (PROXYv1 or PROXYv2, IPv4 or IPv6) sent by
the connecting client and forward it to the backend before the actual
data (Default: off). Enable this only when the frontend is reachable
solely from a trusted load balancer that emits the header; otherwise any
client can supply a forged source address.
.SS \fB\-\-sni\-nomatch\-abort[=on|off]\fP
.sp
Abort the handshake when the client submits an unrecognized SNI server
name (Default: off). When off, the handshake proceeds with the default
certificate.
.SS \fB\-\-alpn\-protos=LIST\fP
.sp
Sets the protocols for ALPN/NPN negotiation, provided as a list of
comma\-separated tokens.
.SS \fB\-\-ocsp\-dir=DIR\fP
.sp
Set the OCSP staple cache directory. This enables automated retrieval
and stapling of OCSP responses (Default: \(dq/var/lib/hitch/\(dq)
.SS \fB\-\-backend\-connect\-timeout=SECS\fP
.sp
Backend connect timeout.
.SS \fB\-\-ssl\-handshake\-timeout=SECS\fP
.sp
TLS handshake timeout.
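.sp
The following is an added example and not part of the Hitch source or its
documentation: a backend\-side parser, written in Python, for the PROXY v1
line and PROXY v2 binary header that \-\-write\-proxy\-v1,
\-\-write\-proxy\-v2 and \-\-proxy\-proxy place in front of the cleartext
stream. The formats follow the HAProxy proxy\-protocol specification; the
trusted peer addresses 10.0.0.5 and 127.0.0.1, the sample headers and the
function names are constructed for the example. The parser honors a header
only when the connection comes from a peer in the trusted set, which is the
check a backend needs whenever any of these options is on.
.sp
.INDENT 0.0
.INDENT 3.5
.nf
.ft C
```python
"""Backend-side parser for the PROXY headers Hitch can prepend (added
example for this man page, not Hitch code). Formats follow the HAProxy
proxy-protocol spec; trusted peers, samples and names are constructed."""
import ipaddress
import struct

# PROXY v2 signature and CRLF as hex, keeping the source free of escapes.
PP2_SIGNATURE = bytes.fromhex("0d0a0d0a000d0a5155495409")
CRLF = bytes.fromhex("0d0a")

# Only the Hitch hosts may assert a client address (assumed addresses).
TRUSTED_PEERS = {ipaddress.ip_address("10.0.0.5"), ipaddress.ip_address("127.0.0.1")}


class ProxyHeaderError(ValueError):
    """A header from a trusted peer is missing or malformed."""


def parse_v1(buf):
    """Parse 'PROXY TCP4|TCP6|UNKNOWN ...' + CRLF; return (info, rest)."""
    end = buf.find(CRLF, 0, 107)  # the spec caps a v1 line at 107 bytes
    if end < 0:
        raise ProxyHeaderError("no CRLF within the first 107 bytes")
    fields = buf[:end].decode("ascii", "replace").split(" ")
    if len(fields) < 2 or fields[0] != "PROXY":
        raise ProxyHeaderError("not a PROXY v1 line")
    rest = buf[end + 2:]
    if fields[1] == "UNKNOWN":  # sender knows nothing about the client
        return {"version": 1, "family": None, "src": None, "src_port": None}, rest
    if fields[1] not in ("TCP4", "TCP6") or len(fields) != 6:
        raise ProxyHeaderError("malformed PROXY v1 line")
    try:
        src, dst = ipaddress.ip_address(fields[2]), ipaddress.ip_address(fields[3])
        sport, dport = int(fields[4]), int(fields[5])
    except ValueError:
        raise ProxyHeaderError("bad address or port in PROXY v1 line")
    want = 4 if fields[1] == "TCP4" else 6
    ports_ok = 0 <= min(sport, dport) and max(sport, dport) <= 65535
    if src.version != want or dst.version != want or not ports_ok:
        raise ProxyHeaderError("address family or port does not fit " + fields[1])
    return {"version": 1, "family": fields[1], "src": str(src), "src_port": sport}, rest


def parse_v2(buf):
    """Parse the binary PROXY v2 header; return (info, rest)."""
    if len(buf) < 16 or buf[:12] != PP2_SIGNATURE:
        raise ProxyHeaderError("missing PROXY v2 signature")
    ver_cmd, fam_proto, length = struct.unpack("!BBH", buf[12:16])
    if (ver_cmd >> 4) != 2:
        raise ProxyHeaderError("unsupported PROXY version")
    if len(buf) < 16 + length:
        raise ProxyHeaderError("truncated PROXY v2 header")
    body, rest = buf[16:16 + length], buf[16 + length:]
    if (ver_cmd & 0x0F) == 0:  # LOCAL command (health checks): no client address
        return {"version": 2, "family": None, "src": None, "src_port": None}, rest
    family = fam_proto >> 4
    if family == 1 and length >= 12:  # AF_INET: 4 + 4 + 2 + 2 bytes
        src, _dst, sport, _dport = struct.unpack("!4s4sHH", body[:12])
    elif family == 2 and length >= 36:  # AF_INET6: 16 + 16 + 2 + 2 bytes
        src, _dst, sport, _dport = struct.unpack("!16s16sHH", body[:36])
    else:
        raise ProxyHeaderError("unsupported address family or short body")
    return {"version": 2, "family": "TCP4" if family == 1 else "TCP6",
            "src": str(ipaddress.ip_address(src)), "src_port": sport}, rest


def client_address(peer_ip, data):
    """Return (client_ip, client_port, payload) for a connection from peer_ip.

    A header is honored only from TRUSTED_PEERS; any other peer keeps its own
    address and its bytes pass through unchanged, so it cannot forge one."""
    peer = ipaddress.ip_address(peer_ip)
    if peer not in TRUSTED_PEERS:
        return str(peer), None, data
    if data.startswith(PP2_SIGNATURE):
        info, rest = parse_v2(data)
    elif data.startswith(b"PROXY "):
        info, rest = parse_v1(data)
    else:
        raise ProxyHeaderError("trusted peer sent no PROXY header")
    if info["src"] is None:
        return str(peer), None, rest
    return info["src"], info["src_port"], rest


def build_v2(src, dst, sport, dport):
    """Encode a PROXY v2 header; used here only to produce the sample input."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    fam_proto = 0x11 if s.version == 4 else 0x21  # INET or INET6, STREAM
    body = s.packed + d.packed + struct.pack("!HH", sport, dport)
    return PP2_SIGNATURE + struct.pack("!BBH", 0x21, fam_proto, len(body)) + body


# Constructed samples: a v1 line and a v2 header, each followed by the
# first bytes of the cleartext HTTP request.
PAYLOAD = b"GET / HTTP/1.1" + CRLF
SAMPLE_V1 = b"PROXY TCP4 192.0.2.10 10.0.0.7 51234 443" + CRLF + PAYLOAD
SAMPLE_V2 = build_v2("2001:db8::1", "2001:db8::2", 40000, 443) + PAYLOAD
```
.ft P
.fi
.UNINDENT
.UNINDENT
.sp
A connection from 10.0.0.5 carrying SAMPLE_V1 yields the client address
192.0.2.10 port 51234 and the HTTP request as payload; the same bytes from
an address outside the trusted set yield that address itself, with the
whole buffer left as payload. A trusted peer that sends no header is an
error rather than a fallback, because with \-\-write\-proxy on, Hitch
sends one on every connection.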
.SS \fB\-t \-\-test\fP
.sp
Test the configuration and exit
.SS \fB\-p \-\-pidfile=FILE\fP
.sp
PID file
.SS \fB\-V \-\-version\fP
.sp
Print program version and exit
.SS \fB\-h \-\-help\fP
.sp
Print this help message and exit
.SH HISTORY
.sp
Hitch was originally called stud and was written by Jamie Turner at
Bump.com.
.\" Generated by docutils manpage writer.
.
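.SH EXAMPLES
.sp
The following is an added example and not part of the Hitch source or its
documentation: a Python pre\-flight check for the combined PEM file named
in SYNOPSIS and DESCRIPTION. It verifies that the file carries exactly one
private key, at least one certificate and, because the default cipher list
includes EDH suites, a DH PARAMETERS block, then lets OpenSSL load the file
as a TLS server would, so that a key/certificate mismatch or a chain whose
leaf is not first is caught before Hitch is started. The sample bundle, its
placeholder contents and the function names are constructed for the
example.
.sp
.INDENT 0.0
.INDENT 3.5
.nf
.ft C
```python
"""Pre-flight check of the combined PEM file Hitch takes as its argument.

Added example for this man page, not Hitch code. It checks the blocks the
DESCRIPTION calls for: exactly one private key, one or more certificates
and, when DH cipher suites are wanted, a DH PARAMETERS block. The sample
bundle below is constructed; its base64 bodies are placeholders, not keys.
"""
import base64
import binascii
import ssl

NL = chr(10)
KEY_LABELS = ("PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY")


def pem_blocks(text):
    """Return [(label, base64_body), ...] for each BEGIN/END block in text."""
    blocks, label, body = [], None, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("-----BEGIN ") and line.endswith("-----"):
            if label is not None:
                raise ValueError("BEGIN inside unterminated " + label)
            label, body = line[11:-5], []
        elif line.startswith("-----END ") and line.endswith("-----"):
            if label is None or line[9:-5] != label:
                raise ValueError("END does not match BEGIN: " + line)
            blocks.append((label, "".join(body)))
            label = None
        elif label is not None and line and ":" not in line:
            body.append(line)  # skip Proc-Type/DEK-Info style header lines
    if label is not None:
        raise ValueError("unterminated block " + label)
    return blocks


def inspect_bundle(text, want_dh):
    """Describe the bundle, or raise ValueError when Hitch could not use it.

    want_dh should be True whenever the cipher list offers EDH suites, as
    the default list does; those suites need the DH PARAMETERS block.
    """
    blocks = pem_blocks(text)
    for label, body in blocks:
        try:
            base64.b64decode(body, validate=True)
        except binascii.Error as exc:
            raise ValueError("bad base64 in " + label + ": " + str(exc))
    labels = [lb for lb, _ in blocks]
    if "ENCRYPTED PRIVATE KEY" in labels:
        raise ValueError("encrypted private key: no command line option supplies a passphrase")
    keys = [lb for lb in labels if lb in KEY_LABELS]
    if len(keys) != 1:
        raise ValueError("expected exactly one private key, found " + str(len(keys)))
    certs = labels.count("CERTIFICATE")
    if certs == 0:
        raise ValueError("no CERTIFICATE block")
    dh = labels.count("DH PARAMETERS")
    if want_dh and dh == 0:
        raise ValueError("DH cipher suites wanted but no DH PARAMETERS block")
    return {"key": keys[0], "certificates": certs, "dh_params": dh}


def openssl_check(path, want_dh):
    """Have OpenSSL load a real bundle file the way a TLS server would.

    load_cert_chain reads the key from the same file and fails when it does
    not match the first certificate, which must therefore be the leaf.
    Raises ssl.SSLError on any problem; returns True otherwise.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(path)
    if want_dh:
        ctx.load_dh_params(path)
    return True


def pem_block(label, payload):
    """Build one PEM block; used only to construct the sample bundle."""
    b64 = base64.b64encode(payload).decode("ascii")
    return "-----BEGIN " + label + "-----" + NL + b64 + NL + "-----END " + label + "-----" + NL


# Constructed sample: leaf cert, intermediate, key and DH params, in the
# order OpenSSL expects (leaf first). Payloads are placeholders.
SAMPLE_BUNDLE = (pem_block("CERTIFICATE", b"leaf certificate placeholder")
                 + pem_block("CERTIFICATE", b"intermediate certificate placeholder")
                 + pem_block("PRIVATE KEY", b"private key placeholder")
                 + pem_block("DH PARAMETERS", b"dh parameters placeholder"))
```
.ft P
.fi
.UNINDENT
.UNINDENT
.sp
inspect_bundle works on the file text and needs no real key material;
openssl_check takes the path of a real bundle and is where a mismatched
key or a mis\-ordered chain surfaces. Neither replaces running
\fBhitch \-\-test\fP against the actual configuration, which exercises
Hitch\(aqs own loader.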