Initial commit
This commit is contained in:
WatermelonModders
+129
@@ -0,0 +1,129 @@
|
||||
.\" Copyright (c) 2011 Vincent Bernat <bernat@luffy.cx>
|
||||
.\"
|
||||
.\" Redistribution and use in source and binary forms, with or without modification, are
|
||||
.\" permitted provided that the following conditions are met:
|
||||
.\"
|
||||
.\" 1. Redistributions of source code must retain the above copyright notice, this list of
|
||||
.\" conditions and the following disclaimer.
|
||||
.\"
|
||||
.\" 2. Redistributions in binary form must reproduce the above copyright notice, this list
|
||||
.\" of conditions and the following disclaimer in the documentation and/or other materials
|
||||
.\" provided with the distribution.
|
||||
.\"
|
||||
.\" THIS SOFTWARE IS PROVIDED BY BUMP TECHNOLOGIES, INC. ``AS IS'' AND ANY EXPRESS OR IMPLIED
|
||||
.\" WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
|
||||
.\" FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL BUMP TECHNOLOGIES, INC. OR
|
||||
.\" CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
|
||||
.\" CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
|
||||
.\" SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
|
||||
.\" ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
|
||||
.\" NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
|
||||
.\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
.\"
|
||||
.\" The views and conclusions contained in the software and documentation are those of the
|
||||
.\" authors and should not be interpreted as representing official policies, either expressed
|
||||
.\" or implied, of Bump Technologies, Inc.
|
||||
.\"
|
||||
.Dd $Mdocdate: September 23 2011 $
|
||||
.Dt STUD 8
|
||||
.Os
|
||||
.Sh NAME
|
||||
.Nm stud
|
||||
.Nd The Scalable TLS Unwrapping Daemon
|
||||
.Sh SYNOPSIS
|
||||
.Nm
|
||||
.Op Fl -tls
|
||||
.Op Fl -ssl
|
||||
.Op Fl c Ar ciphers
|
||||
.Op Fl e Ar engine
|
||||
.Op Fl b Ar host,port
|
||||
.Op Fl f Ar host,port
|
||||
.Op Fl n Ar cores
|
||||
.Op Fl B Ar backlog
|
||||
.Op Fl C Ar cache
|
||||
.Op Fl r Ar path
|
||||
.Op Fl u Ar username
|
||||
.Op Fl qs
|
||||
.Op Fl -write-ip
|
||||
.Op Fl -write-proxy
|
||||
.Ar certificate.pem
|
||||
.Sh DESCRIPTION
|
||||
.Nm
|
||||
is a network proxy that terminates TLS/SSL connections and forwards the
|
||||
unencrypted traffic to some backend. It's designed to handle 10s of thousands of
|
||||
connections efficiently on multicore machines.
|
||||
.Pp
|
||||
.Nm
|
||||
has very few features -- it's designed to be paired with an intelligent
|
||||
backend like haproxy or nginx. It maintains a strict 1:1 connection pattern
|
||||
with this backend handler so that the backend can dictate throttling behavior,
|
||||
maxmium connection behavior, availability of service, etc.
|
||||
.Pp
|
||||
The only required argument is a path to a PEM file that contains the certificate
|
||||
(or a chain of certificates) and private key. It should also contain
|
||||
DH parameter if you wish to use Diffie-Hellman cipher suites.
|
||||
.Pp
|
||||
The options are as follows:
|
||||
.Bl -tag -width Ds
|
||||
.It Fl -tls
|
||||
Use TLSv1 (default).
|
||||
.It Fl -ssl
|
||||
Use only SSLv3 and no TLSv1.
|
||||
.It Fl c Ar ciphers
|
||||
Set allowed ciphers using the same format as
|
||||
.Ic openssl ciphers .
|
||||
For example, you can use
|
||||
.Ar RSA:!COMPLEMENTOFALL .
|
||||
.It Fl e Ar engine
|
||||
Specify an OpenSSL engine by its unique ID. The engine will be used by
|
||||
default for all algorithms. The keyword
|
||||
.Ar auto
|
||||
can be used to load all available engines.
|
||||
.It Fl b Ar host,port
|
||||
Define backend. Default is
|
||||
.Ar 127.0.0.1,8000 .
|
||||
Incoming connections will be unwrapped and sent to this IP and port.
|
||||
.It Fl f Ar host,port
|
||||
Define frontend. Default is
|
||||
.Ar *,8443 .
|
||||
Incoming connections will be accepted to this IP and port and will be
|
||||
sent to the backend defined above.
|
||||
.It Fl n Ar cores
|
||||
Use
|
||||
.Ar cores
|
||||
worker processes. Default is 1.
|
||||
.It Fl B Ar backlog
|
||||
Set listen backlog size. Default is 100.
|
||||
.It Fl C Ar cache
|
||||
Set shared cache size in sessions. By default, no shared cache is used.
|
||||
.It Fl r Ar path
|
||||
Chroot to the given path. By default, no chroot is done.
|
||||
.It Fl u Ar username
|
||||
Set GID/UID after binding the socket. By default, no privilege is dropped.
|
||||
.It Fl q
|
||||
Be quiet. Only emit error messages.
|
||||
.It Fl s
|
||||
Send messages to syslog in addition to
|
||||
.Em stderr
|
||||
and
|
||||
.Em stdout .
|
||||
.It Fl -syslog-facility Ar facility
|
||||
Syslog facility to use. Default is
|
||||
.Ar daemon .
|
||||
.It Fl -write-ip
|
||||
Write 1 octet with the IP family followed by the IP address in 4
|
||||
(IPv4) or 16 (IPv6) octets little-endian to backend before the actual
|
||||
data.
|
||||
.It Fl -write-proxy
|
||||
Write HaProxy's PROXY (IPv4 or IPv6) protocol line
|
||||
before actual data.
|
||||
.El
|
||||
.Sh SEE ALSO
|
||||
.Xr ciphers 1SSL ,
|
||||
.Xr dhparam 1SSL ,
|
||||
.Xr haproxy 1
|
||||
.Sh AUTHORS
|
||||
.Nm
|
||||
was originally written by Jamie Turner (@jamwt) and is maintained by
|
||||
the Bump server team. It currently provides server-side TLS
|
||||
termination for over 40 million Bump users.
|
||||
Reference in New Issue
Block a user