WatermelonModders
130 lines
4.5 KiB
Plaintext
130 lines
4.5 KiB
Plaintext
.\" Copyright (c) 2011 Vincent Bernat <bernat@luffy.cx>
|
|
.\"
|
|
.\" Redistribution and use in source and binary forms, with or without modification, are
|
|
.\" permitted provided that the following conditions are met:
|
|
.\"
|
|
.\" 1. Redistributions of source code must retain the above copyright notice, this list of
|
|
.\" conditions and the following disclaimer.
|
|
.\"
|
|
.\" 2. Redistributions in binary form must reproduce the above copyright notice, this list
|
|
.\" of conditions and the following disclaimer in the documentation and/or other materials
|
|
.\" provided with the distribution.
|
|
.\"
|
|
.\" THIS SOFTWARE IS PROVIDED BY BUMP TECHNOLOGIES, INC. ``AS IS'' AND ANY EXPRESS OR IMPLIED
|
|
.\" WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
|
|
.\" FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL BUMP TECHNOLOGIES, INC. OR
|
|
.\" CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
|
|
.\" CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
|
|
.\" SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
|
|
.\" ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
|
|
.\" NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
|
|
.\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
|
.\"
|
|
.\" The views and conclusions contained in the software and documentation are those of the
|
|
.\" authors and should not be interpreted as representing official policies, either expressed
|
|
.\" or implied, of Bump Technologies, Inc.
|
|
.\"
|
|
.Dd $Mdocdate: September 23 2011 $
|
|
.Dt STUD 8
|
|
.Os
|
|
.Sh NAME
|
|
.Nm stud
|
|
.Nd The Scalable TLS Unwrapping Daemon
|
|
.Sh SYNOPSIS
|
|
.Nm
|
|
.Op Fl -tls
|
|
.Op Fl -ssl
|
|
.Op Fl c Ar ciphers
|
|
.Op Fl e Ar engine
|
|
.Op Fl b Ar host,port
|
|
.Op Fl f Ar host,port
|
|
.Op Fl n Ar cores
|
|
.Op Fl B Ar backlog
|
|
.Op Fl C Ar cache
|
|
.Op Fl r Ar path
|
|
.Op Fl u Ar username
|
|
.Op Fl qs
|
|
.Op Fl -write-ip
|
|
.Op Fl -write-proxy
|
|
.Ar certificate.pem
|
|
.Sh DESCRIPTION
|
|
.Nm
|
|
is a network proxy that terminates TLS/SSL connections and forwards the
|
|
unencrypted traffic to some backend. It's designed to handle 10s of thousands of
|
|
connections efficiently on multicore machines.
|
|
.Pp
|
|
.Nm
|
|
has very few features -- it's designed to be paired with an intelligent
|
|
backend like haproxy or nginx. It maintains a strict 1:1 connection pattern
|
|
with this backend handler so that the backend can dictate throttling behavior,
|
|
maxmium connection behavior, availability of service, etc.
|
|
.Pp
|
|
The only required argument is a path to a PEM file that contains the certificate
|
|
(or a chain of certificates) and private key. It should also contain
|
|
DH parameter if you wish to use Diffie-Hellman cipher suites.
|
|
.Pp
|
|
The options are as follows:
|
|
.Bl -tag -width Ds
|
|
.It Fl -tls
|
|
Use TLSv1 (default).
|
|
.It Fl -ssl
|
|
Use only SSLv3 and no TLSv1.
|
|
.It Fl c Ar ciphers
|
|
Set allowed ciphers using the same format as
|
|
.Ic openssl ciphers .
|
|
For example, you can use
|
|
.Ar RSA:!COMPLEMENTOFALL .
|
|
.It Fl e Ar engine
|
|
Specify an OpenSSL engine by its unique ID. The engine will be used by
|
|
default for all algorithms. The keyword
|
|
.Ar auto
|
|
can be used to load all available engines.
|
|
.It Fl b Ar host,port
|
|
Define backend. Default is
|
|
.Ar 127.0.0.1,8000 .
|
|
Incoming connections will be unwrapped and sent to this IP and port.
|
|
.It Fl f Ar host,port
|
|
Define frontend. Default is
|
|
.Ar *,8443 .
|
|
Incoming connections will be accepted to this IP and port and will be
|
|
sent to the backend defined above.
|
|
.It Fl n Ar cores
|
|
Use
|
|
.Ar cores
|
|
worker processes. Default is 1.
|
|
.It Fl B Ar backlog
|
|
Set listen backlog size. Default is 100.
|
|
.It Fl C Ar cache
|
|
Set shared cache size in sessions. By default, no shared cache is used.
|
|
.It Fl r Ar path
|
|
Chroot to the given path. By default, no chroot is done.
|
|
.It Fl u Ar username
|
|
Set GID/UID after binding the socket. By default, no privilege is dropped.
|
|
.It Fl q
|
|
Be quiet. Only emit error messages.
|
|
.It Fl s
|
|
Send messages to syslog in addition to
|
|
.Em stderr
|
|
and
|
|
.Em stdout .
|
|
.It Fl -syslog-facility Ar facility
|
|
Syslog facility to use. Default is
|
|
.Ar daemon .
|
|
.It Fl -write-ip
|
|
Write 1 octet with the IP family followed by the IP address in 4
|
|
(IPv4) or 16 (IPv6) octets little-endian to backend before the actual
|
|
data.
|
|
.It Fl -write-proxy
|
|
Write HaProxy's PROXY (IPv4 or IPv6) protocol line
|
|
before actual data.
|
|
.El
|
|
.Sh SEE ALSO
|
|
.Xr ciphers 1SSL ,
|
|
.Xr dhparam 1SSL ,
|
|
.Xr haproxy 1
|
|
.Sh AUTHORS
|
|
.Nm
|
|
was originally written by Jamie Turner (@jamwt) and is maintained by
|
|
the Bump server team. It currently provides server-side TLS
|
|
termination for over 40 million Bump users.
|