is a libev-based high performance SSL/TLS proxy that terminates TLS/SSL connections and forwards the unencrypted traffic to some backend.
| hitch.conf.5 (hitch-1.5.2) | : | hitch.conf.5 (hitch-1.6.0) |
|---|
| | |
| skipping to change at line 58 | | skipping to change at line 58 |
|---|
| backlog = <number> | | backlog = <number> |
| Listen backlog size | | Listen backlog size |
| | |
| chroot = <string> | | chroot = <string> |
| Chroot directory | | Chroot directory |
| | |
| ciphers = ... | | ciphers = ... |
| List of ciphers to use in the secure communication. Refer to the OpenS
SL documentation for a complete | | List of ciphers to use in the secure communication. Refer to the OpenS
SL documentation for a complete |
| list of supported ciphers. | | list of supported ciphers. |
| | |
|
| If not specified, OpenSSL will allow all ciphers. System administrators a | | Each cipher in the list must be separated by a colon (:), in order of pr |
| re advised to either only sup- | | eference. See ciphers(1) for |
| port strong ciphers (as in the example file below) or to pay close a | | further description of the format. |
| ttention to security advisories | | |
| | If not specified, OpenSSL will allow all ciphers. System administrators |
| | are advised to either only sup- |
| | port strong ciphers (as in the example file below) or to pay close atte |
| | ntion to security advisories |
| related OpenSSL's ciphers. | | related OpenSSL's ciphers. |
| | |
|
| | This option applies to TLSv1.2 and below. For TLSv1.3, see ciphersuites. |
| | |
| | This option is also available in frontend blocks. |
| | |
| | ciphersuites = <string> |
| | Specifies available ciphersuites for TLSv1.3. Similar to ciphers, entries |
| | must be separated by colon (:) |
| | and sorted in order of preference. |
| | |
| | This option is also available in frontend blocks. |
| | |
| | client-verify = required|optional|none |
| | Configures client certificate validation. The setting must be one of none |
| | , required or optional. |
| | |
| | The default setting is client-verify = none, in which case Hitch will not |
| | send a certificate request to |
| | the client. |
| | |
| | If client-verify = require is configured, Hitch will only permit connec |
| | tions that present a valid cer- |
| | tificate. The certificate will be verified using the certificate provided |
| | in the client-verify-ca param- |
| | eter. |
| | |
| | If optional, Hitch will send certificate requests, but still permit conne |
| | ctions that do not present one. |
| | |
| | For settings optional and required, we also require that the client-verif |
| | y-ca is configured. |
| | |
| | This option is also available in frontend blocks. If specified in a front |
| | end block, the client verifica- |
| | tion setting will only apply to the pem-file records for that particular |
| | frontend. |
| | |
| | client-verify-ca = <string> |
| | Specifies a file containing the certificates of the CAs that will be used |
| | to verify a client certifi- |
| | cate. |
| | |
| | For multiple CAs, this file can be a concatenation of multiple pem-fil |
| | es for the relevant certificate |
| | authorities. |
| | |
| This option is also available in frontend blocks. | | This option is also available in frontend blocks. |
| | |
| daemon = on|off | | daemon = on|off |
| Run as daemon. Default is off. | | Run as daemon. Default is off. |
| | |
| frontend = ... | | frontend = ... |
| This specifies the port and interface (the listen endpoint) that Hitch bi
nds to when listening for con- | | This specifies the port and interface (the listen endpoint) that Hitch bi
nds to when listening for con- |
| nections. It is possible define several frontends, and Hitch will bind
to several ports and/or several | | nections. It is possible define several frontends, and Hitch will bind
to several ports and/or several |
| interfaces. | | interfaces. |
| | |
| | |
| skipping to change at line 138 | | skipping to change at line 175 |
|---|
| | |
| ocsp-verify-staple = on|off | | ocsp-verify-staple = on|off |
| If set, OCSP responses will be verified against the certificate after ret
rieval. | | If set, OCSP responses will be verified against the certificate after ret
rieval. |
| | |
| Default is off. | | Default is off. |
| | |
| pem-file = <string> | | pem-file = <string> |
| Specify a SSL x509 certificate file. Server Name Indication (SNI) is sup
ported by using one certificate | | Specify a SSL x509 certificate file. Server Name Indication (SNI) is sup
ported by using one certificate |
| file per SNI name. | | file per SNI name. |
| | |
|
| Certificates are used in the order they are listed; the last certificate | | A file suitable for Hitch is a concatenation of a private key and a corre |
| listed will be used if none of | | sponding certificate or cer- |
| the others match. | | |
| | | |
| A file suitable for Hitch is a concatenation of a private key and a co | | |
| rresponding certificate or cer- | | |
| tificate chain. | | tificate chain. |
| | |
| At least one PEM file is needed for Hitch to start, but it can be supplie
d on the command line. | | At least one PEM file is needed for Hitch to start, but it can be supplie
d on the command line. |
| | |
|
| | Certificates are used in the order they are listed; the last certificate |
| | listed will be used if none of |
| | the others match. |
| | |
| | In the event that we have multiple certificates that provide the same SN |
| | I string, an error will be |
| | logged. The last loaded certificate will in that case take precendence. |
| | |
| | For partial overlap in names, e.g. if one certificate provides "w |
| | ww.example.com" and another one |
| | "*.example.com", the most specific match will always take precendence at |
| | SNI lookup. |
| | |
| This option is also available in a frontend declaration, to make a certif
icate only available for a spe- | | This option is also available in a frontend declaration, to make a certif
icate only available for a spe- |
| cific listen endpoint. | | cific listen endpoint. |
| | |
| private-key = <string> | | private-key = <string> |
| If set, the private key is read from specified location, not from the cer
t file. | | If set, the private key is read from specified location, not from the cer
t file. |
| | |
| pem-file = { | | pem-file = { |
| cert = "mycert.pem" | | cert = "mycert.pem" |
| private-key = "myprivate.key" | | private-key = "myprivate.key" |
| } | | } |
| | |
| skipping to change at line 213 | | skipping to change at line 256 |
|---|
| The SSL/TLS protocols to be used. This is an unquoted list of tokens.
Available tokens are SSLv3, | | The SSL/TLS protocols to be used. This is an unquoted list of tokens.
Available tokens are SSLv3, |
| TLSv1.0, TLSv1.1, TLSv1.2 and TLSv1.3. | | TLSv1.0, TLSv1.1, TLSv1.2 and TLSv1.3. |
| | |
| The default is TLSv1.2 and TLSv1.3. | | The default is TLSv1.2 and TLSv1.3. |
| | |
| There are two deprecated options, ssl= and tls=, that also select proto
cols. If "ssl=on" is used, then | | There are two deprecated options, ssl= and tls=, that also select proto
cols. If "ssl=on" is used, then |
| all protocols are selected. This is known to be insecure, and is strongly
discouraged. If "tls=on" is | | all protocols are selected. This is known to be insecure, and is strongly
discouraged. If "tls=on" is |
| used, the three TLS protocol versions will be used. Turning on SSLv3 a
nd TLSv1.0 is not recommended - | | used, the three TLS protocol versions will be used. Turning on SSLv3 a
nd TLSv1.0 is not recommended - |
| support for these protocols are only kept for backwards compatibility. | | support for these protocols are only kept for backwards compatibility. |
| | |
|
| | The availability of protocol versions depend on OpenSSL version and syste |
| | m configuration. In particular |
| | for TLS 1.3, openssl 1.1.1 or later is required. |
| | |
| | For supporting legacy protocol versions you may also need to lower t |
| | he MinProtocol property in your |
| | OpenSSL configuration (typically /etc/ssl/openssl.cnf). |
| | |
| This option is also available in frontend blocks. | | This option is also available in frontend blocks. |
| | |
|
| | ecdh-curve = <string> |
| | Sets the list of supported TLS curves. A special value of auto will leave |
| | it up to OpenSSL to automati- |
| | cally pick the most appropriate curve for a client. |
| | |
| | ecdh-curve = "X25519:prime256v1:secp384r1" |
| | |
| sni-nomatch-abort = on|off | | sni-nomatch-abort = on|off |
| Abort handshake when the client submits an unrecognized SNI server name. | | Abort handshake when the client submits an unrecognized SNI server name. |
| | |
| This option is also available in a frontend declaration. | | This option is also available in a frontend declaration. |
| | |
| ssl-engine = <string> | | ssl-engine = <string> |
|
| Set the SSL engine. This is used with SSL accelerator cards. See the Ope
nSSL documentation for legal | | Set the SSL engine. This is used with SSL accelerator cards. See the
OpenSSL documentation for legal |
| values. | | values. |
| | |
| syslog = on|off | | syslog = on|off |
| Send messages to syslog. Default is off. | | Send messages to syslog. Default is off. |
| | |
| syslog-facility = <string> | | syslog-facility = <string> |
| Set the syslog facility. Default is "daemon". | | Set the syslog facility. Default is "daemon". |
| | |
| user = <string> | | user = <string> |
|
| User to run as. If Hitch is started as root, it will insist on chang
ing to a user with lower rights | | User to run as. If Hitch is started as root, it will insist on changing t
o a user with lower rights |
| after binding to sockets. | | after binding to sockets. |
| | |
| workers = <number> | | workers = <number> |
| Number of worker processes. One per CPU core is recommended. | | Number of worker processes. One per CPU core is recommended. |
| | |
| write-ip = on|off | | write-ip = on|off |
| Report the client ip to the backend by writing IP before sending data. | | Report the client ip to the backend by writing IP before sending data. |
| | |
|
| This option is mutually exclusive with each of the options write
-proxy-v2, write-proxy-v1 and | | This option is mutually exclusive with each of the options writ
e-proxy-v2, write-proxy-v1 and |
| proxy-proxy. | | proxy-proxy. |
| | |
| Default is off. | | Default is off. |
| | |
| write-proxy-v1 = on|off | | write-proxy-v1 = on|off |
| Report client address using the PROXY protocol. | | Report client address using the PROXY protocol. |
| | |
| This option is mutually exclusive with option write-proxy-v2, write-ip an
d proxy-proxy. | | This option is mutually exclusive with option write-proxy-v2, write-ip an
d proxy-proxy. |
| | |
| Default is off. | | Default is off. |
| | |
| write-proxy-v2 = on|off | | write-proxy-v2 = on|off |
| Report client address using PROXY v2 protocol. | | Report client address using PROXY v2 protocol. |
| | |
| This option is mutually exclusive with option write-ip, write-proxy-v1 an
d proxy-proxy. | | This option is mutually exclusive with option write-ip, write-proxy-v1 an
d proxy-proxy. |
| | |
| Default is off. | | Default is off. |
| | |
| proxy-tlv = on|off | | proxy-tlv = on|off |
|
| Report the chosen cipher and protocol as part of the PROXYv2 header. | | Report extra information as part of the PROXYv2 header. |
| | |
| | Currently the following will be transmitted when proxy-tlv is enabled: |
| | |
| | · Cipher |
| | |
| | · Protocol version |
| | |
| | · Client certificate verification result |
| | |
| | · Whether the client transmitted a certificate as part |
| | of this connection/session |
| | (PP2_CLIENT_CERT_CONN, PP2_CLIENT_CERT_SESS) |
| | |
| Default is on. | | Default is on. |
| | |
| tcp-fastopen = on|off | | tcp-fastopen = on|off |
| Enable TCP Fast Open. | | Enable TCP Fast Open. |
| | |
| Default is off. | | Default is off. |
| | |
| EXAMPLE | | EXAMPLE |
| The following file shows the syntax needed to get started with: | | The following file shows the syntax needed to get started with: |
| | | |
| End of changes. 10 change blocks. |
|---|
| 14 lines changed or deleted | | 99 lines changed or added |
|---|
"Fossies" - the Fresh Open Source Software Archive 