"Fossies" - the Fresh Open Source Software Archive  

Source code changes of the file "hitch.conf.5" between
hitch-1.5.2.tar.gz and hitch-1.6.0.tar.gz

About: Hitch is a libev-based high performance SSL/TLS proxy that terminates TLS/SSL connections and forwards the unencrypted traffic to some backend.

hitch.conf.5  (hitch-1.5.2):hitch.conf.5  (hitch-1.6.0)
skipping to change at line 58 skipping to change at line 58
backlog = <number> backlog = <number>
Listen backlog size Listen backlog size
chroot = <string> chroot = <string>
Chroot directory Chroot directory
ciphers = ... ciphers = ...
List of ciphers to use in the secure communication. Refer to the OpenS SL documentation for a complete List of ciphers to use in the secure communication. Refer to the OpenS SL documentation for a complete
list of supported ciphers. list of supported ciphers.
If not specified, OpenSSL will allow all ciphers. System administrators a Each cipher in the list must be separated by a colon (:), in order of pr
re advised to either only sup- eference. See ciphers(1) for
port strong ciphers (as in the example file below) or to pay close a further description of the format.
ttention to security advisories
If not specified, OpenSSL will allow all ciphers. System administrators
are advised to either only sup-
port strong ciphers (as in the example file below) or to pay close atte
ntion to security advisories
related OpenSSL's ciphers. related OpenSSL's ciphers.
This option applies to TLSv1.2 and below. For TLSv1.3, see ciphersuites.
This option is also available in frontend blocks.
ciphersuites = <string>
Specifies available ciphersuites for TLSv1.3. Similar to ciphers, entries
must be separated by colon (:)
and sorted in order of preference.
This option is also available in frontend blocks.
client-verify = required|optional|none
Configures client certificate validation. The setting must be one of none
, required or optional.
The default setting is client-verify = none, in which case Hitch will not
send a certificate request to
the client.
If client-verify = require is configured, Hitch will only permit connec
tions that present a valid cer-
tificate. The certificate will be verified using the certificate provided
in the client-verify-ca param-
eter.
If optional, Hitch will send certificate requests, but still permit conne
ctions that do not present one.
For settings optional and required, we also require that the client-verif
y-ca is configured.
This option is also available in frontend blocks. If specified in a front
end block, the client verifica-
tion setting will only apply to the pem-file records for that particular
frontend.
client-verify-ca = <string>
Specifies a file containing the certificates of the CAs that will be used
to verify a client certifi-
cate.
For multiple CAs, this file can be a concatenation of multiple pem-fil
es for the relevant certificate
authorities.
This option is also available in frontend blocks. This option is also available in frontend blocks.
daemon = on|off daemon = on|off
Run as daemon. Default is off. Run as daemon. Default is off.
frontend = ... frontend = ...
This specifies the port and interface (the listen endpoint) that Hitch bi nds to when listening for con- This specifies the port and interface (the listen endpoint) that Hitch bi nds to when listening for con-
nections. It is possible define several frontends, and Hitch will bind to several ports and/or several nections. It is possible define several frontends, and Hitch will bind to several ports and/or several
interfaces. interfaces.
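Review bot: the added client-verify description contradicts the option's own value list on these lines: the heading reads client-verify = required|optional|none, but the text says "If client-verify = require is configured"; it should say required, matching the heading and the later sentence "For settings optional and required". Two smaller points in the same region: the new ciphersuites entry reads "must be separated by colon (:)" (missing "a"), and it would help to point at the OpenSSL TLSv1.3 ciphersuite format the way the ciphers entry points at ciphers(1); and the pre-existing "security advisories related OpenSSL's ciphers" still lacks "to".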
skipping to change at line 138 skipping to change at line 175
ocsp-verify-staple = on|off ocsp-verify-staple = on|off
If set, OCSP responses will be verified against the certificate after ret rieval. If set, OCSP responses will be verified against the certificate after ret rieval.
Default is off. Default is off.
pem-file = <string> pem-file = <string>
Specify a SSL x509 certificate file. Server Name Indication (SNI) is sup ported by using one certificate Specify a SSL x509 certificate file. Server Name Indication (SNI) is sup ported by using one certificate
file per SNI name. file per SNI name.
Certificates are used in the order they are listed; the last certificate A file suitable for Hitch is a concatenation of a private key and a corre
listed will be used if none of sponding certificate or cer-
the others match.
A file suitable for Hitch is a concatenation of a private key and a co
rresponding certificate or cer-
tificate chain. tificate chain.
At least one PEM file is needed for Hitch to start, but it can be supplie d on the command line. At least one PEM file is needed for Hitch to start, but it can be supplie d on the command line.
Certificates are used in the order they are listed; the last certificate
listed will be used if none of
the others match.
In the event that we have multiple certificates that provide the same SN
I string, an error will be
logged. The last loaded certificate will in that case take precendence.
For partial overlap in names, e.g. if one certificate provides "w
ww.example.com" and another one
"*.example.com", the most specific match will always take precendence at
SNI lookup.
This option is also available in a frontend declaration, to make a certif icate only available for a spe- This option is also available in a frontend declaration, to make a certif icate only available for a spe-
cific listen endpoint. cific listen endpoint.
private-key = <string> private-key = <string>
If set, the private key is read from specified location, not from the cer t file. If set, the private key is read from specified location, not from the cer t file.
pem-file = { pem-file = {
cert = "mycert.pem" cert = "mycert.pem"
private-key = "myprivate.key" private-key = "myprivate.key"
} }
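Review bot: "precendence" is misspelled twice in the added pem-file text ("The last loaded certificate will in that case take precendence" and "the most specific match will always take precendence at SNI lookup"); both should read "precedence". The duplicate-SNI paragraph should also say explicitly whether Hitch still starts in that case: "an error will be logged" followed by "The last loaded certificate will in that case take precedence" implies it does, but the reader has to infer it.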
skipping to change at line 213 skipping to change at line 256
The SSL/TLS protocols to be used. This is an unquoted list of tokens. Available tokens are SSLv3, The SSL/TLS protocols to be used. This is an unquoted list of tokens. Available tokens are SSLv3,
TLSv1.0, TLSv1.1, TLSv1.2 and TLSv1.3. TLSv1.0, TLSv1.1, TLSv1.2 and TLSv1.3.
The default is TLSv1.2 and TLSv1.3. The default is TLSv1.2 and TLSv1.3.
There are two deprecated options, ssl= and tls=, that also select proto cols. If "ssl=on" is used, then There are two deprecated options, ssl= and tls=, that also select proto cols. If "ssl=on" is used, then
all protocols are selected. This is known to be insecure, and is strongly discouraged. If "tls=on" is all protocols are selected. This is known to be insecure, and is strongly discouraged. If "tls=on" is
used, the three TLS protocol versions will be used. Turning on SSLv3 a nd TLSv1.0 is not recommended - used, the three TLS protocol versions will be used. Turning on SSLv3 a nd TLSv1.0 is not recommended -
support for these protocols are only kept for backwards compatibility. support for these protocols are only kept for backwards compatibility.
The availability of protocol versions depend on OpenSSL version and syste
m configuration. In particular
for TLS 1.3, openssl 1.1.1 or later is required.
For supporting legacy protocol versions you may also need to lower t
he MinProtocol property in your
OpenSSL configuration (typically /etc/ssl/openssl.cnf).
This option is also available in frontend blocks. This option is also available in frontend blocks.
ecdh-curve = <string>
Sets the list of supported TLS curves. A special value of auto will leave
it up to OpenSSL to automati-
cally pick the most appropriate curve for a client.
ecdh-curve = "X25519:prime256v1:secp384r1"
sni-nomatch-abort = on|off sni-nomatch-abort = on|off
Abort handshake when the client submits an unrecognized SNI server name. Abort handshake when the client submits an unrecognized SNI server name.
This option is also available in a frontend declaration. This option is also available in a frontend declaration.
ssl-engine = <string> ssl-engine = <string>
Set the SSL engine. This is used with SSL accelerator cards. See the Ope nSSL documentation for legal Set the SSL engine. This is used with SSL accelerator cards. See the OpenSSL documentation for legal
values. values.
syslog = on|off syslog = on|off
Send messages to syslog. Default is off. Send messages to syslog. Default is off.
syslog-facility = <string> syslog-facility = <string>
Set the syslog facility. Default is "daemon". Set the syslog facility. Default is "daemon".
user = <string> user = <string>
User to run as. If Hitch is started as root, it will insist on chang ing to a user with lower rights User to run as. If Hitch is started as root, it will insist on changing t o a user with lower rights
after binding to sockets. after binding to sockets.
workers = <number> workers = <number>
Number of worker processes. One per CPU core is recommended. Number of worker processes. One per CPU core is recommended.
write-ip = on|off write-ip = on|off
Report the client ip to the backend by writing IP before sending data. Report the client ip to the backend by writing IP before sending data.
This option is mutually exclusive with each of the options write -proxy-v2, write-proxy-v1 and This option is mutually exclusive with each of the options writ e-proxy-v2, write-proxy-v1 and
proxy-proxy. proxy-proxy.
Default is off. Default is off.
write-proxy-v1 = on|off write-proxy-v1 = on|off
Report client address using the PROXY protocol. Report client address using the PROXY protocol.
This option is mutually exclusive with option write-proxy-v2, write-ip an d proxy-proxy. This option is mutually exclusive with option write-proxy-v2, write-ip an d proxy-proxy.
Default is off. Default is off.
write-proxy-v2 = on|off write-proxy-v2 = on|off
Report client address using PROXY v2 protocol. Report client address using PROXY v2 protocol.
This option is mutually exclusive with option write-ip, write-proxy-v1 an d proxy-proxy. This option is mutually exclusive with option write-ip, write-proxy-v1 an d proxy-proxy.
Default is off. Default is off.
proxy-tlv = on|off proxy-tlv = on|off
Report the chosen cipher and protocol as part of the PROXYv2 header. Report extra information as part of the PROXYv2 header.
Currently the following will be transmitted when proxy-tlv is enabled:
· Cipher
· Protocol version
· Client certificate verification result
· Whether the client transmitted a certificate as part
of this connection/session
(PP2_CLIENT_CERT_CONN, PP2_CLIENT_CERT_SESS)
Default is on. Default is on.
tcp-fastopen = on|off tcp-fastopen = on|off
Enable TCP Fast Open. Enable TCP Fast Open.
Default is off. Default is off.
EXAMPLE EXAMPLE
The following file shows the syntax needed to get started with: The following file shows the syntax needed to get started with:
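Review bot: the new ecdh-curve entry gives no default value, while the neighbouring options (ocsp-verify-staple, daemon, syslog, write-ip, proxy-tlv, tcp-fastopen) each end with a "Default is ..." line; state what is used when ecdh-curve is unset (whether that is the special value auto or a fixed list) and, as every other option does, whether it may appear in frontend blocks. In the same region, the added tls-protos sentence should read "The availability of protocol versions depends on OpenSSL version and system configuration", and the proxy-tlv list attaches PROXY v2 TLV names only to its last item (PP2_CLIENT_CERT_CONN, PP2_CLIENT_CERT_SESS); giving the cipher, protocol version and client certificate verification result items their TLV names too would tell backend authors which fields to parse.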
 End of changes. 10 change blocks. 
14 lines changed or deleted 99 lines changed or added
