"Fossies" - the Fresh Open Source Software Archive

Member "stud-0.3/stud.8" (2 Nov 2011, 4511 Bytes) of package /linux/privat/old/stud-0.3.tar.gz:

Caution: As a special service "Fossies" has tried to format the requested manual source page into HTML format but links to other man pages may be missing or even erroneous. Alternatively you can here view or download the uninterpreted manual source code. A member file download can also be achieved by clicking within a package contents listing on the according byte size field.

STUD(8) BSD System Manager’s Manual STUD(8)


stud — The Scalable TLS Unwrapping Daemon


stud [−-tls] [−-ssl] [−c ciphers] [−e engine] [−b host,port] [−f host,port] [−n cores] [−B backlog] [−C cache] [−r path] [−u username] [−qs] [−-write-ip] [−-write-proxy] certificate.pem


stud is a network proxy that terminates TLS/SSL connections and forwards the unencrypted traffic to some backend. It’s designed to handle 10s of thousands of connections efficiently on multicore machines.

stud has very few features -- it’s designed to be paired with an intelligent backend like haproxy or nginx. It maintains a strict 1:1 connection pattern with this backend handler so that the backend can dictate throttling behavior, maxmium connection behavior, availability of service, etc.

The only required argument is a path to a PEM file that contains the certificate (or a chain of certificates) and private key. It should also contain DH parameter if you wish to use Diffie-Hellman cipher suites.

The options are as follows:


Use TLSv1 (default).


Use only SSLv3 and no TLSv1.

−c ciphers

Set allowed ciphers using the same format as openssl ciphers. For example, you can use RSA:!COMPLEMENTOFALL.

−e engine

Specify an OpenSSL engine by its unique ID. The engine will be used by default for all algorithms. The keyword auto can be used to load all available engines.

−b host,port

Define backend. Default is,8000. Incoming connections will be unwrapped and sent to this IP and port.

−f host,port

Define frontend. Default is *,8443. Incoming connections will be accepted to this IP and port and will be sent to the backend defined above.

−n cores

Use cores worker processes. Default is 1.

−B backlog

Set listen backlog size. Default is 100.

−C cache

Set shared cache size in sessions. By default, no shared cache is used.

−r path

Chroot to the given path. By default, no chroot is done.

−u username

Set GID/UID after binding the socket. By default, no privilege is dropped.


Be quiet. Only emit error messages.


Send messages to syslog in addition to stderr and stdout.


Write 1 octet with the IP family followed by the IP address in 4 (IPv4) or 16 (IPv6) octets little-endian to backend before the actual data.


Write HaProxy’s PROXY (IPv4 or IPv6) protocol line before actual data.


ciphers(1SSL), dhparam(1SSL), haproxy(1)


stud was originally written by Jamie Turner (@jamwt) and is maintained by the Bump server team. It currently provides server-side TLS termination for over 40 million Bump users.

BSD September 23, 2011 BSD