stud man page
NAME
stud — The Scalable TLS Unwrapping Daemon
SYNOPSIS
stud [--tls] [--ssl] [-c ciphers] [-e engine] [-b host,port] [-f host,port] [-n cores] [-B backlog] [-C shared-cache] [-r chroot] [-u user] [-q] [-s] [--syslog-facility facility] [--write-ip] [--write-proxy] pem-file
DESCRIPTION
stud is a network proxy that terminates TLS/SSL connections and forwards the unencrypted traffic to some backend. It's designed to handle tens of thousands of connections efficiently on multicore machines.
stud has very few features -- it's designed to be paired with an intelligent backend like haproxy or nginx. It maintains a strict 1:1 connection pattern with this backend handler so that the backend can dictate throttling behavior, maximum connection behavior, availability of service, etc.
The only required argument is a path to a PEM file that contains the certificate (or a chain of certificates) and private key. It should also contain DH parameter if you wish to use Diffie-Hellman cipher suites.
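Because stud takes a single PEM file and hands it to OpenSSL, a bundle that is missing a part fails only at startup, or silently drops DHE suites when the DH parameters are absent. The following is an added example, not stud's own code, of a pre-flight check for that bundle. It inventories the PEM blocks, verifies each body is valid base64 (catching truncated files), requires exactly one private key, and treats a passphrase-protected key as a problem because none of stud's options supplies a passphrase. It also assumes stud loads the file with OpenSSL's certificate-chain loader, which expects the server's own certificate first, followed by the chain; the sample bundles below are constructed for the example and contain no real key material.

```python
import binascii
import re
from typing import Dict, List

# One PEM block: the label ("CERTIFICATE", "DH PARAMETERS", ...) and its base64 body.
# The END label must repeat the BEGIN label, which the backreference enforces.
PEM_BLOCK_RE = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL
)

CERT_LABELS = {"CERTIFICATE"}
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY", "DSA PRIVATE KEY"}
DH_LABELS = {"DH PARAMETERS"}


def pem_labels(text: str) -> List[str]:
    """Return the labels of every well-formed PEM block, in file order."""
    return [m.group(1) for m in PEM_BLOCK_RE.finditer(text)]


def check_stud_pem(text: str) -> Dict[str, object]:
    """Inventory a PEM bundle the way stud's single PEM argument needs it.

    'problems' are conditions under which stud will not serve correctly;
    'warnings' mean it will start with reduced capability.
    """
    problems: List[str] = []
    warnings: List[str] = []
    labels: List[str] = []
    for m in PEM_BLOCK_RE.finditer(text):
        label, body = m.group(1), m.group(2)
        labels.append(label)
        try:
            binascii.a2b_base64("".join(body.split()))
        except binascii.Error:
            problems.append(f"{label} block is not valid base64 (truncated or corrupted?)")
    # Either PKCS#8 encrypted keys or legacy "Proc-Type: 4,ENCRYPTED" keys need a passphrase.
    if "ENCRYPTED PRIVATE KEY" in text or "Proc-Type: 4,ENCRYPTED" in text:
        problems.append("private key is passphrase-protected; stud has no option to supply one")
    certs = [l for l in labels if l in CERT_LABELS]
    keys = [l for l in labels if l in KEY_LABELS]
    dh = [l for l in labels if l in DH_LABELS]
    if not certs:
        problems.append("no CERTIFICATE block")
    elif labels[0] not in CERT_LABELS:
        # Assumption: OpenSSL's chain loader reads the server (leaf) certificate first.
        problems.append(f"first block is {labels[0]!r}; the server certificate must come first")
    if len(keys) != 1:
        problems.append(f"expected exactly one private key block, found {len(keys)}")
    if not dh:
        warnings.append("no DH PARAMETERS block: DHE cipher suites will not be offered")
    return {
        "certificates": len(certs),
        "private_keys": len(keys),
        "dh_params": len(dh),
        "problems": problems,
        "warnings": warnings,
    }


# Constructed sample bundles (bodies are tiny base64 strings, not real keys or certs).
SAMPLE_OK = (
    "-----BEGIN CERTIFICATE-----\nQUJD\n-----END CERTIFICATE-----\n"
    "-----BEGIN CERTIFICATE-----\nREVG\n-----END CERTIFICATE-----\n"
    "-----BEGIN RSA PRIVATE KEY-----\nR0hJ\n-----END RSA PRIVATE KEY-----\n"
    "-----BEGIN DH PARAMETERS-----\nSktM\n-----END DH PARAMETERS-----\n"
)
SAMPLE_KEY_FIRST_NO_DH = (
    "-----BEGIN RSA PRIVATE KEY-----\nR0hJ\n-----END RSA PRIVATE KEY-----\n"
    "-----BEGIN CERTIFICATE-----\nQUJD\n-----END CERTIFICATE-----\n"
)
SAMPLE_TRUNCATED_KEY = (
    "-----BEGIN CERTIFICATE-----\nQUJD\n-----END CERTIFICATE-----\n"
    "-----BEGIN RSA PRIVATE KEY-----\nR0h\n-----END RSA PRIVATE KEY-----\n"
)

if __name__ == "__main__":
    for name, sample in [("ok", SAMPLE_OK), ("key-first", SAMPLE_KEY_FIRST_NO_DH),
                         ("truncated", SAMPLE_TRUNCATED_KEY)]:
        print(name, check_stud_pem(sample))
```

Run it against the real bundle with `check_stud_pem(open(path).read())` before starting stud; a non-empty `problems` list is worth fixing before the daemon is restarted under chroot and with privileges dropped, where diagnosing a bad file is harder.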
The options are as follows:
--tls
        Use TLSv1 (default).
--ssl
        Use only SSLv3 and no TLSv1.
-c ciphers
        Set allowed ciphers using the same format as openssl ciphers. For example, you can use
-e engine
        Specify an OpenSSL engine by its unique ID. The engine will be used by default for all algorithms. The keyword auto can be used to load all available engines.
-b host,port
        Define backend. Default is 127.0.0.1,8000. Incoming connections will be unwrapped and sent to this IP and port.
-f host,port
        Define frontend. Default is *,8443. Incoming connections will be accepted on this IP and port and will be sent to the backend defined above.
-n cores
        Use cores worker processes. Default is 1.
-B backlog
        Set listen backlog size. Default is 100.
-C shared-cache
        Set shared cache size in sessions. By default, no shared cache is used.
-r chroot
        Chroot to the given path. By default, no chroot is done.
-u user
        Set GID/UID after binding the socket. By default, no privilege is dropped.
-q
        Be quiet. Only emit error messages.
-s
        Send messages to syslog in addition to stderr and stdout.
--syslog-facility facility
        Syslog facility to use. Default is
--write-ip
        Write 1 octet with the IP family followed by the IP address in 4 (IPv4) or 16 (IPv6) octets little-endian to the backend before the actual data.
--write-proxy
        Write HAProxy's PROXY (IPv4 or IPv6) protocol line before the actual data.
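Both of these options prepend the TLS client's address to the stream so the backend can see it; the backend therefore has to strip that prefix before reading application data, and should honour it only on the socket stud connects to (loopback or a private interface), because anyone able to reach the backend port directly could otherwise supply an arbitrary client address. The following is an added example, not stud's or HAProxy's code, of backend-side parsing for both formats. It assumes the --write-ip family octet is 4 for IPv4 and 6 for IPv6 and that the address octets are consumed in the order they arrive on the wire; both are assumptions to confirm against stud's source. The PROXY line parsing follows HAProxy's published PROXY protocol version 1 format (a line of at most 107 bytes ending in CRLF, with "PROXY UNKNOWN" meaning no address was conveyed). Sample inputs are constructed.

```python
import ipaddress
from typing import Optional, Tuple

# Family octet -> address length, as assumed for stud's --write-ip prefix (4 = IPv4, 6 = IPv6).
FAMILY_OCTETS = {4: 4, 6: 16}

# Longest legal PROXY protocol v1 line (TCP6, maximal addresses and ports), CRLF included.
PROXY_V1_MAX_LEN = 107


def parse_write_ip(buf: bytes) -> Optional[Tuple[str, bytes]]:
    """Split stud's --write-ip prefix off the start of `buf`.

    Returns (client_ip, remaining_bytes), or None when the prefix is incomplete
    (read more and retry). Raises ValueError on an unknown family octet.
    """
    if not buf:
        return None
    family = buf[0]
    if family not in FAMILY_OCTETS:
        raise ValueError(f"unknown address-family octet {family}")
    n = FAMILY_OCTETS[family]
    if len(buf) < 1 + n:
        return None
    # Address octets are consumed in wire order (assumption, see lead-in);
    # ipaddress accepts the 4- or 16-byte packed form directly.
    addr = ipaddress.ip_address(bytes(buf[1:1 + n]))
    return str(addr), buf[1 + n:]


def parse_proxy_v1(buf: bytes) -> Optional[Tuple[str, bytes]]:
    """Split a PROXY protocol v1 line off the start of `buf`.

    Returns (client_ip, remaining_bytes); client_ip is "" for "PROXY UNKNOWN",
    where the receiver falls back to the socket's peer address. Returns None while
    the CRLF has not arrived. Raises ValueError on anything that is not a valid line.
    """
    end = buf.find(b"\r\n")
    if end == -1:
        if len(buf) >= PROXY_V1_MAX_LEN:
            raise ValueError("no CRLF within the maximum header length; not a PROXY v1 line")
        return None
    if end + 2 > PROXY_V1_MAX_LEN:
        raise ValueError("PROXY v1 line too long")
    fields = buf[:end].split(b" ")
    if fields[0] != b"PROXY":
        raise ValueError("missing PROXY signature")
    rest = buf[end + 2:]
    if len(fields) >= 2 and fields[1] == b"UNKNOWN":
        return "", rest
    if len(fields) != 6 or fields[1] not in (b"TCP4", b"TCP6"):
        raise ValueError("malformed PROXY v1 line")
    proto, src, dst, sport, dport = fields[1:]
    try:
        src_ip = ipaddress.ip_address(src.decode("ascii"))
        dst_ip = ipaddress.ip_address(dst.decode("ascii"))
    except (UnicodeDecodeError, ValueError) as exc:
        raise ValueError(f"bad address in PROXY line: {exc}") from None
    want = 4 if proto == b"TCP4" else 6
    if src_ip.version != want or dst_ip.version != want:
        raise ValueError("address family does not match TCP4/TCP6")
    for port in (sport, dport):
        if not port.isdigit() or not 0 <= int(port) <= 65535:
            raise ValueError(f"bad port {port!r}")
    return str(src_ip), rest


def split_client_prefix(buf: bytes, mode: str) -> Optional[Tuple[str, bytes]]:
    """Dispatch on whichever stud option the backend was configured to expect."""
    if mode == "write-ip":
        return parse_write_ip(buf)
    if mode == "write-proxy":
        return parse_proxy_v1(buf)
    raise ValueError(f"unknown mode {mode!r}")


if __name__ == "__main__":
    # Constructed samples of what a backend would read from stud's connection.
    print(split_client_prefix(b"\x04\xc0\x00\x02\x0aGET / HTTP/1.1\r\n", "write-ip"))
    print(split_client_prefix(
        b"PROXY TCP4 192.0.2.10 198.51.100.1 41234 443\r\nGET / HTTP/1.1\r\n", "write-proxy"))
```

The parsers deliberately return None rather than guessing when the prefix has not fully arrived, since stud's prefix and the first application bytes can land in separate reads; a backend should buffer until one of them returns a result, then hand the remainder to its normal protocol handler.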
SEE ALSO
ciphers(1SSL), dhparam(1SSL), haproxy(1)
AUTHORS
stud was originally written by Jamie Turner (@jamwt) and is maintained by the Bump server team. It currently provides server-side TLS termination for over 40 million Bump users.