STUD(8) BSD System Manager's Manual STUD(8)
NAME
stud -- The Scalable TLS Unwrapping Daemon
SYNOPSIS
stud [--tls] [--ssl] [-c ciphers] [-b host,port] [-f host,port] [-n cores] [-r path] [-u username] [--write-ip] [--write-proxy]
certificate.pem
DESCRIPTION
stud is a network proxy that terminates TLS/SSL connections and forwards the unencrypted traffic to some backend. It's designed to handle
tens of thousands of connections efficiently on multicore machines.
stud has very few features -- it's designed to be paired with an intelligent backend like haproxy or nginx. It maintains a strict 1:1
connection pattern with this backend handler so that the backend can dictate throttling behavior, maximum connection behavior, availability
of service, etc.
The only required argument is a path to a PEM file that contains the certificate (or a chain of certificates) and private key. It should also
contain DH parameters if you wish to use Diffie-Hellman cipher suites.
The options are as follows:
--tls   Use TLSv1 (default).
--ssl   Use only SSLv3 and no TLSv1.
-c ciphers
        Set allowed ciphers using the same format as openssl ciphers. For example, you can use RSA:!COMPLEMENTOFALL.
-b host,port
        Define backend. Default is 127.0.0.1,8000. Incoming connections will be unwrapped and sent to this IP and port.
-f host,port
        Define frontend. Default is *,8443. Incoming connections will be accepted on this IP and port and will be sent to the
        backend defined above.
-n cores
        Use cores worker processes. Default is 1.
-r path
        Chroot to the given path. By default, no chroot is done.
-u username
        Set GID/UID after binding the socket. By default, no privilege is dropped.
--write-ip
        Write 1 octet with the IP family followed by the IP address in 4 (IPv4) or 16 (IPv6) octets little-endian to backend
        before the actual data.
--write-proxy
        Write HAProxy's PROXY (IPv4 or IPv6) protocol line before actual data.
SEE ALSO
ciphers(1SSL), dhparam(1SSL), haproxy(1)
AUTHORS
stud was originally written by Jamie Turner (@jamwt) and is maintained by the Bump server team. It currently provides server-side TLS
termination for over 40 million Bump users.
BSD September 23, 2011 BSD