SYNOPSIS

[--tls ] [--ssl ] [-c ciphers ] [-b host,port ] [-f host,port ] [-n cores ] [-r path ] [-u username ] [--write-ip ] [--write-proxy ] certificate.pem

DESCRIPTION

is a network proxy that terminates TLS/SSL connections and forwards the unencrypted traffic to some backend. It's designed to handle 10s of thousands of connections efficiently on multicore machines.

has very few features -- it's designed to be paired with an intelligent backend like haproxy or nginx. It maintains a strict 1:1 connection pattern with this backend handler so that the backend can dictate throttling behavior, maxmium connection behavior, availability of service, etc.

The only required argument is a path to a PEM file that contains the certificate (or a chain of certificates) and private key. It should also contain DH parameter if you wish to use Diffie-Hellman cipher suites.

The options are as follows:

--tls

Use TLSv1 (default).

--ssl

Use only SSLv3 and no TLSv1.

-c ciphers

Set allowed ciphers using the same format as openssl ciphers For example, you can use RSA:!COMPLEMENTOFALL

-b host,port

Define backend. Default is 127.0.0.1,8000 Incoming connections will be unwrapped and sent to this IP and port.

-f host,port

Define frontend. Default is *,8443 Incoming connections will be accepted to this IP and port and will be sent to the backend defined above.

-n cores

Use cores worker processes. Default is 1.

-r path

Chroot to the given path. By default, no chroot is done.

-u username

Set GID/UID after binding the socket. By default, no privilege is dropped.

--write-ip

Write 1 octet with the IP family followed by the IP address in 4 (IPv4) or 16 (IPv6) octets little-endian to backend before the actual data.

--write-proxy

Write HaProxy's PROXY (IPv4 or IPv6) protocol line before actual data.

AUTHORS

was originally written by Jamie Turner (@jamwt) and is maintained by the Bump server team. It currently provides server-side TLS termination for over 40 million Bump users.