HITCH.CONF(5) - Linux man page online | File formats

Configuration file for Hitch.



Hitch.conf - Configuration file for Hitch


hitch.conf is the configuration file for hitch(8). The configuration file is loaded using the Hitch option --config=, and can thus have different names and can exist in different locations. Almost all options available in hitch.conf can be specified or overridden in the command line of Hitch, as described in hitch(8). The Hitch configuration file consists of a series of option assignments. Some options (pem-file, frontend) can be be set several times, and the effect is that multiple certifi‐ cate files and "listening frontends" are defined. Other options can only be assigned once. The hash mark, or pound sign ("#"), is used as a "comment" character. You can use it to annotate your config file. All text after the comment character to the end of the line is ignored. Empty lines are ignored.


Options can either be in the top level of the configuration file (global scope), or inside a frontend block. Options inside a frontend block only affect the frontend, while options in the top level sets defaults for all frontends. Unless otherwise noted below, options can only be used in the top level. alpn-protos = <protocol-list> Comma separated list of protocols supported by the backend in a quoted string. The list is used select protocols when the client supports Next Protocol Negotiation (NPN) or Applica‐ tion-Layer Protocol Negotiation (ALPN). If Hitch is compiled against a OpenSSL version that does not support ALPN, only NPN will be used to select a protocol. The result of the NPN/ALPN negotiation will be communicated to the backend if and only if write-proxy-v2 or proxy-proxy is used. For HTTP/2 to work with modern browsers, ALPN nego‐ tiation is required. backend = [HOST]:PORT The host and port Hitch connects to when receiving a connection. Only a single backend is supported. backlog = <number> Listen backlog size chroot = <string> Chroot directory ciphers = ... List of ciphers to use in the secure communication. Refer to the OpenSSL documentation for a complete list of supported ciphers. If not specified, OpenSSL will allow all ciphers. System administrators are adviced to either only support strong ciphers (as in the example file below) or to pay close atten‐ tion to security advisories related OpenSSL's ciphers. This option is also available in frontend blocks. daemon = on|off Run as daemon. Default is off. frontend = ... This specifies the port and interface (the listen endpoint) that Hitch binds to when lis‐ tening for connections. It is possible define several frontends, and Hitch will bind to several ports and/or several interfaces. If "*" is used as the host, then Hitch will bind on all interfaces for the given port. A frontend can be specified either in a single line: frontend = "[HOST]:PORT[+CERT]" Or in a frontend block: frontend = { host = "HOST" port = "PORT" <other frontend options> } group = <string> If given, Hitch will change to this group after binding to listen sockets. keepalive = <number> Number of seconds a TCP socket is kept alive ocsp-dir = <string> Directory where Hitch will store and read OCSP responses for stapling. Default is "/var/lib/hitch/". Directory must be readable and writable for the configured Hitch user, or automatic retrieval and updating of OCSP responses will not take place. If you have a manually pre-loaded OCSP staple, an alternative pem-file syntax can be used for stapling: pem-file = { cert = "mycert.pem" ocsp-resp-file = "ocsp-resp.der" } ocsp-connect-tmo = <number> OCSP fetch connect timeout. This does normally not need to be changed. Default is 4.0 seconds. ocsp-resp-tmo = <number> OCSP fetch response timeout. This does normally not need to be changed. Default is 10 seconds. ocsp-verify-staple = on|off If set, OCSP responses will be verified against the certificate after retrieval. Default is off. pem-file = <string> Specify a SSL x509 certificate file. Server Name Indication (SNI) is supported by using one certificate file per SNI name. Certificates are used in the order they are listed; the last certificate listed will be used if none of the others match. A file suitable for Hitch is a concatenation of a private key and a corresponding certifi‐ cate or certificate chain. At least one PEM file is needed for Hitch to start, but it can be supplied on the command line. This option is also available in a frontend declaration, to make a certificate only avail‐ able for a specific listen endpoint. prefer-server-ciphers = on|off Turns on or off enforcement of the cipher ordering set in Hitch. This option is also available in frontend blocks. Default is off. proxy-proxy = on|off Proxy an existing PROXY protocol header through this request. At the moment this is equiv‐ alent to write-proxy-v2. This option is mutually exclusive with option write-proxy-v2, write-ip and write-proxy-v1. Default is off. quiet = on|off If quiet is turned on, only error messages will be shown. tls-protos = ... The SSL/TLS protocols to be used. This is an unquoted list of tokens. Available tokens are SSLv3, TLSv1.0, TLSv1.1 and TLSv1.2. The default is TLSv1.1 and TLSv1.2. There are two deprecated options, ssl= and tls=, that also select protocols. If "ssl=on" is used, then all protocols are selected. This is known to be insecure, and is strongly discouraged. If "tls=on" is used, the three TLS protocol versions will be used. Turning on SSLv3 and TLSv1.0 is not recommended - support for these protocols are only kept for back‐ wards compatibility. This option is also available in frontend blocks. sni-nomatch-abort = on|off Abort handshake when the client submits an unrecognized SNI server name. This option is also available in a frontend declaration. ssl-engine = <string> Set the SSL engine. This is used with SSL accelerator cards. See the OpenSSL documentation for legal values. syslog = on|off Send messages to syslog. Default is off. syslog-facility = <string> Set the syslog facility. Default is "daemon". user = <string> User to run as. If Hitch is started as root, it will insist on changing to a user with lower rights after binding to sockets. workers = <number> Number of worker processes. One per CPU core is recommended. write-ip = on|off Report the client ip to the backend by writing IP before sending data. This option is mutually exclusive with each of the options write-proxy-v2, write-proxy-v1 and proxy-proxy. Default is off. write-proxy-v1 = on|off Report client address using the PROXY protocol. This option is mutually exclusive with option write-proxy-v2, write-ip and proxy-proxy. Default is off. write-proxy-v2 = on|off Report client address using PROXY v2 protocol. This option is mutually exclusive with option write-ip, write-proxy-v1 and proxy-proxy. Default is off.


The following file shows the syntax needed to get started with: frontend = { host = "*" port = "443" } backend = "[]:6086" # 6086 is the default Varnish PROXY port. workers = 4 # number of CPU cores daemon = on user = "nobody" group = "nogroup" # Enable to let clients negotiate HTTP/2 with ALPN. (default off) # alpn-protos = "http/2, http/1.1" # run Varnish as backend over PROXY; varnishd -a :80 -a localhost:6086,PROXY .. write-proxy-v2 = on # Write PROXY header


This manual was written by Pål Hermunn Johansen <>
This manual Reference Other manuals
hitch.conf(5) referred by hitch(8)
refer to hitch(8)
Download raw manual
Index № 5 (+2141)
Go top