hitch 1.6.1

hitch is a network proxy that terminates TLS/SSL connections and forwards the unencrypted traffic to some backend. It's designed to handle tens of thousands of connections efficiently on multicore machines.

Tags: internet proxy-server tls
License: BSDL-2
State: stable

Recent Releases

1.6.1 02 Sep 2020 13:05 minor feature:
- Build with OpenSSL-without-NPN/ALPN.
- Plug cci in.
- Update templates.
- a struct padding in the PROXYv2 code.
- Test39: be slightly more precise.
- Prepare for 1.6.1.
1.6.0 26 Jun 2020 03:16 minor feature:
- Skip test 23 when OpenSSL is compiled without SSLv3.
- Make two variants of the session resumption test.
- Fail the configure step if lex/yacc are missing.
- Mark sni_names as extern in hitch.h.
- Add autoconf rule for checking TLSv1.3 availability.
- Add a 'ciphersuites' setting for configuring TLSv1.3 ciphersuites.
- Implement 'ecdh-curve' setting.
- a very tiny memleak.
- Initialize the logging bits prior to running a config test.
- Override log-level for config test.
- Replace hand-written daemonize() with daemon(3).
- Mention --log-filename in manual.
- Set default log-level to 1.
- Let the user know if logging is not configured.
- Add client certificate support.
- Allow client-verify/client-verify-ca in frontend blocks.
- Prep for 1.6.0-beta1.
- Add a few client certificate PROXYv2 properties.
- PROXY client cert doc/changelog.
- Prepare for 1.6.0 beta2.
- Ensure we always set a session id context.
- Prepare for 1.6.0 beta3.
- Expand doc on SNI matching and name collisions.
- man: Escape star interpreted as an emphasis.
- More doc: tls-protos.
- typo.
- Update configuration.md for #185.
- Update docs/configuration.md.
- Add a -delay option to the s_client test driver.
- Have test cases use the s_client -delay setting where needed.
- test: Simplify and document `s_client -delay`.
- Prepare for 1.6.0.
1.5.1 27 Nov 2019 16:45 minor feature:
- Don't exit with an error for -h and -V options.
- Make sure we have sess_.txt in test06.
- Polish.
- TCP Fast Open Support.
- Enable TFO at configure but disable by default during cmdline cfg file.
- Be gentle with systems that don't support TFO.
- TFO polish.
- More TFO polish.
- Polish timeout handling.
- Add FreeBSD conditional for ifindex.
- Homework for later.
- Only USE_SYSCALL_FUTEX when available.
- Centralize PROXY v2 definitions.
- Whitespace OCD.
- a likely TLS 1.3 grammar typo.
- Support PROXY v2 authority TLV.
- Rework the handling of optional dependencies.
- Polish automake conditional.
- Conditionally enable developer warnings.
- Make proxyv2.h ISO C99 friendly.
- Move asn_gentm code where it belongs.
- Whitespace.
- No data structure from queue.h in the configuration.
- Constify the SSL context from SNI lookups.
- Turn the TRY_SNI_MATCH macro into a function.
- Perform SNI lookups with a derived key.
- Make SNI lookup case-insensitive.
- Don't rely on the OpenSSL version to detect ALPN.
- Avoid version number checks for lock initialization.
- Make shctx_get_cb static.
- Prune another use of OPENSSL_VERSION_NUMBER.
- Clarify warnings scope.
- Check the s3 field instead of the openssl version.
- Code style update.
- Wrap the memcpy+memset padding pattern in a macro.
- Doc, bootstrap calls configure.
- Quote some commandline examples for the shell.
- Stabilization of the resumption test.
- frontend uniqueness check, where IP= is a NULL pointer.
- Allow running workers as root, if both UID and GID are specified as r
- Remove PATH_MAX.
- Remove unused function atomic_inc.
- Prepare for 1.5.1.
1.5.0 18 Dec 2018 10:05 minor feature:
- the handling of the session cache option passed to configure.
- Kill pointless assert.
- New stop_hitch test ture.
- per-frontend default certificate handling.
- Add argument parsing for UDS.
- Teach VSA about PF_UNIX.
- Rename this function.
- Make Hitch backend-UDS capable.
- Doc.
- Add support for pem loading from directory.
- Drop config_parse_cli retval arg.
- pem-dir: default cert handling and other cleanup.
- Add pem-dir-glob configuration setting.
- Doc pem-dir/pem-dir-glob.
- Add pem-dir test case.
- Attempt at centralizing s_client output parsing to hitch_test.sh.
- openssl1.1.1 s_client sends an SNI name by default.
- NPN not available in tls1.3.
- Nix comment.
- const struct frontend arg.
- Add support for TLS 1.3.
- Add test case for TLS 1.3 client.
- Add missing lexer token for TLSv1.3.
- Rename so we don't have 2x test29.
- Rework log level bits.
- ocsp-dir reload crash.
- Don't override log-level on --daemon.
- Also take into account current-generation workers in handle_mgt_read.
- Preliminary changelog.
- Move proxy tlv append into its own function.
- proxyv2: Update the length at the very end.
- Add 'proxy-tlv' option.
- Rename/refactor the alpn/proxy bits.
- Kill stale comment.
- Set SO_REUSEADDR for parse_proxy_v2.
- Add proxy-tlv test case.
- proxy-tlv doc.
- Drop TLSv1.1 as a default protocol.
- Update changes.
- Redo pem-dir default cert handling.
- Prepare for 1.5.0.
1.4.8 20 Apr 2018 13:25 minor feature:
- Prepare for 1.4.7.
- Bad indentation.
- Set default locations for trusted CA certificates only where needed.
- Rework the dynamic backend bits.
- Whitespace nitpick.
- Don't the mgt- child pipe on backend refreshes.
- Drop nobody:nogroup from example config.
- Override user/group for example.conf test case.
- Prepare for 1.4.8.
1.4.7 12 Jan 2018 06:25 minor feature:
- Avoid C99 dependent for loop syntax.
- Use correct ALPN protocol identifier in manual page.
- Plug file descriptor leak.
- strcmp(3) usage.
- Add the steps required for a commercial CA.
- tests: condition and actually skip test if appropriate.
- tests: Drop unneeded quotes, treat integer values.
- Start a general-purpose command runner for tests.
- Minor shell polish.
- Use the openssl cli to find available extensions.
- mv common.sh hitch_test.sh.
- Code style OCD.
- Move main() down in parse_proxy_v2.
- Add support for session-cache in config file and as cmdline option #166.
- : global backaddr is assumed to be static #84.
- Logging to syslog even when set to syslog = off? #187.
- Support for separate key files #65.
- Random usage of config section if redundant #192.
- sending out worker_update notification.
- Use pointer dereference instead of sizeof(struct).
- Ensure input_line has a terminating null byte.
- parameter value parsing.
- Rename positive_only into non_negative for config_param_val_ int,long.
- Print parsing error messages correctly.
- Put network includes after kernel includes.
- Hardening the shell is the first thing to do.
- Run the test suite in a temp directory.
- Test helper hitch_start to start Hitch as a daemon.
- Print test diagnostics to stderr.
- Wrap openssl s_client commands in a function.
- Polish the old cfg test case.
- New more reliable curl_hitch test helper.
- Always use -prexit via s_client test helper.
- Don't write the hitch listen address in a file.
- Let the s_client helper find where to connect.
- Flesh out tests with multiple listen addresses.
- Polish test 06.
- Make sure TEST_TMPDIR is always absolute.
- Turn curl errors into automake errors.
- Teach curl_hitch to skip unknown options.
- Teach curl_hitch when to use the first listen address.
- Listen to what curl_hitch has to say.
- New hitch_pid helper to send signals.
- Use hitch_hosts to check the old address in test 11.
- More
1.4.5 02 Jun 2017 23:05 minor feature:
- Asterisk is not a valid node for getaddrinfo().
- gettimeofday(2) needs sys/time.h.
- Another case of gettimeofday(2) needing sys/time.h.
- unchecked loop situation with shared cache enabled.
- Make shared cache code work with openssl 1.1.
- building with libressl.
- Set SSL_OP_SINGLE_ECDH_USE to force a fresh ECDH key pair per handshake.
- Merge branch 'listen_all' of https://github.com/lkarsten/hitch into l?.
- Clean up a few things in the previous patch.
- Printing invalid cmd args /once/ is sufficient.
- Add a link to the PROXY spec in the docs.
- typo in man page.
- Distribute and preserve lex/yacc droppings.
- One line per source file.
- Make sure to always satisfy dependencies.
- Enable silent rules by default.
- Redundant.
- Polish.
- Move the configuration parser to a static library.
- Need sys/filio on SunOS for FIONBIO.
- s/unix/local/.
- OpenSSL 1.1 does not require locking callbacks.
- Enhance system libraries detection.
- Separate foreign sources from hitch.
- Get _GNU_SOURCE as a system extension.
- Merge CFLAGS.
- Polish hitch CFLAGS.
- Move CFLAGS detection to autoconf.
- Polish.
- libnsl detection.
- Make -Wno-strict-aliasing a flag only for libev.
- configuration.h includes .
- Un-break session-cache for OpenSSL 1.1.
- missing include.
- Don't export these symbols.
- a couple of potential overflow situations.
- It turned out lib conditionals weren't needed.
- strcasecmp needs this.
- Can't claim POSIX.1-2008 yet.
- Can't target C99 yet.
- Enable and automake warnings.
- Code style OCD.
- Allow hitch to bind random ports.
- Move create_alpn_callback_data up.
- Macroize options parsing.
- Avoid leaking a zombie process for the OCSP child.
- Don't chroot(2) the management process.
- Avoid C99 dependent for loop syntax.
- Drop dead lines.
- build for automake 1.14.
- Typo in previous commit.
- Quote the offending line on a parsing error.
- Kill unused locations.
- make distcheck.
- Prepare for 1.4.5.
- Update changelog references.
1.4.4 23 Dec 2016 03:15 minor feature:
- Typo in TLS config warning.
- Remove special handling of old host format.
- Improve clarity.
- Make Hitch compatible with OpenSSL 1.1.0.
- Make sure we always have a sane refresh_hint set for OCSP refreshes.
- Force SSL_OP_SINGLE_DH_USE to avoid small subgroup attacks on older.
- Changelog.
- Respect OPENSSL_NO_NEXTPROTONEG.
- 1.4.4.
1.4.3 18 Nov 2016 15:40 minor feature: OCSP stapling is now enabled by default. Users should create ocsp-dir (default: /var/lib/hitch/) and make it writable for the hitch user. A build error due to man page generation on FreeBSD (most likely non-Linux) has been fixed.