{"id":13523449,"url":"https://github.com/bumptech/stud","last_synced_at":"2025-09-28T21:31:24.827Z","repository":{"id":53470968,"uuid":"1877150","full_name":"bumptech/stud","owner":"bumptech","description":"The Scalable TLS Unwrapping Daemon","archived":true,"fork":false,"pushed_at":"2023-06-29T13:15:47.000Z","size":746,"stargazers_count":1427,"open_issues_count":65,"forks_count":193,"subscribers_count":66,"default_branch":"master","last_synced_at":"2024-09-27T03:24:40.921Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"C","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/bumptech.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null}},"created_at":"2011-06-10T17:48:30.000Z","updated_at":"2024-09-17T05:11:08.000Z","dependencies_parsed_at":"2022-09-16T15:11:43.835Z","dependency_job_id":"96b86c84-c591-4f27-ad3d-b9c494d047da","html_url":"https://github.com/bumptech/stud","commit_stats":null,"previous_names":[],"tags_count":4,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bumptech%2Fstud","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bumptech%2Fstud/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bumptech%2Fstud/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bumptech%2Fstud/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/bumptech","download_url":"https://codeload.github.com/bumptech/stud/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":234563152,"owners_count":18853062,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-01T06:01:00.207Z","updated_at":"2025-09-28T21:31:19.526Z","avatar_url":"https://github.com/bumptech.png","language":"C","funding_links":[],"categories":["C","others"],"sub_categories":[],"readme":"STATUS\n======\n\nStud is now officially abandonware, thanks for playing.\n\nRecommended alternative: https://github.com/varnish/hitch\n\nMore info: https://blog.jamwt.com/2016/03/21/stud-no-more/\n\nstud - The Scalable TLS Unwrapping Daemon\n=========================================\n\n`stud` is a network proxy that terminates TLS/SSL connections and forwards the\nunencrypted traffic to some backend.  It's designed to handle 10s of thousands of\nconnections efficiently on multicore machines.\n\nIt follows a process-per-core model; a parent process spawns N children who\neach `accept()` on a common socket to distribute connected clients among them.\nWithin each child, asynchronous socket I/O is conducted across the local\nconnections using `libev` and `OpenSSL`'s nonblocking API.  By default,\n`stud` has an overhead of ~200KB per connection--it preallocates\nsome buffer space for data in flight between frontend and backend.\n\n`stud` has very few features--it's designed to be paired with an intelligent\nbackend like haproxy or nginx.  It maintains a strict 1:1 connection pattern\nwith this backend handler so that the backend can dictate throttling behavior,\nmaxmium connection behavior, availability of service, etc.\n\n`stud` will optionally write the client IP address as the first few octets\n(depending on IPv4 or IPv6) to the backend--or provide that information\nusing HAProxy's PROXY protocol.  When used with the PROXY protocol, `stud` can\nalso transparently pass an existing PROXY header to the cleartext stream.  This\nis especially useful if a TCP proxy is used in front of `stud`.  Using either of\nthese techniques, backends who care about the client IP can still access it even\nthough `stud` itself appears to be the connected client.\n\nThanks to a contribution from Emeric at Exceliance (the folks behind HAProxy),\na special build of `stud` can be made that utilitizes shared memory to\nuse a common session cache between all child processes.  This can speed up\nlarge `stud` deployments by avoiding client renegotiation.\n\nReleases\n---------\n\nPlease be aware of the policy regarding releases, code stability, and security:\n\n * In git, the tip of the master branch should always build on Linux and\n   FreeBSD, and is likely to be as stable as any other changeset.  A\n   careful review of patches is conducted before being pushed to github.\n * Periodically, a version tag will be pushed to github for an old(er)\n   changeset--0.1, 0.2, etc.  These tags mark a particular release of\n   `stud` that has seen heavy testing and several weeks of production\n   stability.  Conservative users are advised to use a tag.\n * `stud` has an optional build that utilizes shared memory-based SSL contexts\n   and UDP peer communication to keep a session cache between many child processes\n   running on many machines.  The use of this build can dramatically speed\n   up SSL handshakes on many-core and/or clustered deployments.\n   However, it's important to acknowledge the inevitable theoretical\n   security tradeoffs associated with the use of this (substantially more\n   complex) binary.  Therefore, the deeply paranoid are advised to use\n   only the standard `stud` binary at the cost of some performance.\n\nRequirements and Limitations\n----------------------------\n\n`stud` requires:\n\n    libev \u003e= 4\n    openssl (recent, \u003e=1.0.0 recommended)\n\nStud currently works on Linux, OpenBSD, FreeBSD, and MacOSX.\nIt has been tested the most heavily on Linux/x86_64.\n\nWhile porting it to other POSIX platforms is likely trivial, it hasn't be done\nyet. Patches welcome!\n\nIf you're handling a large number of connections, you'll\nprobably want to raise `ulimit -n` before running `stud`.\nIt's very strongly recommended to not run `stud` as root; ideally, it would\nbe run as a user (\"stud\", perhaps) that does nothing but run `stud`.  Stud\nwill setuid (using -u) after binding if you need to bind to a low port (\u003c 1024).\n\nInstalling\n----------\n\nTo install `stud`:\n\n    $ make\n    $ sudo make install\n\nUsage\n-----\n\nThe only required argument is a path to a PEM file that contains the certificate\n(or a chain of certificates) and private key. If multiple certificates are\ngiven, `stud` will attempt to perform SNI (Server Name Indication) on new\nconnections, by comparing the indicated name with the names on each of the\ncertificates, in order. The first certificate that matches will be used. If none\nof the certificates matches, the last certificate will be used as the default.\n\nDetail about the entire set of options can be found by invoking `stud -h`:\n\n    CONFIGURATION:\n\n            --config=FILE      Load configuration from specified file.\n            --default-config   Prints default configuration to stdout.\n\n    ENCRYPTION METHODS:\n\n          --tls                   TLSv1 (default)\n          --ssl                   SSLv3 (implies no TLSv1)\n      -c  --ciphers=SUITE         Sets allowed ciphers (Default: \"\")\n      -e  --ssl-engine=NAME       Sets OpenSSL engine (Default: \"\")\n      -O  --prefer-server-ciphers Prefer server list order\n\n    SOCKET:\n\n      -b  --backend=HOST,PORT     Backend [connect] (default is \"[127.0.0.1]:8000\")\n      -f  --frontend=HOST,PORT    Frontend [bind] (default is \"[*]:8443\")\n\n    PERFORMANCE:\n\n      -n  --workers=NUM          Number of worker processes (Default: 1)\n      -B  --backlog=NUM          Set listen backlog size (Default: 100)\n      -k  --keepalive=SECS       TCP keepalive on client socket (Default: 3600)\n\n    SECURITY:\n\n      -r  --chroot=DIR           Sets chroot directory (Default: \"\")\n      -u  --user=USER            Set uid/gid after binding the socket (Default: \"\")\n      -g  --group=GROUP          Set gid after binding the socket (Default: \"\")\n\n    LOGGING:\n      -q  --quiet                Be quiet; emit only error messages\n      -s  --syslog               Send log message to syslog in addition to stderr/stdout\n      --syslog-facility=FACILITY Syslog facility to use (Default: \"daemon\")\n\n    OTHER OPTIONS:\n          --daemon               Fork into background and become a daemon (Default: off)\n          --write-ip             Write 1 octet with the IP family followed by the IP\n                                 address in 4 (IPv4) or 16 (IPv6) octets little-endian\n                                 to backend before the actual data\n                                 (Default: off)\n          --write-proxy          Write HaProxy's PROXY (IPv4 or IPv6) protocol line\n                                 before actual data\n                                 (Default: off)\n          --proxy-proxy          Proxy HaProxy's PROXY (IPv4 or IPv6) protocol line\n                                 before actual data\n                                 (Default: off)\n\n      -t  --test                 Test configuration and exit\n      -V  --version              Print program version and exit\n      -h  --help                 This help message\n\nConfiguration File\n------------------\n\nStud can also use a configuration file that supports all the same options as the\ncommand-line arguments. You can use `stud --default-config` to\ngenerate the default configuration on stdout; then, customize your configuration and\npass it to `stud --config=FILE`.\n\nServing HTTPS\n-------------\n\nIf you're using `stud` for HTTPS, please make sure to use the `--ssl` option!\n\n\nDiffie–Hellman\n--------------\n\nTo use DH with stud, you will need to add some bytes to your pem file:\n\n% openssl dhparam -rand - 1024 \u003e\u003e PEMFILE\n\nBe sure to set your cipher suite appropriately: -c DHE-RSA-AES256-SHA\n\nAuthors\n-------\n\n`stud` was originally written by Jamie Turner (@jamwt) and is maintained\nby the Bump (http://bu.mp) server team.  It currently (12/11) provides\nserver-side TLS termination for over 85 million Bump users.\n\nSpecial thanks to Colin Percival (@cperciva) for an early security\naudit and code review.\n\nFinally, thank you to all the stud contributors, who have taken the\nprogram from a good start to a solid project:\n\nhttps://github.com/bumptech/stud/contributors\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbumptech%2Fstud","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fbumptech%2Fstud","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbumptech%2Fstud/lists"}