TLSPROXYD(8) TLSPROXYD(8)
NAME
tlsproxyd - proxying daemon for TLS
SYNOPSIS
tlsproxyd -h | [ -d ] [ -f file ] [ -p ]
DESCRIPTION
tlsproxyd accepts TCP connections from remote hosts,
negotiates SSLv2/TLS secured communications with the peer,
and proxies data from the encrypted connection to a
conventional TCP connection with another service, allowing
existing services to be `retrofitted' with TLS support. It
differs from other approaches, such as stunnel(8), in that
it is a long-running daemon, rather than a service run
from inetd(8). This makes it much more convenient for use
where the cryptographic key and signature are protected by
a passphrase, since it can read these from the terminal at
startup.
tlsproxyd reads its configuration, including the
definitions of services to proxy, from a configuration
file, by default /etc/tlsproxyd.conf.
OPTIONS
-h Print a summary of usage.
-d Do not fork to become a daemon, but stay attached
to a controlling terminal and print log messages to
standard error as well as the syslog.
-f file
Read configuration from file, instead of from
/etc/tlsproxyd.conf.
-p Do not attempt to read pass phrases from the
terminal, but instead fail if a pass phrase is required.
CONFIGURATION
tlsproxyd reads its configuration from a file; the name of
the file may be selected at run time using the -f option.
The configuration file consists of definitions of run-time
parameters, of proxying services, and optional comments
introduced by `#'.
PARAMETERS
Parameters are defined by statements of the form:
parameter = value
The following parameters are defined:
log-facility
The facility code under which tlsproxyd will log
diagnostic messages. Possible values are: mail,
authpriv, daemon, user, and local0 through local7
inclusive. If no value is specified, the value
daemon will be used. See openlog(3).
certificate
The name of a PEM file containing the certificate
to be used by tlsproxyd. Mandatory.
private-key
The name of a PEM file containing the private key
to be used. Optional; if not specified, the private
key is assumed to be in the same file as the
certificate.
pid-file
The name of a file in which tlsproxyd should record
its PID. Optional; if not specified, no PID file
will be used.
max-processes
The maximum number of child processes; this is a
limit on the maximum number of concurrent proxy
connections. Mandatory.
timeout
The maximum interval in seconds between
transmissions by the proxied service before the
connection is automatically dropped. Optional; if not
set, defaults to 60 seconds.
user The user name or UID under which tlsproxyd will run
after it initialises. Mandatory; tlsproxyd will
refuse to run as root.
group The group name or GID under which tlsproxyd will
run after it initialises. Mandatory; tlsproxyd will
refuse to run as group 0.
PROXYING SERVICES
The syntax for a proxy service definition is:
host:port -> host:port
The left hand host and port denote an address on which
tlsproxyd will listen for incoming connections. When a
connection arrives, tlsproxyd will negotiate a secured
connection to the peer; it will then connect to the right
hand host and port and relay data between the two. In most
cases, you will want the right hand host to be either
localhost or a nearby host on a secured network.
Hosts and ports may be specified numerically or as
symbolic names.
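As an added illustration of the configuration syntax described above (this checker is not part of tlsproxyd or its documentation), the following Python reads a tlsproxyd.conf and reports the problems this page says the daemon will reject: missing mandatory parameters, a user of root or group 0, an unknown log-facility, and the absence of any service definition. It also warns when the plaintext leg of a service leaves the local host. The sample configuration and its certificate path are constructed.

```python
import re

# Allowed log-facility values per tlsproxyd(8); "daemon" is the default.
LOG_FACILITIES = {"mail", "authpriv", "daemon", "user"} | {f"local{i}" for i in range(8)}
MANDATORY = ("certificate", "max-processes", "user", "group")
# Statement forms: "host:port -> host:port" and "parameter = value"; '#' opens a comment.
SERVICE_RE = re.compile(r"^([^\s:]+):([^\s:]+)\s*->\s*([^\s:]+):([^\s:]+)$")
PARAM_RE = re.compile(r"^([a-z-]+)\s*=\s*(\S.*)$")

def parse_config(text):
    """Parse tlsproxyd.conf text into (params, services, errors, warnings)."""
    params, services, errors, warnings = {}, [], [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if m := SERVICE_RE.match(line):
            services.append(m.groups())
            if m.group(3) not in ("localhost", "127.0.0.1"):
                warnings.append(f"line {lineno}: plaintext leg to {m.group(3)} leaves this host")
        elif m := PARAM_RE.match(line):
            params[m.group(1)] = m.group(2)
        else:
            errors.append(f"line {lineno}: unrecognised statement {line!r}")
    for name in MANDATORY:
        if name not in params:
            errors.append(f"missing mandatory parameter {name}")
    # tlsproxyd refuses these itself; catching them here avoids a failed start.
    if params.get("user") in ("root", "0"):
        errors.append("user: tlsproxyd refuses to run as root")
    if params.get("group") == "0":  # numeric GID only; group names are not resolved here
        errors.append("group: tlsproxyd refuses to run as group 0")
    if params.setdefault("log-facility", "daemon") not in LOG_FACILITIES:
        errors.append(f"log-facility: unknown facility {params['log-facility']!r}")
    mp = params.get("max-processes", "1")
    if not (mp.isdigit() and int(mp) > 0):
        errors.append("max-processes: must be a positive integer")
    params.setdefault("timeout", "60")  # documented default
    if not services:
        errors.append("no proxying service defined")
    return params, services, errors, warnings

# Constructed sample configuration; the certificate path is a placeholder.
SAMPLE = """\
log-facility = daemon
certificate = /etc/ssl/tlsproxyd.pem   # constructed path
max-processes = 32
user = nobody
group = nogroup
0.0.0.0:pop3s -> localhost:pop3
"""
```

Running parse_config(SAMPLE) returns no errors and no warnings; feeding it a file with user = root or group = 0 reports the refusal before the daemon is ever started.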
SIGNALS
SIGTERM, SIGINT
Cause the daemon to exit; active connections will
continue until closed.
SIGHUP Causes the daemon to restart and reread its
configuration file.
FILES
/etc/tlsproxyd.conf
SEE ALSO
stunnel(8), inetd(8),
http://www.ex-parrot.com/~chris/tlsproxyd/.
AUTHOR
Chris Lightfoot <chris@ex-parrot.com>
VERSION
$Id: tlsproxyd.8,v 1.5 2002/06/11 13:52:19 chris Exp $
COPYING
This program is free software; you can redistribute it
and/or modify it under the terms of the GNU General Public
License as published by the Free Software Foundation;
either version 2 of the License, or (at your option) any
later version.
This program is distributed in the hope that it will be
useful, but WITHOUT ANY WARRANTY; without even the implied
warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
PURPOSE. See the GNU General Public License for more
details.
You should have received a copy of the GNU General Public
License along with this program; if not, write to the Free
Software Foundation, Inc., 675 Mass Ave, Cambridge, MA
02139, USA.