|
|
@ -101,7 +101,7 @@ Deny all OCSP requests on all proxyspecs. Equivalent to -O command line option.
|
|
|
|
\fBPassthrough BOOL\fR
|
|
|
|
\fBPassthrough BOOL\fR
|
|
|
|
Passthrough SSL connections if they cannot be split because of client cert
|
|
|
|
Passthrough SSL connections if they cannot be split because of client cert
|
|
|
|
auth or no matching cert and no CA. Equivalent to -P command line option.
|
|
|
|
auth or no matching cert and no CA. Equivalent to -P command line option.
|
|
|
|
.br
|
|
|
|
.br
|
|
|
|
Default: drop
|
|
|
|
Default: drop
|
|
|
|
.TP
|
|
|
|
.TP
|
|
|
|
\fBPassSite STRING\fR
|
|
|
|
\fBPassSite STRING\fR
|
|
|
@ -115,12 +115,12 @@ allowed, one on each line.
|
|
|
|
.TP
|
|
|
|
.TP
|
|
|
|
\fBDHGroupParams STRING\fR
|
|
|
|
\fBDHGroupParams STRING\fR
|
|
|
|
Use DH group params from pemfile. Equivalent to -g command line option.
|
|
|
|
Use DH group params from pemfile. Equivalent to -g command line option.
|
|
|
|
.br
|
|
|
|
.br
|
|
|
|
Default: keyfiles or auto
|
|
|
|
Default: keyfiles or auto
|
|
|
|
.TP
|
|
|
|
.TP
|
|
|
|
\fBECDHCurve STRING\fR
|
|
|
|
\fBECDHCurve STRING\fR
|
|
|
|
Use ECDH named curve. Equivalent to -G command line option.
|
|
|
|
Use ECDH named curve. Equivalent to -G command line option.
|
|
|
|
.br
|
|
|
|
.br
|
|
|
|
Default: prime256v1
|
|
|
|
Default: prime256v1
|
|
|
|
.TP
|
|
|
|
.TP
|
|
|
|
\fBSSLCompression BOOL\fR
|
|
|
|
\fBSSLCompression BOOL\fR
|
|
|
@ -128,22 +128,28 @@ Enable/disable SSL/TLS compression on all connections. Equivalent to -Z command
|
|
|
|
.TP
|
|
|
|
.TP
|
|
|
|
\fBForceSSLProto STRING\fR
|
|
|
|
\fBForceSSLProto STRING\fR
|
|
|
|
Force SSL/TLS protocol version only. Equivalent to -r command line option.
|
|
|
|
Force SSL/TLS protocol version only. Equivalent to -r command line option.
|
|
|
|
.br
|
|
|
|
.br
|
|
|
|
Default: all
|
|
|
|
Default: all
|
|
|
|
.TP
|
|
|
|
.TP
|
|
|
|
\fBDisableSSLProto STRING\fR
|
|
|
|
\fBDisableSSLProto STRING\fR
|
|
|
|
Disable SSL/TLS protocol version. Equivalent to -R command line option.
|
|
|
|
Disable SSL/TLS protocol version. Equivalent to -R command line option.
|
|
|
|
.br
|
|
|
|
.br
|
|
|
|
Default: none
|
|
|
|
Default: none
|
|
|
|
.TP
|
|
|
|
.TP
|
|
|
|
\fBCiphers STRING\fR
|
|
|
|
\fBCiphers STRING\fR
|
|
|
|
Use the given OpenSSL cipher suite spec. Equivalent to -s command line option.
|
|
|
|
Use the given OpenSSL ciphers spec. Equivalent to -s command line option.
|
|
|
|
.br
|
|
|
|
.br
|
|
|
|
Default: ALL:-aNULL
|
|
|
|
Default: ALL:-aNULL
|
|
|
|
.TP
|
|
|
|
.TP
|
|
|
|
|
|
|
|
\fBCipherSuites STRING\fR
|
|
|
|
|
|
|
|
Use the given OpenSSL ciphersuites spec. The ciphersuites spec is for TLS 1.3.
|
|
|
|
|
|
|
|
Equivalent to -U command line option.
|
|
|
|
|
|
|
|
.br
|
|
|
|
|
|
|
|
Default: TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
|
|
|
|
|
|
|
|
.TP
|
|
|
|
\fBLeafKeyRSABits NUMBER\fR
|
|
|
|
\fBLeafKeyRSABits NUMBER\fR
|
|
|
|
Leaf key RSA keysize in bits, use 1024|2048|3072|4096.
|
|
|
|
Leaf key RSA keysize in bits, use 1024|2048|3072|4096.
|
|
|
|
.br
|
|
|
|
.br
|
|
|
|
Default: 2048
|
|
|
|
Default: 2048
|
|
|
|
.TP
|
|
|
|
.TP
|
|
|
|
\fBOpenSSLEngine STRING\fR
|
|
|
|
\fBOpenSSLEngine STRING\fR
|
|
|
@ -154,7 +160,7 @@ Specify default NAT engine to use. Equivalent to -e command line option.
|
|
|
|
.TP
|
|
|
|
.TP
|
|
|
|
\fBUser STRING\fR
|
|
|
|
\fBUser STRING\fR
|
|
|
|
Drop privileges to user. Equivalent to -u command line option.
|
|
|
|
Drop privileges to user. Equivalent to -u command line option.
|
|
|
|
.br
|
|
|
|
.br
|
|
|
|
Default: nobody, if run as root
|
|
|
|
Default: nobody, if run as root
|
|
|
|
.TP
|
|
|
|
.TP
|
|
|
|
\fBGroup STRING\fR
|
|
|
|
\fBGroup STRING\fR
|
|
|
@ -217,7 +223,7 @@ Default: 120
|
|
|
|
.TP
|
|
|
|
.TP
|
|
|
|
\fBExpiredConnCheckPeriod NUMBER\fR
|
|
|
|
\fBExpiredConnCheckPeriod NUMBER\fR
|
|
|
|
Check for expired connections every this many seconds.
|
|
|
|
Check for expired connections every this many seconds.
|
|
|
|
.br
|
|
|
|
.br
|
|
|
|
Default: 10.
|
|
|
|
Default: 10.
|
|
|
|
.TP
|
|
|
|
.TP
|
|
|
|
\fBLogStats BOOL\fR
|
|
|
|
\fBLogStats BOOL\fR
|
|
|
@ -227,7 +233,7 @@ Default: yes
|
|
|
|
.TP
|
|
|
|
.TP
|
|
|
|
\fBStatsPeriod NUMBER\fR
|
|
|
|
\fBStatsPeriod NUMBER\fR
|
|
|
|
Log statistics every this many ExpiredConnCheckPeriod periods.
|
|
|
|
Log statistics every this many ExpiredConnCheckPeriod periods.
|
|
|
|
.br
|
|
|
|
.br
|
|
|
|
Default: 1
|
|
|
|
Default: 1
|
|
|
|
.TP
|
|
|
|
.TP
|
|
|
|
\fBRemoveHTTPAcceptEncoding BOOL\fR
|
|
|
|
\fBRemoveHTTPAcceptEncoding BOOL\fR
|
|
|
@ -262,7 +268,7 @@ Path to user db file.
|
|
|
|
.TP
|
|
|
|
.TP
|
|
|
|
\fBUserTimeout NUMBER\fR
|
|
|
|
\fBUserTimeout NUMBER\fR
|
|
|
|
Time users out after this many seconds of idle time.
|
|
|
|
Time users out after this many seconds of idle time.
|
|
|
|
.br
|
|
|
|
.br
|
|
|
|
Default: 300.
|
|
|
|
Default: 300.
|
|
|
|
.TP
|
|
|
|
.TP
|
|
|
|
\fBUserAuthURL STRING\fR
|
|
|
|
\fBUserAuthURL STRING\fR
|
|
|
@ -275,12 +281,12 @@ Default: no
|
|
|
|
.TP
|
|
|
|
.TP
|
|
|
|
\fBMaxHTTPHeaderSize NUMBER\fR
|
|
|
|
\fBMaxHTTPHeaderSize NUMBER\fR
|
|
|
|
Max HTTP header size in bytes for protocol validation.
|
|
|
|
Max HTTP header size in bytes for protocol validation.
|
|
|
|
.br
|
|
|
|
.br
|
|
|
|
Default: 8192.
|
|
|
|
Default: 8192.
|
|
|
|
.TP
|
|
|
|
.TP
|
|
|
|
\fBOpenFilesLimit NUMBER\fR
|
|
|
|
\fBOpenFilesLimit NUMBER\fR
|
|
|
|
Set open files limit, use 50-10000.
|
|
|
|
Set open files limit, use 50-10000.
|
|
|
|
.br
|
|
|
|
.br
|
|
|
|
Default: System-wide limit.
|
|
|
|
Default: System-wide limit.
|
|
|
|
.TP
|
|
|
|
.TP
|
|
|
|
\fBProxySpec STRING\fR
|
|
|
|
\fBProxySpec STRING\fR
|
|
|
@ -336,6 +342,8 @@ DisableSSLProto
|
|
|
|
.br
|
|
|
|
.br
|
|
|
|
Ciphers
|
|
|
|
Ciphers
|
|
|
|
.br
|
|
|
|
.br
|
|
|
|
|
|
|
|
CipherSuites
|
|
|
|
|
|
|
|
.br
|
|
|
|
RemoveHTTPAcceptEncoding
|
|
|
|
RemoveHTTPAcceptEncoding
|
|
|
|
.br
|
|
|
|
.br
|
|
|
|
RemoveHTTPReferer
|
|
|
|
RemoveHTTPReferer
|
|
|
|