Installing and configuring Stud to serve SSL requests

Stud is a network proxy that terminates TLS/SSL connections and forwards the unencrypted traffic to a web server of your choice. It is designed to handle tens of thousands of connections efficiently on multicore machines.

This article will help you download, compile and install stud on your box with some basic configuration options to serve SSL requests. For my examples, I’m using nginx as my HTTP server. You should be able to use Apache or any standard HTTP server as a backend.

Pre-requisites

git installed on your system (else download and unpack stud source directly from the GitHub repository).

Download and compile stud

Start by cloning stud’s git source repository.

git clone https://github.com/bumptech/stud.git

Then compile stud from the source and install it.

cd stud  
make  
sudo make install  

That’s it. Stud installation is simple. The default install location is /usr/local/bin/stud. You should be able to run the command stud at the prompt and see it respond.

stud --v  
stud 0.3-dev  

Configuring stud

Stud comes with a default configuration built into its executable, which it outputs to stdout on request with the command line option --default-config. Let’s try that and store it into a config file that we can use later.

stud --default-config > stud.conf  

Open up stud.conf. Here is a short explanation of the basic settings to configure. For more detail, head to the stud GitHub repository.

  • frontend: Change this to the IP address and port where you want stud to listen for SSL requests. Typically you would set the IP address configured on the network interface connected to the Internet. Remember to put the IP address within square brackets. Unless you know what you are doing, set the port number to 443 instead of keeping the default.

    Some example values are [*]:443, which lets stud listen on all network interfaces on port 443 and [127.0.0.1]:443, which forces stud to listen only on localhost at port 443.

  • backend: The host and port number where stud should forward the unwrapped SSL requests to, which is usually your web server. The host and port combination follows the same format as the frontend configuration setting.

  • pem-file: Full path to the PEM file that contains the certificates and private key. You can use a self-signed certificate or a certificate you bought from a provider. For more details on how to configure your SSL certificate with stud, please read the article Configuring a PositiveSSL certificate with stud.

  • workers: Number of stud worker processes you want to spawn. Typically you would want to set this to the number of CPU cores you have. You can leave it at the default.

  • user and group: Tell stud to set the uid and gid after binding its sockets. I recommend running stud as user nobody and group nobody.

  • daemon: Tell stud to switch to a background process after starting up. Set it to on.
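The settings above can be checked before stud is started. The script below is an added example, not part of stud or of the original article: conf_get and check_stud_conf are hypothetical helper names, the key = "value" layout of stud.conf is assumed, and the sample config and PEM skeleton are constructed.

```sh
# Added example: pre-flight checks for a stud.conf (not part of stud itself).
# Assumption: the file uses the key = "value" layout of `stud --default-config`.

# conf_get FILE KEY: print KEY's value with surrounding quotes stripped.
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"\{0,1\}\([^\"]*\)\"\{0,1\}[[:space:]]*\$/\1/p" "$1" | tail -n 1
}

# check_stud_conf FILE: print one finding per line; no output means no findings.
check_stud_conf() {
    conf=$1
    pem=$(conf_get "$conf" pem-file)
    for key in frontend backend; do
        conf_get "$conf" "$key" | grep -Eq '^\[[^]]+]:[0-9]+$' ||
            echo "$key: expected [host]:port"
    done
    case $(conf_get "$conf" user) in
        ''|root) echo "user: no unprivileged account set (the article suggests nobody)" ;;
    esac
    if [ ! -r "$pem" ]; then
        echo "pem-file: cannot read '$pem'"
        return
    fi
    grep -q -e '-----BEGIN CERTIFICATE-----' "$pem" || echo "pem-file: no certificate block"
    grep -Eq -e '-----BEGIN (RSA |EC )?PRIVATE KEY-----' "$pem" || echo "pem-file: no private key block"
    # Corresponds to the "no DH parameters found" note stud prints at startup.
    grep -q -e '-----BEGIN DH PARAMETERS-----' "$pem" || echo "pem-file: no DH parameters block"
    # The file holds the private key: group and others should have no access.
    case $(ls -ld "$pem") in
        ????------*) ;;
        *) echo "pem-file: accessible by group or others" ;;
    esac
}

# Constructed sample input: PEM markers only, no real key material.
demo=$(mktemp -d)
printf '%s\n' '-----BEGIN PRIVATE KEY-----' '(constructed)' '-----END PRIVATE KEY-----' \
    '-----BEGIN CERTIFICATE-----' '(constructed)' '-----END CERTIFICATE-----' > "$demo/bundle.pem"
chmod 644 "$demo/bundle.pem"
cat > "$demo/stud.conf" <<EOF
frontend = "[*]:443"
backend = "[127.0.0.1]:80"
pem-file = "$demo/bundle.pem"
user = ""
group = ""
daemon = on
EOF
check_stud_conf "$demo/stud.conf"
```

On the constructed sample it reports the unset user, the missing DH parameters block and the group/world-readable key file.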

Start up stud

$ stud --config=stud.conf
{core} Note: no DH parameters found in /opt/stud/certs-assembly/bundle.pem
{core} Daemonized as pid 19718.

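That’s it. You now have a stud installation unwrapping SSL connections and handing them over to your HTTP server. The note about DH parameters is informational: the PEM file contains no DH parameters block, which stud needs in order to offer DHE cipher suites. You can test the setup using a browser or with the openssl command-line tool by using the following command (make sure you use the IP address where you decided to listen).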

openssl s_client -connect 127.0.0.1:443 -servername alexnj.com  