February 1, 2022
3 min read time

Two-Minute Tech Tuesdays - Hitch

2MTT hitch

In this week’s episode of Two-Minute Tech Tuesday, we'll talk about Hitch. Hitch is an open-source TLS proxy that Varnish develops and maintains. It can be used to terminate TLS, which is especially useful if you're using Varnish Cache.



Hitch Features

Adding Hitch in front of Varnish allows you to provide an endpoint for HTTPS requests. Some features of Hitch include:

  • TCP/IP and UNIX domain sockets
  • Support for PROXY protocol versions 1 and 2
  • Multiple certificates can be loaded at once
  • Server Name Indication (SNI)
  • TLS protocols & cipher settings can be configured
  • OCSP stapling

When connecting Hitch to Varnish, you'll need to configure a certain amount of parameters, which can be done in the hitch.conf file. Here's a typical example configuration:

frontend = "[*]:443"
daemon = on
user = "hitch"
group = "hitch"
backend = "[]:8443"
pem-dir = "/etc/hitch/cert.d"
pem-dir-glob = "*.pem"
pem-file = "/etc/hitch/cert.pem"
alpn-protos = "h2, http/1.1"
write-proxy-v2 = on


Not all of the settings are there because most of the default values are sufficient. The frontend is our listening address which is bound to all network interfaces, listening on the conventional TLS port: 443. The backend represents Varnish, which is hosted locally on port 8443.


The pem-dir directive specifies the directory where certificates can be found. We will only load the files that match the glob pattern, which is .pem. Certificates can also be explicitly loaded through pem-file and this /etc/hitch/cert.pem file acts as our fallback.


Application-level protocol negotiation can also take place at the TLS level, announcing support for both HTTP/2 and HTTP/1.1. Because we want to use the PROXY protocol to relay more information about the original client connection, we'll write the PROXY v2 header.

Varnish Configuration

Varnish also needs to be configured to handle Hitch connections. We won't solely rely on port 80 for incoming connections but we will register an extra listening address hosted locally, listening on port 8443 for PROXY input.

Screen Shot 2022-01-31 at 8.05.44 PM


If you don't want to use TCP/IP, you can do it over UNIX domain sockets. But remember, it's PROXY, not regular HTTP. It serves our best interest to also enable HTTP/2 support through this runtime configuration.


If you want switch from TCP/IP to UNIX domain sockets, simply change the listening group and the backend and register the socket there.


Hitch is not strictly tied to Varnish, nor is it to HTTP, so you can use it outside of a web context. The fact that it supports the PROXY protocol also makes it easy in conjunction with other technologies, especially Varnish. If you're looking for a pure TLS proxy,
Hitch should be on top of your list.