Skip site navigation (1)Skip section navigation (2)

FreeBSD Manual Pages


home | help
UALPN(1)			 User Commands			      UALPN(1)

       ualpn - lightweight proxying ACMEv2 tls-alpn-01 responder

       ualpn [-4|--ipv4] [-6|--ipv6] [-b|--bind	address[@port]]	[-c|--connect
       address[@port]] [-d|--daemon] [-l|--logfile file] [-m|--max-auths N]
       [-n|--num-workers N] [-p|--pidfile file]	[-P|--proxy N] [-r|--chroot
       dir] [-s|--sock path] [-S|--sock-mode mode] [-t|--terminate] [-u|--user
       user[:group]] [-v|--verbose ...]	[-V|--version] [-?|--help]

       ualpn is	a lightweight proxying ACMEv2 tls-alpn-01 challenge responder
       compliant with RFC8737 ( and
       RFC8738 (

       Depending on how	it is invoked, ualpn runs in either client or server
       mode. In	client mode ualpn connects to a	running	server mode instance
       of itself through a unix	domain socket, in order	to add or remove
       ACMEv2 authorizations. See CLIENT MODE below.

       In server mode ualpn listens for	incoming connections (by default on
       port 443, which is mandatory for	tls-alpn-01 challenges). It then
       handles any such	connection in one of two different ways:

       o   if the connection begins with a "ClientHello" TLS handshake packet
	   including a "acme-tls/1" RFC7301 Application	Level Protocol
	   Negotiation extension and a RFC6066 Server Name Indication
	   extension matching an identifier for	which it has an	authorization,
	   ualpn performs the tls-alpn-01 handshake and	closes the connection;

       o   otherwise ualpn transparently proxies the connection	to one of the
	   backend servers it is configured with. By default ualpn adds	PROXY
	   v1 headers
	   (	in
	   order to safely transport connection	information such as the
	   client's address to the backend. The	PROXY protocol is currently
	   supported by	apache,	nginx and several other	server programs.

       The event-driven	implementation is based	on libev
       ( and considerably reduces the cost of context
       switches	and memory usage. In addition on systems such as Linux
       supporting the splice() system call, ualpn is able to move network data
       without copying it to/from kernel/user address space.

       -4, --ipv4
	   Only	listen to IPv4 connections

       -6, --ipv6
	   Only	listen to IPv6 connections

       -b, --bind address[@port]
	   Enable server mode and listen to address. The address must be
	   specified in	numeric	format using the standard IPv4 or IPv6
	   notation. Optionally, a port	number can be given (default is	443).
	   This	flag can be specified multiple times to	listen to multiple IP
	   addresses. If this flag is not specified and	server mode was
	   enabled by some other option, ualpn listens to the wildcard
	   interface; otherwise	it runs	in client mode (see CLIENT MODE

       -c, --connect address[@port]
	   Enable server mode and add a	new backend. The backend address must
	   be specified	in numeric format using	the standard IPv4 or IPv6
	   notation. Optionally, a port	number can be given (default is	443).
	   This	flag can be specified multiple times to	add multiple backends.
	   This	flag must be specified at least	once in	server mode.

       -d, --daemon
	   Enable server mode and fork in the background

       -l, --logfile file
	   Log to file.	By default ualpn logs to syslog	if -d, --daemon	was
	   specified or	stderr otherwise. See also -v, --verbose

       -m, --max-auths N
	   Enable server mode and allow	managing ACMEv2	tls-alpn-01 challenges
	   for up to N different identifiers (default 100)

       -n, --num-workers N
	   Enable server mode and spawn	N worker processes (default 2) to
	   handle connections. Note that worker	processes are single threaded
	   but thanks to the event based implementation	each can handle
	   several (potentially	thousands) connections concurrently.

       -p, --pidfile file
	   Specify pidfile location (default /var/run/

       -P, --proxy N
	   Enable server mode and disable (0) or specify (1, 2)	the PROXY
	   header version (default 1). The backend server needs	to be
	   configured accordingly:

	   o   nginx:

	   o   apache:

       -r, --chroot dir
	   Enable server mode and specify a directory to chroot	to. If logging
	   to syslog it	is necessary to	ensure that a syslogd(8) socket	is
	   available at	/dev/log in the	chroot directory, otherwise ualpn will
	   not produce any log output.

       -s, --sock path
	   Specify unix	socket path (default /var/run/ualpn.sock)

       -S, --sock-mode mode
	   Enable server mode and specify socket access	permissions (default

       -t, --terminate
	   Try to terminate a running ualpn server. This is achieved by
	   looking up the process id stored by the server in the pidfile (see
	   -p, --pidfile) and signalling it to terminate.

       -u, --user user[:group]
	   Enable server mode and drop user (and optionally group) privileges
	   to those of user after binding the sockets. Also affects the
	   ownership of	the unix socket, pidfile and logfile (if any).

       -v, --verbose
	   By default ualpn only produces logs upon errors or warnings.	When
	   this	option is specified ualpn also logs notice messages. This
	   option can be specified more	than once to increase verbosity	and
	   include information (twice) or debug	(three times) messages.

       -V, --version
	   Print program version on stderr and exit.

       -?, --help
	   Print a brief usage text on stderr and exit.

       In client mode ualpn pipes stdin/stdout to/from the unix	socket of the
       running server instance of itself. The protocol is ASCII	text based,
       case sensitive, line oriented, with two commands:

       auth identifier authorization
	   The auth command instructs the running ualpn	server to handle
	   ACMEv2 tls-alpn-01 challenges for identifier, which can be a	string
	   representing	either a domain	(type dns according to RFC8555 section
	   9.7.8) or an	IP address (type ip according to RFC8738 section 6).
	   authorization must contain the base64url encoding of	the SHA-256
	   digest of the key authorization computed according to RFC8737
	   section 3 (note the uacme software executes hook scripts with the
	   correct authorization passed	as the 5th argument). Upon successful
	   invocation of the auth command ualpn	generates a self signed
	   certificate as required by the tls-alpn-01 challenge, and then uses
	   it to perform tls-alpn-01 handshakes	for the	given identifier.

       unauth identifier
	   The unauth command instructs	the running ualpn server to no longer
	   handle ACMEv2 tls-alpn-01 challenges	for identifier.

       ualpn responds to both commands with a line beginning with either "OK"
       or "ERR", followed by a space and additional error information.

       ualpn -vv -d -u nobody:nogroup -c	-S 666
	   start ualpn as a daemon, binding to the default port	443 on the
	   wildcard interface. Proxy connections to port 4443 on
	   After opening the sockets, drop the user privileges and run as
	   nobody:nogroup. Allow anyone	on the local host to access the	unix
	   socket. Also	increase the verbosity to include notice and
	   information messages.

       echo "auth DEi0apzMOdMT2DAro57oIvn-wEzPiYcAYDh2Cvjra3I"
       | ualpn
	   Instruct the	running	ualpn server to	handle ACMEv2 tls-alpn-01
	   challenges for with the given key authorization.

       echo "unauth" | ualpn
	   Instruct the	running	ualpn server to	no longer handle ACMEv2
	   tls-alpn-01 challenges for


	   Failure (syntax or usage error; configuration error;	processing
	   failure; unexpected error).

       The hook script	included in the	distribution can be used to
       automate	the certificate	issuance with uacme, provided ualpn is
       listening on port 443 of	the webserver for the domain being validated


	   if test $# -ne "$ARGS"
	       echo "Usage: $(basename "$0") method type ident token auth" 1>&2
	       exit $E_BADARGS


	   if [	"$TYPE"	!= "tls-alpn-01" ]; then
	       exit 1

	   case	"$METHOD" in
		   UALPN_OUT=$(echo "auth $IDENT $AUTH"	| ualpn)
		   if [	"x$UALPN_OUT" =	"xOK" ]; then
		       exit 0
		       exit 1
		   UALPN_OUT=$(echo "unauth $IDENT" | ualpn)
		   if [	"x$UALPN_OUT" =	"xOK" ]; then
		       exit 0
		       exit 1
		   echo	"$0: invalid method" 1>&2
		   exit	1

       If you believe you have found a bug, please create a new	issue at	with any applicable


       ualpn was written by Nicola Di Lieto

       Copyright (C) 2019-2021 Nicola Di Lieto <>

       This file is part of uacme.

       uacme is	free software: you can redistribute it and/or modify it	under
       the terms of the	GNU General Public License as published	by the Free
       Software	Foundation, either version 3 of	the License, or	(at your
       option) any later version.

       uacme is	distributed in the hope	that it	will be	useful,	but WITHOUT
       ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
       FITNESS FOR A PARTICULAR	PURPOSE. See the GNU General Public License
       for more	details.

       You should have received	a copy of the GNU General Public License along
       with this program. If not, see

ualpn 1.7.1			  11/06/2021			      UALPN(1)


Want to link to this manual page? Use this URL:

home | help