[thirdparty/systemd.git] / man / systemd-socket-proxyd.xml

<?xml version="1.0"?>
<!--*-nxml-*-->
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
  "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
<!-- SPDX-License-Identifier: LGPL-2.1+ -->
<refentry id="systemd-socket-proxyd"
    xmlns:xi="http://www.w3.org/2001/XInclude">

  <refentryinfo>
    <title>systemd-socket-proxyd</title>
    <productname>systemd</productname>
  </refentryinfo>
  <refmeta>
    <refentrytitle>systemd-socket-proxyd</refentrytitle>
    <manvolnum>8</manvolnum>
  </refmeta>
  <refnamediv>
    <refname>systemd-socket-proxyd</refname>
    <refpurpose>Bidirectionally proxy local sockets to another (possibly remote) socket</refpurpose>
  </refnamediv>
  <refsynopsisdiv>
    <cmdsynopsis>
      <command>systemd-socket-proxyd</command>
      <arg choice="opt" rep="repeat"><replaceable>OPTIONS</replaceable></arg>
      <arg choice="plain"><replaceable>HOST</replaceable>:<replaceable>PORT</replaceable></arg>
    </cmdsynopsis>
    <cmdsynopsis>
      <command>systemd-socket-proxyd</command>
      <arg choice="opt" rep="repeat"><replaceable>OPTIONS</replaceable></arg>
      <arg choice="plain"><replaceable>UNIX-DOMAIN-SOCKET-PATH</replaceable>
      </arg>
    </cmdsynopsis>
  </refsynopsisdiv>
  <refsect1>
    <title>Description</title>
    <para>
    <command>systemd-socket-proxyd</command> is a generic
    socket-activated network socket forwarder proxy daemon for IPv4,
    IPv6 and UNIX stream sockets. It may be used to bi-directionally
    forward traffic from a local listening socket to a local or remote
    destination socket.</para>

    <para>One use of this tool is to provide socket activation support
    for services that do not natively support socket activation. On
    behalf of the service to activate, the proxy inherits the socket
    from systemd, accepts each client connection, opens a connection
    to a configured server for each client, and then bidirectionally
    forwards data between the two.</para>
    <para>This utility's behavior is similar to
    <citerefentry project='die-net'><refentrytitle>socat</refentrytitle><manvolnum>1</manvolnum></citerefentry>.
    The main differences for <command>systemd-socket-proxyd</command>
    are support for socket activation with
    <literal>Accept=no</literal> and an event-driven
    design that scales better with the number of
    connections.</para>
  </refsect1>
  <refsect1>
    <title>Options</title>
    <para>The following options are understood:</para>
    <variablelist>
      <xi:include href="standard-options.xml" xpointer="help" />
      <xi:include href="standard-options.xml" xpointer="version" />
      <varlistentry>
        <term><option>--connections-max=</option></term>
        <term><option>-c</option></term>

        <listitem><para>Sets the maximum number of simultaneous connections, defaults to 256.
        If the limit of concurrent connections is reached further connections will be refused.</para></listitem>
      </varlistentry>
      <varlistentry>
        <term><option>--exit-idle-time=</option></term>

        <listitem><para>Sets the time before exiting when there are no connections, defaults to
        <constant>infinity</constant>. Takes a unit-less value in seconds, or a time span value such
        as <literal>5min 20s</literal>.</para></listitem>
      </varlistentry>
    </variablelist>
  </refsect1>
  <refsect1>
    <title>Exit status</title>
    <para>On success, 0 is returned, a non-zero failure
    code otherwise.</para>
  </refsect1>
  <refsect1>
    <title>Examples</title>
    <refsect2>
      <title>Simple Example</title>
      <para>Use two services with a dependency and no namespace
      isolation.</para>
      <example>
        <title>proxy-to-nginx.socket</title>
        <programlisting><![CDATA[[Socket]
ListenStream=80

[Install]
WantedBy=sockets.target]]></programlisting>
      </example>
      <example>
        <title>proxy-to-nginx.service</title>
        <programlisting><![CDATA[[Unit]
Requires=nginx.service
After=nginx.service
Requires=proxy-to-nginx.socket
After=proxy-to-nginx.socket

[Service]
ExecStart=/usr/lib/systemd/systemd-socket-proxyd /run/nginx/socket
PrivateTmp=yes
PrivateNetwork=yes]]></programlisting>
      </example>
      <example>
        <title>nginx.conf</title>
        <programlisting>
<![CDATA[[…]
server {
    listen       unix:/run/nginx/socket;
    […]]]>
</programlisting>
      </example>
      <example>
        <title>Enabling the proxy</title>
        <programlisting><![CDATA[# systemctl enable --now proxy-to-nginx.socket
$ curl http://localhost:80/]]></programlisting>
      </example>
      <para>If <filename>nginx.service</filename> has <varname>StopWhenUnneeded=</varname> set, then
      passing <option>--exit-idle-time=</option> to <command>systemd-socket-proxyd</command> allows
      both services to stop during idle periods.</para>
    </refsect2>
    <refsect2>
      <title>Namespace Example</title>
      <para>Similar as above, but runs the socket proxy and the main
      service in the same private namespace, assuming that
      <filename>nginx.service</filename> has
      <varname>PrivateTmp=</varname> and
      <varname>PrivateNetwork=</varname> set, too.</para>
      <example>
        <title>proxy-to-nginx.socket</title>
        <programlisting><![CDATA[[Socket]
ListenStream=80

[Install]
WantedBy=sockets.target]]></programlisting>
      </example>
      <example>
        <title>proxy-to-nginx.service</title>
        <programlisting><![CDATA[[Unit]
Requires=nginx.service
After=nginx.service
Requires=proxy-to-nginx.socket
After=proxy-to-nginx.socket
JoinsNamespaceOf=nginx.service

[Service]
ExecStart=/usr/lib/systemd/systemd-socket-proxyd 127.0.0.1:8080
PrivateTmp=yes
PrivateNetwork=yes]]></programlisting>
      </example>
      <example>
        <title>nginx.conf</title>
        <programlisting><![CDATA[[…]
server {
    listen       8080;
    […]]]></programlisting>
      </example>
      <example>
        <title>Enabling the proxy</title>
        <programlisting><![CDATA[# systemctl enable --now proxy-to-nginx.socket
$ curl http://localhost:80/]]></programlisting>
      </example>
    </refsect2>
  </refsect1>
  <refsect1>
    <title>See Also</title>
    <para>
      <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
      <citerefentry><refentrytitle>systemd.socket</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
      <citerefentry><refentrytitle>systemd.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
      <citerefentry><refentrytitle>systemctl</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
      <citerefentry project='die-net'><refentrytitle>socat</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
      <citerefentry project='die-net'><refentrytitle>nginx</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
      <citerefentry project='die-net'><refentrytitle>curl</refentrytitle><manvolnum>1</manvolnum></citerefentry>
    </para>
  </refsect1>
</refentry>
Commit	Line	Data
912b54ad DS	1	<?xml version="1.0"?>
912b54ad DS	2	<!---nxml--->
3a54a157 ZJS	3	<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
3a54a157 ZJS	4	"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
0307f791	5	<!-- SPDX-License-Identifier: LGPL-2.1+ -->
dfdebb1b	6	<refentry id="systemd-socket-proxyd"
798d3a52	7	xmlns:xi="http://www.w3.org/2001/XInclude">
dfdebb1b	8
798d3a52 ZJS	9	<refentryinfo>
	10	<title>systemd-socket-proxyd</title>
	11	<productname>systemd</productname>
798d3a52 ZJS	12	</refentryinfo>
	13	<refmeta>
	14	<refentrytitle>systemd-socket-proxyd</refentrytitle>
	15	<manvolnum>8</manvolnum>
	16	</refmeta>
	17	<refnamediv>
	18	<refname>systemd-socket-proxyd</refname>
e9dd6984	19	<refpurpose>Bidirectionally proxy local sockets to another (possibly remote) socket</refpurpose>
798d3a52 ZJS	20	</refnamediv>
	21	<refsynopsisdiv>
	22	<cmdsynopsis>
	23	<command>systemd-socket-proxyd</command>
	24	<arg choice="opt" rep="repeat"><replaceable>OPTIONS</replaceable></arg>
	25	<arg choice="plain"><replaceable>HOST</replaceable>:<replaceable>PORT</replaceable></arg>
	26	</cmdsynopsis>
	27	<cmdsynopsis>
	28	<command>systemd-socket-proxyd</command>
	29	<arg choice="opt" rep="repeat"><replaceable>OPTIONS</replaceable></arg>
	30	<arg choice="plain"><replaceable>UNIX-DOMAIN-SOCKET-PATH</replaceable>
	31	</arg>
	32	</cmdsynopsis>
	33	</refsynopsisdiv>
	34	<refsect1>
	35	<title>Description</title>
	36	<para>
	37	<command>systemd-socket-proxyd</command> is a generic
	38	socket-activated network socket forwarder proxy daemon for IPv4,
	39	IPv6 and UNIX stream sockets. It may be used to bi-directionally
	40	forward traffic from a local listening socket to a local or remote
	41	destination socket.</para>
8569a776	42
798d3a52 ZJS	43	<para>One use of this tool is to provide socket activation support
	44	for services that do not natively support socket activation. On
	45	behalf of the service to activate, the proxy inherits the socket
	46	from systemd, accepts each client connection, opens a connection
	47	to a configured server for each client, and then bidirectionally
	48	forwards data between the two.</para>
	49	<para>This utility's behavior is similar to
3ba3a79d	50	<citerefentry project='die-net'><refentrytitle>socat</refentrytitle><manvolnum>1</manvolnum></citerefentry>.
798d3a52 ZJS	51	The main differences for <command>systemd-socket-proxyd</command>
798d3a52 ZJS	52	are support for socket activation with
964c4eda	53	<literal>Accept=no</literal> and an event-driven
798d3a52 ZJS	54	design that scales better with the number of
	55	connections.</para>
	56	</refsect1>
	57	<refsect1>
	58	<title>Options</title>
	59	<para>The following options are understood:</para>
	60	<variablelist>
	61	<xi:include href="standard-options.xml" xpointer="help" />
	62	<xi:include href="standard-options.xml" xpointer="version" />
dc3b8afb	63	<varlistentry>
23d0fff7	64	<term><option>--connections-max=</option></term>
dc3b8afb DK	65	<term><option>-c</option></term>
	66
	67	<listitem><para>Sets the maximum number of simultaneous connections, defaults to 256.
	68	If the limit of concurrent connections is reached further connections will be refused.</para></listitem>
	69	</varlistentry>
9e12d5bf EA	70	<varlistentry>
	71	<term><option>--exit-idle-time=</option></term>
	72
	73	<listitem><para>Sets the time before exiting when there are no connections, defaults to
	74	<constant>infinity</constant>. Takes a unit-less value in seconds, or a time span value such
	75	as <literal>5min 20s</literal>.</para></listitem>
	76	</varlistentry>
798d3a52 ZJS	77	</variablelist>
	78	</refsect1>
	79	<refsect1>
	80	<title>Exit status</title>
	81	<para>On success, 0 is returned, a non-zero failure
	82	code otherwise.</para>
	83	</refsect1>
	84	<refsect1>
	85	<title>Examples</title>
	86	<refsect2>
	87	<title>Simple Example</title>
	88	<para>Use two services with a dependency and no namespace
	89	isolation.</para>
	90	<example>
	91	<title>proxy-to-nginx.socket</title>
	92	<programlisting><![CDATA[[Socket]
912b54ad DS	93	ListenStream=80
	94
	95	[Install]
9fccdb0f	96	WantedBy=sockets.target]]></programlisting>
798d3a52 ZJS	97	</example>
	98	<example>
	99	<title>proxy-to-nginx.service</title>
	100	<programlisting><![CDATA[[Unit]
912b54ad	101	Requires=nginx.service
34c7dc47	102	After=nginx.service
d7cefe8b	103	Requires=proxy-to-nginx.socket
e5bb1de8	104	After=proxy-to-nginx.socket
912b54ad DS	105
912b54ad DS	106	[Service]
edd1dcd0	107	ExecStart=/usr/lib/systemd/systemd-socket-proxyd /run/nginx/socket
34c7dc47	108	PrivateTmp=yes
9fccdb0f	109	PrivateNetwork=yes]]></programlisting>
798d3a52 ZJS	110	</example>
	111	<example>
	112	<title>nginx.conf</title>
	113	<programlisting>
1eecafb8	114	<![CDATA[[…]
912b54ad	115	server {
edd1dcd0	116	listen unix:/run/nginx/socket;
1eecafb8	117	[…]]]>
912b54ad	118	</programlisting>
798d3a52 ZJS	119	</example>
	120	<example>
	121	<title>Enabling the proxy</title>
ee3c52eb	122	<programlisting><![CDATA[# systemctl enable --now proxy-to-nginx.socket
9fccdb0f	123	$ curl http://localhost:80/]]></programlisting>
798d3a52	124	</example>
9e12d5bf EA	125	<para>If <filename>nginx.service</filename> has <varname>StopWhenUnneeded=</varname> set, then
	126	passing <option>--exit-idle-time=</option> to <command>systemd-socket-proxyd</command> allows
	127	both services to stop during idle periods.</para>
798d3a52 ZJS	128	</refsect2>
	129	<refsect2>
	130	<title>Namespace Example</title>
	131	<para>Similar as above, but runs the socket proxy and the main
	132	service in the same private namespace, assuming that
	133	<filename>nginx.service</filename> has
	134	<varname>PrivateTmp=</varname> and
	135	<varname>PrivateNetwork=</varname> set, too.</para>
	136	<example>
	137	<title>proxy-to-nginx.socket</title>
	138	<programlisting><![CDATA[[Socket]
912b54ad DS	139	ListenStream=80
	140
	141	[Install]
9fccdb0f	142	WantedBy=sockets.target]]></programlisting>
798d3a52 ZJS	143	</example>
	144	<example>
	145	<title>proxy-to-nginx.service</title>
	146	<programlisting><![CDATA[[Unit]
34c7dc47 LP	147	Requires=nginx.service
34c7dc47 LP	148	After=nginx.service
e5bb1de8 RH	149	Requires=proxy-to-nginx.socket
e5bb1de8 RH	150	After=proxy-to-nginx.socket
34c7dc47	151	JoinsNamespaceOf=nginx.service
912b54ad DS	152
912b54ad DS	153	[Service]
12b42c76	154	ExecStart=/usr/lib/systemd/systemd-socket-proxyd 127.0.0.1:8080
34c7dc47	155	PrivateTmp=yes
9fccdb0f	156	PrivateNetwork=yes]]></programlisting>
798d3a52 ZJS	157	</example>
	158	<example>
	159	<title>nginx.conf</title>
1eecafb8	160	<programlisting><![CDATA[[…]
912b54ad DS	161	server {
912b54ad DS	162	listen 8080;
1eecafb8	163	[…]]]></programlisting>
798d3a52 ZJS	164	</example>
	165	<example>
	166	<title>Enabling the proxy</title>
ee3c52eb	167	<programlisting><![CDATA[# systemctl enable --now proxy-to-nginx.socket
9fccdb0f	168	$ curl http://localhost:80/]]></programlisting>
798d3a52 ZJS	169	</example>
	170	</refsect2>
	171	</refsect1>
	172	<refsect1>
	173	<title>See Also</title>
	174	<para>
	175	<citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
	176	<citerefentry><refentrytitle>systemd.socket</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
	177	<citerefentry><refentrytitle>systemd.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
	178	<citerefentry><refentrytitle>systemctl</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
3ba3a79d ZJS	179	<citerefentry project='die-net'><refentrytitle>socat</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
	180	<citerefentry project='die-net'><refentrytitle>nginx</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
	181	<citerefentry project='die-net'><refentrytitle>curl</refentrytitle><manvolnum>1</manvolnum></citerefentry>
798d3a52 ZJS	182	</para>
798d3a52 ZJS	183	</refsect1>
912b54ad	184	</refentry>