<surname>Strauss</surname>
<email>david@davidstrauss.net</email>
</author>
- <author>
- <contrib>Developer</contrib>
- <firstname>Lennart</firstname>
- <surname>Poettering</surname>
- <email>lennart@poettering.net</email>
- </author>
</authorgroup>
</refentryinfo>
<refmeta>
<refentrytitle>systemd-socket-proxyd</refentrytitle>
- <manvolnum>1</manvolnum>
+ <manvolnum>8</manvolnum>
</refmeta>
<refnamediv>
<refname>systemd-socket-proxyd</refname>
<para>
<command>systemd-socket-proxyd</command> is a generic
socket-activated network socket forwarder proxy daemon
- for IPV4, IPv6 and UNIX stream sockets. It may be used
+ for IPv4, IPv6 and UNIX stream sockets. It may be used
to bi-directionally forward traffic from a local listening socket to a
local or remote destination socket.</para>
<title>Options</title>
<para>The following options are understood:</para>
<variablelist>
- <varlistentry>
- <term><option>-l</option></term>
- <term><option>--listener</option></term>
- <listitem>
- <para>Restricts listening to a
- single inherited socket, specified
- as a file descriptor. By default,
- the proxy listens on all inherited
- sockets.</para>
- </listitem>
- </varlistentry>
<varlistentry>
<term><option>-h</option></term>
<term><option>--help</option></term>
<refsect1>
<title>Examples</title>
<refsect2>
- <title>Direct-Use Example</title>
+ <title>Simple Example</title>
<para>Use two services with a dependency
and no namespace isolation.</para>
- <example label="proxy socket unit">
- <title>/etc/systemd/system/proxy-to-nginx.socket</title>
+ <example>
+ <title>proxy-to-nginx.socket</title>
<programlisting>
<![CDATA[[Socket]
ListenStream=80
WantedBy=sockets.target]]>
</programlisting>
</example>
- <example label="proxy service unit">
- <title>/etc/systemd/system/proxy-to-nginx.service</title>
+ <example>
+ <title>proxy-to-nginx.service</title>
<programlisting>
<![CDATA[[Unit]
-After=nginx.service
Requires=nginx.service
+After=nginx.service
[Service]
-ExecStart=/usr/bin/systemd-socket-proxyd /tmp/nginx.sock
-PrivateTmp=true
-PrivateNetwork=true]]>
+ExecStart=/usr/lib/systemd/systemd-socket-proxyd /tmp/nginx.sock
+PrivateTmp=yes
+PrivateNetwork=yes]]>
</programlisting>
</example>
- <example label="nginx configuration">
- <title>/etc/nginx/nginx.conf</title>
+ <example>
+ <title>nginx.conf</title>
<programlisting>
<![CDATA[[...]
server {
[...]]]>
</programlisting>
</example>
- <example label="commands">
+ <example>
+ <title>Enabling the proxy</title>
<programlisting>
<![CDATA[# systemctl enable proxy-to-nginx.socket
# systemctl start proxy-to-nginx.socket
</example>
</refsect2>
<refsect2>
- <title>Indirect-Use Example</title>
- <para>Use a shell script to isolate the
- service and proxy into the same namespace.
- This is particularly useful for running
- TCP-only daemons without the daemon
- affecting ports on regular
- interfaces.</para>
- <example label="combined proxy and nginx socket unit">
-
- <title>
- /etc/systemd/system/proxy-with-nginx.socket</title>
+ <title>Namespace Example</title>
+ <para>Similar as above, but runs the socket
+ proxy and the main service in the same private
+ namespace, assuming that
+ <filename>nginx.service</filename> has
+ <varname>PrivateTmp=</varname> and
+ <varname>PrivateNetwork=</varname> set,
+ too.</para>
+ <example>
+ <title>proxy-to-nginx.socket</title>
<programlisting>
<![CDATA[[Socket]
ListenStream=80
WantedBy=sockets.target]]>
</programlisting>
</example>
- <example label="combined proxy and nginx service unit">
-
- <title>
- /etc/systemd/system/proxy-with-nginx.service</title>
+ <example>
+ <title>proxy-to-nginx.service</title>
<programlisting>
<![CDATA[[Unit]
-After=remote-fs.target nss-lookup.target
+Requires=nginx.service
+After=nginx.service
+JoinsNamespaceOf=nginx.service
[Service]
-ExecStartPre=/usr/sbin/nginx -t
-ExecStart=/usr/bin/socket-proxyd-nginx.sh
-PrivateTmp=true
-PrivateNetwork=true]]>
-</programlisting>
- </example>
- <example label="shell script">
- <title>
- /usr/bin/socket-proxyd-nginx.sh</title>
- <programlisting>
-<![CDATA[#!/bin/sh
-/usr/sbin/nginx
-while [ ! -f /tmp/nginx.pid ]
- do
- /usr/bin/inotifywait /tmp/nginx.pid
- done
-exec /usr/bin/systemd-socket-proxyd localhost:8080]]>
+ExecStart=/usr/lib/systemd/systemd-socket-proxyd 127.0.0.1:8080
+PrivateTmp=yes
+PrivateNetwork=yes]]>
</programlisting>
- <para>Make it executable:</para>
- <programlisting>
-<![CDATA[chmod 755 /usr/bin/socket-proxyd-nginx.sh]]>
- </programlisting>
</example>
- <example label="nginx configuration">
- <title>
- /etc/nginx/nginx.conf</title>
+ <example>
+ <title>nginx.conf</title>
<programlisting>
<![CDATA[[...]
server {
[...]]]>
</programlisting>
</example>
- <example label="commands">
+ <example>
+ <title>Enabling the proxy</title>
<programlisting>
-<![CDATA[# systemctl enable proxy-with-nginx.socket
-# systemctl start proxy-with-nginx.socket
+<![CDATA[# systemctl enable proxy-to-nginx.socket
+# systemctl start proxy-to-nginx.socket
$ curl http://localhost:80/]]>
-</programlisting>
- </example>
- </refsect2>
-
- <refsect2>
- <title>Multiple Listeners with Multiple Destinations</title>
- <para>When using namespaces, it may be useful to
- have multiple listeners with each going to a unique
- destination. systemd always passes sockets into
- services in the order specified in the socket
- unit, beginning with file descriptor 3.</para>
- <para>In this example, port <literal>80</literal>
- will proxy to <literal>localhost:8080</literal>,
- and port <literal>443</literal> will proxy to
- <literal>localhost:8443</literal>.</para>
- <example label="proxy socket unit">
- <title>/etc/systemd/system/multi-destination.socket</title>
- <programlisting>
-<![CDATA[[Socket]
-ListenStream=80
-ListenStream=443
-
-[Install]
-WantedBy=sockets.target]]>
-</programlisting>
- </example>
- <example label="proxy service unit">
- <title>/etc/systemd/system/multi-destination.service</title>
- <programlisting>
-<![CDATA[[Service]
-ExecStart=/usr/bin/socket-proxyd-multi-destination.sh
-PrivateTmp=true
-PrivateNetwork=true]]>
-</programlisting>
- </example>
-
- <example label="shell script">
- <title>
- /usr/bin/socket-proxyd-multi-destination.sh</title>
- <programlisting>
-<![CDATA[#!/bin/sh
-/usr/bin/systemd-socket-proxyd --listener=3 localhost:8080 &
-/usr/bin/systemd-socket-proxyd --listener=4 localhost:8443 &
-wait]]>
-</programlisting>
- <para>Make it executable:</para>
- <programlisting>
-<![CDATA[chmod 755 /usr/bin/socket-proxyd-multi-destination.sh]]>
- </programlisting>
- </example>
-
- <example label="commands">
- <programlisting>
-<![CDATA[# systemctl enable multi-destination.socket
-# systemctl start multi-destination.socket
-$ curl http://localhost/
-$ curl https://localhost/]]>
</programlisting>
</example>
</refsect2>
<citerefentry><refentrytitle>systemd.socket</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
<citerefentry><refentrytitle>systemd.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
<citerefentry><refentrytitle>systemctl</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
- <citerefentry><refentrytitle>socat</refentrytitle><manvolnum>1</manvolnum></citerefentry>
+ <citerefentry><refentrytitle>socat</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
+ <citerefentry><refentrytitle>nginx</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
+ <citerefentry><refentrytitle>curl</refentrytitle><manvolnum>1</manvolnum></citerefentry>
</para>
</refsect1>
</refentry>
~ianmdlvl / elogind.git / blobdiff