You should have received a copy of the GNU Lesser General Public License
along with systemd; If not, see <http://www.gnu.org/licenses/>.
-->
-<refentry id="systemd-socket-proxyd">
- <refentryinfo>
- <title>systemd-socket-proxyd</title>
- <productname>systemd</productname>
- <authorgroup>
- <author>
- <contrib>Developer</contrib>
- <firstname>David</firstname>
- <surname>Strauss</surname>
- <email>david@davidstrauss.net</email>
- </author>
- <author>
- <contrib>Developer</contrib>
- <firstname>Lennart</firstname>
- <surname>Poettering</surname>
- <email>lennart@poettering.net</email>
- </author>
- </authorgroup>
- </refentryinfo>
- <refmeta>
- <refentrytitle>systemd-socket-proxyd</refentrytitle>
- <manvolnum>1</manvolnum>
- </refmeta>
- <refnamediv>
- <refname>systemd-socket-proxyd</refname>
- <refpurpose>Bidirectionally proxy local sockets to another (possibly remote) socket.</refpurpose>
- </refnamediv>
- <refsynopsisdiv>
- <cmdsynopsis>
- <command>systemd-socket-proxyd</command>
- <arg choice="opt" rep="repeat"><replaceable>OPTIONS</replaceable></arg>
- <arg choice="plain"><replaceable>HOST</replaceable>:<replaceable>PORT</replaceable></arg>
- </cmdsynopsis>
- <cmdsynopsis>
- <command>systemd-socket-proxyd</command>
- <arg choice="opt" rep="repeat"><replaceable>OPTIONS</replaceable></arg>
- <arg choice="plain"><replaceable>UNIX-DOMAIN-SOCKET-PATH</replaceable>
- </arg>
- </cmdsynopsis>
- </refsynopsisdiv>
- <refsect1>
- <title>Description</title>
- <para>
- <command>systemd-socket-proxyd</command> is a generic
- socket-activated network socket forwarder proxy daemon
- for IPV4, IPv6 and UNIX stream sockets. It may be used
- to bi-directionally forward traffic from a local listening socket to a
- local or remote destination socket.</para>
+<refentry id="systemd-socket-proxyd"
+ xmlns:xi="http://www.w3.org/2001/XInclude">
- <para>One use of this tool is to provide
- socket activation support for services that do not
- natively support socket activation. On behalf of the
- service to activate, the proxy inherits the socket
- from systemd, accepts each client connection, opens a
- connection to a configured server for each client, and
- then bidirectionally forwards data between the
- two.</para>
- <para>This utility's behavior is similar to
- <citerefentry><refentrytitle>socat</refentrytitle><manvolnum>1</manvolnum></citerefentry>.
- The main differences for <command>systemd-socket-proxyd</command>
- are support for socket activation with
- <literal>Accept=false</literal> and an event-driven
- design that scales better with the number of
- connections.</para>
- </refsect1>
- <refsect1>
- <title>Options</title>
- <para>The following options are understood:</para>
- <variablelist>
- <varlistentry>
- <term><option>-l</option></term>
- <term><option>--listener=</option></term>
- <listitem>
- <para>Restricts listening to a
- single inherited socket, specified
- as a file descriptor. By default,
- the proxy listens on all inherited
- sockets.</para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term><option>-h</option></term>
- <term><option>--help</option></term>
- <listitem>
- <para>Prints a short help
- text and exits.</para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term><option>--version</option></term>
- <listitem>
- <para>Prints a version
- string and exits.</para>
- </listitem>
- </varlistentry>
- </variablelist>
- </refsect1>
- <refsect1>
- <title>Exit status</title>
- <para>On success, 0 is returned, a non-zero failure
- code otherwise.</para>
- </refsect1>
- <refsect1>
- <title>Examples</title>
- <refsect2>
- <title>Direct-Use Example</title>
- <para>Use two services with a dependency
- and no namespace isolation.</para>
- <example label="proxy socket unit">
- <title>/etc/systemd/system/proxy-to-nginx.socket</title>
- <programlisting>
-<![CDATA[[Socket]
+ <refentryinfo>
+ <title>systemd-socket-proxyd</title>
+ <productname>systemd</productname>
+ <authorgroup>
+ <author>
+ <contrib>Developer</contrib>
+ <firstname>David</firstname>
+ <surname>Strauss</surname>
+ <email>david@davidstrauss.net</email>
+ </author>
+ </authorgroup>
+ </refentryinfo>
+ <refmeta>
+ <refentrytitle>systemd-socket-proxyd</refentrytitle>
+ <manvolnum>8</manvolnum>
+ </refmeta>
+ <refnamediv>
+ <refname>systemd-socket-proxyd</refname>
+ <refpurpose>Bidirectionally proxy local sockets to another (possibly remote) socket.</refpurpose>
+ </refnamediv>
+ <refsynopsisdiv>
+ <cmdsynopsis>
+ <command>systemd-socket-proxyd</command>
+ <arg choice="opt" rep="repeat"><replaceable>OPTIONS</replaceable></arg>
+ <arg choice="plain"><replaceable>HOST</replaceable>:<replaceable>PORT</replaceable></arg>
+ </cmdsynopsis>
+ <cmdsynopsis>
+ <command>systemd-socket-proxyd</command>
+ <arg choice="opt" rep="repeat"><replaceable>OPTIONS</replaceable></arg>
+ <arg choice="plain"><replaceable>UNIX-DOMAIN-SOCKET-PATH</replaceable>
+ </arg>
+ </cmdsynopsis>
+ </refsynopsisdiv>
+ <refsect1>
+ <title>Description</title>
+ <para>
+ <command>systemd-socket-proxyd</command> is a generic
+ socket-activated network socket forwarder proxy daemon for IPv4,
+ IPv6 and UNIX stream sockets. It may be used to bi-directionally
+ forward traffic from a local listening socket to a local or remote
+ destination socket.</para>
+
+ <para>One use of this tool is to provide socket activation support
+ for services that do not natively support socket activation. On
+ behalf of the service to activate, the proxy inherits the socket
+ from systemd, accepts each client connection, opens a connection
+ to a configured server for each client, and then bidirectionally
+ forwards data between the two.</para>
+ <para>This utility's behavior is similar to
+ <citerefentry project='die-net'><refentrytitle>socat</refentrytitle><manvolnum>1</manvolnum></citerefentry>.
+ The main differences for <command>systemd-socket-proxyd</command>
+ are support for socket activation with
+ <literal>Accept=false</literal> and an event-driven
+ design that scales better with the number of
+ connections.</para>
+ </refsect1>
+ <refsect1>
+ <title>Options</title>
+ <para>The following options are understood:</para>
+ <variablelist>
+ <xi:include href="standard-options.xml" xpointer="help" />
+ <xi:include href="standard-options.xml" xpointer="version" />
+ </variablelist>
+ </refsect1>
+ <refsect1>
+ <title>Exit status</title>
+ <para>On success, 0 is returned, a non-zero failure
+ code otherwise.</para>
+ </refsect1>
+ <refsect1>
+ <title>Examples</title>
+ <refsect2>
+ <title>Simple Example</title>
+ <para>Use two services with a dependency and no namespace
+ isolation.</para>
+ <example>
+ <title>proxy-to-nginx.socket</title>
+ <programlisting><![CDATA[[Socket]
ListenStream=80
[Install]
-WantedBy=sockets.target]]>
-</programlisting>
- </example>
- <example label="proxy service unit">
- <title>/etc/systemd/system/proxy-to-nginx.service</title>
- <programlisting>
-<![CDATA[[Unit]
-After=nginx.service
+WantedBy=sockets.target]]></programlisting>
+ </example>
+ <example>
+ <title>proxy-to-nginx.service</title>
+ <programlisting><![CDATA[[Unit]
Requires=nginx.service
+After=nginx.service
[Service]
-ExecStart=/usr/bin/systemd-socket-proxyd /tmp/nginx.sock
-PrivateTmp=true
-PrivateNetwork=true]]>
-</programlisting>
- </example>
- <example label="nginx configuration">
- <title>/etc/nginx/nginx.conf</title>
- <programlisting>
+ExecStart=/usr/lib/systemd/systemd-socket-proxyd /tmp/nginx.sock
+PrivateTmp=yes
+PrivateNetwork=yes]]></programlisting>
+ </example>
+ <example>
+ <title>nginx.conf</title>
+ <programlisting>
<![CDATA[[...]
server {
listen unix:/tmp/nginx.sock;
[...]]]>
</programlisting>
- </example>
- <example label="commands">
- <programlisting>
-<![CDATA[# systemctl enable proxy-to-nginx.socket
+ </example>
+ <example>
+ <title>Enabling the proxy</title>
+ <programlisting><![CDATA[# systemctl enable proxy-to-nginx.socket
# systemctl start proxy-to-nginx.socket
-$ curl http://localhost:80/]]>
-</programlisting>
- </example>
- </refsect2>
- <refsect2>
- <title>Indirect-Use Example</title>
- <para>Use a shell script to isolate the
- service and proxy into the same namespace.
- This is particularly useful for running
- TCP-only daemons without the daemon
- affecting ports on regular
- interfaces.</para>
- <example label="combined proxy and nginx socket unit">
-
- <title>
- /etc/systemd/system/proxy-with-nginx.socket</title>
- <programlisting>
-<![CDATA[[Socket]
+$ curl http://localhost:80/]]></programlisting>
+ </example>
+ </refsect2>
+ <refsect2>
+ <title>Namespace Example</title>
+ <para>Similar as above, but runs the socket proxy and the main
+ service in the same private namespace, assuming that
+ <filename>nginx.service</filename> has
+ <varname>PrivateTmp=</varname> and
+ <varname>PrivateNetwork=</varname> set, too.</para>
+ <example>
+ <title>proxy-to-nginx.socket</title>
+ <programlisting><![CDATA[[Socket]
ListenStream=80
[Install]
-WantedBy=sockets.target]]>
-</programlisting>
- </example>
- <example label="combined proxy and nginx service unit">
-
- <title>
- /etc/systemd/system/proxy-with-nginx.service</title>
- <programlisting>
-<![CDATA[[Unit]
-After=remote-fs.target nss-lookup.target
+WantedBy=sockets.target]]></programlisting>
+ </example>
+ <example>
+ <title>proxy-to-nginx.service</title>
+ <programlisting><![CDATA[[Unit]
+Requires=nginx.service
+After=nginx.service
+JoinsNamespaceOf=nginx.service
[Service]
-ExecStartPre=/usr/sbin/nginx -t
-ExecStart=/usr/bin/socket-proxyd-nginx.sh
-PrivateTmp=true
-PrivateNetwork=true]]>
-</programlisting>
- </example>
- <example label="shell script">
- <title>
- /usr/bin/socket-proxyd-nginx.sh</title>
- <programlisting>
-<![CDATA[#!/bin/sh
-/usr/sbin/nginx
-while [ ! -f /tmp/nginx.pid ]
- do
- /usr/bin/inotifywait /tmp/nginx.pid
- done
-exec /usr/bin/systemd-socket-proxyd localhost:8080]]>
-</programlisting>
- <para>Make it executable:</para>
- <programlisting>
-<![CDATA[chmod 755 /usr/bin/socket-proxyd-nginx.sh]]>
- </programlisting>
- </example>
- <example label="nginx configuration">
- <title>
- /etc/nginx/nginx.conf</title>
- <programlisting>
-<![CDATA[[...]
+ExecStart=/usr/lib/systemd/systemd-socket-proxyd 127.0.0.1:8080
+PrivateTmp=yes
+PrivateNetwork=yes]]></programlisting>
+ </example>
+ <example>
+ <title>nginx.conf</title>
+ <programlisting><![CDATA[[...]
server {
listen 8080;
- listen unix:/tmp/nginx.sock;
- [...]]]>
-</programlisting>
- </example>
- <example label="commands">
- <programlisting>
-<![CDATA[# systemctl enable proxy-with-nginx.socket
-# systemctl start proxy-with-nginx.socket
-$ curl http://localhost:80/]]>
-</programlisting>
- </example>
- </refsect2>
-
- <refsect2>
- <title>Multiple Listeners with Multiple Destinations</title>
- <para>When using namespaces, it may be useful to
- have multiple listeners with each going to a unique
- destination. systemd always passes sockets into
- services in the order specified in the socket
- unit, beginning with file descriptor 3.</para>
- <para>In this example, port <literal>80</literal>
- will proxy to <literal>localhost:8080</literal>,
- and port <literal>443</literal> will proxy to
- <literal>localhost:8443</literal>.</para>
- <example label="proxy socket unit">
- <title>/etc/systemd/system/multi-destination.socket</title>
- <programlisting>
-<![CDATA[[Socket]
-ListenStream=80
-ListenStream=443
-
-[Install]
-WantedBy=sockets.target]]>
-</programlisting>
- </example>
- <example label="proxy service unit">
- <title>/etc/systemd/system/multi-destination.service</title>
- <programlisting>
-<![CDATA[[Service]
-ExecStart=/usr/bin/socket-proxyd-multi-destination.sh
-PrivateTmp=true
-PrivateNetwork=true]]>
-</programlisting>
- </example>
-
- <example label="shell script">
- <title>
- /usr/bin/socket-proxyd-multi-destination.sh</title>
- <programlisting>
-<![CDATA[#!/bin/sh
-/usr/bin/systemd-socket-proxyd --listener=3 localhost:8080 &
-/usr/bin/systemd-socket-proxyd --listener=4 localhost:8443 &
-wait]]>
-</programlisting>
- <para>Make it executable:</para>
- <programlisting>
-<![CDATA[chmod 755 /usr/bin/socket-proxyd-multi-destination.sh]]>
- </programlisting>
- </example>
-
- <example label="commands">
- <programlisting>
-<![CDATA[# systemctl enable multi-destination.socket
-# systemctl start multi-destination.socket
-$ curl http://localhost/
-$ curl https://localhost/]]>
-</programlisting>
- </example>
- </refsect2>
- </refsect1>
- <refsect1>
- <title>See Also</title>
- <para>
- <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
- <citerefentry><refentrytitle>systemd.socket</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
- <citerefentry><refentrytitle>systemd.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
- <citerefentry><refentrytitle>systemctl</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
- <citerefentry><refentrytitle>socat</refentrytitle><manvolnum>1</manvolnum></citerefentry>
- </para>
- </refsect1>
+ [...]]]></programlisting>
+ </example>
+ <example>
+ <title>Enabling the proxy</title>
+ <programlisting><![CDATA[# systemctl enable proxy-to-nginx.socket
+# systemctl start proxy-to-nginx.socket
+$ curl http://localhost:80/]]></programlisting>
+ </example>
+ </refsect2>
+ </refsect1>
+ <refsect1>
+ <title>See Also</title>
+ <para>
+ <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
+ <citerefentry><refentrytitle>systemd.socket</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
+ <citerefentry><refentrytitle>systemd.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
+ <citerefentry><refentrytitle>systemctl</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
+ <citerefentry project='die-net'><refentrytitle>socat</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
+ <citerefentry project='die-net'><refentrytitle>nginx</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
+ <citerefentry project='die-net'><refentrytitle>curl</refentrytitle><manvolnum>1</manvolnum></citerefentry>
+ </para>
+ </refsect1>
</refentry>