1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
|
<html>
<head>
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<meta http-equiv="Content-Language" content="en" />
<title>s6: the s6-connlimit program</title>
<meta name="Description" content="s6: the s6-connlimit program" />
<meta name="Keywords" content="s6 connection limit s6-connlimit" />
<!-- <link rel="stylesheet" type="text/css" href="//skarnet.org/default.css" /> -->
</head>
<body>
<p>
<a href="index.html">s6</a><br />
<a href="//skarnet.org/software/">Software</a><br />
<a href="//skarnet.org/">skarnet.org</a>
</p>
<h1> The <tt>s6-connlimit</tt> program </h1>
<p>
<tt>s6-connlimit</tt> is a small utility to perform IP-based
control on the number of client connections to a TCP socket, and
uid-based control on the number of client connections to a Unix
domain socket.
</p>
<h2> Interface </h2>
<pre>
s6-connlimit <em>prog...</em>
</pre>
<ul>
<li> <tt>s6-connlimit</tt> reads its environment for the PROTO
environment variable, and then for ${PROTO}CONNNUM and ${PROTO}CONNMAX,
which must contain integers. </li>
<li> If the value of ${PROTO}CONNNUM is superior or equal to the value
of ${PROTO}CONNMAX, s6-connlimit exits 1 with an error message. </li>
<li> Else it execs into <em>prog...</em>. </li>
<li> If ${PROTO}CONNMAX is unset, s6-connlimit directly execs into
<em>prog...</em> without performing any check:
no maximum number of connections has been defined. </li>
</ul>
<h2> Usage </h2>
<p>
The <a href="//skarnet.org/software/s6-networking/s6-tcpserver.html">s6-tcpserver</a> program
defines the PROTO environment variable to "TCP", and spawns every child server with the TCPCONNNUM environment
variable set to the number of connections from the same IP address.
The <a href="//skarnet.org/software/s6-networking/s6-tcpserver-access.html">s6-tcpserver-access</a> program
can set environment variables depending on the client's IP address. If the
s6-tcpserver-access database is configured to set the TCPCONNMAX environment
variable for a given set of IP addresses, and s6-tcpserver-access execs into
s6-connlimit, then s6-connlimit will drop connections if there already are
${TCPCONNMAX} connections from the same client IP address.
</p>
<p>
The <a href="s6-ipcserver.html">s6-ipcserver</a> and
<a href="s6-ipcserver-access.html">s6-ipcserver-access</a> programs can
be used the same way, with "IPC" instead of "TCP", to limit the number
of client connections by UID.
</p>
<h2> Example </h2>
<p>
The following command line:
</p>
<pre>
s6-tcpserver -v2 -c1000 -C40 1.2.3.4 80 \
s6-tcpserver-access -v2 -RHl0 -i <em>dir</em> \
s6-connlimit \
<em>prog...</em>
</pre>
<p>
will run a server listening to IPv4 address 1.2.3.4, on port 80,
serving up to 1000 concurrent connections, and up to 40 concurrent
connections from the same IP address, no matter what the IP address.
For every client connection, it will look up the database set up
in <em>dir</em>; if the connection is accepted, it will run <em>prog...</em>.
</p>
<p>
If the <tt><em>dir</em>/ip4/5.6.7.8_32/env/TCPCONNMAX</tt> file
exists and contains the string <tt>30</tt>, then at most 30 concurrent
connections from 5.6.7.8 will execute <em>prog...</em>, instead of the
default of 40.
</p>
<h2> Notes </h2>
<ul>
<li> The s6-connlimit utility was once part of the
<a href="//skarnet.org/software/s6-networking/">s6-networking</a>
suite, and is mostly useful with TCP connections, which is why the
examples here involve TCP. Nevertheless, it can be used with connections
across Unix domain sockets, and that is why it has been moved to the s6
package. </li>
</ul>
</body>
</html>
|