<?xml version="1.0"?>
<!--*-nxml-*-->
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
     "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
<!--
  This file is part of systemd.

  Copyright 2013 David Strauss

  systemd is free software; you can redistribute it and/or modify it
  under the terms of the GNU Lesser General Public License as published by
  the Free Software Foundation; either version 2.1 of the License, or
  (at your option) any later version.

  systemd is distributed in the hope that it will be useful, but
  WITHOUT ANY WARRANTY; without even the implied warranty of
  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
  Lesser General Public License for more details.

  You should have received a copy of the GNU Lesser General Public License
  along with systemd; If not, see <http://www.gnu.org/licenses/>.
-->
<refentry id="systemd-saproxy">
        <refentryinfo>
                <title>systemd-saproxy</title>
                <productname>systemd</productname>
                <authorgroup>
                        <author>
                                <contrib>Developer</contrib>
                                <firstname>David</firstname>
                                <surname>Strauss</surname>
                                <email>david@davidstrauss.net</email>
                        </author>
                </authorgroup>
        </refentryinfo>
        <refmeta>
                <refentrytitle>systemd-saproxy</refentrytitle>
                <manvolnum>1</manvolnum>
        </refmeta>
        <refnamediv>
                <refname>systemd-saproxy</refname>
                <refpurpose>Inherit a socket. Bidirectionally
                proxy.</refpurpose>
        </refnamediv>
        <refsynopsisdiv>
                <cmdsynopsis>
                        <command>systemd-saproxy</command>
                        <arg choice="opt" rep="repeat">OPTIONS</arg>
                        <arg choice="plain"><replaceable>HOSTNAME-OR-IP</replaceable></arg>
                        <arg choice="plain"><replaceable>PORT-OR-SERVICE</replaceable></arg>
                </cmdsynopsis>
                <cmdsynopsis>
                        <command>systemd-saproxy</command>
                        <arg choice="opt" rep="repeat">OPTIONS</arg>
                        <arg choice="plain"><replaceable>UNIX-DOMAIN-SOCKET-PATH</replaceable>
                        </arg>
                </cmdsynopsis>
        </refsynopsisdiv>
        <refsect1>
                <title>Description</title>
                <para>
                <command>systemd-saproxy</command>provides a proxy
                to socket-activate services that do not yet support
                native socket activation. On behalf of the daemon,
                the proxy inherits the socket from systemd, accepts
                each client connection, opens a connection to the server
                for each client, and then bidirectionally forwards
                data between the two.</para>
                <para>This utility's behavior is similar to
                <citerefentry><refentrytitle>socat</refentrytitle><manvolnum>1</manvolnum> </citerefentry>.
                The main differences for <command>systemd-saproxy</command>
                are support for socket activation with
                <literal>Accept=false</literal> and an event-driven
                design that scales better with the number of
                connections.</para>
        </refsect1>
        <refsect1>
                <title>Options</title>
                <para>The following options are understood:</para>
                <variablelist>
                        <varlistentry>
                                <term><option>-h</option></term>
                                <term><option>--help</option></term>
                                <listitem>
                                        <para>Prints a short help
                                        text and exits.</para>
                                </listitem>
                        </varlistentry>
                        <varlistentry>
                                <term><option>--version</option></term>
                                <listitem>
                                        <para>Prints a version
                                        string and exits.</para>
                                </listitem>
                        </varlistentry>
                        <varlistentry>
                                <term><option>--ignore-env</option></term>
                                <listitem>
                                        <para>Skips verification of
                                        the expected PID and file
                                        descriptor numbers. Use if
                                        invoked indirectly, for
                                        example with a shell script
                                        rather than with
                                        <option>ExecStart=/usr/bin/systemd-saproxy</option>
                                        </para>
                                </listitem>
                        </varlistentry>
                </variablelist>
        </refsect1>
        <refsect1>
                <title>Exit status</title>
                <para>On success 0 is returned, a non-zero failure
                code otherwise.</para>
        </refsect1>
        <refsect1>
                <title>Examples</title>
                <refsect2>
                        <title>Direct-Use Example</title>
                        <para>Use two services with a dependency
                        and no namespace isolation.</para>
                        <example label="bridge socket unit">
                                <title>/etc/systemd/system/bridge-to-nginx.socket</title>
                                <programlisting>
<![CDATA[[Socket]
ListenStream=80

[Install]
WantedBy=socket.target]]>
</programlisting>
                        </example>
                        <example label="bridge service unit">
                                <title>/etc/systemd/system/bridge-to-nginx.service</title>
                                <programlisting>
<![CDATA[[Unit]
After=nginx.service
Requires=nginx.service

[Service]
ExecStart=/usr/bin/systemd-saproxy /tmp/nginx.sock
PrivateTmp=true
PrivateNetwork=true]]>
</programlisting>
                        </example>
                        <example label="nginx configuration">
                                <title>/etc/nginx/nginx.conf</title>
                                <programlisting>
<![CDATA[[...]
server {
    listen       unix:/tmp/nginx.sock;
    [...]]]>
</programlisting>
                        </example>
                        <example label="commands">
                                <programlisting>
<![CDATA[$ sudo systemctl --system daemon-reload
$ sudo systemctl start bridge-to-nginx.socket
$ sudo systemctl enable bridge-to-nginx.socket
$ curl http://localhost:80/]]>
</programlisting>
                        </example>
                </refsect2>
                <refsect2>
                        <title>Indirect-Use Example</title>
                        <para>Use a shell script to isolate the
                        service and bridge into the same namespace.
                        This is particularly useful for running
                        TCP-only daemons without the daemon
                        affecting ports on regular
                        interfaces.</para>
                        <example label="combined bridge and nginx socket unit">

                                <title>
                                /etc/systemd/system/bridge-with-nginx.socket</title>
                                <programlisting>
<![CDATA[[Socket]
ListenStream=80

[Install]
WantedBy=socket.target]]>
</programlisting>
                        </example>
                        <example label="combined bridge and nginx service unit">

                                <title>
                                /etc/systemd/system/bridge-with-nginx.service</title>
                                <programlisting>
<![CDATA[[Unit]
After=syslog.target remote-fs.target nss-lookup.target

[Service]
ExecStartPre=/usr/sbin/nginx -t
ExecStart=/usr/bin/saproxy-nginx.sh
PrivateTmp=true
PrivateNetwork=true]]>
</programlisting>
                        </example>
                        <example label="shell script">
                                <title>
                                /usr/bin/saproxy-nginx.sh</title>
                                <programlisting>
<![CDATA[#!/bin/sh
/usr/sbin/nginx
while [ ! -f /tmp/nginx.pid ]
  do
     /usr/bin/inotifywait /tmp/nginx.pid
  done
/usr/bin/systemd-saproxy --ignore-env localhost 8080]]>
</programlisting>
                        </example>
                        <example label="nginx configuration">
                                <title>
                                /etc/nginx/nginx.conf</title>
                                <programlisting>
<![CDATA[[...]
server {
    listen       8080;
    listen       unix:/tmp/nginx.sock;
    [...]]]>
</programlisting>
                        </example>
                        <example label="commands">
                                <programlisting>
<![CDATA[$ sudo systemctl --system daemon-reload
$ sudo systemctl start bridge-with-nginx.socket
$ sudo systemctl enable bridge-with-nginx.socket
$ curl http://localhost:80/]]>
</programlisting>
                        </example>
                </refsect2>
        </refsect1>
        <refsect1>
                <title>See Also</title>
                <para>
                <citerefentry>
                        <refentrytitle>
                        systemd.service</refentrytitle>
                        <manvolnum>5</manvolnum>
                </citerefentry>,
                <citerefentry>
                        <refentrytitle>
                        systemd.socket</refentrytitle>
                        <manvolnum>5</manvolnum>
                </citerefentry>,
                <citerefentry>
                        <refentrytitle>systemctl</refentrytitle>
                        <manvolnum>1</manvolnum>
                </citerefentry>,
                <citerefentry>
                        <refentrytitle>socat</refentrytitle>
                        <manvolnum>1</manvolnum>
                </citerefentry></para>
        </refsect1>
</refentry>