Kyle Isom
564e0a9c67
Configurable maximum concurrent connections per listener. When the limit is reached, new connections are closed immediately after accept. 0 means unlimited (default, preserving existing behavior). Config: Listener gains max_connections field, validated non-negative. DB: Migration 3 adds listeners.max_connections column. UpdateListenerMaxConns method for runtime changes via gRPC. CreateListener updated to persist max_connections on seed. Server: ListenerState/ListenerData gain MaxConnections. Limit checked in serve() after Accept but before handleConn — if ActiveConnections >= MaxConnections, connection is closed and the accept loop continues. SetMaxConnections method for runtime updates. Proto: SetListenerMaxConnections RPC added. ListenerStatus gains max_connections field. Generated code regenerated. gRPC server: SetListenerMaxConnections implements write-through (DB first, then in-memory update). GetStatus includes max_connections. Client: SetListenerMaxConnections method, MaxConnections in ListenerStatus. Tests: DB CRUD and UpdateListenerMaxConns, server connection limit enforcement (accept 2, reject 3rd, close one, accept again), gRPC SetListenerMaxConnections round-trip with DB persistence, not-found error handling. Also updates PROJECT_PLAN.md with phases 6-8 and PROGRESS.md with tracking for the new features. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
mc-proxy
mc-proxy is a Layer 4 TLS SNI proxy and router for Metacircular Dynamics services. It reads the SNI hostname from incoming TLS ClientHello messages and proxies the raw TCP stream to the matched backend. It does not terminate TLS.
A global firewall (IP, CIDR, GeoIP country blocking) is evaluated before any routing decision. Blocked connections receive a TCP RST with no further information.
Quick Start
# Build
make mc-proxy
# Run locally (creates srv/ with example config on first run)
make devserver
# Full CI pipeline: vet → lint → test → build
make all
Configuration
Copy the example config and edit it:
cp mc-proxy.toml.example /srv/mc-proxy/mc-proxy.toml
See ARCHITECTURE.md for the full configuration reference.
Key sections:
[database]— SQLite database path (required)[[listeners]]— TCP ports to bind and their route tables (seeds DB on first run)[grpc]— optional gRPC admin API with TLS/mTLS[firewall]— global blocklist (IP, CIDR, GeoIP country)[proxy]— connect timeout, idle timeout, shutdown timeout
CLI Commands
| Command | Purpose |
|---|---|
mc-proxy server -c <config> |
Start the proxy |
mc-proxy status -c <config> |
Query a running instance's health via gRPC |
mc-proxy snapshot -c <config> |
Create a database backup (VACUUM INTO) |
Deployment
See RUNBOOK.md for operational procedures.
# Install on a Linux host
sudo deploy/scripts/install.sh
# Or build and run as a container
make docker
docker run -v /srv/mc-proxy:/srv/mc-proxy mc-proxy server -c /srv/mc-proxy/mc-proxy.toml
Design
mc-proxy intentionally omits a REST API and web frontend. The gRPC admin API is the sole management interface. This is an intentional departure from the Metacircular engineering standards — mc-proxy is pre-auth infrastructure and a minimal attack surface is prioritized over interface breadth.
See ARCHITECTURE.md for the full system specification.
License
Proprietary. Metacircular Dynamics.