You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
{{ message }}
This repository was archived by the owner on Apr 5, 2026. It is now read-only.
Follow-up to #60 (comment) requesting per-secret connection limits.
The secret labels feature (f5aacb9) established the infrastructure:
Each connection stores its matched secret index in tcp_rpc_data.extra_int2
Per-secret active connection counters (per_secret_connections[16]) are already tracked
Labels are available via tcp_rpcs_get_ext_secret_label()
Requested behavior
Add an optional per-secret connection limit (e.g., -S secret:label:1000 or a separate --secret-limit flag)
When the limit is reached for a given secret, new connections using that secret are rejected
Existing connections are not affected
The limit should be visible in stats output
Use case
Prevent a leaked secret from consuming all proxy resources — if one secret is compromised and shared widely, it can be capped while other secrets continue operating normally.
Implementation notes
The check would go in tcp_rpcs_compact_parse_execute() right after D->extra_int2 = secret_id + 1 is set, before the connection is fully established. Compare per_secret_connections[secret_id] against the configured limit.
Context
Follow-up to #60 (comment) requesting per-secret connection limits.
The secret labels feature (f5aacb9) established the infrastructure:
tcp_rpc_data.extra_int2per_secret_connections[16]) are already trackedtcp_rpcs_get_ext_secret_label()Requested behavior
-S secret:label:1000or a separate--secret-limitflag)Use case
Prevent a leaked secret from consuming all proxy resources — if one secret is compromised and shared widely, it can be capped while other secrets continue operating normally.
Implementation notes
The check would go in
tcp_rpcs_compact_parse_execute()right afterD->extra_int2 = secret_id + 1is set, before the connection is fully established. Compareper_secret_connections[secret_id]against the configured limit.