Everyone knows about the limits on the number of connections from one IP (IP-based), but what if we want to limit the number of connections to a certain API per authorization token?
And it doesn’t matter how many different IPs will be used.

Part of the nginx config:

map $request_uri $client_token {
    "~*(?i)(token=)([a-f0-9]{32})" $2;      # regex return <32str>
    default                        "";      # Fallback to limit_req_zone:global
}

limit_req_zone  $binary_remote_addr   zone=global:32m       rate=100r/s;    # Rule_1
limit_req_zone  $client_token         zone=tokenlimit:32m   rate=5r/s;      # Rule_2
limit_req       zone=global           burst=25;

server {
        location / {
            index index.html;
            root /var/www/html;
        }
        location = /api {
            index index.html;
            root /var/www/api/html;
            limit_req   zone=tokenlimit   burst=5 nodelay;  # api location
            limit_req   zone=global;                        # Fallback
            limit_req_status              429;              # 503

Abstractly.
There is some software that needs X’s.
Download, install, launch - enjoy.
But here’s the problem: I don’t want to run software (absolutely everything that is not included in the standard debian repository.) like this on:

1. My HOST.
2. From my user.
3. Under my user’s Xorg.
4. Allow into my networks, including 127.0.0.0

In addition, a browser for regular web surfing and a browser for client banking are not the same browser, user, and sometimes even system.
We will not consider points 1, 2, 4 now; we will talk about X.

In debian, with standard system settings, LightDM is used as the default display manager.
You can enable listen tcp in it, but it runs Xorg processes as root.
In gdm3, on the contrary, by default, it launches Xorg from the user who logs into the environment, but the ability to enable listen tcp was broken.
More precisely, they left the ability to disable nolisten tcp,
but not enable listen tcp.

To do this, you need to edit the wrapper over X.

We have a laptop with intel wifi onboard which sometimes failed due to overheating, or due to long-term uptime, or channel load / pps, or whatever.

[2250886.567817] ieee80211 phy0: Hardware restart was requested
[2250886.602451] iwlwifi 0000:24:00.0: Radio type=0x1-0x2-0x0
[2250886.899471] iwlwifi 0000:24:00.0: Radio type=0x1-0x2-0x0
[2250887.042217] iwlwifi 0000:24:00.0: Microcode SW error detected.  Restarting 0x2000000.
[2250887.042225] iwlwifi 0000:24:00.0: Loaded firmware version: 18.168.6.1 6000g2a-6.ucode
[2250887.042348] iwlwifi 0000:24:00.0: Start IWL Error Log Dump:
[2250887.042349] iwlwifi 0000:24:00.0: Status: 0x0000004C, count: 6
[2250887.042482] iwlwifi 0000:24:00.0: Start IWL Event Log Dump: nothing in log
[2250887.042486] iwlwifi 0000:24:00.0: BUG_ON, Stop restarting
[2250887.128058] iwlwifi 0000:24:00.0: Command REPLY_ADD_STA failed: FW Error
[2250887.128063] wlan0: failed to remove key (0, 01:11:88:ab:2c:99) from hardware (-5)
[2250887.128112] iwlwifi 0000:24:00.0: iwl_trans_wait_tx_queues_empty bad state = 0
[2250887.128132] iwlwifi 0000:24:00.0: Command REPLY_ADD_STA failed: FW Error
[2250887.128133] wlan0: failed to remove key (1, ff:ff:ff:ff:ff:ff) from hardware (-5)
[2250887.228460] iwlwifi 0000:24:00.0: Request scan called when driver not ready.
[2250902.567848] iwlwifi 0000:24:00.0: Command REPLY_RXON failed: FW Error
[2250902.567857] iwlwifi 0000:24:00.0: Error clearing ASSOC_MSK on BSS (-5)
[2250902.587425] iwlwifi 0000:24:00.0: Radio type=0x1-0x2-0x0
[2250902.637530] iwlwifi 0000:24:00.0: Command COEX_PRIORITY_TABLE_CMD failed: FW Error
[2250902.637535] iwlwifi 0000:24:00.0: Could not complete ALIVE transition: -5
[2250902.649786] iwlwifi 0000:24:00.0: Failed to run INIT ucode: -5
[2250902.649819] iwlwifi 0000:24:00.0: Unable to initialize device.
[2250960.530138] iwlwifi 0000:24:00.0: Radio type=0x1-0x2-0x0
[2250960.665000] iwlwifi 0000:24:00.0: Unable to initialize device.

Basic or simple option just reboot system. But when (always) you have million open windows and million shell tabs with runned scripts over mounted partitions, it’s not a vary good option.

Installing and configuring an unprivileged lxc container with uid/gid offset.

LANG=C SUITE=bookworm MIRROR=https://ftp.debian.org/debian/ lxc-create --name=unprivileged-lxc --template=debian

Let’s add additional subuids/subgids for the root user.

usermod --add-subuids 200000-265535 root
usermod --add-subgids 200000-265535 root
# to remove subgroups
# usermod --del-subuids 200000-265535 root
# usermod --del-subgids 200000-265535 root

There are a lot of articles on the Internet about improving OpenVPN speed, and often they are all focused on the settings of the server-client itself, packet sizes, encryption algorithms or disabling them. Everyone compares OpenVPN to a WireGuard. WireGuard works in kernel space and that’s what determines everything. Compared to userspace for openvpn. But that’s not quite true.

Here I must immediately clarify, that the given method of solving the problem is specific for virtual machines with small memory size, from 1Gb to 8Gb, in other cases you need to compare memory, link bandwidth and speed.

Here is a list of dynamically set values ​​relative to the system memory size:

• sysctl net.core.rmem_default
• sysctl net.core.rmem_max
• sysctl net.core.wmem_default
• sysctl net.core.wmem_max
• sysctl net.core.somaxconn
• sysctl net.core.netdev_max_backlog
• sysctl net.core.optmem_max
• sysctl net.ipv4.udp_mem
• sysctl net.ipv4.udp_rmem_min
• sysctl net.ipv4.udp_wmem_min
• sysctl net.ipv4.tcp_mem
• sysctl net.ipv4.tcp_rmem
• sysctl net.ipv4.tcp_wmem
• sysctl net.ipv4.tcp_synack_retries
• sysctl net.ipv4.tcp_keepalive_time
• sysctl net.ipv4.tcp_max_tw_buckets