From bd1a481bfb4975ccbb10e0d6bc9e3e7e91734b3c Mon Sep 17 00:00:00 2001 From: contact Date: Wed, 17 Nov 2021 17:04:14 +0000 Subject: [PATCH] doc/per-user-ip: new documentation article git-svn-id: file:///srv/svn/repo/suika/trunk@715 f0ae65fe-ee39-954e-97ec-027ff2717ef4 --- doc/per-user-ip.md | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) create mode 100644 doc/per-user-ip.md diff --git a/doc/per-user-ip.md b/doc/per-user-ip.md new file mode 100644 index 0000000..cb2ef73 --- /dev/null +++ b/doc/per-user-ip.md @@ -0,0 +1,22 @@ +# Setting up per-user IP addresses + +If your bouncer hosts many users, you may want to assign a unique IP address for +each user. This allows upstream networks to easily ban a single user when a +misbehavior is detected, instead of banning the whole bouncer. + +Assuming you're running Linux and want to use the IPv6 prefix `2001:db8::/32`: + +1. Setup the router to redirect ingress packets with one of these IP addresses + as the destination to your bouncer. +2. Enable `net.ipv6.ip_nonlocal_bind=1` with `sysctl`. +3. Setup a local route for this prefix: + `ip route add local 2001:db8::/56 dev lo` +4. Check network connectivity: + `curl -6 --interface 2001:db8::42 https://emersion.fr` +5. Configure soju to use this IP range: `upstream-user-ip 2001:db8::/32` + +The address `2001:db8::1` will be left unused. Users will be assigned IP +addresses starting from `2001:db8::2`. + +The IRC `/whois` command can be used to double-check that the expected IPv6 +addresses are being used.
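Review bot: The prefix lengths in steps 3 and 5 of the new doc/per-user-ip.md disagree. The local route is added for `2001:db8::/56`, while the introductory sentence and `upstream-user-ip` both use `2001:db8::/32`, so the route covers only part of the range the bouncer is configured to assign from. Use one prefix throughout, for example `ip route add local 2001:db8::/32 dev lo`, or narrow the range in step 5 to the /56. Two smaller points in the same hunk: step 2 should say that a value set with `sysctl` at runtime is lost on reboot unless it is also written to the sysctl configuration, and step 5 says "Configure soju" although this commit lands in the suika tree, so the project name should be checked.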