Commit aa92deea authored by Grzegorz Kostkowski's avatar Grzegorz Kostkowski

Init commit with working code

tdb_config.env
\ No newline at end of file
MIT License
Copyright (c) 2022 gkostkowski
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
# Nginx proxy for private triple store
## Overview
Configuration of NGINX proxy server that allows for read-only requests without
the need to provide credentials to the database. This is done by appending
_Authorization_ header to request header.
Server accepts _HTTP GET_ read-only requests to specified endpoint.
Requests to any other locations in proxied server will be ignored.
According to _SPARQL Update_ standard, update queries can only be performed
through POST requests, so this requirement restricts allowed operations to
read-only queries (_SELECT_, _DESCRIBE_, _ASK_, _CONSTRUCT_).
_Note that this solves quite general problem, so it can be easily adjusted for
any other proxied server._
## Configuration and launching
1. Create ``tdb_config.env`` file from ``tdb_config.env.tmpl`` file, providing
proper values,
1. ``docker-compose up``
1. Server will be available at _localhost:31035_ and expose one specific
endpoint specified in _TDB_REPO_PATH_.
There is also _localhost:38090/nginx_status_ endpoint, providing basic nginx
status and basic stats (check [stub_status](http://nginx.org/en/docs/http/ngx_http_stub_status_module.html#stub_status).)
## Demo
[demo.sh](./demo.sh) contains few _curl_ commands demonstrating use of this server.
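Review bot: the Overview should state that the proxy performs no authentication of its own: every client that can reach the published port issues queries with the injected credentials, so the data behind TDB_REPO_PATH is effectively public to that network. Spell that out next to "without the need to provide credentials" so an operator does not bind port 31035 to a wider network than intended.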
#!/bin/bash -x
CONTAINER_HOST_PORT=localhost:31035
source ./tdb_config.env
curl -G \
-H "Accept: application/sparql-results+json" \
"${CONTAINER_HOST_PORT}${TDB_REPO_PATH}" \
--data-urlencode "query=SELECT ?s ?p ?o { ?s ?p ?o } LIMIT 1"
# will return 404
curl -G \
-H "Accept: application/sparql-results+json" \
"${CONTAINER_HOST_PORT}/catalogs/root/repositories/nonexistent" \
--data-urlencode "query=SELECT ?s ?p ?o { ?s ?p ?o } LIMIT 1"
# will return 403 Forbidden
curl -X POST \
"${CONTAINER_HOST_PORT}${TDB_REPO_PATH}" \
--data-urlencode "query=INSERT DATA { <http://example.com/1> <http://example.com/2> <http://example.com/3> . }"
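Review bot: `#!/bin/bash -x` traces every command, including the assignments executed by `source ./tdb_config.env`, so BASIC_AUTH_USERNAME and BASIC_AUTH_PASSWORD are echoed to stderr (and into any captured terminal log) each time the demo runs. Drop `-x` from the shebang, or wrap the source line in `set +x` / `set -x`, so the demo only traces the curl calls.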
version: '3'
services:
nginx-tdb-proxy:
image: nginx:1.11.9-alpine
ports:
- "31035:10035"
- "38090:8090"
entrypoint:
- /entrypoint.sh
env_file:
- tdb_config.env
environment:
- SERVER_NAME=tdb-proxy
- CLIENT_MAX_BODY_SIZE=10m
- PROXY_READ_TIMEOUT=300s
- WORKER_PROCESSES=auto
volumes:
- ./entrypoint.sh:/entrypoint.sh
- ./nginx.conf.tmpl:/nginx.conf.tmpl
stop_signal: SIGQUIT
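Review bot: `nginx:1.11.9-alpine` is a mainline release from early 2017 that no longer receives fixes; pin a currently supported stable tag instead. Both `ports` entries also bind to all interfaces by default, and the proxy forwards the stored database credentials to anyone who connects, so unless the service is meant to be reachable from the network, publish as `"127.0.0.1:31035:10035"` and `"127.0.0.1:38090:8090"`.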
#!/bin/sh
set -e
# do we need this?
rm -f /etc/nginx/conf.d/*
sed \
-e "s|##CLIENT_MAX_BODY_SIZE##|$CLIENT_MAX_BODY_SIZE|g" \
-e "s|##PROXY_READ_TIMEOUT##|$PROXY_READ_TIMEOUT|g" \
-e "s|##WORKER_PROCESSES##|$WORKER_PROCESSES|g" \
-e "s|##SERVER_NAME##|$SERVER_NAME|g" \
-e "s|##PROXY_PASS##|$TDB_HOST:${TDB_PORT}${TDB_REPO_PATH}|g" \
-e "s|##SERVER_PATH##|$TDB_REPO_PATH|g" \
-e "s|##BASIC_AUTH##|\"Basic $(echo -n $BASIC_AUTH_USERNAME:$BASIC_AUTH_PASSWORD | base64)\"|g" \
-e "s|##PORT##|$TDB_PORT|g" \
nginx.conf.tmpl > /etc/nginx/nginx.conf
exec nginx -g "daemon off;"
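Review bot: `$(echo -n $BASIC_AUTH_USERNAME:$BASIC_AUTH_PASSWORD | base64)` leaves both expansions unquoted (word splitting and globbing apply to the password) and `base64` wraps long output across lines, so a longer `user:password` pair puts a newline inside the sed replacement and yields a broken nginx.conf; use `printf '%s' "$BASIC_AUTH_USERNAME:$BASIC_AUTH_PASSWORD" | base64 | tr -d '\n'`. On the `# do we need this?` question: yes, the official image ships `/etc/nginx/conf.d/default.conf`, which the `include /etc/nginx/conf.d/*.conf;` at the end of the template would otherwise pull in, so either keep the `rm` or drop the include.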
user nginx;
worker_processes ##WORKER_PROCESSES##;
error_log /dev/stdout info;
pid /var/run/nginx.pid;
events {
worker_connections 1024;
}
http {
access_log /dev/stdout;
server {
listen ##PORT##;
server_name ##SERVER_NAME##;
client_max_body_size ##CLIENT_MAX_BODY_SIZE##;
proxy_read_timeout ##PROXY_READ_TIMEOUT##;
location ##SERVER_PATH## {
proxy_set_header Host $host;
limit_except GET {
deny all;
}
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass ##PROXY_PASS##;
proxy_set_header Authorization ##BASIC_AUTH##;
}
}
server {
listen 8090;
location /nginx_status {
stub_status on;
access_log off;
}
}
include /etc/nginx/conf.d/*.conf;
}
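Review bot: `location ##SERVER_PATH##` is a prefix match, so every GET whose URI merely starts with the repository path (sub-resources below it, or a sibling repository whose name shares the prefix) is forwarded with the injected Authorization header; `limit_except GET` restricts the method, not the URI, and per the nginx docs it also admits HEAD. Use an exact match, `location = ##SERVER_PATH## {`, so only the query endpoint itself is proxied. The `stub_status` server on 8090 has no access control either; add `allow 127.0.0.1; deny all;` inside `/nginx_status` unless the stats are meant to be public.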
BASIC_AUTH_USERNAME={{BASIC_AUTH_USERNAME}}
BASIC_AUTH_PASSWORD={{BASIC_AUTH_PASSWORD}}
TDB_HOST={{TDB_HOST}}
TDB_PORT={{TDB_PORT}}
TDB_REPO_PATH={{TDB_REPO_PATH-starting-with-slash}}
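Review bot: `TDB_HOST` is concatenated into `proxy_pass` by entrypoint.sh as `$TDB_HOST:$TDB_PORT$TDB_REPO_PATH`, so the value must carry the scheme (`http://` or `https://`) or nginx refuses to start; document that in the placeholder the same way `TDB_REPO_PATH` notes the leading slash, e.g. `TDB_HOST={{TDB_HOST-including-http-or-https-scheme}}`.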