Init commit with working code

aa92deea · Grzegorz Kostkowski · aa92deea · aa92deea · aa92deea · aa92deea
Commit aa92deea authored Apr 28, 2022 by Grzegorz Kostkowski
8 changed files
--- a/.gitignore
+++ b/.gitignore
+tdb_config.env
\ No newline at end of file
--- a/LICENCE
+++ b/LICENCE
+MIT License
+
+Copyright (c) 2022 gkostkowski
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
--- a/README.md
+++ b/README.md
+# Nginx proxy for private triple store
+## Overview
+Configuration of NGINX proxy server that allows for read-only requests without
+the need to provide credentials to the database. This is done by appending
+_Authorization_ header to request header.
+Server accepts _HTTP GET_ read-only requests to specified endpoint.
+Requests to any other locations in proxied server will be ignored.
+According to _SPARQL Update_ standard, update queries can only be performed
+through POST requests, so this requirement restricts allowed operations to
+read-only queries (_SELECT_, _DESCRIBE_, _ASK_, _CONSTRUCT_).
+
+_Note that this solves quite general problem, so it can be easily adjusted for
+any other proxied server._
+
+## Configuration and launching
+1. Create ``tdb_config.env`` file from ``tdb_config.env.tmpl`` file, providing
+   proper values,
+1. ``docker-compose up``
+1. Server will be available at _localhost:31035_ and expose one specific
+   endpoint specified in _TDB_REPO_PATH_.
+
+There is also _localhost:38090/nginx_status_ endpoint, providing basic nginx
+status and basic stats (check [stub_status](http://nginx.org/en/docs/http/ngx_http_stub_status_module.html#stub_status).)
+
+## Demo
+[demo.sh](./demo.sh) contains few _curl_ commands demonstrating use of this server.
--- a/demo.sh
+++ b/demo.sh
+#!/bin/bash -x
+
+CONTAINER_HOST_PORT=localhost:31035
+source ./tdb_config.env
+curl -G \
+	-H "Accept: application/sparql-results+json" \
+	"${CONTAINER_HOST_PORT}${TDB_REPO_PATH}" \
+    --data-urlencode "query=SELECT ?s ?p ?o { ?s ?p ?o } LIMIT 1"
+
+# will return 404
+curl -G \
+	-H "Accept: application/sparql-results+json" \
+	"${CONTAINER_HOST_PORT}/catalogs/root/repositories/nonexistent" \
+    --data-urlencode "query=SELECT ?s ?p ?o { ?s ?p ?o } LIMIT 1"
+
+# will return 403 Forbidden
+curl -X POST \
+	"${CONTAINER_HOST_PORT}${TDB_REPO_PATH}" \
+    --data-urlencode "query=INSERT DATA { <http://example.com/1> <http://example.com/2> <http://example.com/3> . }"
--- a/docker-compose.yml
+++ b/docker-compose.yml
+version: '3'
+services:
+  nginx-tdb-proxy:
+    image: nginx:1.11.9-alpine
+    ports:
+      - "31035:10035"
+      - "38090:8090"
+    entrypoint:
+      - /entrypoint.sh
+    env_file:
+      - tdb_config.env
+    environment:
+      - SERVER_NAME=tdb-proxy
+      - CLIENT_MAX_BODY_SIZE=10m
+      - PROXY_READ_TIMEOUT=300s
+      - WORKER_PROCESSES=auto
+    volumes:
+      - ./entrypoint.sh:/entrypoint.sh
+      - ./nginx.conf.tmpl:/nginx.conf.tmpl
+    stop_signal: SIGQUIT
--- a/entrypoint.sh
+++ b/entrypoint.sh
+#!/bin/sh
+
+set -e
+
+# do we need this?
+rm -f /etc/nginx/conf.d/*
+
+sed \
+  -e "s|##CLIENT_MAX_BODY_SIZE##|$CLIENT_MAX_BODY_SIZE|g" \
+  -e "s|##PROXY_READ_TIMEOUT##|$PROXY_READ_TIMEOUT|g" \
+  -e "s|##WORKER_PROCESSES##|$WORKER_PROCESSES|g" \
+  -e "s|##SERVER_NAME##|$SERVER_NAME|g" \
+  -e "s|##PROXY_PASS##|$TDB_HOST:${TDB_PORT}${TDB_REPO_PATH}|g" \
+  -e "s|##SERVER_PATH##|$TDB_REPO_PATH|g" \
+  -e "s|##BASIC_AUTH##|\"Basic $(echo -n $BASIC_AUTH_USERNAME:$BASIC_AUTH_PASSWORD | base64)\"|g" \
+  -e "s|##PORT##|$TDB_PORT|g" \
+  nginx.conf.tmpl > /etc/nginx/nginx.conf
+exec nginx -g "daemon off;"
--- a/nginx.conf.tmpl
+++ b/nginx.conf.tmpl
+user nginx;
+worker_processes ##WORKER_PROCESSES##;
+
+error_log /dev/stdout info;
+pid /var/run/nginx.pid;
+
+events {
+  worker_connections 1024;
+}
+
+http {
+  access_log /dev/stdout;
+
+  server {
+    listen ##PORT##;
+    server_name ##SERVER_NAME##;
+
+    client_max_body_size ##CLIENT_MAX_BODY_SIZE##;
+    proxy_read_timeout ##PROXY_READ_TIMEOUT##;
+
+    location ##SERVER_PATH## {
+        proxy_set_header Host      $host;
+        limit_except GET {
+          deny  all;
+        }
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_pass ##PROXY_PASS##;
+        proxy_set_header  Authorization ##BASIC_AUTH##;
+    }
+  }
+
+  server {
+    listen 8090;
+
+    location /nginx_status {
+      stub_status on;
+      access_log off;
+    }
+  }
+
+  include /etc/nginx/conf.d/*.conf;
+}
--- a/tdb_config.env.tmpl
+++ b/tdb_config.env.tmpl
+BASIC_AUTH_USERNAME={{BASIC_AUTH_USERNAME}}
+BASIC_AUTH_PASSWORD={{BASIC_AUTH_PASSWORD}}
+TDB_HOST={{TDB_HOST}}
+TDB_PORT={{TDB_PORT}}
+TDB_REPO_PATH={{TDB_REPO_PATH-starting-with-slash}}