Diffstat (limited to 'README.md')
-rw-r--r-- README.md 43
1 files changed, 43 insertions, 0 deletions
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..5920b9c
--- /dev/null
+++ b/README.md
@@ -0,0 +1,43 @@
+
+**es-public-proxy**: Elasticsearch API proxy intended to be exposed to the
+public internet (or any non-localhost clients) for safe read-only queries
+
+This is intended as a simple alternative to other "read-only" plugins or
+authentication solutions for elasticsearch. A benefit of keeping the
+elasticsearch API itself, instead of building a application-layer wrapper, is
+that there already exist client libraries, tools, and integrations in many
+languages.
+
+Plan:
+
+- single Rust executable
+- fast and simple enough to never impact performance or latency
+- TOML configuration
+- some modern async/await framework
+- use official elasticsearch crate? or just reqwest?
+- small subset of total public API: get, search, scroll
+- per-index permissions
+- return response bodies untouched
+- parse queries with serde JSON, then re-serialize
+
+Stretch or future goals:
+
+- parsing Lucene `query_string`
+- provide an alternate simpler API
+- query caching
+- index aliases and routing
+- version mapping (eg, expose 7.x API for 6.x index)
+
+Non-features:
+
+- TLS (use a general purpose reverse proxy)
+
+## Deployment
+
+The imagined use case is that you have elasticsearch proper listening only to
+localhost connections with plain HTTP. This makes adminstration easy from
+authenticated local UNIX users. No non-localhost connections to elasticsearch
+are allowed, even from trusted clients. This daemon runs as a small sidecar
+proxy on localhost, listening on a public port. All non-localhost clients
+direct queries through the proxy, which parses the query, ensures it is "safe",
+then passes through to backend.
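Review bot: The Deployment paragraph says the proxy parses the query and "ensures it is "safe"", but the README never defines safe, so a reader cannot tell what gets rejected. Spell the policy out next to the "small subset of total public API: get, search, scroll" item: which HTTP methods and paths are accepted, that everything else is denied by default, and whether an unrecognized field in a parsed query body causes rejection or is silently dropped on re-serialization. The same paragraph has the daemon "listening on a public port" while Non-features hands TLS to a general purpose reverse proxy; state which of the two actually faces the internet. Minor: "adminstration" should be "administration", and "a application-layer" should be "an application-layer".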