From f0aa8010401e3872f8f1dcc85c409e77c6b5a1d8 Mon Sep 17 00:00:00 2001 From: Bryan Newbold Date: Mon, 17 Aug 2020 23:22:52 -0700 Subject: init repo with README, gitignore, etc --- README.md | 43 +++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 43 insertions(+) create mode 100644 README.md (limited to 'README.md') diff --git a/README.md b/README.md new file mode 100644 index 0000000..5920b9c --- /dev/null +++ b/README.md 
@@ -0,0 +1,43 @@ + +**es-public-proxy**: Elasticsearch API proxy intended to be exposed to the +public internet (or any non-localhost clients) for safe read-only queries + +This is intended as a simple alternative to other "read-only" plugins or +authentication solutions for elasticsearch. A benefit of keeping the +elasticsearch API itself, instead of building a application-layer wrapper, is +that there already exist client libraries, tools, and integrations in many +languages. + +Plan: + +- single Rust executable +- fast and simple enough to never impact performance or latency +- TOML configuration +- some modern async/await framework +- use official elasticsearch crate? or just reqwest? +- small subset of total public API: get, search, scroll +- per-index permissions +- return response bodies untouched +- parse queries with serde JSON, then re-serialize + +Stretch or future goals: + +- parsing Lucene `query_string` +- provide an alternate simpler API +- query caching +- index aliases and routing +- version mapping (eg, expose 7.x API for 6.x index) + +Non-features: + +- TLS (use a general purpose reverse proxy) + +## Deployment + +The imagined use case is that you have elasticsearch proper listening only to +localhost connections with plain HTTP. This makes adminstration easy from +authenticated local UNIX users. No non-localhost connections to elasticsearch +are allowed, even from trusted clients. This daemon runs as a small sidecar +proxy on localhost, listening on a public port. All non-localhost clients +direct queries through the proxy, which parses the query, ensures it is "safe", +then passes through to backend. -- cgit v1.2.3
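Review bot: The Deployment paragraph says the proxy "parses the query, ensures it is "safe", then passes through to backend", but nowhere in the README is "safe" defined, and that definition is the security contract of the whole project. I suggest adding a short section that states the default explicitly: any method or endpoint outside the listed "get, search, scroll" subset is rejected, any index without a "per-index permissions" entry is denied, and the "parse queries with serde JSON, then re-serialize" step rejects unknown fields rather than forwarding them. It would also help to say whether "return response bodies untouched" covers backend error responses, since those go to public clients unchanged. Minor wording in the same hunk: "a application-layer wrapper" should be "an application-layer wrapper", and "adminstration" should be "administration".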