**es-public-proxy**: Elasticsearch API proxy intended to be exposed to the
public internet (or any non-localhost clients) for safe read-only queries.

This is intended as a simple alternative to other "read-only" plugins or
authentication solutions for Elasticsearch. A benefit of keeping the
Elasticsearch API itself, instead of building an application-layer wrapper, is
that there already exist client libraries, tools, and integrations in many
languages.

Plan:

- single Rust executable
- fast and simple enough to never impact performance or latency
- TOML configuration
- some modern async/await framework
- use official elasticsearch crate? or just reqwest?
- small subset of total public API: get, search, scroll
- per-index permissions
- return response bodies untouched
- parse queries with serde JSON, then re-serialize

Stretch or future goals:

- parsing Lucene `query_string`
- provide an alternate simpler API
- query caching
- index aliases and routing
- version mapping (e.g., expose 7.x API for 6.x index)

Non-features:

- TLS (use a general-purpose reverse proxy)

## Deployment

The imagined use case is that you have Elasticsearch proper listening only for
localhost connections over plain HTTP. This makes administration easy for
authenticated local UNIX users. No non-localhost connections to Elasticsearch
are allowed, even from trusted clients. This daemon runs as a small sidecar
proxy on localhost, listening on a public port. All non-localhost clients
direct queries through the proxy, which parses the query, ensures it is "safe",
then passes it through to the backend.
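
As an added illustration (not code from the es-public-proxy source), the sketch below shows the routing half of the "ensures it is safe" step: an allow-list over method, endpoint (get, search, scroll) and per-index permissions, using the Elasticsearch 7.x paths `/{index}/_doc/{id}`, `/{index}/_search` and `/_search/scroll`. The names `authorize`, `Endpoint` and `Deny` are hypothetical, the allow-list is assumed to come from the TOML configuration, and parsing of the JSON query body is not covered.

```rust
// Added example: hypothetical names, not taken from the es-public-proxy source.
#[derive(Debug, PartialEq)]
pub enum Endpoint { Get, Search, Scroll }

#[derive(Debug, PartialEq)]
pub enum Deny { Method, Endpoint, Index }

/// Decide whether a request may be forwarded to the backend.
/// `allowed` is the per-index allow-list (assumed to be loaded from config).
pub fn authorize(method: &str, path: &str, allowed: &[&str]) -> Result<Endpoint, Deny> {
    // Read-only API: GET, plus POST because search/scroll bodies are sent with it.
    let is_get = method == "GET";
    if !is_get && method != "POST" {
        return Err(Deny::Method);
    }
    // Exactly one leading slash; anything else is not a known route.
    let rest = path.strip_prefix('/').ok_or(Deny::Endpoint)?;
    // Exact segment matching fails closed: query strings, percent-encoding,
    // wildcards and comma-separated index lists never equal an allowed name.
    let segs: Vec<&str> = rest.split('/').collect();
    let (index, endpoint) = match segs.as_slice() {
        ["_search", "scroll"] => return Ok(Endpoint::Scroll),
        [index, "_search"] => (*index, Endpoint::Search),
        [index, "_doc", id] if is_get && !id.is_empty() => (*index, Endpoint::Get),
        _ => return Err(Deny::Endpoint),
    };
    if allowed.contains(&index) {
        Ok(endpoint)
    } else {
        Err(Deny::Index)
    }
}

fn main() {
    let allowed = ["public"]; // constructed sample allow-list
    let samples = [
        ("GET", "/public/_search"),
        ("POST", "/public,secret/_search"),
        ("POST", "/public/_delete_by_query"),
        ("DELETE", "/public"),
    ];
    for (m, p) in samples {
        println!("{m} {p} -> {:?}", authorize(m, p, &allowed));
    }
}
```

Because unknown routes are denied by default, query-string parameters such as `?scroll=1m` are rejected here; a real proxy would need its own allow-list for those as well.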