Configuration

Overview of configuration options

LinkedDataHub is configured using environment variables in the docker-compose.yml file (environment-specific configuration should go into docker-compose.override.yml instead).

Below you'll find a list of environment variables and secrets grouped by service (they are defined in the environment sections in docker-compose.yml).

Configuration files

LinkedDataHub uses two main RDF configuration files that define dataspaces and services:

config/dataspaces.trig
Contains application metadata for each dataspace, including:
  • Base URIs and application origins
  • Application titles and descriptions
  • Associated ontologies
  • Custom stylesheets
This file contains public-facing metadata and can be safely shared.
config/system.trig
Contains internal deployment wiring, including:
  • Application-to-service bindings (admin and end-user roles)
  • SPARQL endpoint URLs
  • Graph Store Protocol endpoints
This file contains internal configuration and is not intended for public sharing, but does not contain credentials.
secrets/credentials.trig
Optional file containing service authentication credentials, including:
  • Bearer tokens (a:authToken)
  • HTTP Basic auth credentials (a:authUser, a:authPwd)
This file is gitignored and must not be committed to version control. See the credentials secret entry below for configuration details.

All files are in TriG format and are mounted into the LinkedDataHub container at startup. The separation allows you to version control dataspace metadata and service wiring while keeping credentials out of version control entirely.
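The separation above only holds if the credential properties never end up in the version-controlled files. The following is an added example, not part of LinkedDataHub: a Python check, suitable for a pre-commit hook or CI step, that flags a:authToken, a:authUser or a:authPwd in any TriG file other than secrets/credentials.trig. The function name, the sample resources and the https://example.org/ns# namespace are assumptions constructed for illustration.

```python
import re

# Credential properties named on this page; matched by local name so both the
# prefixed form (a:authToken) and a full IRI ending in #authToken are caught.
CREDENTIAL_PROPS = ("authToken", "authUser", "authPwd")
_PATTERN = re.compile(r"(?:[A-Za-z][\w-]*:|[#/])(%s)\b" % "|".join(CREDENTIAL_PROPS))

# The only file that may carry credentials; it is gitignored.
SECRETS_FILE = "secrets/credentials.trig"


def find_credential_leaks(files):
    """Return (path, line_no, property) for each credential property found
    in a TriG file other than secrets/credentials.trig.

    `files` maps a repository-relative path to the file's text.
    Simplification: only whole-line '#' comments are skipped.
    """
    leaks = []
    for path, text in sorted(files.items()):
        if path == SECRETS_FILE:
            continue
        for line_no, line in enumerate(text.splitlines(), start=1):
            if line.lstrip().startswith("#"):
                continue
            for match in _PATTERN.finditer(line):
                leaks.append((path, line_no, match.group(1)))
    return leaks


# Constructed sample content (namespace, resources and values are placeholders).
SAMPLE = {
    "config/system.trig": (
        "@prefix a: <https://example.org/ns#> .\n"
        "# a:authPwd must never appear here\n"
        "<urn:example:service> <urn:example:endpoint> <http://triplestore.example/ds/> ;\n"
        "    a:authUser \"admin\" ;\n"
        "    <https://example.org/ns#authPwd> \"example-password\" .\n"
    ),
    "config/dataspaces.trig": "<urn:example:app> <urn:example:title> \"Demo\" .\n",
    "secrets/credentials.trig": "<urn:example:service> a:authToken \"tok\" .\n",
}

if __name__ == "__main__":
    for path, line_no, prop in find_credential_leaks(SAMPLE):
        print(f"{path}:{line_no}: credential property {prop} outside {SECRETS_FILE}")
```

In a real hook, build the `files` mapping from the tracked *.trig files and fail the commit when the returned list is non-empty.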

Service configuration

SPARQL service endpoints are configured in config/system.trig. See service configuration in the triplestores reference for the RDF properties and examples, and the dataspace reference for the conceptual overview.

linkeddatahub

Secrets

owner_cert_password
Password of the owner's WebID certificate
secretary_cert_password
Password of the secretary's WebID certificate
client_truststore_password
Password of the client truststore
google_client_id
OAuth client ID
Login with Google authentication is enabled when this value is provided
google_client_secret
OAuth client secret
credentials
RDF dataset file (./secrets/credentials.trig) containing service authentication credentials (optional)
Supports HTTP Basic authentication (a:authUser, a:authPwd) and Bearer token authentication (a:authToken)
See authentication in the triplestores reference for RDF examples

WebID authentication

ENABLE_WEBID_SIGNUP
false to disable. Enabled by default.
Currently this only hides the signup button in the UI; it does not disable the endpoint.

Email server

MAIL_SMTP_HOST
Hostname of the email server
MAIL_SMTP_PORT
Port number of the email server
MAIL_USER
Username
MAIL_PASSWORD
Password (if required)

Linked Data

ENABLE_LINKED_DATA_PROXY
false to disable the Linked Data proxy (enabled by default)

HTTP(S)

SELF_SIGNED_CERT
Set to false if not using the self-signed server certificate (e.g. when using a LetsEncrypt certificate instead). Not to be confused with the WebID client certificate. Enabled by default.
MAX_CONTENT_LENGTH
Maximum allowed request body size (nginx has a separate setting for this). By default 2097152.

Debug

JPDA_ADDRESS
The address through which the Java debugger can connect, for example *:8000. Note that the port has to be mapped to the host in order for the debugger to work, e.g. 8080:8080.
CATALINA_OPTS
Tomcat's Java options

Proxy

LDHC_FRONTEND_PROXY
Frontend proxy URL for HTTP requests (optional)
Configures a proxy server for the HTTP client infrastructure layer when making frontend requests
LDHC_BACKEND_PROXY
Backend proxy URL for SPARQL service access (optional)
Configures a proxy server for accessing SPARQL services and backend endpoints

Varnish

VARNISH_FRONTEND_BACKEND_PORT
Port for frontend Varnish backend (default: 7070)
Can be customized when running LinkedDataHub behind additional proxies or in non-standard Docker networking configurations
VARNISH_ADMIN_BACKEND_PORT
Port for admin Varnish backend (default: 3030)
Can be customized when running LinkedDataHub behind additional proxies or in non-standard Docker networking configurations
VARNISH_END_USER_BACKEND_PORT
Port for end-user Varnish backend (default: 3030)
Can be customized when running LinkedDataHub behind additional proxies or in non-standard Docker networking configurations

nginx

SERVER_CERT_FILE
Location of the server's SSL certificate. By default /etc/nginx/ssl/server.crt.
SERVER_KEY_FILE
Location of the server's SSL certificate's key. By default /etc/nginx/ssl/server.key.
SSL_VERIFY_CLIENT
off to disable TLS client certificate authentication on the $HTTPS_PORT port, which also disables LinkedDataHub's WebID-TLS authentication method.
This option can be used to avoid the certificate prompt in the browser in end-user facing applications. The client certificate authentication is still available on port 5443.
optional_no_ca to enable it.
MAX_BODY_SIZE
Maximum allowed request body size (linkeddatahub has a separate setting for this). By default 2097152.

By default nginx is configured to guard against DoS by limiting the rate of requests per second, which can be necessary on a public instance. The limiting can be disabled in platform/nginx.conf.template by commenting out all lines starting with limit_req using #.

Server certificates

The certificates generated by the server-cert-gen.sh script are self-signed and therefore are shown as "not secure" in web browsers. On a local machine this shouldn't be a problem; on public/production servers we recommend using LetsEncrypt certificates. They can be mounted into nginx as follows:

  nginx:
    environment:
      - SERVER_CERT_FILE=/etc/letsencrypt/live/kgdev.net/fullchain.pem
      - SERVER_KEY_FILE=/etc/letsencrypt/live/kgdev.net/privkey.pem
    volumes:
      - /etc/letsencrypt:/etc/letsencrypt

SELF_SIGNED_CERT should be set to false in this case.