Configuration

Overview of configuration options

LinkedDataHub is configured using environment variables in the docker-compose.yml file (environment-specific configuration should go into docker-compose.override.yml instead).

Below you'll find a list of environment variables and secrets grouped by service (they are defined in the environment sections in docker-compose.yml).

linkeddatahub

Secrets

owner_cert_password
Password of the owner's WebID certificate
secretary_cert_password
Password of the secretary's WebID certificate
client_truststore_password
Password of the client truststore
google_client_id
OAuth client ID
Login with Google authentication is enabled when this value is provided
google_client_secret
OAuth client secret

WebID authentication

ENABLE_WEBID_SIGNUP
false to disable. Enabled by default.
Currently this only hides the signup button in the UI; it does not disable the signup endpoint.

Email server

MAIL_SMTP_HOST
Hostname of the email server
MAIL_SMTP_PORT
Port number of the email server
MAIL_USER
Username
MAIL_PASSWORD
Password (if required)

Linked Data

ENABLE_LINKED_DATA_PROXY
false to disable the Linked Data proxy (enabled by default)

HTTP(S)

SELF_SIGNED_CERT
Set to false if not using the self-signed server certificate (e.g. when using a LetsEncrypt certificate instead). Not to be confused with the WebID client certificate. Enabled by default.
MAX_CONTENT_LENGTH
Maximum allowed request body size (nginx has a separate setting for this). By default 2097152.

Debug

JPDA_ADDRESS
The address through which the Java debugger can connect, for example *:8000. Note that the port has to be mapped to the host in order for the debugger to work, e.g. 8080:8080.
CATALINA_OPTS
Tomcat's Java options

nginx

SERVER_CERT_FILE
Location of the server's SSL certificate. By default /etc/nginx/ssl/server.crt.
SERVER_KEY_FILE
Location of the server's SSL certificate's key. By default /etc/nginx/ssl/server.key.
SSL_VERIFY_CLIENT
off to disable TLS client certificate authentication on the $HTTPS_PORT port, which also disables LinkedDataHub's WebID-TLS authentication method.
This option can be used to avoid the certificate prompt in the browser in end-user facing applications. The client certificate authentication is still available on port 5443.
optional_no_ca to enable it.
MAX_BODY_SIZE
Maximum allowed request body size (linkeddatahub has a separate setting for this). By default 2097152.

By default nginx is configured to guard against DoS by limiting the rate of requests per second, which can be necessary on a public instance. The limiting can be disabled in platform/nginx.conf.template by commenting out all lines starting with limit_req using #.

Server certificates

The certificates generated by the server-cert-gen.sh script are self-signed and are therefore shown as "not secure" in web browsers. On a local machine this shouldn't be a problem; on public/production servers we recommend using LetsEncrypt certificates. They can be mounted into nginx as follows:

  nginx:
    environment:
      - SERVER_CERT_FILE=/etc/letsencrypt/live/kgdev.net/fullchain.pem
      - SERVER_KEY_FILE=/etc/letsencrypt/live/kgdev.net/privkey.pem
    volumes:
      - /etc/letsencrypt:/etc/letsencrypt

SELF_SIGNED_CERT should be set to false in this case.
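
The checks below are an added example, not part of LinkedDataHub or its documentation: a small Python linter for three cross-setting pitfalls described on this page (the two separate body-size limits, SELF_SIGNED_CERT alongside a replacement server certificate, and ENABLE_WEBID_SIGNUP hiding only the button). It assumes the environment sections have already been parsed into KEY=value lists; the names lint, env_dict and SAMPLE, the example.org path, and the heuristic that any non-default SERVER_CERT_FILE means a certificate that is not self-signed are assumptions.

```python
# Added example: consistency checks over LinkedDataHub compose environment settings.
# Input: the "environment" lists per service, already parsed from the compose files.

DEFAULT_CERT = "/etc/nginx/ssl/server.crt"   # nginx default stated on this page
DEFAULT_MAX = 2097152                        # default of both body-size settings


def env_dict(entries):
    """Turn compose-style ["KEY=value", ...] entries into a dict."""
    return dict(e.split("=", 1) for e in entries)


def lint(services):
    """Return a list of (setting, message) findings for the given services."""
    ldh = env_dict(services.get("linkeddatahub", []))
    nginx = env_dict(services.get("nginx", []))
    findings = []

    # The two body-size limits are configured separately and can drift apart.
    app_max = int(ldh.get("MAX_CONTENT_LENGTH", DEFAULT_MAX))
    proxy_max = int(nginx.get("MAX_BODY_SIZE", DEFAULT_MAX))
    if app_max != proxy_max:
        findings.append(("MAX_BODY_SIZE",
                         f"nginx allows {proxy_max} but linkeddatahub allows {app_max}"))

    # Heuristic (assumption): a non-default certificate path is not self-signed,
    # in which case the page says SELF_SIGNED_CERT should be false.
    cert = nginx.get("SERVER_CERT_FILE", DEFAULT_CERT)
    if cert != DEFAULT_CERT and ldh.get("SELF_SIGNED_CERT", "true") != "false":
        findings.append(("SELF_SIGNED_CERT",
                         f"{cert} is in use but SELF_SIGNED_CERT is not false"))

    # Per the page, this setting only hides the button; the endpoint stays enabled.
    if ldh.get("ENABLE_WEBID_SIGNUP", "true") == "false":
        findings.append(("ENABLE_WEBID_SIGNUP",
                         "signup button hidden; the endpoint itself is not disabled"))
    return findings


# Constructed sample configuration (not taken from a real deployment).
SAMPLE = {
    "linkeddatahub": ["ENABLE_WEBID_SIGNUP=false", "MAX_CONTENT_LENGTH=10485760"],
    "nginx": ["SERVER_CERT_FILE=/etc/letsencrypt/live/example.org/fullchain.pem"],
}

if __name__ == "__main__":
    for setting, message in lint(SAMPLE):
        print(f"{setting}: {message}")
```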