nginx fronts varnish-end-user and varnish-admin

`ServiceImpl` uses the new `GraphStoreClient` and `SPARQLClient` subclasses

Author: namedgraph

config/system-varnish.trig

@@ -29,7 +29,7 @@
     sd:endpoint <http://fuseki-admin:3030/ds/> ;
     a:graphStore <http://fuseki-admin:3030/ds/> ;
     a:quadStore <http://fuseki-admin:3030/ds/> ;
-    lapp:backendProxy <http://varnish-admin/> .
+    lapp:backendProxy <http://nginx-admin:8080/> .
 
 # root end-user
 
@@ -48,4 +48,4 @@
     sd:endpoint <http://fuseki-end-user:3030/ds/> ;
     a:graphStore <http://fuseki-end-user:3030/ds/> ;
     a:quadStore <http://fuseki-end-user:3030/ds/> ;
-    lapp:backendProxy <http://varnish-end-user/> .
+    lapp:backendProxy <http://nginx-end-user:8080/> .

docker-compose.yml

@@ -34,7 +34,7 @@ services:
       - SSL_VERIFY_CLIENT=optional_no_ca
       - MAX_BODY_SIZE=2097152
     volumes:
-      - ./platform/nginx.conf.template:/etc/nginx/nginx.conf.template:ro
+      - ./platform/nginx-frontend.conf.template:/etc/nginx/nginx.conf.template:ro
       - ./ssl/server:/etc/nginx/ssl:ro
   linkeddatahub:
     user: root # otherwise the ldh user does not have permissions to the mounted folder which is owner by root
@@ -128,6 +128,28 @@ services:
     command: [ "-t", "86400" ] # time to live
     volumes:
       - ./platform/varnish-frontend.vcl.template:/etc/varnish/default.vcl.template:ro
+  nginx-admin:
+    image: nginx:1.23.3
+    depends_on:
+      - varnish-admin
+    command: /bin/sh -c "cp /etc/nginx/nginx.conf.template /etc/nginx/nginx.conf && sed -i 's|$${UPSTREAM_SERVER}|'"$$UPSTREAM_SERVER"'|g' /etc/nginx/nginx.conf && sed -i 's|$${UPSTREAM_HTTP_PORT}|'"$$UPSTREAM_HTTP_PORT"'|g' /etc/nginx/nginx.conf && sed -i 's|$${SERVER_HTTP_PORT}|'"$$SERVER_HTTP_PORT"'|g' /etc/nginx/nginx.conf && nginx -g 'daemon off;'"
+    environment:
+      - UPSTREAM_SERVER=varnish-admin
+      - UPSTREAM_HTTP_PORT=80
+      - SERVER_HTTP_PORT=8080 # because of nginx-unprivileged
+    volumes:
+      - ./platform/nginx-backend.conf.template:/etc/nginx/nginx.conf.template:ro
+  nginx-end-user:
+    image: nginx:1.23.3
+    depends_on:
+      - varnish-end-user
+    command: /bin/sh -c "cp /etc/nginx/nginx.conf.template /etc/nginx/nginx.conf && sed -i 's|$${UPSTREAM_SERVER}|'"$$UPSTREAM_SERVER"'|g' /etc/nginx/nginx.conf && sed -i 's|$${UPSTREAM_HTTP_PORT}|'"$$UPSTREAM_HTTP_PORT"'|g' /etc/nginx/nginx.conf && sed -i 's|$${SERVER_HTTP_PORT}|'"$$SERVER_HTTP_PORT"'|g' /etc/nginx/nginx.conf && nginx -g 'daemon off;'"
+    environment:
+      - UPSTREAM_SERVER=varnish-end-user
+      - UPSTREAM_HTTP_PORT=80
+      - SERVER_HTTP_PORT=8080 # because of nginx-unprivileged
+    volumes:
+      - ./platform/nginx-backend.conf.template:/etc/nginx/nginx.conf.template:ro
   varnish-admin:
     image: varnish:7.3.0
     user: root # otherwise the varnish user does not have permissions to the mounted folder which is owner by root

platform/nginx-backend.conf.template

@@ -0,0 +1,38 @@
+worker_processes 1;
+
+events {
+    worker_connections 1024;
+}
+
+http {
+    include       mime.types;
+    default_type  application/octet-stream;
+
+    # Define a shared memory zone for rate limiting (keyed by client IP)
+    limit_req_zone $binary_remote_addr zone=api_ratelimit:10m rate=5r/s;
+    limit_req_status 429;
+
+    upstream varnish_backend {
+        server ${UPSTREAM_SERVER}:${UPSTREAM_HTTP_PORT};
+    }
+
+    server {
+        listen ${SERVER_HTTP_PORT};
+
+        # Optional: allow health checks or pre-flight OPTIONS through without limits
+        location = /healthz {
+            return 200 'ok';
+            add_header Content-Type text/plain;
+        }
+
+        location / {
+            # Apply rate limiting
+            limit_req zone=api_ratelimit nodelay;
+
+            proxy_pass http://varnish_backend;
+            proxy_set_header Host $host;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        }
+    }
+}

platform/nginx.conf.template platform/nginx-frontend.conf.templateplatform/nginx.conf.template renamed to platform/nginx-frontend.conf.template

@@ -37,23 +37,17 @@ public class GraphStoreClient extends com.atomgraph.core.client.GraphStoreClient
 
     private static final Logger log = LoggerFactory.getLogger(GraphStoreClient.class);
 
-    private final long defaultDelayMillis = 5000L;
-    private final int maxRetryCount = 3;
+    private final long defaultDelayMillis; // = 5000L;
+    private final int maxRetryCount; // = 3;
 
-    protected GraphStoreClient(MediaTypes mediaTypes, WebTarget endpoint) {
+    protected GraphStoreClient(MediaTypes mediaTypes, WebTarget endpoint, long defaultDelayMillis, int maxRetryCount) {
         super(mediaTypes, endpoint);
+        this.defaultDelayMillis = defaultDelayMillis;
+        this.maxRetryCount = maxRetryCount;
     }
 
-    protected GraphStoreClient(WebTarget endpoint) {
-        this(new MediaTypes(), endpoint);
-    }
-
-    public static GraphStoreClient create(MediaTypes mediaTypes, WebTarget endpoint) {
-        return new GraphStoreClient(mediaTypes, endpoint);
-    }
-
-    public static GraphStoreClient create(WebTarget endpoint) {
-        return new GraphStoreClient(endpoint);
+    public static GraphStoreClient create(MediaTypes mediaTypes, WebTarget endpoint, long defaultDelayMillis, int maxRetryCount) {
+        return new GraphStoreClient(mediaTypes, endpoint, defaultDelayMillis, maxRetryCount);
     }
 
     @Override

src/main/java/com/atomgraph/linkeddatahub/client/GraphStoreClient.java

@@ -34,31 +34,27 @@ public class SPARQLClient extends com.atomgraph.core.client.SPARQLClient {
 
     private static final Logger log = LoggerFactory.getLogger(SPARQLClient.class);
 
-    private final long defaultDelayMillis = 1000L;
-    private final int maxRetryCount = 3;
+    private final long defaultDelayMillis; // = 1000L;
+    private final int maxRetryCount; // = 3;
 
-    protected SPARQLClient(MediaTypes mediaTypes, WebTarget endpoint, int maxGetRequestSize) {
+    protected SPARQLClient(MediaTypes mediaTypes, WebTarget endpoint, int maxGetRequestSize, long defaultDelayMillis, int maxRetryCount) {
         super(mediaTypes, endpoint, maxGetRequestSize);
+        this.defaultDelayMillis = defaultDelayMillis;
+        this.maxRetryCount = maxRetryCount;
     }
 
-    protected SPARQLClient(MediaTypes mediaTypes, WebTarget endpoint) {
-        this(mediaTypes, endpoint, 8192);
+    protected SPARQLClient(MediaTypes mediaTypes, WebTarget endpoint, long defaultDelayMillis, int maxRetryCount) {
+        super(mediaTypes, endpoint);
+        this.defaultDelayMillis = defaultDelayMillis;
+        this.maxRetryCount = maxRetryCount;
     }
 
-    protected SPARQLClient(WebTarget endpoint) {
-        this(new MediaTypes(), endpoint);
+    public static SPARQLClient create(MediaTypes mediaTypes, WebTarget endpoint, int maxGetRequestSize, long defaultDelayMillis, int maxRetryCount) {
+        return new SPARQLClient(mediaTypes, endpoint, maxGetRequestSize, defaultDelayMillis, maxRetryCount);
     }
 
-    public static SPARQLClient create(MediaTypes mediaTypes, WebTarget endpoint, int maxGetRequestSize) {
-        return new SPARQLClient(mediaTypes, endpoint, maxGetRequestSize);
-    }
-
-    public static SPARQLClient create(MediaTypes mediaTypes, WebTarget endpoint) {
-        return new SPARQLClient(mediaTypes, endpoint);
-    }
-
-    public static SPARQLClient create(WebTarget endpoint) {
-        return new SPARQLClient(endpoint);
+    public static SPARQLClient create(MediaTypes mediaTypes, WebTarget endpoint, long defaultDelayMillis, int maxRetryCount) {
+        return new SPARQLClient(mediaTypes, endpoint, defaultDelayMillis, maxRetryCount);
     }
 
     @Override

src/main/java/com/atomgraph/linkeddatahub/client/SPARQLClient.java

@@ -18,7 +18,6 @@
 
 import com.atomgraph.core.MediaTypes;
 import com.atomgraph.core.client.QuadStoreClient;
-import com.atomgraph.core.client.SPARQLClient;
 import com.atomgraph.core.model.DatasetAccessor;
 import com.atomgraph.core.model.DatasetQuadAccessor;
 import com.atomgraph.core.model.EndpointAccessor;
@@ -28,6 +27,7 @@
 import com.atomgraph.core.vocabulary.A;
 import com.atomgraph.core.vocabulary.SD;
 import com.atomgraph.linkeddatahub.client.GraphStoreClient;
+import com.atomgraph.linkeddatahub.client.SPARQLClient;
 import com.atomgraph.linkeddatahub.model.Service;
 import com.atomgraph.linkeddatahub.vocabulary.LAPP;
 import java.net.URI;
@@ -131,11 +131,13 @@ public SPARQLClient getSPARQLClient()
     public SPARQLClient getSPARQLClient(WebTarget webTarget)
     {
         SPARQLClient sparqlClient;
-        
+        final long defaultDelayMillis = 1000L;
+        final int maxRetryCount = 3;
+
         if (getMaxGetRequestSize() != null)
-            sparqlClient = SPARQLClient.create(getMediaTypes(), webTarget, getMaxGetRequestSize());
+            sparqlClient = SPARQLClient.create(getMediaTypes(), webTarget, getMaxGetRequestSize(), defaultDelayMillis, maxRetryCount);
         else
-            sparqlClient = SPARQLClient.create(getMediaTypes(), webTarget);
+            sparqlClient = SPARQLClient.create(getMediaTypes(), webTarget, defaultDelayMillis, maxRetryCount);
 
         if (getAuthUser() != null && getAuthPwd() != null)
         {
@@ -169,8 +171,10 @@ public com.atomgraph.core.client.GraphStoreClient getGraphStoreClient()
      */
     public GraphStoreClient getGraphStoreClient(WebTarget webTarget)
     {
-        GraphStoreClient graphStoreClient = GraphStoreClient.create(webTarget);
-        
+        final long defaultDelayMillis = 1000L;
+        final int maxRetryCount = 3;
+        GraphStoreClient graphStoreClient = GraphStoreClient.create(getMediaTypes(), webTarget, defaultDelayMillis, maxRetryCount);
+
         if (getAuthUser() != null && getAuthPwd() != null)
         {
             HttpAuthenticationFeature authFeature = HttpAuthenticationFeature.basicBuilder().