<https://docs.linkeddatahub.com/reference/configuration/#content>
        a       <https://w3id.org/atomgraph/linkeddatahub#XHTML>;
        <http://www.w3.org/1999/02/22-rdf-syntax-ns#value>
                "<div xmlns=\"http://www.w3.org/1999/xhtml\">\n    <p class=\"lead\">Overview of configuration options</p>\n    <p>LinkedDataHub is configured using environment variables in the <samp>docker-compose.yml</samp> file (environment-specific configuration should go into <samp>docker-compose.override.yml</samp> instead).</p>\n    <p>Below you'll find a list of environment variables and secrets grouped by service (they are defined in the <samp>environment</samp> sections in <samp>docker-compose.yml</samp>).</p>\n    <div>\n        <h2 id=\"config-files\">Configuration files</h2>\n        <p>LinkedDataHub uses two main RDF configuration files that define dataspaces and services:</p>\n        <dl>\n            <dt><samp>config/dataspaces.trig</samp></dt>\n            <dd>Contains application metadata for each dataspace, including:</dd>\n            <dd>\n                <ul>\n                    <li>Base URIs and application origins</li>\n                    <li>Application titles and descriptions</li>\n                    <li>Associated ontologies</li>\n                    <li>Custom stylesheets</li>\n                </ul>\n            </dd>\n            <dd>This file contains public-facing metadata and can be safely shared.</dd>\n            <dt><samp>config/system.trig</samp></dt>\n            <dd>Contains internal deployment wiring, including:</dd>\n            <dd>\n                <ul>\n                    <li>Application-to-service bindings (admin and end-user roles)</li>\n                    <li>SPARQL endpoint URLs</li>\n                    <li>Graph Store Protocol endpoints</li>\n                </ul>\n            </dd>\n            <dd>This file contains internal configuration and is not intended for public sharing, but does not contain credentials.</dd>\n            <dt><samp>secrets/credentials.trig</samp></dt>\n            <dd>Optional file containing service authentication credentials, including:</dd>\n            <dd>\n                <ul>\n  
                  <li>Bearer tokens (<code>a:authToken</code>)</li>\n                    <li>HTTP Basic auth credentials (<code>a:authUser</code>, <code>a:authPwd</code>)</li>\n                </ul>\n            </dd>\n            <dd>This file is gitignored and must not be committed to version control. See the <samp>credentials</samp> secret entry below for configuration details.</dd>\n        </dl>\n        <p>All files are in TriG format and are mounted into the LinkedDataHub container at startup. The separation allows you to version control\n        dataspace metadata and service wiring while keeping credentials out of version control entirely.</p>\n    </div>\n    <div>\n        <h2 id=\"service-configuration\">Service configuration</h2>\n        <p>SPARQL service endpoints are configured in <samp>config/system.trig</samp>. See <a href=\"../triplestores/#service-configuration\">service configuration</a> in the triplestores reference for the RDF properties and examples, and the <a href=\"../dataspace/#services\">dataspace reference</a> for the conceptual overview.</p>\n    </div>\n    <div>\n        <h2 id=\"linkeddatahub\">linkeddatahub</h2>\n        <div>\n            <h3 id=\"secrets\">Secrets</h3>\n            <dl>\n                <dt><samp>owner_cert_password</samp></dt>\n                <dd>Password of the owner's WebID certificate</dd>\n                <dt><samp>secretary_cert_password</samp></dt>\n                <dd>Password of the secretary's WebID certificate</dd>\n                <dt><samp>client_truststore_password</samp></dt>\n                <dd>Password of the client truststore</dd>\n                <dt><samp>google_client_id</samp></dt>\n                <dd><a href=\"https://developers.google.com/identity/gsi/web/guides/get-google-api-clientid\">OAuth client ID</a></dd>\n                <dd><a href=\"../../get-started/get-an-account/\">Login with Google</a> authentication is enabled when this value is provided</dd>\n                
<dt><samp>google_client_secret</samp></dt>\n                <dd><a href=\"https://developers.google.com/identity/gsi/web/guides/get-google-api-clientid\">OAuth client secret</a></dd>\n                <dt><samp>credentials</samp></dt>\n                <dd>RDF dataset file (<samp>./secrets/credentials.trig</samp>) containing service authentication credentials (optional)</dd>\n                <dd>Supports HTTP Basic authentication (<code>a:authUser</code>, <code>a:authPwd</code>) and Bearer token authentication (<code>a:authToken</code>)</dd>\n                <dd>See <a href=\"../triplestores/#authentication\">authentication</a> in the triplestores reference for RDF examples</dd>\n            </dl>\n        </div>\n        <div>\n            <h3 id=\"webid-auth\">WebID authentication</h3>\n            <dl>\n                <dt><samp>ENABLE_WEBID_SIGNUP</samp></dt>\n                <dd><samp>false</samp> to disable. Enabled by default.</dd>\n                <dd><em>Currently this will only hide the signup button in the UI, without disabling the endpoint</em></dd>\n            </dl>\n        </div>\n        <div>\n            <h3 id=\"email-server\">Email server</h3>\n            <dl>\n                <dt><samp>MAIL_SMTP_HOST</samp></dt>\n                <dd>Hostname of the email server</dd>\n                <dt><samp>MAIL_SMTP_PORT</samp></dt>\n                <dd>Port number of the email server</dd>\n                <dt><samp>MAIL_USER</samp></dt>\n                <dd>Username</dd>\n                <dt><samp>MAIL_PASSWORD</samp></dt>\n                <dd>Password (if required)</dd>\n            </dl>\n        </div>\n        <div>\n            <h3 id=\"linked-data\">Linked Data</h3>\n            <dl>\n                <dt><samp>ENABLE_LINKED_DATA_PROXY</samp></dt>\n                <dd><samp>false</samp> to disable the <a href=\"../http-api/#ld-proxy\">Linked Data proxy</a> (enabled by default)</dd>\n            </dl>\n        </div>\n        <div>\n            <h3 
id=\"http\">HTTP(S)</h3>\n            <dl>\n                <dt><samp>SELF_SIGNED_CERT</samp></dt>\n                <dd>Set to <samp>false</samp> if not using the self-signed <em>server</em> certificate (e.g. using a Let's Encrypt certificate instead). Not to be confused with the WebID client certificate.\n                    Enabled by default.</dd>\n                <dt><samp>MAX_CONTENT_LENGTH</samp></dt>\n                <dd>Maximum allowed request body size (<samp>nginx</samp> has a separate setting for this). By default <samp>2097152</samp>.</dd>\n            </dl>\n        </div>\n        <div>\n            <h3 id=\"debug\">Debug</h3>\n            <dl>\n                <dt><samp>JPDA_ADDRESS</samp></dt>\n                <dd>The address through which the Java debugger can connect, for example <samp>*:8000</samp>. Note that the port has to be mapped to the host in order for the debugger to work, e.g. <samp>8080:8080</samp>.</dd>\n                <dt><samp>CATALINA_OPTS</samp></dt>\n                <dd>Tomcat's Java options</dd>\n            </dl>\n        </div>\n        <div>\n            <h3 id=\"proxy\">Proxy</h3>\n            <dl>\n                <dt><samp>LDHC_FRONTEND_PROXY</samp></dt>\n                <dd>Frontend proxy URL for HTTP requests (optional)</dd>\n                <dd>Configures a proxy server for the HTTP client infrastructure layer when making frontend requests</dd>\n                <dt><samp>LDHC_BACKEND_PROXY</samp></dt>\n                <dd>Backend proxy URL for SPARQL service access (optional)</dd>\n                <dd>Configures a proxy server for accessing SPARQL services and backend endpoints</dd>\n            </dl>\n        </div>\n        <div>\n            <h3 id=\"varnish\">Varnish</h3>\n            <dl>\n                <dt><samp>VARNISH_FRONTEND_BACKEND_PORT</samp></dt>\n                <dd>Port for frontend Varnish backend (default: <samp>7070</samp>)</dd>\n                <dd>Can be customized when running LinkedDataHub behind 
additional proxies or in non-standard Docker networking configurations</dd>\n                <dt><samp>VARNISH_ADMIN_BACKEND_PORT</samp></dt>\n                <dd>Port for admin Varnish backend (default: <samp>3030</samp>)</dd>\n                <dd>Can be customized when running LinkedDataHub behind additional proxies or in non-standard Docker networking configurations</dd>\n                <dt><samp>VARNISH_END_USER_BACKEND_PORT</samp></dt>\n                <dd>Port for end-user Varnish backend (default: <samp>3030</samp>)</dd>\n                <dd>Can be customized when running LinkedDataHub behind additional proxies or in non-standard Docker networking configurations</dd>\n            </dl>\n        </div>\n    </div>\n    <div>\n        <h2 id=\"nginx\">nginx</h2>\n        <dl>\n            <dt><samp>SERVER_CERT_FILE</samp></dt>\n            <dd>Location of the server's SSL certificate. By default <samp>/etc/nginx/ssl/server.crt</samp>.</dd>\n            <dt><samp>SERVER_KEY_FILE</samp></dt>\n            <dd>Location of the server's SSL certificate's key. By default <samp>/etc/nginx/ssl/server.key</samp>.</dd>\n            <dt><samp>SSL_VERIFY_CLIENT</samp></dt>\n            <dd><samp>off</samp> to disable TLS client certificate authentication on the <samp>$HTTPS_PORT</samp> port, which also disables LinkedDataHub's <a href=\"../../get-started/get-an-account/\">WebID-TLS authentication method</a>.</dd>\n            <dd>This option can be used to avoid the certificate prompt in the browser in end-user facing applications. The client certificate authentication is still available on port 5443.</dd>\n            <dd><samp>optional_no_ca</samp> to enable it.</dd>\n            <dt><samp>MAX_BODY_SIZE</samp></dt>\n            <dd>Maximum allowed request body size (<samp>linkeddatahub</samp> has a separate setting for this.) 
By default <samp>2097152</samp>.</dd>\n        </dl>\n        <p>By default nginx is configured to guard against DoS by limiting the rate of requests per second, which can be necessary on a public instance. The limiting can be disabled in <samp>platform/nginx.conf.template</samp>\n            by commenting out all lines starting with <samp>limit_req</samp> using <samp>#</samp>.</p>\n        <div>\n            <h3 id=\"server-certs\">Server certificates</h3>\n            <p>The certificates generated by the <samp>server-cert-gen.sh</samp> script are self-signed and are therefore shown as\n            \"not secure\" in web browsers. On a local machine this shouldn't be a problem; on public/production servers we recommend\n            using <a href=\"https://letsencrypt.org/\" target=\"_blank\">Let's Encrypt</a> certificates. They can be mounted into nginx as follows:</p>\n            <pre><code>  nginx:\n    environment:\n      - SERVER_CERT_FILE=/etc/letsencrypt/live/kgdev.net/fullchain.pem\n      - SERVER_KEY_FILE=/etc/letsencrypt/live/kgdev.net/privkey.pem\n    volumes:\n      - /etc/letsencrypt:/etc/letsencrypt</code></pre>\n        </div>\n        <p><a href=\"#http\"><samp>SELF_SIGNED_CERT</samp></a> should be set to <samp>false</samp> in this case.</p>\n    </div>\n</div>"^^<http://www.w3.org/1999/02/22-rdf-syntax-ns#XMLLiteral> .

<https://docs.linkeddatahub.com/reference/configuration/>
        a       <https://www.w3.org/ns/ldt/document-hierarchy#Item>;
        <http://www.w3.org/1999/02/22-rdf-syntax-ns#_1>
                <https://docs.linkeddatahub.com/reference/configuration/#content>;
        <http://purl.org/dc/terms/created>
                "2026-06-16T20:33:47.878Z"^^<http://www.w3.org/2001/XMLSchema#dateTime>;
        <http://purl.org/dc/terms/creator>
                <https://admin.linkeddatahub.com/acl/agents/0ab4a0f7-1ab0-4d0c-8efc-63a79a2e9a10/#this>;
        <http://purl.org/dc/terms/description>
                "Overview of configuration options";
        <http://purl.org/dc/terms/title>
                "Configuration";
        <http://rdfs.org/sioc/ns#has_container>
                <https://docs.linkeddatahub.com/reference/>;
        <http://www.w3.org/ns/auth/acl#owner>
                <https://admin.linkeddatahub.com/acl/agents/0ab4a0f7-1ab0-4d0c-8efc-63a79a2e9a10/#this> .
