Channels
pacc-may-31-2023
prefect-ai
pacc-clearcover-june-12-2023
marvin-in-the-wild
data-ecosystem
geo-israel
pacc-june-14-2023
geo-japan
prefect-cloud
ppcc-may-16-2023
prefect-azure
prefect-docker
prefect-recipes
gratitude
geo-nyc
geo-bay-area
geo-boston
geo-london
geo-dc
geo-chicago
geo-berlin
geo-texas
geo-seattle
geo-colorado
prefect-community
data-tricks-and-tips
prefect-aws
prefect-gcp
introductions
find-a-prefect-job
prefect-dbt
random
events
ask-marvin
show-us-what-you-got
prefect-getting-started
prefect-integrations
prefect-contributors
best-practices-coordination-plane
announcements
prefect-server
prefect-ui
prefect-kubernetes
Title
e
emmanuel
08/11/2020, 11:31 AMis there a way to run the OSS server and the UI in a secured way, that is not exposing the apollo endpoint publicly? or protecting it?
b
Ben Davison
08/11/2020, 11:47 AMdepends on your deployment environment.
We put everything behind firewalls
e
emmanuel
08/11/2020, 11:51 AMI think the real issue is that the UI is run client side and expect to be able to access apollo on a public endpoint….
b
Ben Davison
08/11/2020, 11:53 AMwhen you say public what do you mean? Open to the world?
our current setup looks like this
user -> vpn -> kubernetes👍🏼 1
e
emmanuel
08/11/2020, 11:56 AMright… I don’t have a VPN
b
Ben Davison
08/11/2020, 12:00 PMwhere do you deploy apollo? AWS?
e
emmanuel
08/11/2020, 12:00 PMa private kubernetes cluster
b
Ben Davison
08/11/2020, 12:02 PMhow do you control access to that cluster?
e
emmanuel
08/11/2020, 12:05 PMWe run protected endpoints under Google OAuth so I guess I could expose apollo this way too
b
Ben Davison
08/11/2020, 12:08 PMif your running under google (i'm assuming GKE) you could also use firewall rules:
https://cloud.google.com/kubernetes-engine/docs/how-to/exposing-apps
But if you already use oauth endpoints you should use them
e
emmanuel
08/11/2020, 12:08 PMWe have a custom implementation, but yeah generally speaking as long as the UI forwards all original browser headers, that could work
is Apollo POST only?
well it does not forward custom headers set in the browser 😕
or maybe because we are behind HTTPS…
b
Ben Davison
08/11/2020, 1:03 PMit uses
OPTIONSe
emmanuel
08/11/2020, 1:04 PMyeah I’ve seen, I only filter gets to answer 200 directly because unfortunately that’s what our auth layer needs 😕 Apollo answers 400
maybe it’s just an nginx configuration issue
I use it in front of apollo to return 200 on
/is the response to
OPTIONSnah ok it’s a CORS stuff blocking the requests
ok I can deal with that thanks @Ben Davison
ok fixed
b
Ben Davison
08/11/2020, 2:48 PMnice
e
emmanuel
08/11/2020, 2:49 PMnothing too fancy really:
log_format custom '[$time_local] $http_x_forwarded_for - $remote_user - $remote_addr '
'"$request" $status $body_bytes_sent '
'"$http_referer" "$http_user_agent"';
server {
listen 8080;
access_log /dev/stdout custom;
server_name _;
location ^~ /graphql {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_pass_request_headers on;
proxy_http_version 1.1;
proxy_pass <http://prefect-service-core.prefect-service:4200/>;
}
location / {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_pass_request_headers on;
proxy_http_version 1.1;
proxy_pass <http://prefect-service-ui.prefect-service:8080>;
}
}