is there a way to run the OSS server and the UI in...
# ask-communitye
emmanuel
08/11/2020, 11:31 AMis there a way to run the OSS server and the UI in a secured way, that is not exposing the apollo endpoint publicly? or protecting it?
b
Ben Davison
08/11/2020, 11:47 AMdepends on your deployment environment.
We put everything behind firewalls
e
emmanuel
08/11/2020, 11:51 AMI think the real issue is that the UI is run client side and expect to be able to access apollo on a public endpoint….
b
Ben Davison
08/11/2020, 11:53 AMwhen you say public what do you mean? Open to the world?
Ben Davison
08/11/2020, 11:54 AMour current setup looks like this
user -> vpn -> kubernetes👍🏼 1
e
emmanuel
08/11/2020, 11:56 AMright… I don’t have a VPN
b
Ben Davison
08/11/2020, 12:00 PMwhere do you deploy apollo? AWS?
e
emmanuel
08/11/2020, 12:00 PMa private kubernetes cluster
b
Ben Davison
08/11/2020, 12:02 PMhow do you control access to that cluster?
e
emmanuel
08/11/2020, 12:05 PMWe run protected endpoints under Google OAuth so I guess I could expose apollo this way too
b
Ben Davison
08/11/2020, 12:08 PMif your running under google (i'm assuming GKE) you could also use firewall rules:
https://cloud.google.com/kubernetes-engine/docs/how-to/exposing-apps
But if you already use oauth endpoints you should use them
e
emmanuel
08/11/2020, 12:08 PMWe have a custom implementation, but yeah generally speaking as long as the UI forwards all original browser headers, that could work
emmanuel
08/11/2020, 12:29 PMis Apollo POST only?
emmanuel
08/11/2020, 12:52 PMwell it does not forward custom headers set in the browser 😕
emmanuel
08/11/2020, 12:56 PMor maybe because we are behind HTTPS…
b
Ben Davison
08/11/2020, 1:03 PMit uses
OPTIONSe
emmanuel
08/11/2020, 1:04 PMyeah I’ve seen, I only filter gets to answer 200 directly because unfortunately that’s what our auth layer needs 😕 Apollo answers 400
emmanuel
08/11/2020, 1:14 PMmaybe it’s just an nginx configuration issue
emmanuel
08/11/2020, 1:14 PMI use it in front of apollo to return 200 on
/emmanuel
08/11/2020, 1:32 PMis the response to
OPTIONSemmanuel
08/11/2020, 2:01 PMnah ok it’s a CORS stuff blocking the requests
emmanuel
08/11/2020, 2:01 PMok I can deal with that thanks @Ben Davison
emmanuel
08/11/2020, 2:20 PMok fixed
b
Ben Davison
08/11/2020, 2:48 PMnice
e
emmanuel
08/11/2020, 2:49 PMnothing too fancy really:
Copy code
log_format custom '[$time_local] $http_x_forwarded_for - $remote_user - $remote_addr '
'"$request" $status $body_bytes_sent '
'"$http_referer" "$http_user_agent"';
server {
listen 8080;
access_log /dev/stdout custom;
server_name _;
location ^~ /graphql {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_pass_request_headers on;
proxy_http_version 1.1;
proxy_pass <http://prefect-service-core.prefect-service:4200/>;
}
location / {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_pass_request_headers on;
proxy_http_version 1.1;
proxy_pass <http://prefect-service-ui.prefect-service:8080>;
}
}3 Views