is there a way to run the OSS server and the UI in...
# prefect-community
e
is there a way to run the OSS server and the UI in a secured way, that is not exposing the apollo endpoint publicly? or protecting it?
b
depends on your deployment environment. We put everything behind firewalls
e
I think the real issue is that the UI is run client side and expects to be able to access apollo on a public endpoint….
b
when you say public what do you mean? Open to the world?
our current setup looks like this
user -> vpn -> kubernetes
So no one can access apollo from outside our network, but yes apollo is still accessible to everyone "inside" the network
e
right… I don’t have a VPN
b
where do you deploy apollo? AWS?
e
a private kubernetes cluster
b
how do you control access to that cluster?
e
We run protected endpoints under Google OAuth so I guess I could expose apollo this way too
b
if you're running under Google (I'm assuming GKE) you could also use firewall rules: https://cloud.google.com/kubernetes-engine/docs/how-to/exposing-apps But if you already use oauth endpoints you should use them
e
We have a custom implementation, but yeah generally speaking as long as the UI forwards all original browser headers, that could work
is Apollo POST only?
well it does not forward custom headers set in the browser 😕
or maybe because we are behind HTTPS…
b
it uses `OPTIONS` also
e
yeah I’ve seen, I only filter gets to answer 200 directly because unfortunately that’s what our auth layer needs 😕 Apollo answers 400
maybe it’s just an nginx configuration issue
I use it in front of apollo to return 200 on `/`
is the response to `OPTIONS` actually used?
nah ok it’s a CORS stuff blocking the requests
ok I can deal with that thanks @Ben Davison
ok fixed
b
nice
e
nothing too fancy really:
```nginx
# Access log format: forwarded client address, authenticated user, direct peer address
log_format custom '[$time_local] $http_x_forwarded_for - $remote_user - $remote_addr '
                  '"$request" $status $body_bytes_sent '
                  '"$http_referer" "$http_user_agent"';

server {

  listen                8080;
  access_log /dev/stdout custom;
  server_name           _;

  # Requests under /graphql are proxied to the backend service on port 4200
  location ^~ /graphql {

    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_pass_request_headers on;
    proxy_http_version 1.1;
    proxy_pass http://prefect-service-core.prefect-service:4200/;

  }

  # Everything else is proxied to the UI service
  location / {

    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_pass_request_headers      on;
    proxy_http_version 1.1;
    proxy_pass http://prefect-service-ui.prefect-service:8080;
  }

}
```