
emmanuel

08/11/2020, 11:31 AM
is there a way to run the OSS server and the UI in a secured way, that is not exposing the apollo endpoint publicly? or protecting it?

Ben Davison

08/11/2020, 11:47 AM
depends on your deployment environment. We put everything behind firewalls

emmanuel

08/11/2020, 11:51 AM
I think the real issue is that the UI is run client side and expects to be able to access apollo on a public endpoint….

Ben Davison

08/11/2020, 11:53 AM
when you say public what do you mean? Open to the world?
our current setup looks like this
user -> vpn -> kubernetes
So no one can access apollo from outside our network, but yes apollo is still accessible to everyone "inside" the network

emmanuel

08/11/2020, 11:56 AM
right… I don’t have a VPN

Ben Davison

08/11/2020, 12:00 PM
where do you deploy apollo? AWS?

emmanuel

08/11/2020, 12:00 PM
a private kubernetes cluster

Ben Davison

08/11/2020, 12:02 PM
how do you control access to that cluster?

emmanuel

08/11/2020, 12:05 PM
We run protected endpoints under Google OAuth so I guess I could expose apollo this way too

Ben Davison

08/11/2020, 12:08 PM
if you're running under Google (I'm assuming GKE) you could also use firewall rules: https://cloud.google.com/kubernetes-engine/docs/how-to/exposing-apps But if you already use OAuth endpoints you should use them

emmanuel

08/11/2020, 12:08 PM
We have a custom implementation, but yeah generally speaking as long as the UI forwards all original browser headers, that could work
is Apollo POST only?
well it does not forward custom headers set in the browser 😕
or maybe because we are behind HTTPS…

Ben Davison

08/11/2020, 1:03 PM
it uses OPTIONS also

emmanuel

08/11/2020, 1:04 PM
yeah I’ve seen, I only filter gets to answer 200 directly because unfortunately that’s what our auth layer needs 😕 Apollo answers 400
maybe it’s just an nginx configuration issue
I use it in front of apollo to return 200 on /
is the response to OPTIONS actually used?
nah ok it’s a CORS stuff blocking the requests
ok I can deal with that thanks @Ben Davison
ok fixed

Ben Davison

08/11/2020, 2:48 PM
nice

emmanuel

08/11/2020, 2:49 PM
nothing too fancy really:
log_format custom '[$time_local] $http_x_forwarded_for - $remote_user - $remote_addr '
                  '"$request" $status $body_bytes_sent '
                  '"$http_referer" "$http_user_agent"';

server {

  listen                8080;
  access_log /dev/stdout custom;
  server_name           _;

  location ^~ /graphql {
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_pass_request_headers on;
    proxy_http_version 1.1;
    proxy_pass http://prefect-service-core.prefect-service:4200/;
  }

  location / {
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_pass_request_headers on;
    proxy_http_version 1.1;
    proxy_pass http://prefect-service-ui.prefect-service:8080;
  }

}