
    emmanuel

    2 years ago
    is there a way to run the OSS server and the UI in a secured way, that is not exposing the apollo endpoint publicly? or protecting it?

    Ben Davison

    2 years ago
    depends on your deployment environment. We put everything behind firewalls

    emmanuel

    2 years ago
    I think the real issue is that the UI is run client side and expects to be able to access apollo on a public endpoint….

    Ben Davison

    2 years ago
    when you say public what do you mean? Open to the world?
    our current setup looks like this
    user -> vpn -> kubernetes
    So no one can access apollo from outside our network, but yes apollo is still accessible to everyone "inside" the network

    emmanuel

    2 years ago
    right… I don’t have a VPN

    Ben Davison

    2 years ago
    where do you deploy apollo? AWS?

    emmanuel

    2 years ago
    a private kubernetes cluster

    Ben Davison

    2 years ago
    how do you control access to that cluster?

    emmanuel

    2 years ago
    We run protected endpoints under Google OAuth so I guess I could expose apollo this way too

    Ben Davison

    2 years ago
    if you're running under Google (I'm assuming GKE) you could also use firewall rules: https://cloud.google.com/kubernetes-engine/docs/how-to/exposing-apps But if you already use OAuth endpoints you should use them

    emmanuel

    2 years ago
    We have a custom implementation, but yeah generally speaking as long as the UI forwards all original browser headers, that could work
    is Apollo POST only?
    well it does not forward custom headers set in the browser 😕
    or maybe because we are behind HTTPS…

    Ben Davison

    2 years ago
    it uses OPTIONS also

    emmanuel

    2 years ago
    yeah I’ve seen, I only filter gets to answer 200 directly because unfortunately that’s what our auth layer needs 😕 Apollo answers 400
    maybe it’s just an nginx configuration issue
    I use it in front of apollo to return 200 on /
    is the response to OPTIONS actually used?
    nah ok it’s a CORS stuff blocking the requests
    ok I can deal with that thanks @Ben Davison
    ok fixed

    Ben Davison

    2 years ago
    nice

    emmanuel

    2 years ago
    nothing too fancy really:
    log_format custom '[$time_local] $http_x_forwarded_for - $remote_user - $remote_addr '
                      '"$request" $status $body_bytes_sent '
                      '"$http_referer" "$http_user_agent"';
    
    server {
    
      listen                8080;
      access_log /dev/stdout custom;
      server_name           _;
    
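      # GraphQL API (Apollo): the trailing slash on proxy_pass replaces the
      # matched /graphql prefix with / before the request goes upstream.
      location ^~ /graphql {
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        # Forward the client's request headers upstream (nginx default).
        proxy_pass_request_headers on;
        proxy_http_version 1.1;
        proxy_pass http://prefect-service-core.prefect-service:4200/;
      }
    
      # Everything else goes to the UI service with the request URI unchanged.
      location / {
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_pass_request_headers on;
        proxy_http_version 1.1;
        proxy_pass http://prefect-service-ui.prefect-service:8080;
      }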
    
    
    }