-
Notifications
You must be signed in to change notification settings - Fork 2.8k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Browse files
Browse the repository at this point in the history
- Loading branch information
1 parent
713d689
commit 7664f1a
Showing
10 changed files
with
248 additions
and
3 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,3 +1,5 @@ | ||
| .. _api-reference: | ||
|
|
||
| API Reference | ||
| ============= | ||
|
|
||
|
|
||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,3 +1,5 @@ | ||
| .. _allow-list: | ||
|
|
||
| Allow-list for queries | ||
| ====================== | ||
|
|
||
|
|
||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,3 +1,5 @@ | ||
| .. _http-compression: | ||
|
|
||
| HTTP Compression | ||
| ================ | ||
|
|
||
|
|
||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,75 @@ | ||
| .. _enable-https: | ||
|
|
||
| Enable HTTPS | ||
| ============ | ||
|
|
||
| .. contents:: Table of contents | ||
| :backlinks: none | ||
| :depth: 2 | ||
| :local: | ||
|
|
||
| Setting up HTTPS | ||
| ---------------- | ||
|
|
||
| Hasura GraphQL engine does not handle SSL/TLS for your API. That means, Hasura GraphQL engine cannot serve | ||
| your API on an HTTPS URL. | ||
|
|
||
| You should use a reverse proxy (like Nginx, Caddy, | ||
| Kong, Traefik etc.) or the cloud provider's native load balancer SSL | ||
| termination features to secure your API. | ||
|
|
||
| Sample configurations | ||
| --------------------- | ||
|
|
||
| Here are a few sample configurations for some popular proxies: | ||
|
|
||
| `Nginx <https://nginx.org/en/docs/>`__ | ||
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ | ||
|
|
||
| Here is a sample ``nginx.conf`` to proxy requests to Hasura: | ||
|
|
||
| .. code-block:: nginx | ||
| server { | ||
| listen 80; | ||
| server_name hasura.my-domain.com; | ||
| location / { | ||
| proxy_pass http://localhost:8080/; | ||
| proxy_http_version 1.1; | ||
| proxy_set_header Upgrade $http_upgrade; | ||
| proxy_set_header Connection "upgrade"; | ||
| } | ||
| } | ||
| Please note that setting up SSL is not covered in this guide. You can find more | ||
| information at `Nginx docs | ||
| <https://nginx.org/en/docs/http/configuring_https_servers.html>`__. | ||
|
|
||
| To serve Hasura with a URL prefix instead of a separate subdomain, use | ||
| ``location /hasura/`` or similar. | ||
|
|
||
| `Caddy <https://caddyserver.com/>`__ | ||
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ | ||
|
|
||
| Here is a sample ``Caddyfile`` to proxy requests to Hasura: | ||
|
|
||
| .. code-block:: bash | ||
| hasura.my-domain.com { | ||
| proxy / http://localhost:8080 | ||
| websocket | ||
| } | ||
| Caddy has SSL provisioning built-in with Let's Encrypt. You can find the docs at | ||
| `Caddy website <https://caddyserver.com/docs/automatic-https>`__. | ||
|
|
||
| In order to serve at a URL prefix, use the following configuration: | ||
|
|
||
| .. code-block:: bash | ||
| my-domain.com { | ||
| proxy /hasura http://localhost:8080 | ||
| websocket | ||
| without /hasura | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,3 +1,5 @@ | ||
| .. _hge_logs: | ||
|
|
||
| Hasura GraphQL engine logs | ||
| ========================== | ||
|
|
||
|
|
||
157 changes: 157 additions & 0 deletions
157
docs/graphql/manual/deployment/production-checklist.rst
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,157 @@ | ||
| .. _production-checklist: | ||
|
|
||
| Production checklist | ||
| ==================== | ||
|
|
||
| .. contents:: Table of contents | ||
| :backlinks: none | ||
| :depth: 1 | ||
| :local: | ||
|
|
||
| This guide is a checklist for configuring and securing GraphQL engine for a | ||
| production deployment. | ||
|
|
||
| Set an admin secret | ||
| ------------------- | ||
|
|
||
| Set an admin secret to protect the API from unauthorized access. It is | ||
| recommended to keep this as a long string. | ||
|
|
||
| .. code-block:: bash | ||
| # set env var | ||
| HASURA_GRAPHQL_ADMIN_SECRET=averylongpasswordstring | ||
| # or use the flag | ||
| graphql-engine --database-url=<database-url> serve --admin-secret=averylongpasswordstring | ||
| More details can be found at :ref:`securing-graphql-endpoint`. | ||
|
|
||
| Verify permissions | ||
| ------------------ | ||
|
|
||
| .. contents:: | ||
| :backlinks: none | ||
| :depth: 1 | ||
| :local: | ||
|
|
||
| Review the summary | ||
| ~~~~~~~~~~~~~~~~~~ | ||
| Review the authorization/permission rules set on tables. You can make use of the | ||
| "Schema permissions summary" page to get a bird's eye view on all the | ||
| permissions set across all tables and roles. Pay extra attention to roles like | ||
| "anonymous" which allow unauthenticated access. | ||
|
|
||
| .. thumbnail:: ../../../img/graphql/manual/deployment/schema_permissions_summary.png | ||
| :alt: Hasura console - Schema permissions summary | ||
| :width: 75% | ||
|
|
||
| Limit number of rows returned | ||
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | ||
| You should :ref:`limit the number of rows <limit-rows-permissions>` that can be | ||
| accessed in one request, by setting the number in the select permission. This | ||
| will prevent someone from accidentally or otherwise querying the entire table in | ||
| one shot, thus adding load on Postgres. | ||
|
|
||
| Disable APIs | ||
| ------------ | ||
|
|
||
| Hasura exposes many APIs which might not be relevant for a production instance | ||
| that is only supposed to serve GraphQL. APIs can be selectively enabled using | ||
| the corresponding flag or environment variable. | ||
|
|
||
| In most production scenarios, you would only need GraphQL API to be enabled. | ||
|
|
||
| .. code-block:: bash | ||
| # set this env var to enable only the graphql api | ||
| HASURA_GRAPHQL_ENABLED_APIS=graphql | ||
| # if you're using flags | ||
| graphql-engine --database-url=<database-url> serve --enabled-apis=graphql | ||
| By setting the above flag or env var, we are disabling the ``metadata``, | ||
| ``pg_dump`` and ``config`` APIs. ``health`` and ``version`` APIs are public and | ||
| cannot be disabled. | ||
|
|
||
| Read more about all the API types at the :ref:`API reference <api-reference>`. | ||
|
|
||
| .. note:: | ||
|
|
||
| If you're using ``cli-migrations`` image, prior to ``v1.0.0-beta.8``, setting | ||
| enabled APIs to only ``graphql`` can cause the migration apply step to fail. | ||
| Please update to the latest version if you're facing this issue. | ||
|
|
||
|
|
||
| Disable console | ||
| --------------- | ||
|
|
||
| It is recommended that you disable the console on production deployments. Also, | ||
| when you disable the metadata API, console will stop working. | ||
|
|
||
| .. code-block:: bash | ||
| # set the env var to disable console | ||
| HASURA_GRAPHQL_ENABLE_CONSOLE=false | ||
| # when using flags, no --enable-console flag implies console is disabled | ||
| graphql-engine --database-url=<database-url> serve | ||
| .. note:: | ||
|
|
||
| You can still use the CLI to open a console connected to this instance. | ||
| (Provided ``metadata`` APIs are not disabled). | ||
|
|
||
| Set up an allow-list | ||
| -------------------- | ||
|
|
||
| An allow-list can be set up to restrict what kind of requests can be made against | ||
| this particular instance. If your API is meant to serve a frontend client, you | ||
| can only allow those requests used by the client to pass through. Every other | ||
| request will be rejected without even getting validated. | ||
|
|
||
| Read more at :ref:`allow-list`. | ||
|
|
||
| Restrict CORS domains | ||
| --------------------- | ||
|
|
||
| By default, all cross-origin requests are allowed by Hasura GraphQL engine. You should restrict | ||
| them to the domains which you trust. | ||
|
|
||
| .. code-block:: bash | ||
| # set the env var, accept cross-origin requests from https://my-ui.com | ||
| HASURA_GRAPHQL_CORS_DOMAIN=https://my-ui.com | ||
| # using flags | ||
| graphql-engine --database-url=<database-url> server --cors-domain="https://my-ui.com" | ||
| You can read more about this setting at :ref:`configure-cors`. | ||
|
|
||
| Enable HTTPS | ||
| ------------ | ||
|
|
||
| Production APIs should be served over HTTPS to be secure over the network. | ||
|
|
||
| See :ref:`enable-https` for details on achieving this. | ||
|
|
||
| Configure logging | ||
| ----------------- | ||
|
|
||
| The :ref:`logs guide <hge_logs>` describes different log types and log levels Hasura GraphQL engine uses. | ||
| You can configure the GraphQL engine to enable/disable certain log-types using | ||
| the the ``--enabled-log-types`` flag or the ``HASURA_GRAPHQL_ENABLED_LOG_TYPES`` | ||
| env var. | ||
|
|
||
| If you are collecting your logs using an agent and you're interested in | ||
| capturing the request logs along with the SQL that is generated, you should | ||
| enable ``query-log`` *(it is not enabled by default)*. | ||
|
|
||
| .. code-block:: bash | ||
| # enable all log types | ||
| HASURA_GRAPHQL_ENABLED_LOG_TYPES=startup,http-log,query-log,websocket-log,webhook-log | ||
| # using flags | ||
| graphql-engine --database-url=<database-url> | ||
| serve --enabled-log-types="startup,http-log,query-log,websocket-log,webhook-log" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,3 +1,5 @@ | ||
| .. _securing-graphql-endpoint: | ||
|
|
||
| Securing the GraphQL endpoint | ||
| ============================= | ||
|
|
||
|
|
||
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.