hasura/graphql-engine
1
0
Fork 0
mirror of https://github.com/hasura/graphql-engine.git synced 2024-12-17 04:24:35 +03:00
Code Issues Projects Releases Wiki Activity
fd85d0ba5b
graphql-engine/docs/graphql/manual/deployment/graphql-engine-flags/config-examples.rst
Anon Ray 02d80c9ac6 read cookie while initialising websocket connection (fix #1660) (#1668) 
* read cookie while initialising websocket connection (fix #1660)

* add tests for cookie on websocket init

* fix logic for tests

* enforce cors, and flag to force read cookie when cors disabled

  - as browsers don't enforce SOP on websockets, we enforce CORS policy
  on websocket handshake
  - if CORS is disabled, by default cookie is not read (because XSS
  risk!). Add special flag to force override this behaviour

* add log and forward origin header to webhook

  - add log notice when cors is disabled, and cookie is not read on
  websocket handshake
  - forward origin header to webhook in POST mode. So that when CORS is
  disabled, webhook can also enforce CORS independently.

* add docs, and forward all client headers to webhook
2019-03-04 13:16:53 +05:30

132 lines
4.0 KiB
ReStructuredText
Raw Blame History

GraphQL engine server config examples
=====================================
.. contents:: Table of contents
:backlinks: none
:depth: 1
:local:
The following are a few configuration use cases:
.. _add-admin-secret:
Add an admin secret
-------------------
To add an admin-secret to Hasura, pass the ``--admin-secret`` flag with a secret
generated by you.
Run server in this mode using following docker command:
.. code-block:: bash
docker run -P -d hasura/graphql-engine:latest graphql-engine \
--database-url postgres://username:password@host:5432/dbname \
serve \
--admin-secret XXXXXXXXXXXXXXXX
Typically, you will also have a webhook for authentication:
.. code-block:: bash
docker run -P -d hasura/graphql-engine:latest graphql-engine \
--database-url postgres://username:password@host:5432/dbname \
serve \
--admin-secret XXXXXXXXXXXXXXXX
--auth-hook https://myauth.mywebsite.com/user/session-info
In addition to flags, the GraphQL Engine also accepts Environment variables.
In the above case, for adding an admin secret you will use the ``HASURA_GRAPHQL_ADMIN_SECRET``
and for the webhook, you will use the ``HASURA_GRAPHQL_AUTH_HOOK`` environment variables.
.. _cli-with-admin-secret:
Using CLI commands with admin secret
------------------------------------
When you start the GraphQL Engine with an admin secret key, CLI commands will also
need this admin secret to contact APIs. It can be set in ``config.yaml`` or as an
environment variable or as a flag to the command. For example, let's look at the
case of the ``console`` command:
In the ``my-project/config.yaml`` file, set a new key ``admin_secret``:
.. code-block:: yaml
# config.yaml
endpoint: https://my-graphql-endpoint.com
admin_secret: XXXXXXXXXXXXXXXX
The console can now contact the GraphQL APIs with the specified admin secret.
.. note::
If you're setting ``admin_secret`` in ``config.yaml`` please make sure you do
not check this file into a public repository.
An alternate and safe way is to pass the admin secret value to the command
as an environment variable:
.. code-block:: bash
export HASURA_GRAPHQL_ADMIN_SECRET=xxxxx
hasura console
# OR in a single line
HASURA_GRAPHQL_ADMIN_SECRET=xxxxx hasura console
You can also set the admin secret using a flag to the command:
.. code-block:: bash
hasura console --admin-secret=XXXXXXXXXXXX
.. note::
The order of precedence for admin secret and endpoint is as follows:
CLI flag > Environment variable > Config file
.. _configure-cors:
Configure CORS
--------------
By default, all CORS requests to Hasura GraphQL engine are allowed. To run with more restrictive CORS settings,
use the ``--cors-domain`` flag or the ``HASURA_GRAPHQL_CORS_DOMAIN`` ENV variable. The default value is ``*``,
which means CORS headers are sent for all domains.
Scheme + host with optional wildcard + optional port has to be mentioned.
Examples:
.. code-block:: bash
# Accepts from https://app.foo.bar.com , https://api.foo.bar.com etc.
HASURA_GRAPHQL_CORS_DOMAIN="https://*.foo.bar.com"
# Accepts from https://app.foo.bar.com:8080 , http://api.foo.bar.com:8080,
# http://app.localhost, http://api.localhost, http://localhost:3000,
# http://example.com etc.
HASURA_GRAPHQL_CORS_DOMAIN="https://*.foo.bar.com:8080, http://*.localhost, http://localhost:3000, http://example.com"
# Accepts from all domain
HASURA_GRAPHQL_CORS_DOMAIN="*"
# Accepts only from http://example.com
HASURA_GRAPHQL_CORS_DOMAIN="http://example.com"
.. note::
Top-level domains are not considered as part of wildcard domains. You
have to add them separately. E.g - ``https://*.foo.com`` doesn't include
``https://foo.com``.
You can tell Hasura to disable handling CORS entirely via the ``--disable-cors``
flag. Hasura will not respond with CORS headers. You can use this option if
you're already handling CORS on a reverse proxy etc.
Reference in New Issue View Git Blame Copy Permalink