apollographql / router

A configurable, high-performance routing runtime for Apollo Federation 🚀
https://www.apollographql.com/docs/router/

Proxy Support for uplink and subgraphs #5809

Open LongLiveCHIEF opened 1 month ago

LongLiveCHIEF commented 1 month ago

Is your feature request related to a problem? Please describe.

There is no ability to connect to uplink endpoints from internal networks with restricted internet access. We've tried the normal solution of setting HTTP_PROXY and HTTPS_PROXY environment vars.

Describe the solution you'd like

I'd like to be able to set a proxy configuration for uplink and for individual subgraphs in router configuration.

Describe alternatives you've considered

Right now, we can achieve this by putting a forwarding proxy in place alongside router, and forwarding traffic to uplink endpoints through our internal networks outgoing proxy.

Additional context

A blanket implementation that supports setting HTTPS_PROXY etc... may not work here, since typically these will need to be set on a per-endpoint setting. For example, when doing local development, I would be pointing to localhost for subgraphs under test, but to remote endpoints for all other subgraphs.

Those subgraphs could be inside our network, or outside our network, so proxy could apply differently to each (although setting a pattern in NO_PROXY would fix this if router respected that setting).

It may be something where there is a high-level configuration for proxy in the router config that sets proxy_env: true, to toggle that behavior, and then any individual proxy settings in uplink or subgraph configs would override the environment loaded proxy settings.
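An added sketch of the precedence proposed in the comment above (per-endpoint setting first, then NO_PROXY, then HTTPS_PROXY / HTTP_PROXY); this is not Apollo Router code or configuration. `Override`, `resolve_proxy` and the helper functions are hypothetical names, `proxy_env` mirrors the toggle suggested in the comment, and the hosts and proxy URL are constructed samples.

```rust
// Added illustration; hypothetical types, not Apollo Router code or configuration.
use std::collections::HashMap;

/// Hypothetical per-endpoint setting: inherit the environment, force direct, or pin a proxy.
#[derive(Clone, Debug, PartialEq)]
pub enum Override { Inherit, Direct, Proxy(String) }

/// True when `host` is covered by one NO_PROXY entry. "*" matches everything;
/// "corp.example" and ".corp.example" match that domain and its subdomains only,
/// so "evilcorp.example" is not treated as internal (label-boundary check).
fn no_proxy_matches(entry: &str, host: &str) -> bool {
    let entry = entry.trim().trim_start_matches('.').to_ascii_lowercase();
    let host = host.to_ascii_lowercase();
    if entry.is_empty() { return false; }
    entry == "*" || host == entry || host.ends_with(&format!(".{}", entry))
}

/// Looks up an upper-case variable name, falling back to its lower-case spelling.
fn env_get<'a>(env: &'a HashMap<String, String>, key: &str) -> Option<&'a String> {
    env.get(key)
        .or_else(|| env.get(key.to_ascii_lowercase().as_str()))
        .filter(|v| !v.is_empty())
}

/// Some(proxy_url) when the request should use a proxy, None for a direct connection.
/// Precedence: per-endpoint override, then NO_PROXY, then HTTPS_PROXY / HTTP_PROXY.
pub fn resolve_proxy(scheme: &str, host: &str, over: &Override, proxy_env: bool,
                     env: &HashMap<String, String>) -> Option<String> {
    match over {
        Override::Direct => return None,
        Override::Proxy(url) => return Some(url.clone()),
        Override::Inherit => {}
    }
    if !proxy_env { return None; }
    if let Some(list) = env_get(env, "NO_PROXY") {
        if list.split(',').any(|e| no_proxy_matches(e, host)) { return None; }
    }
    let key = if scheme.eq_ignore_ascii_case("https") { "HTTPS_PROXY" } else { "HTTP_PROXY" };
    env_get(env, key).cloned()
}

fn main() {
    // Constructed sample environment and hosts.
    let env: HashMap<String, String> = [("HTTPS_PROXY", "http://proxy.corp.example:3128"),
        ("NO_PROXY", "localhost,.corp.example")]
        .iter().map(|(k, v)| (k.to_string(), v.to_string())).collect();
    for host in ["uplink.vendor.example", "orders.corp.example", "evilcorp.example", "localhost"] {
        println!("{}: {:?}", host, resolve_proxy("https", host, &Override::Inherit, true, &env));
    }
}
```

Matching NO_PROXY entries on a label boundary keeps a look-alike external domain from bypassing the egress proxy.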

LongLiveCHIEF commented 1 month ago

Trey pointed me to uplink-relay, but this doesn't really solve the problem.

For one, it doesn't look like uplink relay supports proxy either, so it would still be unable to communicate with uplink endpoints.

The bigger issue though is that just trying to do rover dev or run a local development setup requires additional services and configuration on top of rover/router in order to connect to uplink, and that requires additional automation/complexity in order to make sure companion services are started locally prior to router starting.

The entire tool suite right now just doesn't handle "can't connect directly to apollo" very well, which is a common problem in enterprise networks that need to prevent their hardware from many types of malicious activity.

In these situations, there is usually a local or enterprise proxy that can be used for legitimate traffic, and most developer tools we run into today support proxy agent configuration either directly, or through the standardized HTTP_PROXY, HTTPS_PROXY, NO_PROXY, SOCKS_PROXY environment variables. (docker, git, npm, aws cli, pip, cargo, go mods, etc... just to name a few)