Skip to main content
Version: v2.x

Enable HTTPS

Setting up HTTPS

Hasura GraphQL engine does not handle SSL/TLS for your API. That means, Hasura GraphQL engine cannot serve your API on an HTTPS URL.

You should use a reverse proxy (like Nginx, Caddy, Kong, Traefik etc.) or the cloud provider's native load balancer SSL termination features to secure your API.

Sample configurations

Here are a few sample configurations for some popular proxies:

Nginx

Here is a sample nginx.conf to proxy requests to Hasura:

server {
listen 80;
listen 443 ssl;
server_name hasura.<my-domain.com>;

location / {
proxy_pass http://localhost:8080/;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
}

Please note that setting up SSL is not covered in this guide. You can find more information at Nginx docs.

To serve Hasura with a URL prefix instead of a separate subdomain, use location /hasura/ or similar.

Caddy

Here is a sample Caddyfile to proxy requests to Hasura:

hasura.<my-domain.com> {
reverse_proxy localhost:8080
}

Caddy has TLS provisioning built-in with Let's Encrypt or ZeroSSL. You can find the docs at Caddy website.

In order to serve at a URL prefix, use the following configuration:

<my-domain.com> {
handle_path /hasura* {
reverse_proxy localhost:8080
}

handle {
# Fallback for otherwise unhandled requests
}
}

Traefik

Here are sample traefik.toml and traefik-dynamic.toml files to proxy requests to Hasura:

#traefik.toml

[providers]
[providers.file]
filename = "traefik-dynamic.toml"

[api]
dashboard = true
debug = true

[entryPoints]
[entryPoints.web]
address = ":80"

[entryPoints.web.http]
[entryPoints.web.http.redirections]
[entryPoints.web.http.redirections.entryPoint]
to = "web-secure"
scheme = "https"

[entryPoints.web-secure]
address = ":443"

[certificatesResolvers.sample.acme]
email = "[email protected]"
storage = "acme.json"

[certificatesResolvers.sample.acme.httpChallenge]
# used during the challenge
entryPoint = "web"
#traefik-dynamic.toml

[http]
[http.routers]
[http.routers.my-router]
rule = "Host(`hasura.example.com`)"
service = "hasura"
entryPoints = ["web-secure"]
[http.routers.my-router.tls]
certResolver = "sample"

[http.services]
[http.services.hasura.loadbalancer]
[[http.services.hasura.loadbalancer.servers]]
url = "http://127.0.0.1:5000"

In order to serve at a URL prefix, use the following configuration:

#traefik-dynamic.toml
...

[http.routers]
[http.routers.my-router]
rule = "Host(`example.com`) && Path(`/hasura`))"
service = "hasura"
entryPoints = ["web-secure"]
[http.routers.my-router.tls]
certResolver = "sample"

...

Please note that setting up SSL is not covered in this guide. You can find more information at the Traefik docs.