Skip to main content
Version: v2.x

Running Behind a Proxy

Introduction

In environments where direct internet access is restricted or for enhanced security measures, running Hasura GraphQL Engine behind a proxy is often a necessity. This approach is essential for enterprises that control and monitor internet traffic through a proxy server. By configuring Hasura to run behind a proxy, you can manage and secure access to your API efficiently.

While Hasura GraphQL Engine itself does not handle proxy settings, it can be configured to work seamlessly behind various popular proxy servers. This guide illustrates several examples for setting up a reverse proxy, such as Nginx, Caddy, Kong, or Traefik, to handle requests to and from your Hasura GraphQL Engine. You can find more solution-specific details on the proxy server's documentation.

By using a reverse proxy, you can enforce security policies, perform SSL termination, and manage traffic effectively, ensuring that your Hasura API remains secure and accessible within your network infrastructure.

Setting up a proxy

Configuring your Hasura GraphQL Engine to work behind a proxy involves setting up the proxy server to forward requests to Hasura and, optionally, handle SSL/TLS termination. Here are some sample configurations for popular proxies that you can use as a starting point:

Nginx

Here is a sample nginx.conf to proxy requests to Hasura:

server {
listen 80;
listen 443 ssl;
server_name hasura.<my-domain.com>;

location / {
proxy_pass http://localhost:8080/;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
}

The example above directs Nginx to listen on ports 80 and 443 for HTTP and HTTPS requests respectively on the subdomain hasura.<my-domain.com>. The proxy_pass directive forwards requests to Hasura GraphQL Engine running on port 8080.

Server via a URL prefix

To serve Hasura with a URL prefix instead of a separate subdomain, use location /hasura/ or similar.

Caddy

Here is a sample Caddyfile to proxy requests to Hasura:

hasura.<my-domain.com> {
reverse_proxy localhost:8080
}

In order to serve at a URL prefix, use the following configuration:

<my-domain.com> {
handle_path /hasura* {
reverse_proxy localhost:8080
}
}

Traefik

Here are sample traefik.toml and traefik-dynamic.toml files to proxy requests to Hasura:

#traefik.toml

[providers]
[providers.file]
filename = "traefik-dynamic.toml"

[api]
dashboard = true
debug = true

[entryPoints]
[entryPoints.web]
address = ":80"

[entryPoints.web.http]
[entryPoints.web.http.redirections]
[entryPoints.web.http.redirections.entryPoint]
to = "web-secure"
scheme = "https"

[entryPoints.web-secure]
address = ":443"

[certificatesResolvers.sample.acme]
email = "[email protected]"
storage = "acme.json"

[certificatesResolvers.sample.acme.httpChallenge]
# used during the challenge
entryPoint = "web"
#traefik-dynamic.toml

[http]
[http.routers]
[http.routers.my-router]
rule = "Host(`hasura.example.com`)"
service = "hasura"
entryPoints = ["web-secure"]
[http.routers.my-router.tls]
certResolver = "sample"

[http.services]
[http.services.hasura.loadbalancer]
[[http.services.hasura.loadbalancer.servers]]
url = "http://127.0.0.1:5000"

In order to serve at a URL prefix, use the following configuration:

#traefik-dynamic.toml
...

[http.routers]
[http.routers.my-router]
rule = "Host(`example.com`) && Path(`/hasura`))"
service = "hasura"
entryPoints = ["web-secure"]
[http.routers.my-router.tls]
certResolver = "sample"

...