Showing results for 
Search instead for 
Did you mean: 

Head's Up! Site migration is underway. Phase 1: replicate users.

Why does my graphql server need to be open to the internet to work?


I am quite perplexed and actually a bit concerned here.. 

I built a grandstack application.  The system consists of 3 physical servers, one for the webserver, one for the neo4j database server and a third machine is the graphql/apollo server.

The physical network looks like

(neo4j) - (apollo/graphql) - (web)

The neo4j & Apollo servers are not directly accessible from the internet (I can poke a hole in the firewall for them to be, but that defeats the purpose)

The webserver of course is internet public

And the apollo/graphql server has a hole poked in it so only the webserver machine at the correct TCP port can access the service. 

When I gave out the web address for people to test it, they said the website doesn't work. I checked, and sure enough their computers were attempting to access the graphql/apollo server directly??

Am I fundamentally misunderstanding something here? Why would a web client need direct access to my graphql/apollo server? If this is the case, and this behavior cannot be changed, graphql just went out the window and I'll go back to plain on REST API's as I want the added security of those machines NOT being accessible from the internet!

Thanks in advance,




Something is wrong with your setup there. The users should not have access to the graphql server.

The web server (implementation, not the webpage) would access the Graphql API.

You _can_ have the webpage access the graphql api, much like every other website does (like twitter, github etc), that's fine too for the right shape of API served by the graphql api.