Proxy Support for uplink and subgraphs #5809

Open
LongLiveCHIEF opened this issue Aug 13, 2024 · 2 comments

@LongLiveCHIEF

Is your feature request related to a problem? Please describe.

There is no ability to connect to uplink endpoints from internal networks with restricted internet access. We've tried the normal solution of setting HTTP_PROXY and HTTPS_PROXY environment vars.

Describe the solution you'd like

I'd like to be able to set a proxy configuration for uplink and for individual subgraphs in router configuration

Describe alternatives you've considered

Right now, we can achieve this by putting a forwarding proxy in place alongside router, and forwarding traffic to uplink endpoints through our internal network's outgoing proxy.

Additional context

A blanket implementation that supports setting HTTPS_PROXY etc... may not work here, since typically these will need to be set on a per-endpoint setting. For example, when doing local development, I would be pointing to localhost for subgraphs under test, but to remote endpoints for all other subgraphs.

Those subgraphs could be inside our network, or outside our network, so proxy could apply differently to each (although setting a pattern in NO_PROXY would fix this if router respected that setting).

It may be something where there is a high-level configuration for proxy in the router config that sets proxy_env: true, to toggle that behavior, and then any individual proxy settings in uplink or subgraph configs would override the environment-loaded proxy settings.
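The precedence proposed in this request (a per-endpoint setting first, then the environment proxy unless NO_PROXY matches the host), as an added sketch that is not part of the issue and is not Apollo Router code. `ProxySettings`, `resolve` and the sample hosts are hypothetical, and the NO_PROXY rule used here (exact host or dot-bounded suffix) is one common convention that tools implement differently.

```rust
use std::collections::HashMap;

/// Hypothetical settings; these are not real router configuration keys.
pub struct ProxySettings {
    pub proxy_env: bool,             // honor the environment-loaded values below
    pub https_proxy: Option<String>, // value of HTTPS_PROXY
    pub no_proxy: Vec<String>,       // comma-split NO_PROXY entries
    /// Endpoint name -> Some(proxy URL), or None to force a direct connection.
    pub overrides: HashMap<String, Option<String>>,
}

/// Host part of an http(s) URL (IPv6 literals are not handled in this sketch).
fn host_of(url: &str) -> &str {
    let rest = url.split("://").nth(1).unwrap_or(url);
    let authority = rest.split('/').next().unwrap_or("");
    let hostport = authority.rsplit('@').next().unwrap_or(authority);
    hostport.split(':').next().unwrap_or(hostport)
}

/// True when a NO_PROXY entry covers the host. Suffixes match only on a label
/// boundary, so "corp.example" does not also exempt "notcorp.example".
fn bypasses(host: &str, no_proxy: &[String]) -> bool {
    let host = host.to_ascii_lowercase();
    no_proxy.iter().any(|entry| {
        let e = entry.trim().trim_start_matches('.').to_ascii_lowercase();
        !e.is_empty() && (e == "*" || host == e || host.ends_with(&format!(".{e}")))
    })
}

/// Proxy to use for one endpoint, or None for a direct connection.
pub fn resolve(name: &str, url: &str, s: &ProxySettings) -> Option<String> {
    if let Some(per_endpoint) = s.overrides.get(name) {
        return per_endpoint.clone(); // explicit per-endpoint setting wins
    }
    if !s.proxy_env || bypasses(host_of(url), &s.no_proxy) {
        return None;
    }
    s.https_proxy.clone()
}

fn main() {
    // Constructed sample values.
    let s = ProxySettings {
        proxy_env: true,
        https_proxy: Some("http://proxy.corp.example:3128".into()),
        no_proxy: vec!["localhost".into(), ".corp.example".into()],
        overrides: HashMap::new(),
    };
    println!("{:?}", resolve("products", "http://localhost:4001/graphql", &s));
}
```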

@LongLiveCHIEF
Author

Trey pointed me to uplink-relay, but this doesn't really solve the problem.

For one, it doesn't look like uplink relay supports proxy either, so it would still be unable to communicate with uplink endpoints.

The bigger issue though is that just trying to do rover dev or run a local development setup requires additional services and configuration on top of rover/router in order to connect to uplink, and that requires additional automation/complexity in order to make sure companion services are started locally prior to router starting.

The entire tool suite right now just doesn't handle "can't connect directly to apollo" very well, which is a common problem in enterprise networks that need to prevent their hardware from many types of malicious activity.

In these situations, there is usually a local or enterprise proxy that can be used for legitimate traffic, and most developer tools we run into today support proxy agent configuration either directly, or through the standardized HTTP_PROXY, HTTPS_PROXY, NO_PROXY, SOCKS_PROXY environment variables. (docker, git, npm, aws cli, pip, cargo, go mods, etc... just to name a few)

@cyberhck
Contributor

cyberhck commented Oct 8, 2024

I could be wrong, but I think I've been able to use it through an HTTPS_PROXY locally. If you start router with an HTTPS_PROXY environment, you're able to achieve this.

I've previously wanted to check what request/response is router getting from uplink, and I was able to see the query it fires, the response it receives by running it through a local proxy. You can just point it to the proxy you have. I hope it helps, but I could be wrong.
