DocumentationGatewayOther FeaturesSecurityHTTPS

Secure HTTP Connection (HTTPS)

HTTPS (HyperText Transfer Protocol Secure) is an encrypted version of the HTTP protocol. It uses TLS to encrypt all communication between a client and a server.

There are different ways to secure the connection. It is either between the client and Hive Gateway or between Hive Gateway and the subgraphs.

💡
This is only available on Node environment.

Subgraph - Gateway Connection

Hive Gateway acts as a client to the subgraphs, so if you want to have a secure connection in between Hive Gateway and the subgraphs, you can use HTTPs.

Using Self-Signed Certificates

But if you use self-signed certificates, Hive Gateway may not verify the certificate by default, then you need to provide those certificates to Hive Gateway.

Environment Variables

Hive Gateway’s default HTTP Client implementation respects Node’s environment variables related to this;

  • NODE_TLS_REJECT_UNAUTHORIZED - If set to 0, it disables the rejection of self-signed certificates.
  • NODE_EXTRA_CA_CERTS - If set, it provides a path to a CA certificate file.

Below is an example of how to use self-signed certificates with Hive Gateway;

NODE_EXTRA_CA_CERTS=/path/to/ca.crt hive-gateway supergraph <path-to-supergraph-config>

Configuration File

The only way to configure HTTPS programmaticaly is to use a custom agent like below;

import { readFileSync } from 'fs'
import { Agent } from 'https'
import { defineConfig } from '@graphql-hive/gateway'
 
const agent = new Agent({
  ca: readFileSync('/path/to/ca.crt')
  // or
  rejectUnauthorized: false
})
 
export const gatewayConfig = defineConfig({
  // This function will be called for each URL to determine if the custom agent should be used
  customAgent: ({ url }) =>
        url === 'https://example.com'
          ? agent
          : undefined
})

Client - Gateway Connection

You can also configure Hive Gateway to listen on HTTPS. You can provide the path to the key and certificate files in the configuration file;

import { defineConfig } from '@graphql-hive/gateway'
 
export const gatewayConfig = defineConfig({
  sslCredentials: {
    key_file_name: 'path/to/key.pem',
    cert_file_name: 'path/to/cert.pem',
    passphrase: 'passphrase'
  },
  port: 443
})
IntrospectionHMAC Signature