Recommended health check strategy is impossible using AWS load balancer

Eric_Dauenhauer · May 31, 2023, 4:06pm

Apollo recommends enabling CSRF (solid recommendation )

Apollo recommends making a GET query to perform a health check against the Apollo server, not just the underlying (e.g. Express) server (also a solid recommendation )

In order to make a GET query for the health check, you must include headers. The docs are explicit:

Sending an apollo-require-preflight: true header alongside your health check ensures that Apollo Server’s CSRF prevention feature won’t block it.

A common way of configuring a health check (at least in AWS) is a load balancer health check. The AWS Load Balancer health check does not support configuring headers in the request. Therefore, using Apollo’s recommended health check strategy is impossible.

Is there any workaround for this? Is this a known issue? Does this deserve a bug report?

Thanks.

Sachin_Deshpande · September 1, 2023, 12:12pm

Spot on Eric. We are stuck with the same thing.

Have you managed to find a workaround?

scott · September 4, 2023, 5:00pm

+1 to you both. Having the same issue. My temporary fix was to turn off CSRF protection. I think a bug report might make sense for health checks that can’t have headers in the request. Maybe it’s just a documentation improvement (on how to implement a health check that tests that the GraphQL parts are working.

I can create an issue if the two of you haven’t figured out another way around this.

scott · September 4, 2023, 5:58pm

Actually, I ended up creating a quick health check endpoint of my own just now that worked and is aligned with the health check that Apollo proposes.

    app.get('/check-health', (_req, res) => {
      server
        .executeOperation({ query: '{ __typename }' })
        .then((data) => {
          if (data.body.kind === 'single') {
            if (data.body.singleResult.errors) {
              res.status(400).send(JSON.stringify(data.body.singleResult.errors));
            } else {
              res.status(200).send(JSON.stringify(data.body.singleResult.data));
            }
          }
        })
        .catch((error) => {
          res.status(400).send(JSON.stringify(error));
        });
    });

I turned CSRF protection back on, pointed the load balancer to my new endpoint, and everything seems good.