fly-log-shipper publishes graphql publicly

When I access /playground on the fly-log-shipper instance, I can issue graphql queries to it, with no authentication. That seems like a bad idea. How can I turn this off? It’s very surprising that it’s the default after following the directions on Shipping Logs · The Fly Blog

1 Like

First off, thanks for raising this as our docs are out of date. They need updating for our V2 platform.

It’s true that the log shipper exposes the Vector GraphQL API by default. A few clarifications:

  • You can repeat the setup with flyctl deploy --no-public-ips to ensure no public access
  • You can remove the existing public IPs with flyctl ips list and flyctl ips release
  • The API is enabled to support the vector tap command, which is useful for debugging log ship failures
  • The shipper should not have booted with public web access unless you changed internal_port from the default 8080 to the Vector port
  • You can disable the API by updating the vector config and deploying from source
1 Like

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.