Bolt vs HTTPS for Cypher browser


(Igor Clark) #1

Hi all, I'm working on updating from 3.1.x to 3.4.7 and preparing for 4.0. Quite a lot of work. It seems also that the browser no longer works just over HTTPS, I can no longer find the "don't use Bolt" option. We have quite a lot of infrastructure in place around connecting over HTTPS, we only connect to remote browser instances over HTTPS via firewall-whitelisted IPs, and we don't want to have to set up database authentication and open up more firewall ports just to use Bolt. HTTP across a private network and HTTPS to the browser are perfectly OK for us.

Is there a configuration option to turn this back on?

Thanks!


(Michael Hunger) #2

You might want to fix your title.
Afaik there are plans to support bolt via http(s), not sure when those will be realized.
Can't you put the bolt port onto 443 and use that? We recently were on a restricted network and just put browser itself on 443 and bolt on port 80 to work around that, and it worked well for us.


(Igor Clark) #3

Oh thanks, I thought I cancelled that post (when I got the similarity working)! Updated, cheers.

Not quite sure I understand what you're suggesting re: the browser. Until now, we've just used HTTPS for browser and for the database connection, meaning transport-layer security so no need for db auth, with config like:

dbms.connector.bolt.enabled=false
dbms.security.auth_enabled=false
dbms.connector.https.enabled=true
dbms.connector.https.listen_address=0.0.0.0:7473

From there we've just been able to connect to https://<external-ip>:7473/ in the browser, and it all works fine. We've set up firewalls to allow traffic to 7473, and it's only using that, so originally there was no more config to do. Since 3.x we've had to check the "don't use Bolt" option in the browser, and then everything's worked OK, but now that option's not even there.

Do we now have to use Bolt? Do we have to set up db authentication as well? We only have one user, the web app server, so we have no need for multiple users, and so no need for authentication, as long as the transport is secure.

I could be misunderstanding, but it seems from what you're saying that you're using HTTPS just to expose Bolt on 80. Does it use TLS, or is there plain data going over the wire? Does that include auth info? How do you configure TLS in Bolt, if so?

Sorry, I'm struggling to find documentation (apart from boltprotocol.org which is wire-level stuff) that goes into detail about configuring this as well as the overall concepts. There's https://neo4j.com/developer/kb/how-neo4j-browser-interacts-with-neo4j-server/ but it talks about plain HTTP, and I'm talking about accessing the browser over the internet, so it needs to be HTTPS. There's also https://neo4j.com/docs/operations-manual/current/security/authentication-authorization/ but again it's just db-user-level auth, and it's enterprise only too.

Thanks for any tips!


(Michael Hunger) #4

Yes, Browser and other tools (like cypher-shell or Bloom) use Bolt exclusively.

Bolt uses TLS, yes; you can configure encryption on the client and use server-side certificates:

We just ran bolt on port 80 instead of 7867 to get through the infrastructure blocks and it worked well.

SSL & friends is described here: https://neo4j.com/docs/operations-manual/current/security/


(Igor Clark) #5

OK I'll have a look into that, thanks Michael.


(Igor Clark) #6

Hey Michael, thanks, I got this working using the docs you linked. It was just a matter of setting up all the SSL policy config options. One thing I initially wasn't clear on was that the https.ssl_policy could be the same as the bolt.ssl_policy, but then realised this should "just work", and it does, in dev at least - we set them both to use the same policy, and the browser documents are served over HTTPS on 7473 as before, with connections back to Bolt/TLS now running on 7687. So in our cloud environments we'll just need to expose port 7687 to the appropriate whitelist, which isn't a big deal given we control the firewall, so I think we should be fine. Thanks for your help!

Cheers,
Igor
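Pulling the thread together, this is the shape of the neo4j.conf fragment Igor describes in #6 for Neo4j 3.4: Browser served over HTTPS on 7473 and Bolt over TLS on 7687, both referencing one SSL policy. It is an added example, not configuration posted in the thread; the policy name shared_tls and the certificate file names are assumptions.

```ini
# Added example (not from the thread). Policy name "shared_tls" and the
# certificate file names are assumptions; substitute your own.

# Browser UI over HTTPS only (plain HTTP stays off).
dbms.connector.http.enabled=false
dbms.connector.https.enabled=true
dbms.connector.https.listen_address=0.0.0.0:7473

# Bolt has to be on: Browser, cypher-shell and Bloom all talk to the server over it.
dbms.connector.bolt.enabled=true
dbms.connector.bolt.listen_address=0.0.0.0:7687
# REQUIRED rejects unencrypted Bolt clients instead of silently falling back
# to plaintext (the 3.x default is OPTIONAL).
dbms.connector.bolt.tls_level=REQUIRED

# One SSL policy, referenced by both connectors. Files live under
# <neo4j-home>/certificates/shared_tls/ and must be readable by the neo4j user.
dbms.ssl.policy.shared_tls.base_directory=certificates/shared_tls
dbms.ssl.policy.shared_tls.private_key=private.key
dbms.ssl.policy.shared_tls.public_certificate=public.crt
# Do not let the server mint a self-signed pair at startup; deploy a real cert.
dbms.ssl.policy.shared_tls.allow_key_generation=false
# Browser presents no client certificate, so no mutual TLS on this policy.
dbms.ssl.policy.shared_tls.client_auth=NONE
dbms.ssl.policy.shared_tls.tls_versions=TLSv1.2

https.ssl_policy=shared_tls
bolt.ssl_policy=shared_tls

# As in the thread, database auth stays off: anyone who can reach 7473 or 7687
# gets full access, so the firewall whitelist is the only access control.
dbms.security.auth_enabled=false
```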