Cannot connect to Neo4j Browser on Amazon EC2 instance

I am at the end of my rope. It seems that EVERY time I attempt to do ANYTHING beyond the "Hello World" examples of some tutorial, I spend days thrashing with intricacies of Neo4J -- documentation bugs or mismatches with the current version, things that work differently than advertised, things that don't work at all, and so on.

This week's special fun is trying to connect to neo4j browser running on an AWS EC2 instance. The instance is a direct clone of a local guest VM. Each is a CentOS 7 instance. Each runs Neo4J version 4.0. Each has the same configuration.

Oh, and by the way, yes I HAVE seen the several threads about running on AWS EC2 in the knowledge base. They either aren't relevant or don't work. I know it's tedious, but perhaps the moderators might flag knowledge base items that are made obsolete by subsequent releases of Neo4J.

No matter what I do, I get the same useless failure in the browser (ServiceUnavailable: WebSocket connection failure. Due to security constraints in your web browser, the reason for the failure is not available to this Neo4j Driver. Please use your browsers developm...). The console in the dev toolbox is similarly unhelpful:

WebSocket connection to 'ws://my.domain.name:7687/' failed: Error in connection establishment: net::ERR_CONNECTION_TIMED_OUT

I'm into my second day tilting at this latest windmill, and I'm frankly considering going back to MySQL.

The neo4j server on the EC2 instance runs fine. I can connect to it using cypher-shell, and all is as expected. I'm able to run queries from a bash command line using cypher-shell, and those all work as expected. I'm able to run queries against it using both the python and nodejs drivers. Everything EXCEPT neo4j-browser works fine.

I know that the ports are open (I've confirmed this with netstat -tpan and firewall-cmd --list-all).

There are knowledge base articles here that contain instructions that appear to be outdated. They include directions to append :7687 to various ```neo4j.conf ```` parameters. When I do that, neo4j refuses to start with complaints in neo4j.log similar to the following:

nohup: ignoring input
Exception in thread "main" java.lang.IllegalArgumentException: Error evaluating value for setting 'dbms.default_listen_address'. can not have a port
        at org.neo4j.configuration.Config.evaluateSetting(Config.java:552)
        at org.neo4j.configuration.Config.evaluateSettingValues(Config.java:384)
        at org.neo4j.configuration.Config.<init>(Config.java:357)
        at org.neo4j.configuration.Config$Builder.build(Config.java:260)
        at org.neo4j.server.ServerBootstrapper.start(ServerBootstrapper.java:103)
        at org.neo4j.server.ServerBootstrapper.start(ServerBootstrapper.java:89)
        at org.neo4j.server.CommunityEntryPoint.main(CommunityEntryPoint.java:35)
Caused by: java.lang.IllegalArgumentException: can not have a port
        at org.neo4j.configuration.SettingConstraints$11.validate(SettingConstraints.java:305)
        at org.neo4j.configuration.SettingConstraints$11.validate(SettingConstraints.java:294)
        at org.neo4j.configuration.SettingImpl.validate(SettingImpl.java:119)
        at org.neo4j.configuration.Config.createEntry(Config.java:568)
        at org.neo4j.configuration.Config.evaluateSetting(Config.java:547)
        ... 6 more
2020-06-09 12:37:45.612+0000 INFO [o.n.s.CommunityBootstrapper] Neo4j Server shutdown initiated by request
nohup: ignoring input
Exception in thread "main" java.lang.IllegalArgumentException: Error evaluating value for setting 'dbms.default_listen_address'. can not have a port
        at org.neo4j.configuration.Config.evaluateSetting(Config.java:552)
        at org.neo4j.configuration.Config.evaluateSettingValues(Config.java:384)
        at org.neo4j.configuration.Config.<init>(Config.java:357)
        at org.neo4j.configuration.Config$Builder.build(Config.java:260)
        at org.neo4j.server.ServerBootstrapper.start(ServerBootstrapper.java:103)
        at org.neo4j.server.ServerBootstrapper.start(ServerBootstrapper.java:89)
        at org.neo4j.server.CommunityEntryPoint.main(CommunityEntryPoint.java:35)
Caused by: java.lang.IllegalArgumentException: can not have a port
        at org.neo4j.configuration.SettingConstraints$11.validate(SettingConstraints.java:305)
        at org.neo4j.configuration.SettingConstraints$11.validate(SettingConstraints.java:294)
        at org.neo4j.configuration.SettingImpl.validate(SettingImpl.java:119)
        at org.neo4j.configuration.Config.createEntry(Config.java:568)
        at org.neo4j.configuration.Config.evaluateSetting(Config.java:547)
        ... 6 more
2020-06-09 12:40:41.714+0000 INFO [o.n.s.CommunityBootstrapper] Neo4j Server shutdown initiated by request
nohup: ignoring input
2020-06-09 12:44:53.495+0000 WARN  Use of deprecated setting port propagation. port 7687 is migrated from dbms.connector.bolt.listen_address to dbms.connector.bolt.advertised_address.
2020-06-09 12:44:53.510+0000 WARN  Use of deprecated setting dbms.directories.certificates. Legacy ssl policy is no longer supported.
2020-06-09 12:44:53.510+0000 WARN  Use of deprecated setting dbms.connectors.default_listen_address. It is replaced by dbms.default_listen_address

I'm able to connect to port 7474 from a different system using telnet, so I don't think there are firewall or security-rule issues. I think it's safe to say that the issue is specific to whatever is listening on 7474 connects -- or fails to connect -- to the rest of neo4j. One more time -- cypher-shell and all the language drivers work fine.

If the db password was incorrect, then I don't see why it would work with cypher-shell. So far as I can tell the multiple ways of saying "use port 7474" are all in place, yet it doesn't work.

Oh, and one more time, the same configuration on an identical guest VM running on my local system works fine.

Is there some path, short of spending however much it costs and however long it takes to become a "Neo4J Certified Developer", to make the Neo4J Browser work on AWS EC2? How can something as universal as signing into the showcase tool be this hard?

TL;DR: Sounds like you've already checked 7474, but you need to do the same for 7687, (and probably 7473.)

  • 7474 loads the Browser
  • 7473 loads the Browser via ssl
  • 7687 BOLT -- The browser, and anything else, uses this to connect to the db

So, if you can telnet to :7474, and, :7687, and you're still having trouble, share your neo4j.conf.

As it turns out, the issue was with the AWS "Security Group" being used by the EC2 instance. Although ports 7474 and 7687 were open in the firewall, they were not present in the Security Group. Once I added those (I restricted the IP address range to reduce the risk of mischief from third parties), everything started working fine.

While my learning curve with Cypher continues to be tortuous, this bottleneck was an independent configuration nit.

Yeah, that sounds like AWS to me.

As for the impenetrability of Cypher, which itself is a graph of features, and as such there are many starting points. My advice is to start here:

...and, a couple shameless plugs: