Need - neo4j reverse proxy config for apache


(Njs8) #1

Can someone provide me with an Apache reverse proxy config for neo4j? The browser is loading fine, but no luck connecting to the DB using the connect URL.
What should the proxy config be, specifically the one to connect to the database?

This is my current Apache reverse config:

Redirect /neo4j /neo4j/

ProxyPass /neo4j/ http://hostname:7474/browser/

ProxyPassReverse /neo4j/ http://hostname:7474/browser/

and on the backend server where neo4j is installed and running, this is the only port that's listening

tcp6 0 0 :::7474 :::* LISTEN 21202/java

I can load the neo4j page from the web, but when I try to connect to the DB, I am getting ServiceUnavailable: Failed to fetch.

This is the installed version, neo4j-3.5.1-1.noarch, and the config file:

dbms.directories.data=/var/lib/neo4j/data
dbms.directories.plugins=/var/lib/neo4j/plugins
dbms.directories.certificates=/var/lib/neo4j/certificates
dbms.directories.logs=/var/log/neo4j
dbms.directories.lib=/usr/share/neo4j/lib
dbms.directories.run=/var/run/neo4j
dbms.directories.import=/var/lib/neo4j/import
dbms.connectors.default_listen_address=0.0.0.0
dbms.connectors.default_advertised_address=localhost
dbms.connector.bolt.enabled=true
dbms.connector.http.enabled=true
dbms.connector.https.enabled=true
dbms.tx_log.rotation.retention_policy=1 days
dbms.jvm.additional=-XX:+UseG1GC
dbms.jvm.additional=-XX:-OmitStackTraceInFastThrow
dbms.jvm.additional=-XX:+AlwaysPreTouch
dbms.jvm.additional=-XX:+UnlockExperimentalVMOptions
dbms.jvm.additional=-XX:+TrustFinalNonStaticFields
dbms.jvm.additional=-XX:+DisableExplicitGC
dbms.jvm.additional=-Djdk.tls.ephemeralDHKeySize=2048
dbms.jvm.additional=-Djdk.tls.rejectClientInitiatedRenegotiation=true
dbms.windows_service_name=neo4j
dbms.jvm.additional=-Dunsupported.dbms.udc.source=rpm

Any help will be much appreciated


(Stefan Armbruster) #2

Neo4j Browser uses a BOLT connection to your server's port 7687. I guess you need to proxy that as well. Be aware this port is not http, so you need a tcp proxy.

See e.g. https://blog.armbruster-it.de/2018/05/using-nginx-to-proxy-a-neo4j-instance/


(Njs8) #3

Hi Stefan,

I tried reverse proxying 7687. Everything works fine on the internal network. But from an external network/the internet, the neo4j browser page loads, but when I enter the Connect URL and try logging in, it fails. It's not even hitting the proxy. Do you have a config file for Apache?


(Michael Hunger) #4

You probably have to adapt the advertised address.
Can you check what it reports as the bolt URL in curl http://hostname:7474/ ?


(Njs8) #5

Hi Michael,

This is what I get from the proxy host

curl http://hdp004:7474/
{
"data" : "http://hdp004:7474/db/data/",
"management" : "http://hdp004:7474/db/manage/",
"bolt" : "bolt://hdp004:7687"
}

How should I configure apache reverse proxy config using the above endpoints? So that we can try hit it from the internet.


(Stefan Armbruster) #6

try to set:

dbms.connectors.default_advertised_address=hdp004

(Njs8) #7

That's what I have set in the config:

dbms.directories.data=/var/lib/neo4j/data
dbms.directories.plugins=/var/lib/neo4j/plugins
dbms.directories.certificates=/var/lib/neo4j/certificates
dbms.directories.logs=/var/log/neo4j
dbms.directories.lib=/usr/share/neo4j/lib
dbms.directories.run=/var/run/neo4j
dbms.directories.import=/var/lib/neo4j/import
dbms.connectors.default_listen_address=0.0.0.0
dbms.connectors.default_advertised_address=hdp004
dbms.connector.bolt.enabled=true
dbms.connector.bolt.listen_address=0.0.0.0:7687
dbms.connector.http.enabled=true
dbms.connector.https.enabled=false
dbms.tx_log.rotation.retention_policy=1 days
dbms.jvm.additional=-XX:+UseG1GC
dbms.jvm.additional=-XX:-OmitStackTraceInFastThrow
dbms.jvm.additional=-XX:+AlwaysPreTouch
dbms.jvm.additional=-XX:+UnlockExperimentalVMOptions
dbms.jvm.additional=-XX:+TrustFinalNonStaticFields
dbms.jvm.additional=-XX:+DisableExplicitGC
dbms.jvm.additional=-Djdk.tls.ephemeralDHKeySize=2048
dbms.jvm.additional=-Djdk.tls.rejectClientInitiatedRenegotiation=true
dbms.windows_service_name=neo4j
dbms.jvm.additional=-Dunsupported.dbms.udc.source=rpm


(Stefan Armbruster) #8

Can you check the JavaScript console in your browser for some suspicious messages?


(Njs8) #9

I am seeing this error when trying http://portal.cac.queensu.ca in the connect url

Blocked loading mixed active content “http://portal.cac.queensu.ca:7474/db/data/transaction

and if I try just the URL, it shows:
Firefox can’t establish a connection to the server at wss://portal.cac.queensu.ca:7687/

In Chrome these are the errors

vendors~main.chunkhash.bundle.js:86 Mixed Content: The page at 'https://portal.cac.queensu.ca/neo4j/' was loaded over HTTPS, but requested an insecure resource 'http://portal.cac.queensu.ca:7474/db/data/transaction'. This request has been blocked; the content must be served over HTTPS.
(anonymous) @ vendors~main.chunkhash.bundle.js:86
e

If I try https
vendors~main.chunkhash.bundle.js:86 OPTIONS https://portal.cac.queensu.ca:7473/db/data/transaction net::ERR_CONNECTION_REFUSED

If I try just the url -
vendors~main.chunkhash.bundle.js:84 WebSocket connection to 'wss://portal.cac.queensu.ca:7687/' failed: Error in connection establishment: net::ERR_CERT_AUTHORITY_INVALID


(Njs8) #10

Hello Team,

Any further updates on this? I am still struggling to get this working over the web. Locally it works fine.
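
Added example, not posted by anyone in this thread: one way to give the browser a wss:// endpoint on 7687 that presents a certificate it trusts, since the ERR_CERT_AUTHORITY_INVALID error in #9 shows the certificate currently offered on that port is not accepted. The hostnames come from the thread; the certificate paths are placeholders, and it assumes mod_ssl, mod_proxy and mod_proxy_wstunnel are loaded and that the backend Bolt connector accepts unencrypted connections from the proxy.

```apache
# Added example. Hostnames are the ones quoted in the thread;
# certificate paths are placeholders to be replaced.
# Requires mod_ssl, mod_proxy and mod_proxy_wstunnel.

Listen 7687

<VirtualHost *:7687>
    ServerName portal.cac.queensu.ca

    # Terminate TLS on the proxy with the CA-issued certificate that
    # already serves https://portal.cac.queensu.ca/neo4j/, so the
    # browser's wss:// handshake validates instead of failing with
    # ERR_CERT_AUTHORITY_INVALID.
    SSLEngine on
    SSLCertificateFile    /path/to/portal-certificate-with-chain.pem
    SSLCertificateKeyFile /path/to/portal-private-key.pem

    # Neo4j Browser carries Bolt inside a WebSocket. Forward it as a
    # plain ws:// tunnel to the backend Bolt connector, which stays on
    # the internal network (assumes the connector does not require TLS).
    ProxyPass / ws://hdp004:7687/
</VirtualHost>
```

With this in place the Connect URL entered in the browser would be bolt://portal.cac.queensu.ca:7687, and port 7687 on the proxy has to be reachable from outside while hdp004 itself stays unexposed.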