Need - neo4j reverse proxy config for apache

A solution?

For folks who are still thinking about this years on, I have conceived of a horrible no good very bad way ™ of doing this which involves running two domains out of an Apache install. It works for a small project I'm doing over the summer with a very limited number of people; I am sure that a brain much larger than mine would improve it. As such, here it is for good or ill.

Context

The VPS on which I did this blocks many ports. I had to find a way to proxy the websocket/Bolt connection such that I could essentially connect to the same server from a remote connection outside the network on which the server lives. This turned out to be complicated, as /browser is served on one of the few open ports. Because I set up SSL on the server, that's two ports down (80, and 443). Unfortunately, the last remaining open port, 22, is reserved for SSH folderol. This was a major limitation that spurred this solution.

Ok, just get to the goods

If you came here for configs -- go no further. However, this mess probably needs a bit of qualification. Read on!

SSLStrictSNIVHostCheck On

ServerName sub.subdomain.domain.com

<IfModule mod_ssl.c>
<VirtualHost *:443>

	ServerAdmin me@email.com
	ServerName subdomain.domain.com

	ErrorLog ${APACHE_LOG_DIR}/error.log
	CustomLog ${APACHE_LOG_DIR}/access.log combined

	<Location /browser>
		ProxyPreserveHost On
		ProxyPass http://localhost:7474/browser
		ProxyPassReverse http://localhost:7474/browser

		RewriteEngine On

		RewriteCond %{REQUEST_URI} !^/browser
		RewriteRule ^/$ /browser/$1 [R,L]
	</Location>	

	# Let's Encrypt SSL stuff
	# Let's Encrypt SSL stuff
	# Let's Encrypt SSL stuff
	# Let's Encrypt SSL stuff
	
</VirtualHost>
</IfModule>

<IfModule mod_ssl.c>
<VirtualHost *:443>
	ServerAdmin me@email.com
	ServerName sub.subdomain.domain.com

	ErrorLog ${APACHE_LOG_DIR}/db_error.log
	CustomLog ${APACHE_LOG_DIR}/db_access.log combined

	RewriteEngine On
	RewriteCond %{HTTP:Connection} Upgrade [NC]
	RewriteCond %{HTTP:Upgrade} websocket [NC]
	RewriteRule /?(.*) wss://localhost:7687/$1 [P,L]

	SSLProxyEngine On
	SSLProxyCheckPeerCN off
	ProxyPassReverseCookieDomain "/" "sub.subdomain.domain.com"

	ProxyPreserveHost off
	ProxyPass / http://localhost:7687/
	ProxyPassReverse / http://localhost:7687/

	# Let's Encrypt SSL stuff
	# Let's Encrypt SSL stuff
	# Let's Encrypt SSL stuff
	# Let's Encrypt SSL stuff
	
</VirtualHost>
</IfModule>

The concept here is that I can access the HTTPS port of sub.subdomain.domain.com from subdomain.domain.com. Adding SSL configuration to neo4j (discussed here) ensures that the websockets don't run afoul of security policy. Due to this proxy, we also have to connect on sub.subdomain.domain.com:443 as our bolt+s:// connection.

There's probably a more elegant expression of this, but the idea surprisingly works.
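
A check to run over a config like the one above before deploying it, added here as an example and not part of the original post: it reports, per virtual host, the settings that relax verification of the backend certificate when Apache opens the TLS connection to Neo4j. The sample text is constructed from the post's directives, and the function names are this example's own.

```python
import re

# Constructed sample: the proxy-related directives of the two virtual hosts above.
SAMPLE = """\
<VirtualHost *:443>
    ServerName subdomain.domain.com
    <Location /browser>
        ProxyPass http://localhost:7474/browser
    </Location>
</VirtualHost>
<VirtualHost *:443>
    ServerName sub.subdomain.domain.com
    RewriteRule /?(.*) wss://localhost:7687/$1 [P,L]
    SSLProxyEngine On
    SSLProxyCheckPeerCN off
    ProxyPass / http://localhost:7687/
</VirtualHost>
"""

def vhosts(text):
    """Yield (server_name, {directive: args}) for each <VirtualHost> block."""
    for block in re.findall(r"<VirtualHost[^>]*>(.*?)</VirtualHost>", text, re.S | re.I):
        settings = {}
        for line in block.splitlines():
            parts = line.strip().split(None, 1)
            if not parts or parts[0].startswith(("#", "<")):
                continue  # skip blanks, comments and nested section tags
            settings[parts[0].lower()] = parts[1].strip().lower() if len(parts) > 1 else ""
        yield settings.get("servername", "(unnamed)"), settings

def audit(text):
    """Return (server_name, finding) pairs for TLS connections to the backend."""
    findings = []
    for server, s in vhosts(text):
        if s.get("sslproxyengine") != "on":
            continue  # this vhost does not open TLS connections to a backend
        for name in ("sslproxycheckpeercn", "sslproxycheckpeername"):
            if s.get(name) == "off":
                findings.append((server, f"{name} off: backend certificate name is not validated"))
        # mod_ssl's default for SSLProxyVerify is "none"
        if s.get("sslproxyverify", "none") != "require":
            findings.append((server, "sslproxyverify is not 'require': backend certificate chain is not validated"))
    return findings

if __name__ == "__main__":
    for server, finding in audit(SAMPLE):
        print(f"{server}: {finding}")
```

With both findings present, the proxy-to-Neo4j hop is encrypted but not authenticated; on this setup that hop stays on localhost, which is what limits the exposure.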