Hello, i'm writing because of problem with neo4j.
My goal is:
- Run Neo4j in Docker behind dockerized reverse proxy (nginx) using own SSL certificates (generated using certbot - LetsEncrypt).
Information/Steps:
- I tried to use neo4j versions 3.5.2 and 4.4.5
- I have read quite a few articles like:
Bolt behind Apache reverse proxy, is it even possible?
Problem starting neo4j server on Ubuntu 18.04 with SSL enabled - #5 by Dragotic
Certificate issue - #2 by david.allen - I followed below to use certs appropriately
Getting Certificates for Neo4j with LetsEncrypt | by David Allen | Neo4j Developer Blog | Medium - Generated certifcates uploaded in appropriatelty docker container directories (fullchain.pem -> neo4j.key, privkey.pem -> privkey.cert).
- I tried countless neo4j.conf configurations
All for nothing. Through the appropriate configuration of nginx, I was able to solve the known problem with WebSockets (wss://) but all the time neo4j service starts over http instead of https.
My last suspicion is that some option set in neo4j.conf is not entirely correct?
A hashed my configuration below:
Dockerfile
FROM neo4j:3.5.16
RUN mkdir -p /var/lib/neo4j/certificates
RUN mkdir -p /var/lib/neo4j/certificates/trusted
RUN mkdir -p /var/lib/neo4j/certificates/revoked
ADD ./certs/privkey.pem /var/lib/neo4j/certificates/neo4j.key
ADD ./certs/fullchain.pem /var/lib/neo4j/certificates/fullchain.pem
RUN cat certificates/fullchain.pem > /var/lib/neo4j/certificates/neo4j.cert
docker-compose
version: "3"
services:
neo4j:
build:
context: .
container_name: neo4j
volumes:
- /opt/neo4j/data:/data
- ./config:/var/lib/neo4j/conf
environment:
- NEO4J_AUTH=login/password
- NEO4J_ACCEPT_LICENSE_AGREEMENT=yes
networks:
- local
nginx:
image: nginx:1.14
container_name: nginx
networks:
- local
ports:
- "80:80"
- "443:443"
- "7687:7687"
- "7688:7688"
volumes:
- ./nginx/nginx.conf:/etc/nginx/nginx.conf
- ./nginx/ssl:/etc/nginx/conf.d/ssl
networks:
local:
nginx.conf
worker_processes auto;
events { worker_connections 1024; }
http {
map $http_upgrade $connection_upgrade {
"" close;
default upgrade;
}
upstream neo4j_bolt {
server neo4j:7687;
}
upstream neo4j_insecure {
server neo4j:7474;
}
upstream neo4j_secure {
server neo4j:7473;
}
server {
listen 80;
server_name <my_domain_name>;
location / {
proxy_pass http://neo4j_insecure;
proxy_http_version 1.1;
proxy_set_header Connection "";
proxy_set_header Host $host;
}
}
server {
listen 443 ssl;
server_name <my_domain_name>;
#SSL/https
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
ssl_ecdh_curve secp384r1;
ssl_certificate /etc/nginx/conf.d/ssl/nginx.crt;
ssl_certificate_key /etc/nginx/conf.d/ssl/nginx.key;
ssl_dhparam /etc/nginx/conf.d/ssl/dhparam.pem;
location / {
proxy_pass https://neo4j_secure;
proxy_http_version 1.1;
proxy_set_header Connection "";
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}
server {
listen 7687 ssl;
server_name <my_domain_name>;
#SSL/https
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
ssl_ecdh_curve secp384r1;
ssl_certificate /etc/nginx/conf.d/ssl/nginx.crt;
ssl_certificate_key /etc/nginx/conf.d/ssl/nginx.key;
ssl_dhparam /etc/nginx/conf.d/ssl/dhparam.pem;
location / {
proxy_pass https://neo4j_bolt;
proxy_http_version 1.1;
proxy_set_header Connection Upgrade;
proxy_set_header Host $host;
proxy_set_header Upgrade $connection_upgrade;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}
server {
listen 7688;
server_name <my_domain_name>;
location / {
proxy_pass http://neo4j_bolt;
proxy_http_version 1.1;
proxy_set_header Connection Upgrade;
proxy_set_header Host $host;
proxy_set_header Upgrade $connection_upgrade;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}
}
neo4j.conf
dbms.connectors.default_listen_address=0.0.0.0
dbms.connectors.default_advertised_address=<my_domain_name>
bolt.ssl_policy=default
dbms.ssl.policy.default.base_directory=/var/lib/neo4j/certificates
dbms.ssl.policy.default.allow_key_generation=false
dbms.ssl.policy.default.private_key=/var/lib/neo4j/certificates/neo4j.key
dbms.ssl.policy.default.public_certificate=/var/lib/neo4j/certificates/neo4j.cert
dbms.ssl.policy.default.revoked_dir=/var/lib/neo4j/certificates/revoked
dbms.ssl.policy.default.client_auth=NONE
dbms.connector.https.listen_address=0.0.0.0:7473
dbms.connector.http.listen_address=0.0.0.0:7474
dbms.connector.bolt.listen_address=0.0.0.0:7687
dbms.memory.pagecache.size=512M
dbms.security.auth_enabled=true
wrapper.java.additional=-Dneo4j.ext.udc.source=docker
dbms.tx_log.rotation.retention_policy=100M size
dbms.directories.logs=/logs
HOME=/var/lib/neo4j
EDITION=community
ACCEPT.LICENSE.AGREEMENT=yes