Neo4j server behind a nginx proxy server only reachable with MS Edge browser after previous direct access

We have a strange effect when accessing a neo4j server behind a nginx proxy server.

When we start an Edge Browser with a clean cache the nginx proxy server returns the neo4j login page. But after entering the neo4j login credentials the following failure message appears:

“Mixed Content: The page at 'https://<server_name>/browser/' was loaded over HTTPS, but requested an insecure resource 'http://<server_name>:7687/'. This request has been blocked; the content must be served over HTTPS.”

The full message is: “ServiceUnavailable: WebSocket connection failure. Due to security constraints in your web browser, the reason for the failure is not available to this Neo4j Driver. Please use your browsers development console to determine the root cause of the failure. Common reasons include the database being unavailable, using the wrong connection URL or temporary network problems. If you have enabled encryption, ensure your browser is configured to trust the certificate Neo4j is configured to use. WebSocket readyState is: 3”

Neo4j and the nginx proxy are using SSL/TLS encryption with the same certificate. The certificate has a valid key-chain up to a RootCA.

Now the interesting effect: when we query the neo4j instance directly with https://<server_name>:7473/browser, the browser login page pops up like above and we can proceed to the browser after entering the login. After this is done once, the proxy nginx connection within the same browser instance is possible as well. The connection that failed initially as described above started to work.

I’m not a network specialist, but it appears to me that after the Edge browser has verified the certificate chain once during the direct login to neo4j, the nginx proxy path is accepted as well (somehow...).

To make the whole thing even more bizarre: when we try the login with Firefox it works directly when querying nginx without any problems. Firefox seems to be more “relaxed” than Edge when accessing neo4j via a proxy server (regarding different web servers on the same server URI) on different ports.

Our guess is that we need to adjust some of the settings in the nginx or neo4j conf. We tried a few options but without much success.

Our nginx config for the forwarding is as follows:

    # non TLS server - redirect to ssl server
    server {
        listen 80;
        server_name <server_name>;
        return 301 https://$host$request_uri;
    }
    # TLS server
    server {
        listen 443 ssl http2;
        server_name <server_name>;

        ssl_certificate /etc/pki/tls/certs/<certificate>.crt;
        ssl_certificate_key /etc/pki/tls/private/<certificate>.key;

        location / {
            proxy_pass http://localhost:5005/;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }
        location /browser/ {
            proxy_pass https://<server_name>:7473/browser/;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            #proxy_set_header X-Forwarded-Proto https;
        }
    }

Our neo4j conf for the server network section is:

    server.default_listen_address=0.0.0.0

    # Bolt connector
    server.bolt.enabled=true
    #server.bolt.tls_level=OPTIONAL
    server.bolt.tls_level=REQUIRED
    server.bolt.listen_address=:7687
    server.bolt.advertised_address=<server_name>

    # HTTP Connector. There can be zero or one HTTP connectors.
    server.http.enabled=false
    server.http.listen_address=:7474
    #server.http.advertised_address=:7474

    # HTTPS Connector. There can be zero or one HTTPS connectors.
    server.https.enabled=true
    server.https.listen_address=:7473
    server.https.advertised_address=<server_name>

Does anybody have a working configuration for neo4j behind a nginx proxy server with SSL/TLS support or an idea what might be the root cause of the issue and how to solve it?
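The “Mixed Content” line quoted in the question is a browser policy rather than a Neo4j error: a page loaded over https is only allowed to open https:// or wss:// connections, and any http:// or ws:// request from it is blocked before it reaches the network. The Python snippet below is an added example, not code from the original post or from Neo4j; it models that policy together with the WebSocket scheme the browser-hosted Neo4j JavaScript driver picks for a given connection URI (the `+s`/`+ssc` URI schemes are the driver's real ones). The default port 7687, the trailing `/` in the generated URL, the boolean `encrypted` flag and the host name `neo4j.example.internal` are assumptions made for illustration.

```python
"""Model of the browser mixed-content rule applied to a Neo4j Browser /
Bolt connection.  Added illustration, not code from the original post."""
from urllib.parse import urlsplit

# Connection URI schemes accepted by the Neo4j JavaScript driver.
# The +s and +ssc variants always use TLS (+ssc also accepts self-signed
# certificates); plain bolt:// and neo4j:// use TLS only when the driver
# is configured with encryption turned on.
TLS_SCHEMES = {"bolt+s", "bolt+ssc", "neo4j+s", "neo4j+ssc"}
PLAIN_SCHEMES = {"bolt", "neo4j"}
DEFAULT_BOLT_PORT = 7687  # assumption: the driver's default Bolt port


def websocket_url(bolt_uri: str, encrypted: bool = False) -> str:
    """Return the WebSocket URL a browser-hosted driver would open.

    `encrypted` mirrors the driver's encryption option and is only
    consulted for the plain bolt:// / neo4j:// schemes.  The trailing
    '/' is an assumption chosen to match the URL shown in the browser's
    error message.
    """
    parts = urlsplit(bolt_uri)
    scheme = parts.scheme.lower()
    if scheme in TLS_SCHEMES:
        ws_scheme = "wss"
    elif scheme in PLAIN_SCHEMES:
        ws_scheme = "wss" if encrypted else "ws"
    else:
        raise ValueError(f"unsupported Neo4j URI scheme: {scheme!r}")
    if not parts.hostname:
        raise ValueError("connection URI has no host")
    return f"{ws_scheme}://{parts.hostname}:{parts.port or DEFAULT_BOLT_PORT}/"


def mixed_content_verdict(page_url: str, resource_url: str) -> str:
    """Apply the mixed-content rule: an https page may not open http:// or
    ws:// connections (active mixed content, blocked by modern browsers)."""
    page_scheme = urlsplit(page_url).scheme.lower()
    res_scheme = urlsplit(resource_url).scheme.lower()
    if page_scheme != "https":
        return "allowed"          # plain-http pages are not restricted
    if res_scheme in {"https", "wss"}:
        return "allowed"
    if res_scheme in {"http", "ws"}:
        return "blocked"
    return "unknown"


def check_browser_connection(page_url: str, bolt_uri: str,
                             encrypted: bool = False) -> tuple:
    """Combine both steps: which WebSocket URL the page would request and
    whether the browser's mixed-content policy lets it through."""
    ws = websocket_url(bolt_uri, encrypted)
    return ws, mixed_content_verdict(page_url, ws)


if __name__ == "__main__":
    # Constructed inputs mirroring the question: an https Browser page and a
    # Bolt endpoint on port 7687 of the same host name.
    page = "https://neo4j.example.internal/browser/"
    for uri, enc in [("bolt://neo4j.example.internal:7687", False),
                     ("bolt://neo4j.example.internal:7687", True),
                     ("bolt+s://neo4j.example.internal", False)]:
        ws, verdict = check_browser_connection(page, uri, enc)
        print(f"{uri:40} encrypted={enc!s:5} -> {ws:40} {verdict}")
```

Run with the scenario from the question (an https page and a plain `bolt://` URI without encryption), the verdict is `blocked`; with a `bolt+s://` URI or encryption turned on it becomes `allowed`, and what remains is whether the browser trusts the certificate presented on port 7687, which is the point the rest of the driver's message refers to.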