Not able to use Nginx as SSL reverse proxy for docker based neo4j

  • neo4j version: 5.18.1
  • Browser version: Version 127.0.6533.99 (Official Build) (64-bit) Google Chrome

Problem

  • Able to open the Neo4j UI on the HTTPS URL in the browser, but unable to log in to the neo4j backend using the same HTTPS URL
  • Opening the browser on the HTTP URL works, and login works as well in this window with the HTTP URL, pointing me towards either the Nginx configuration or the neo4j configuration to support SSL

Nginx config:

```nginx
server {
    server_name
        neo4j-1blr3-qa-vm1.vimaan.app
        neo4j-1-1blr3.vimaan.app
        neo4j-1.1blr3.vimaan.app;

    listen 443 ssl http2;
    ssl_certificate /etc/nginx/ssl/letsencrypt_fullchain.pem;
    ssl_certificate_key /etc/nginx/ssl/letsencrypt_privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;

    listen 80;

    # Nginx log files
    access_log /var/log/nginx/neo4j-1blr3.access.log;
    error_log /var/log/nginx/neo4j-neo4j-1blr3.error.log;

    location / {
        # SSL termination
        proxy_pass http://10.72.99.31:7474;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_connect_timeout 10s;
        proxy_read_timeout 60s;
        proxy_send_timeout 60s;
        client_max_body_size 256M;
    } # end location block
} # end server block
```

Can you go to the developer console and check the network tab? What I think is happening is that the database is responding with a routing table where it says the server is on 10.72.99.31. If that is the case, there are 2 ways to fix this:

  1. Set the advertised address to neo4j-1blr3-qa-vm1.vimaan.app (Configure network connectors - Operations Manual)
  2. Set routing to always be server side (Leadership, routing, and load balancing - Operations Manual)

I also realized you are only dealing with 443 -> 7474 where the neo4j browser is served. You will need to forward traffic to the bolt port 7687 as well.

It usually helps to have two entries:

browser.vimaan.app -> HTTP 10.72.99.31:7474
dbms.vimaan.app -> TCP 10.72.99.31:7687

Since it is a bit tricky to "route by protocol" in nginx, I usually use one cert and sign it with multiple SANs:

```
[SAN]
subjectAltName=DNS.1:browser.vimaan.app,DNS.2:dbms.vimaan.app,....
```

I made this a while ago (GitHub - lqst/neo4j-docker-proxy: Neo4j reverse proxy service for docker); hopefully you can grab bits and pieces from there.
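The two-entry layout from the answer above, written out as an added example (not from the original post and not the code of lqst/neo4j-docker-proxy). It assumes the hostnames browser.vimaan.app and dbms.vimaan.app, the backend 10.72.99.31 and the Let's Encrypt files from the question, one certificate whose SANs cover both names, and the Neo4j 5 setting `server.bolt.advertised_address` on the database side.

```nginx
# Added example. Both contexts belong at the top level of nginx.conf
# (stream {} cannot live inside a conf.d file that is already in http {}).

# 1) Neo4j Browser UI: HTTPS on the proxy -> plain HTTP to 7474 inside.
http {
    server {
        listen 443 ssl http2;
        server_name browser.vimaan.app;

        ssl_certificate     /etc/nginx/ssl/letsencrypt_fullchain.pem;
        ssl_certificate_key /etc/nginx/ssl/letsencrypt_privkey.pem;
        ssl_protocols       TLSv1.2 TLSv1.3;

        location / {
            proxy_pass http://10.72.99.31:7474;
            proxy_set_header Host              $host;
            proxy_set_header X-Real-IP         $remote_addr;
            proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }
    }
}

# 2) Bolt: TLS is terminated here, then the raw TCP stream (including
#    Bolt-over-WebSocket used by Neo4j Browser) is passed to 7687 unchanged.
#    The stream module has no Host header to route on, which is why Bolt
#    gets its own hostname/port instead of sharing the 443 vhost above.
stream {
    server {
        listen 7687 ssl;
        ssl_certificate     /etc/nginx/ssl/letsencrypt_fullchain.pem;
        ssl_certificate_key /etc/nginx/ssl/letsencrypt_privkey.pem;
        ssl_protocols       TLSv1.2 TLSv1.3;

        proxy_pass 10.72.99.31:7687;
        proxy_connect_timeout 10s;
    }
}

# Database side (neo4j.conf, assumed): advertise the proxy name so the routing
# table returned to clients points at dbms.vimaan.app, not the internal IP.
#   server.bolt.advertised_address=dbms.vimaan.app:7687
# Browser then connects with neo4j+s://dbms.vimaan.app:7687; the "+s" scheme
# verifies the certificate, so the SAN list must include dbms.vimaan.app.
```

Check the result with `nginx -t` and, from a client, `openssl s_client -connect dbms.vimaan.app:7687 -servername dbms.vimaan.app` to confirm the Bolt listener presents the expected certificate chain.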