cancel
Showing results for 
Search instead for 
Did you mean: 

Join the community at Nodes 2022, our free virtual event on November 16 - 17.

Neo4j 3.5 / 4.4.5 + Reverse Proxy + Docker + SSL does not work

Hello, i'm writing because of problem with neo4j.

My goal is:

  • Run Neo4j in Docker behind dockerized reverse proxy (nginx) using own SSL certificates (generated using certbot - LetsEncrypt).

Information/Steps:

All for nothing. Through the appropriate configuration of nginx, I was able to solve the known problem with WebSockets (wss://) but all the time neo4j service starts over http instead of https.

My last suspicion is that some option set in neo4j.conf is not entirely correct?

A hashed my configuration below:

Dockerfile

FROM neo4j:3.5.16

RUN mkdir -p /var/lib/neo4j/certificates
RUN mkdir -p /var/lib/neo4j/certificates/trusted
RUN mkdir -p /var/lib/neo4j/certificates/revoked

ADD ./certs/privkey.pem /var/lib/neo4j/certificates/neo4j.key
ADD ./certs/fullchain.pem /var/lib/neo4j/certificates/fullchain.pem
RUN cat certificates/fullchain.pem > /var/lib/neo4j/certificates/neo4j.cert

docker-compose

version: "3"

services:
  neo4j:
    build:
      context: .
    container_name: neo4j
    volumes:
      - /opt/neo4j/data:/data
      - ./config:/var/lib/neo4j/conf
    environment:
    - NEO4J_AUTH=login/password
    - NEO4J_ACCEPT_LICENSE_AGREEMENT=yes
    networks:
    - local

  nginx:
    image: nginx:1.14
    container_name: nginx
    networks:
    - local
    ports:
    - "80:80"
    - "443:443"
    - "7687:7687"
    - "7688:7688"
    volumes:
    - ./nginx/nginx.conf:/etc/nginx/nginx.conf
    - ./nginx/ssl:/etc/nginx/conf.d/ssl

networks:
  local:

nginx.conf

worker_processes auto;

events { worker_connections 1024; }

http {

    map $http_upgrade $connection_upgrade {
        "" close;
        default upgrade;
    }

    upstream neo4j_bolt {
        server neo4j:7687;
    }

    upstream neo4j_insecure {
        server neo4j:7474;
    }

    upstream neo4j_secure {
        server neo4j:7473;
    }

    server {
        listen 80;
        server_name <my_domain_name>;

        location / {
            proxy_pass http://neo4j_insecure;
            proxy_http_version 1.1;
            proxy_set_header Connection "";
            proxy_set_header Host $host;
        }
    }

    server {
        listen 443 ssl;
        server_name <my_domain_name>;

        #SSL/https
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_prefer_server_ciphers on;
        ssl_session_cache shared:SSL:10m;
        ssl_ecdh_curve secp384r1;
        ssl_certificate /etc/nginx/conf.d/ssl/nginx.crt;
        ssl_certificate_key /etc/nginx/conf.d/ssl/nginx.key;
        ssl_dhparam /etc/nginx/conf.d/ssl/dhparam.pem;

        location / {
            proxy_pass https://neo4j_secure;
            proxy_http_version 1.1;
            proxy_set_header Connection "";
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }
    }

    server {
        listen 7687 ssl;
        server_name <my_domain_name>;

        #SSL/https
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_prefer_server_ciphers on;
        ssl_session_cache shared:SSL:10m;
        ssl_ecdh_curve secp384r1;
        ssl_certificate /etc/nginx/conf.d/ssl/nginx.crt;
        ssl_certificate_key /etc/nginx/conf.d/ssl/nginx.key;
        ssl_dhparam /etc/nginx/conf.d/ssl/dhparam.pem;

        location / {
            proxy_pass https://neo4j_bolt;
            proxy_http_version 1.1;
            proxy_set_header Connection Upgrade;
            proxy_set_header Host $host;
            proxy_set_header Upgrade $connection_upgrade;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }
    }

    server {
        listen 7688;
        server_name <my_domain_name>;

        location / {
            proxy_pass http://neo4j_bolt;
            proxy_http_version 1.1;
            proxy_set_header Connection Upgrade;
            proxy_set_header Host $host;
            proxy_set_header Upgrade $connection_upgrade;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }
    }
}

neo4j.conf

dbms.connectors.default_listen_address=0.0.0.0
dbms.connectors.default_advertised_address=<my_domain_name>
bolt.ssl_policy=default
dbms.ssl.policy.default.base_directory=/var/lib/neo4j/certificates
dbms.ssl.policy.default.allow_key_generation=false
dbms.ssl.policy.default.private_key=/var/lib/neo4j/certificates/neo4j.key
dbms.ssl.policy.default.public_certificate=/var/lib/neo4j/certificates/neo4j.cert
dbms.ssl.policy.default.revoked_dir=/var/lib/neo4j/certificates/revoked
dbms.ssl.policy.default.client_auth=NONE

dbms.connector.https.listen_address=0.0.0.0:7473
dbms.connector.http.listen_address=0.0.0.0:7474
dbms.connector.bolt.listen_address=0.0.0.0:7687
dbms.memory.pagecache.size=512M
dbms.security.auth_enabled=true
wrapper.java.additional=-Dneo4j.ext.udc.source=docker
dbms.tx_log.rotation.retention_policy=100M size
dbms.directories.logs=/logs
HOME=/var/lib/neo4j
EDITION=community
ACCEPT.LICENSE.AGREEMENT=yes
0 REPLIES 0