Need - neo4j reverse proxy config for apache

njs8 · January 9, 2019, 5:41pm

Can someone provide me with Apache reverse proxy config for neo4j. The browser is loading fine , but no luck connecting to the DB using the connect url.
What should be the proxy config, specifically the one to connect to the Database.

This is my current Apache reverse config:

Redirect /neo4j /neo4j/

ProxyPass /neo4j/ http://hostname:7474/browser/

ProxyPassReverse /neo4j/ http://hostname:7474/browser/

and on the backend server where neo4j is installed and running, this is the only port thats listening

tcp6 0 0 :::7474 :::* LISTEN 21202/java

I can load the neo4j page from the web, but when I try to connect to the DB, I am getting ServiceUnavailable: Failed to fetch.

This is installed version - neo4j-3.5.1-1.noarch and the config file

dbms.directories.data=/var/lib/neo4j/data
dbms.directories.plugins=/var/lib/neo4j/plugins
dbms.directories.certificates=/var/lib/neo4j/certificates
dbms.directories.logs=/var/log/neo4j
dbms.directories.lib=/usr/share/neo4j/lib
dbms.directories.run=/var/run/neo4j
dbms.directories.import=/var/lib/neo4j/import
dbms.connectors.default_listen_address=0.0.0.0
dbms.connectors.default_advertised_address=localhost
dbms.connector.bolt.enabled=true
dbms.connector.http.enabled=true
dbms.connector.https.enabled=true
dbms.tx_log.rotation.retention_policy=1 days
dbms.jvm.additional=-XX:+UseG1GC
dbms.jvm.additional=-XX:-OmitStackTraceInFastThrow
dbms.jvm.additional=-XX:+AlwaysPreTouch
dbms.jvm.additional=-XX:+UnlockExperimentalVMOptions
dbms.jvm.additional=-XX:+TrustFinalNonStaticFields
dbms.jvm.additional=-XX:+DisableExplicitGC
dbms.jvm.additional=-Djdk.tls.ephemeralDHKeySize=2048
dbms.jvm.additional=-Djdk.tls.rejectClientInitiatedRenegotiation=true
dbms.windows_service_name=neo4j
dbms.jvm.additional=-Dunsupported.dbms.udc.source=rpm

Any help will be much appreciated

stefan.armbruster · January 9, 2019, 9:07pm

Neo4j Browser uses a BOLT connection to your server's port 7687. I guess you need to proxy that as well. Be aware this port is not http, so you need a tcp proxy.

See e.g. Using Nginx to proxy a Neo4j instance - Armbruster IT Blog

njs8 · January 9, 2019, 9:22pm

Hi Stefan,

I tried reverse proxying 7687. Everything work fine on the internal network. But from external network/internet - the neo4j browser page loads. But when I enter the Connect URL and try login in ..its failing..its not even hitting the proxy. Do you have a config file for apache?

michael.hunger · January 9, 2019, 9:56pm

you probably have to adapt the advertised address.
can you check what it reports as bolt url in curl http://hostname:7474/

njs8 · January 10, 2019, 2:54pm

Hi Michael,

This is what I get from the proxy host

curl http://hdp004:7474/
{
"data" : "http://hdp004:7474/db/data/",
"management" : "http://hdp004:7474/db/manage/",
"bolt" : "bolt://hdp004:7687"
}

How should I configure apache reverse proxy config using the above endpoints? So that we can try hit it from the internet.

stefan.armbruster · January 10, 2019, 3:35pm

try to set:

dbms.connectors.default_advertised_address=hdp004

njs8 · January 10, 2019, 3:36pm

That what I have set in the config

dbms.directories.data=/var/lib/neo4j/data
dbms.directories.plugins=/var/lib/neo4j/plugins
dbms.directories.certificates=/var/lib/neo4j/certificates
dbms.directories.logs=/var/log/neo4j
dbms.directories.lib=/usr/share/neo4j/lib
dbms.directories.run=/var/run/neo4j
dbms.directories.import=/var/lib/neo4j/import
dbms.connectors.default_listen_address=0.0.0.0
dbms.connectors.default_advertised_address=hdp004
dbms.connector.bolt.enabled=true
dbms.connector.bolt.listen_address=0.0.0.0:7687
dbms.connector.http.enabled=true
dbms.connector.https.enabled=false
dbms.tx_log.rotation.retention_policy=1 days
dbms.jvm.additional=-XX:+UseG1GC
dbms.jvm.additional=-XX:-OmitStackTraceInFastThrow
dbms.jvm.additional=-XX:+AlwaysPreTouch
dbms.jvm.additional=-XX:+UnlockExperimentalVMOptions
dbms.jvm.additional=-XX:+TrustFinalNonStaticFields
dbms.jvm.additional=-XX:+DisableExplicitGC
dbms.jvm.additional=-Djdk.tls.ephemeralDHKeySize=2048
dbms.jvm.additional=-Djdk.tls.rejectClientInitiatedRenegotiation=true
dbms.windows_service_name=neo4j
dbms.jvm.additional=-Dunsupported.dbms.udc.source=rpm

stefan.armbruster · January 10, 2019, 5:05pm

can you check javascript console in your browser for some suspicious messages?

njs8 · January 10, 2019, 5:50pm

I am seeing this error when trying http://portal.cac.queensu.ca in the connect url

Blocked loading mixed active content “http://portal.cac.queensu.ca:7474/db/data/transaction

and if I try just the url it showin -
Firefox can’t establish a connection to the server at wss://portal.cac.queensu.ca:7687/

In Chrome these are the errors

vendors~main.chunkhash.bundle.js:86 Mixed Content: The page at 'Neo4j Browser' was loaded over HTTPS, but requested an insecure resource 'http://portal.cac.queensu.ca:7474/db/data/transaction'. This request has been blocked; the content must be served over HTTPS.
(anonymous) @ vendors~main.chunkhash.bundle.js:86
e

If I try https
vendors~main.chunkhash.bundle.js:86 OPTIONS https://portal.cac.queensu.ca:7473/db/data/transaction net::ERR_CONNECTION_REFUSED

If I try just the url -
vendors~main.chunkhash.bundle.js:84 WebSocket connection to 'wss://portal.cac.queensu.ca:7687/' failed: Error in connection establishment: net::ERR_CERT_AUTHORITY_INVALID

njs8 · February 14, 2019, 10:13pm

Hello Team,

Any further updates on this.. I am still struggling to get this working over the web. Locally it works fine.

ftrotter · March 26, 2019, 6:19am

Hey,
This is a pretty important unanswered question that is the top result for Googling "using Neo4J browser with Apache".

Answering the question with a link to a tutorial about how to do this in nginx is not helpful and a little insulting. Many of us are still using apache for good reasons, so asking us to switch to nginx so that we can use neo4j is the same thing as saying "you cannot use neo4j web browser".

Also, trying to debug njs8 specific configuration is really not helpful. What is needed is a tutorial on how to set this up correctly on a fresh installation of Apache, on a fresh installation of neo4j, both on Ubuntu. Then njs8 could just see how his setup deviates from the working example. I do not understand why there not just a link to how to do this for both nginx and apache2 as part of the default documentation for neo4j. This is a super-common use case.

If it cannot be made to work.. fine.. then please tell us that. But lots of people need this configuration, so if this is merely a question of priorities.. well this is a show-stopper for me, and there are likely to be many people coming here from the google search with the same "show stopping" relationship with this configuration problem.

Regards,
-FT

gautam.thakur · April 26, 2019, 2:06am

Any luck with configuring neo4j behind apache, yet?

wunsch.kevin · April 28, 2020, 4:58pm

Hi,
I cannot set neo4j up using neither nginx nor apache...

are there any tutorials How-Tos available?

susan_howe_stan_acco · July 1, 2021, 8:18pm

A solution?

For folks who are still thinking about this years on, I have conceived of a horrible no good very bad way ™ of doing this which involves running two domains out of an Apache install. It works for a small project I'm doing over the summer with a very limited number of people; I am sure that a brain much larger than mine would improve it. As such, here it is for good or ill.

Context

The VPS on which I did this blocks many ports. I had to find a way to proxy the websocket/Bolt connection such that I could essentially connect to the same server from a remote connection outside the network on which the server lives. This turned out to be complicated, as /browser is served on one of the few open ports. Because I setup an SSL on the server, that's two ports down (80, and 443). Unfortunately, the last remaning open port, 22, is reserved for SSH folderol. This was a major limitation that spurred this solution.

Ok, just get to the goods

If you came here for configs -- go no further. However, this mess probably needs a bit of qualification. Read on!

SSLStrictSNIVHostCheck On

ServerName sub.subdomain.domain.com

<IfModule mod_ssl.c>
<VirtualHost *:443>

	ServerAdmin me@email.com
	ServerName subdomain.domain.com

	ErrorLog ${APACHE_LOG_DIR}/error.log
	CustomLog ${APACHE_LOG_DIR}/access.log combined

	<Location /browser>
		ProxyPreserveHost On
		ProxyPass http://localhost:7474/browser
		ProxyPassReverse http://localhost:7474/browser

		RewriteEngine On

		RewriteCond %{REQUEST_URI} !^/browser
		RewriteRule ^/$ /browser/$1 [R,L]
	</Location>	

	# Let's Encrypt SSL stuff
	# Let's Encrypt SSL stuff
	# Let's Encrypt SSL stuff
	# Let's Encrypt SSL stuff
	
</VirtualHost>
</IfModule>

<IfModule mod_ssl.c>
<VirtualHost *:443>
	ServerAdmin me@email.com
	ServerName sub.subdomain.domain.com

	ErrorLog ${APACHE_LOG_DIR}/db_error.log
	CustomLog ${APACHE_LOG_DIR}/db_access.log combined

	RewriteEngine On
    RewriteCond %{HTTP:Connection} Upgrade [NC]
    RewriteCond %{HTTP:Upgrade} websocket [NC]
    RewriteRule /?(.*) wss://localhost:7687/$1 [P,L]

	SSLProxyEngine On
	SSLProxyCheckPeerCN off
	ProxyPassReverseCookieDomain "/" "sub.subdomain.domain.com"

    ProxyPreserveHost off
    ProxyPass / http://localhost:7687/
    ProxyPassReverse / http://localhost:7687/

	# Let's Encrypt SSL stuff
	# Let's Encrypt SSL stuff
	# Let's Encrypt SSL stuff
	# Let's Encrypt SSL stuff
	
</VirtualHost>
</IfModule>

The concept here is that I can access the HTTPS port of sub.subdomain.domain.com from subdomain.domain.com. Adding SSL configuration to neo4j (discussed here) ensures that the websockets don't run afoul of security policy. Due to this proxy, we also have to connect on sub.subdomain.domain.com:443 as our bolt+s:// connection.

There's probably a more elegant expression of this, but the idea surprisingly works.