Query Neo4j in Production

Being very green to Neo4j I'm worried the answer to this question is obvious.

I've just started developing a Node app (accessing Neo4j) on my local machine and am now going to deploy my a dev version on Digital Ocean.
I'll be running a headless Linux server and therefore will not be able to query my database using the Neo4j browser (which I believe is a bad idea anyway due to security concerns?).

My question is to ask if something like Cypher Shell is the usual way that everyone queries their db on a headless server?
I know I can disable auth in neo4j.conf to allow browser access but what about production where one wouldn't do that. Is Cypher Shell how you query in production?

Again, apologies if there's a burning bush right in front of me that I'm just not seeing.
Thanks in anticipation.

There's a lot to unpack here, but I think it boils down to three unspoken assumptions/questions:

  1. How to make Neo4j secure for production?
  2. How to connect to Neo4j to run queries? (Cypher Shell?)
  3. How to secure that connection?

Precise Answer

The BOLT protocol, configured to port 7687 by default.

Short Answer

Whatever works for you, but using cypher-shell sounds off to me. Just make sure you've set up users, roles, and passwords.

Thanks for the input, but my apologies, I wasn't clear...

The Node API does query the db using the BOLT protocol.

My question refers to when I am debugging something and I need to randomly run queries against the db to check my data.
On my local machine I just use the Neo4j browser but since I cannot do that on the Digital Ocean server without exposing security... then what do I use to do random queries on the db?

There's a lot of ways to do that. For security, my best advise is to keep it simple, and locked down.

Simple options:

  1. Again, make sure you've got good users and roles. Change the default bolt port. Use UFW (or similar) to lock it down. Turn it on temporarily when you're accessing.
  2. Reverse proxy. Change the bolt port and browser port localhost only. Then setup a reverse proxy to the browser port (:7474).

Trickier option


Setup another machine as a read-only casual-cluster. If you're worried about people changing data, worry no more. If you're worried about people seeing the data, put it on a local, connected to your server via VPN.

1 Like

May thanks, much appreciated.