Neo4j with a reverse proxy and NGINX


I'm having trouble addressing Neo4j via a reverse proxy with NGINX.

The web client works without problems, but I have no idea about the Bolt protocol.

Here's how the web client works:

# HTTP reverse proxy for the Neo4j web client (upstream port 7474).
# This block listens on port 80 without TLS, so everything exchanged through
# it travels unencrypted between the client and nginx.
server {
    listen 80;
    server_name XXX;

    location / {
        # The upstream hop is plain HTTP as well.
        proxy_pass http://YYY:7474/;
        # Pass the connecting client's address to the upstream.
        proxy_set_header X-Real-IP $remote_addr;
        # Appends $remote_addr to whatever X-Forwarded-For the client sent,
        # so the leading entries are client-controlled and must not be
        # trusted for access decisions.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # $http_host is the Host header exactly as the client supplied it.
        proxy_set_header Host $http_host;
        # Do not rewrite Location/Refresh headers returned by the upstream.
        proxy_redirect off;
        # Relay upstream responses to the client without buffering them.
        proxy_buffering off;
    }
}

But how does the Bolt protocol over port 7687 work?

Thanks.

PS: Google translator ftw.


There are 3 answers

Tarun Lalwani On BEST ANSWER

You need nginx compiled with --with-stream. Then you can add the section below to your nginx config:

# Raw TCP (layer 4) pass-through for Bolt. nginx does not terminate TLS or
# inspect the traffic here: no "ssl" parameter is set on the listener, so the
# bytes are relayed as-is and any encryption has to come from Neo4j's own
# Bolt TLS configuration.
stream {
  server {
    # Publishes the Bolt port on the proxy host. No allow/deny rules are
    # present, so reachability is limited only by the firewall/network in
    # front of nginx.
    listen 7687;
    # Upstream Neo4j Bolt listener.
    proxy_pass neo4j:7687;
  }
}

Basically, you need a TCP reverse proxy rather than an HTTP proxy. The configuration section above goes at the top level of the config, not inside an http or server block.

David On

You will need to open port 7687 between your laptop and the server hosting Neo4j.

If you are using Let's Encrypt and try to connect over SSL: Neo4j's embedded certificate is not signed by a certificate authority, which was causing the error in my Chrome browser.

To make it work, I had to copy my certificates into Neo4j's certificates directory:

# Switch to a root shell; the commands below are run as root.
sudo su 
# Install the Let's Encrypt certificate chain under the file name Neo4j is
# expected to read (presumably its default certificate path; confirm against
# the Neo4j configuration).
cp /etc/letsencrypt/live/MYDOMAIN/fullchain.pem /var/lib/neo4j/certificates/neo4j.cert 
# Install the matching private key.
# NOTE(review): cp run as root creates a root-owned copy; check that the key
# is readable by the account the Neo4j service runs as and by no other user.
cp /etc/letsencrypt/live/MYDOMAIN/privkey.pem /var/lib/neo4j/certificates/neo4j.key 
# Restart so Neo4j loads the new certificate and key.
# NOTE(review): these are copies, not links, so the copy and restart have to
# be repeated after every Let's Encrypt renewal or Neo4j will keep serving
# the old certificate until it expires.
service neo4j restart
joe hoeller On

Here is what works:

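# nginx as an HTTP(S)/WebSocket reverse proxy in front of a Neo4j host named
# "neo4j". Four listeners are defined:
#   80    plain HTTP  -> neo4j:7474
#   443   HTTPS       -> neo4j:7473 (HTTPS upstream)
#   7687  TLS         -> neo4j:7687 (Bolt port, proxied as HTTPS/WebSocket)
#   7688  plain       -> neo4j:7687 (Bolt port, proxied as HTTP/WebSocket)
# All of them live in the http {} context, so the two Bolt listeners only
# carry Bolt wrapped in WebSocket; a client speaking raw Bolt over TCP needs a
# stream {} proxy instead.
worker_processes auto;

events {
    worker_connections 1024;
}

http {
    # Value for the upstream Connection header: "upgrade" when the client
    # sent an Upgrade header (WebSocket handshake), "close" otherwise.
    map $http_upgrade $connection_upgrade {
        "" close;
        default upgrade;
    }

    upstream neo4j_bolt {
        server neo4j:7687;
    }

    upstream neo4j_insecure {
        server neo4j:7474;
    }

    upstream neo4j_secure {
        server neo4j:7473;
    }

    # Plain-HTTP front end. Nothing on this listener is encrypted; it is
    # served as-is rather than redirected to the HTTPS listener on 443.
    server {
        listen 80;
        server_name localhost;

        location / {
            proxy_pass http://neo4j_insecure;
            proxy_http_version 1.1;
            # Empty Connection header so upstream keep-alive can be used.
            proxy_set_header Connection "";
            proxy_set_header Host $host;
        }
    }

    # HTTPS front end: TLS is terminated here and a new TLS connection is
    # opened to Neo4j's HTTPS port.
    server {
        listen 443 ssl;
        server_name localhost;

        #SSL/https
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_prefer_server_ciphers on;
        ssl_session_cache shared:SSL:10m;
        ssl_ecdh_curve secp384r1;
        ssl_certificate /etc/nginx/conf.d/ssl/nginx.crt;
        ssl_certificate_key /etc/nginx/conf.d/ssl/nginx.key;
        ssl_dhparam /etc/nginx/conf.d/ssl/dhparam.pem;

        location / {
            # NOTE(review): nginx does not verify the upstream certificate
            # unless proxy_ssl_verify is enabled together with
            # proxy_ssl_trusted_certificate. As written, this hop is
            # encrypted but the Neo4j server is not authenticated.
            proxy_pass https://neo4j_secure;
            proxy_http_version 1.1;
            proxy_set_header Connection "";
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            # Appends to any client-supplied X-Forwarded-For value; only the
            # last entry is set by this proxy.
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }
    }

    # TLS-terminating WebSocket proxy for the Bolt port.
    server {
        listen 7687 ssl;
        server_name localhost;

        #SSL/https
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_prefer_server_ciphers on;
        ssl_session_cache shared:SSL:10m;
        ssl_ecdh_curve secp384r1;
        ssl_certificate /etc/nginx/conf.d/ssl/nginx.crt;
        ssl_certificate_key /etc/nginx/conf.d/ssl/nginx.key;
        ssl_dhparam /etc/nginx/conf.d/ssl/dhparam.pem;

        location / {
            # https:// upstream: Neo4j must have TLS enabled on its Bolt
            # connector. The upstream certificate is not verified (see the
            # proxy_ssl_verify note on the 443 listener).
            proxy_pass https://neo4j_bolt;
            proxy_http_version 1.1;
            # WebSocket handshake headers. Upgrade forwards the protocol
            # token the client sent (e.g. "websocket"); Connection takes the
            # mapped "upgrade"/"close" value. The original listing had the
            # two swapped, which sent "Upgrade: upgrade" to the upstream.
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection $connection_upgrade;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }
    }

    # Unencrypted WebSocket proxy for the Bolt port. Bolt authentication and
    # query data sent through this listener are in cleartext between the
    # client and nginx, and again between nginx and Neo4j.
    server {
        listen 7688;
        server_name localhost;

        location / {
            proxy_pass http://neo4j_bolt;
            proxy_http_version 1.1;
            # Same WebSocket handshake headers as the 7687 listener.
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection $connection_upgrade;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }
    }
}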

Dockerized solution here: https://github.com/joehoeller/nginx-server-neo4j-graph-db