neo4j / neo4j-browser

Neo4j Browser is the general purpose user interface for working with Neo4j. Query, visualize, administrate and monitor the database.
https://neo4j.com
GNU General Public License v3.0

Invalid(?) mixed content warnings when browser is proxied (via NGINX) #1204

Open Codelica opened 3 years ago

Codelica commented 3 years ago

Steps to reproduce

I'm looking to provide a secure proxy (via NGINX) to the Neo4j browser. Neo4j is running configured as follows:

- http service disabled
- https service exposed as 127.0.0.1:7473 using a looooong expiration self-signed cert
- bolt service exposed as 127.0.0.1:7687

Via the following Docker Compose:

version: '3'

services:
  neo4j:
    container_name: neo4j
    hostname: neo4j
    image: neo4j:latest
    networks:
      - office_databases
    ports:
      - '127.0.0.1:7473:7473'
      - '127.0.0.1:7687:7687'
    volumes:
      - /storage/docker/neo4j/data:/data
    restart: always
    environment:
      NEO4J_AUTH: 'neo4j/someCrazyPassword'
      NEO4J_ACCEPT_LICENSE_AGREEMENT: 'yes'

      NEO4J_dbms_connector_http_enabled: 'false'
      NEO4J_dbms_connector_https_enabled: 'true'
      NEO4J_dbms_connector_bolt_enabled: 'true'

      NEO4J_dbms_connector_https_listen__address: '0.0.0.0:7473'
      NEO4J_dbms_connector_bolt_listen__address: '0.0.0.0:7687'

      NEO4J_dbms_connector_https_advertised__address: 'neo4j.mydomain.com:443'
      NEO4J_dbms_connector_bolt_advertised__address: 'neo4j.mydomain.com:7687'

      NEO4J_dbms_ssl_policy_https_enabled: 'true'
      NEO4J_dbms_ssl_policy_https_base__directory: '/data/certificates'
      NEO4J_dbms_ssl_policy_https_private__key: '/data/certificates/neo4j.key'
      NEO4J_dbms_ssl_policy_https_public__certificate: '/data/certificates/neo4j.cert'

      NEO4J_dbms_connector_bolt_tls__level: 'IGNORE'

networks:
  office_databases:
    external:
      name: office_databases

Then NGINX is set up to proxy the Web UI on :443 to 127.0.0.1:7473 via:

server {
  listen 443 ssl http2;
  server_name neo4j.mydomain.com;
  location / {
    proxy_pass https://127.0.0.1:7473/;
    proxy_ssl_verify off;
    proxy_buffering off;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $http_connection;
    proxy_set_header    Host                $http_host;
    proxy_set_header    X-Real-IP           $remote_addr;
    proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
    proxy_set_header    X-Forwarded-Proto   https;
  }
  # Sets up SSL and certs
  include conf.d/includes/mydomain-tls-enable.inc;
}

And NGINX is set up to proxy the Bolt socket with TLS on :7687 to 127.0.0.1:7687 via:

stream {
  upstream boltdb {
    server 127.0.0.1:7687;
  }
  server {
    listen 7687 ssl so_keepalive=on;
    proxy_pass boltdb;
    proxy_connect_timeout 3s;
    proxy_timeout 5s;
    # Sets up SSL and certs
    include streams.d/includes/mydomain-tls-enable.inc;
  }
}

The end result is a secure Neo4j Browser UI at https://neo4j.mydomain.com that can be browsed without any console errors.

Logging into neo4j+s://neo4j.mydomain.com:7687 or bolt+s://neo4j.codelica.com:7687 is also successful. However, it also results in endless JS console warnings:

Neo4j driver is configured to use secure WebSocket on a HTTP web page. WebSockets might not work in a mixed content environment. Please consider configuring driver to not use encryption.

The web page being served by the proxy is most definitely HTTPS and is actually proxying an HTTPS Neo4j Browser service. (Originally I tried to proxy the 7474 HTTP Browser service and thought that might be the issue so I moved to HTTPS internally also -- result was the same). That warning seems to be the result of client side protocol checks, but for the life of me I can't see how it doesn't see the page is HTTPS. Relevant code for the warning is here:

https://github.com/neo4j/neo4j-javascript-driver/blob/22c4c59947c17b825d81be3d19bedebf703b76d4/src/internal/browser/browser-channel.js#L329

secureProtocol is abstracted but seems to boil down to roughly:

window.location.protocol && window.location.protocol.toLowerCase().indexOf('https') >= 0

Which is of course true when testing in the browser console itself. So I'm at a loss. Maybe this is better under the neo4j-javascript-driver repo, but it seems like something else must be at play here? Please feel free to humiliate me if I'm missing something basic or there are some docs to set me straight. I'm new to Neo4j, but have exhausted a lot of searches trying to get the proxy setup to be clean.

Expected behavior

Connect with HTTPS and WSS cleanly, no console warnings.

Actual behavior

Endless console warnings:

Neo4j driver is configured to use secure WebSocket on a HTTP web page. WebSockets might not work in a mixed content environment. Please consider configuring driver to not use encryption.
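A small model of the two inputs behind that warning, added here as an illustration and not code from the neo4j-browser or neo4j-javascript-driver repositories: the connection URI scheme decides whether the driver encrypts the WebSocket, and the page protocol check quoted above decides whether that choice counts as mixed content. Function names and the non-warning return strings are this example's own; the scheme-to-encryption mapping follows the driver's documented URI schemes.

```javascript
// Constructed example, not driver code. Models how the URI scheme and the
// page protocol combine into the mixed-content warning quoted in this issue.

// Warning text as printed by the driver (quoted from the issue above).
const MIXED_CONTENT_WARNING =
  'Neo4j driver is configured to use secure WebSocket on a HTTP web page. ' +
  'WebSockets might not work in a mixed content environment. ' +
  'Please consider configuring driver to not use encryption.'

// Map a Neo4j connection URI scheme to the encryption settings the driver
// infers from it: "+s" = TLS with system CA trust, "+ssc" = TLS trusting
// any (self-signed) certificate, no suffix = plaintext WebSocket.
function encryptionFromScheme (uri) {
  const scheme = new URL(uri).protocol.replace(/:$/, '')
  switch (scheme) {
    case 'neo4j':
    case 'bolt':
      return { encrypted: false, trust: null }
    case 'neo4j+s':
    case 'bolt+s':
      return { encrypted: true, trust: 'TRUST_SYSTEM_CA_SIGNED_CERTIFICATES' }
    case 'neo4j+ssc':
    case 'bolt+ssc':
      return { encrypted: true, trust: 'TRUST_ALL_CERTIFICATES' }
    default:
      throw new Error(`unsupported Neo4j URI scheme: ${scheme}`)
  }
}

// Same test as the window.location.protocol check quoted in the issue.
function pageIsHttps (locationProtocol) {
  return Boolean(locationProtocol) &&
    locationProtocol.toLowerCase().indexOf('https') >= 0
}

// Returns the driver's warning for an encrypted socket on a plain-HTTP page,
// a (constructed) reason string for the opposite mismatch, or null when the
// page protocol and socket encryption agree, which is the case the issue
// reporter expects for https + neo4j+s.
function checkMixedContent (uri, locationProtocol) {
  const { encrypted } = encryptionFromScheme(uri)
  const https = pageIsHttps(locationProtocol)
  if (encrypted && !https) return MIXED_CONTENT_WARNING
  if (!encrypted && https) return 'insecure WebSocket on an HTTPS page (browser may block ws://)'
  return null
}
```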

djuarezg commented 1 year ago

Any idea how to clean those warnings?