neo4j / neo4j-browser

Neo4j Browser is the general purpose user interface for working with Neo4j. Query, visualize, administrate and monitor the database.
https://neo4j.com
GNU General Public License v3.0

Unable to access Neo4j database installed behind Nginx Proxy in AWS Cloud #788

Open abhi2495 opened 6 years ago

abhi2495 commented 6 years ago

I have been trying to set up a neo4j server in the public cloud (installed in Amazon AWS EC2, Ubuntu 16 AMI) which I need to access from a remote machine. Since I have to access it from a restricted corporate network, I decided to set up Nginx as a proxy. I followed the Neo4j docs and a bunch of Stack Overflow questions. With these I could hit the Neo4j server, but couldn't connect to its DB. Here is the Browser Snapshot. Can someone help me out if I am missing something here? What should I do to access the DB?

Network Connector Configuration of Neo4j:

```
dbms.connectors.default_listen_address=0.0.0.0
dbms.connectors.default_advertised_address=ec2-xx-xx-xx-xx.compute-1.amazonaws.com

dbms.connector.bolt.enabled=true
dbms.connector.bolt.listen_address=:17687
dbms.connector.bolt.advertised_address=:7687

dbms.connector.http.enabled=true
dbms.connector.http.listen_address=:17474

dbms.connector.https.enabled=true
```

- Neo4j Version: 3.4.1
- Operating System: Ubuntu 16.04
- API: Java Driver

Steps to reproduce

  1. Install Neo4j: `sudo apt-get install neo4j=1:3.4.0` in EC2
  2. Make necessary changes in /etc/neo4j/neo4j.conf as mentioned above and restart neo4j
  3. Install Nginx: `sudo apt-get install nginx` in EC2
  4. Map both communication channels: HTTP and bolt in Nginx Config and restart Nginx

     4a. For the HTTP part, I added this snippet inside the server section of /etc/nginx/sites-available/default:

     ```
     location /neo4j/ {
         proxy_pass http://localhost:17474/;
     }
     ```

     4b. For the bolt protocol, I amended /etc/nginx/nginx.conf with this snippet:

     ```
     stream {
         server {
             listen 7687;
             proxy_pass localhost:17687;
         }
     }
     ```
  5. Navigate to - http://ec2-xx-xx-xx-xx.compute-1.amazonaws.com/neo4j OR Call the Java Driver to connect to the DataBase

Expected behavior

Should be able to communicate with DB and ask for username, password only (in Browser), and should be able to connect to Db through Java Driver

Actual behavior

In Browser, Showing "Database access not available. Please use :server connect to establish connection. There's a graph waiting for you." Asking for Host. In Java Console, showing "unable to connect to ...,, ensure the database is running and that there is a working network connection to it."

streamlinebookings commented 6 years ago

I am having a very similar issue too. Neo4j service is running behind an nginx proxy (on an EC2 instance).

I can access the database through the javascript api from my web app, but not through the browser client. I can open the browser client but not connect to the database (through neither http, nor https, nor bolt)

The error reported is
"ServiceUnavailable: WebSocket connection failure. Due to security constraints in your web browser, the reason for the failure is not available to this Neo4j Driver. Please use your browsers development console to determine the root cause of the failure. Common reasons include the database being unavailable, using the wrong connection URL or temporary network problems. If you have enabled encryption, ensure your browser is configured to trust the certificate Neo4j is configured to use. WebSocket readyState is: 3"

Other issues report a java version discrepancy but I don't have that. My neo4j version is 3.3.1, java version 8, Ubuntu16.04

All ideas are welcome! Thanks Mark

twall commented 5 years ago

This may be related to a neo4j config setting. At one point I had this working (https is served via cloudfront through nginx to a different EC2 host). I can connect properly via ssh tunnel (localhost:7687) for API access, but the /browser fails to establish a wss: connection, either complaining about certificates or connection refused upon attempt to connect to the server.

This recently stopped working but unfortunately I hadn't saved a snapshot of the config and it was overwritten by the AWS pre-neo4j script.

sid22 commented 5 years ago

Has anyone figured this out? We are facing a similar problem here. I have tried with stream in nginx but to no avail.

omkardusane commented 5 years ago

I have tried doing this; nginx does not seem to be working well as a proxy for the bolt server. I ended up opening the 7687 port and allowing the bolt server to be directly accessed without nginx. This issue is not related to neo4j browser; it is more related to the bolt server and IMO can be resolved by proper nginx setup, if given enough time.

agniswarm commented 4 years ago

+1

peterpribeli commented 4 years ago

Hi, I was trying to set up a neo4j 4.0 instance on a local network and serve it through a domain. I've got both the browser and the python driver to work and thought I'd share my configs and findings here as it may be of help.

I run both neo4j and nginx from docker.
I wanted to run everything through SSL so I obtained the certificates for bolt.domain.com and neo4j.domain.com from Let's Encrypt.
First I tried the built-in SSL termination of neo4j and set up bolt and HTTPS runners. The browser did not work but python drivers did.

Then I decided to run both bolt and HTTP unencrypted from the neo4j container and reverse proxy it with SSL termination with nginx. This time the situation flipped. The browser started working but the python driver did not. As it turns out, the browser uses websockets to communicate through bolt and the python driver some other TCP stream.

The working configuration is not the most elegant but seems to work. Run three servers in nginx, two with SSL termination and one TCP stream without.

One host, 192.168.0.1 runs the neo4j instance and has ports 7474 and 7687 open to the other host, 192.168.0.2, which listens on 7688 from the python driver and 7687 from the browser. Here is the neo4j config:

```
dbms.default_listen_address=0.0.0.0
dbms.default_advertised_address=bolt.domain.com

# Bolt connector
dbms.connector.bolt.enabled=true
dbms.connector.bolt.tls_level=OPTIONAL
dbms.connector.bolt.listen_address=0.0.0.0:7687
dbms.connector.bolt.advertised_address=bolt.domain.com

# HTTP Connector. There can be zero or one HTTP connectors.
dbms.connector.http.enabled=true
dbms.connector.http.listen_address=0.0.0.0:7474
dbms.connector.http.advertised_address=neo4j.domain

# Bolt SSL configuration
dbms.ssl.policy.bolt.enabled=true
dbms.ssl.policy.bolt.base_directory=certificates/bolt
dbms.ssl.policy.bolt.private_key=private.key
dbms.ssl.policy.bolt.public_certificate=public.crt
```

and the nginx config:

```
http {
    upstream neo4j {
        server 192.168.0.2:7474;
    }

    upstream bolt {
        server 192.168.0.2:7687;
    }

    # Neo4j Browser over HTTPS; TLS is terminated by nginx
    server {
        listen 443 ssl;
        server_name neo4j.domain.com;
        ssl_certificate /etc/nginx/certificates/https/public.crt;
        ssl_certificate_key /etc/nginx/certificates/https/private.key;

        location / {
            proxy_pass http://neo4j;
        }
    }

    # Bolt over WebSocket (used by the browser); TLS is terminated by nginx
    server {
        listen 7687 ssl;
        server_name bolt.domain.com;
        ssl_certificate /etc/nginx/certificates/bolt/public.crt;
        ssl_certificate_key /etc/nginx/certificates/bolt/private.key;

        location / {
            proxy_pass http://bolt;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
        }
    }
}

# Plain TCP passthrough for Bolt drivers; nginx does not terminate TLS here.
# stream is a top-level context and cannot be nested inside http { }.
stream {
    server {
        listen 7688;
        proxy_pass 192.168.0.2:7687;
        proxy_timeout 3s;
        proxy_connect_timeout 1s;
    }
}
```

Hope this helps. Cheers.
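
The transport split described in the comment above (the browser speaks Bolt over WebSocket, other drivers over a plain TCP stream) can be checked per listener. The Python below is an added example, not part of the original post or of any Neo4j project code: it sends either a raw Bolt handshake or a WebSocket upgrade and classifies the first reply. The function names and the sample replies are constructed for illustration.

```python
"""Which Bolt transport does a proxied port accept: raw TCP or WebSocket?"""
import base64
import os
import socket
import ssl
import sys

BOLT_MAGIC = bytes.fromhex("6060b017")  # preamble every Bolt client sends first


def bolt_handshake(versions=((4, 4), (4, 0), (3, 0), (1, 0))):
    """Preamble plus four version slots, each encoded 00 00 <minor> <major>."""
    slots = (list(versions) + [(0, 0)] * 4)[:4]
    return BOLT_MAGIC + b"".join(bytes([0, 0, minor, major]) for major, minor in slots)


def ws_upgrade(host, port):
    """WebSocket upgrade request, the way a browser-based client opens Bolt."""
    key = base64.b64encode(os.urandom(16)).decode()
    return (f"GET / HTTP/1.1\r\nHost: {host}:{port}\r\n"
            "Upgrade: websocket\r\nConnection: Upgrade\r\n"
            f"Sec-WebSocket-Key: {key}\r\nSec-WebSocket-Version: 13\r\n\r\n").encode()


def classify(reply):
    """Turn the first bytes of a reply into a short verdict."""
    if not reply:
        return "closed"  # peer hung up without answering
    if reply.startswith(b"HTTP/"):
        parts = reply.split(b"\r\n", 1)[0].split()
        code = parts[1].decode() if len(parts) > 1 else "?"
        return "websocket" if code == "101" else f"http-{code}"
    if len(reply) >= 4 and reply[:2] == b"\x00\x00":
        minor, major = reply[2], reply[3]
        return f"bolt-{major}.{minor}" if major else "bolt-no-common-version"
    return "unknown"


def probe(host, port, payload, tls=False, timeout=3.0):
    """Send one payload, classify the reply; failures become verdict strings."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return f"connect-{type(exc).__name__}"
    try:
        if tls:  # default context: certificate and hostname are verified
            sock = ssl.create_default_context().wrap_socket(sock, server_hostname=host)
        sock.sendall(payload)
        return classify(sock.recv(64))
    except ssl.SSLError:
        return "tls-error"
    except OSError as exc:
        return f"io-{type(exc).__name__}"
    finally:
        sock.close()


def diagnose(host, port, tls=False):
    """Try both transports against one listener."""
    return {"raw_tcp": probe(host, port, bolt_handshake(), tls),
            "websocket": probe(host, port, ws_upgrade(host, port), tls)}


# Constructed first-reply bytes (not captured traffic) for the cases above.
SAMPLES = {
    "raw Bolt through a TCP stream listener": b"\x00\x00\x04\x04",
    "raw Bolt sent to an HTTP proxy listener": b"HTTP/1.1 400 Bad Request\r\n\r\n",
    "WebSocket upgrade through an HTTP proxy listener": b"HTTP/1.1 101 Switching Protocols\r\n",
}

if __name__ == "__main__":
    if len(sys.argv) >= 3:  # usage: probe.py HOST PORT [tls]
        print(diagnose(sys.argv[1], int(sys.argv[2]), "tls" in sys.argv[3:]))
    else:
        for label, reply in SAMPLES.items():
            print(f"{label}: {classify(reply)}")
```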

daddydrac commented 4 years ago

@peterpribeli do you have a GitHub repo we can look at, because I cannot reproduce(?)

http { } errors out and says it can't be there as well.

daddydrac commented 4 years ago

I am not sure how @neo4j expects anyone to test their stuff out before buying if you can't serve it. They need a working nginx file for ppl to use, end of story.

We were going to evaluate but because we couldn't get it working we are moving on to a free graph db. Guess they lost out on an enterprise lisc'. My advice is to move on - plenty of real open src options w/ better flexibility for serving.

mvadu commented 4 years ago

I was able to get this working with these config:

on server side

```
dbms.default_listen_address=0.0.0.0
dbms.default_advertised_address=adystech.com
dbms.connector.bolt.listen_address=:7687
dbms.connector.bolt.advertised_address=:8888
```

on nginx

```
stream {
    upstream backend {
        hash $remote_addr consistent;
        server ubuntu:7687 max_fails=3 fail_timeout=30s;
    }

    server {
        listen 8888 so_keepalive=on;
        preread_timeout 30s;
        proxy_connect_timeout 1s;
        proxy_timeout 3s;
        proxy_pass backend;
    }
}

# this is under http/server section
location /neo4j/ {
    proxy_buffering on;
    proxy_buffers 8 128k;
    proxy_buffer_size 128k;
    proxy_set_header   Host             $host;
    proxy_set_header   X-Real-IP        $remote_addr;
    proxy_set_header   X-Forwarded-For  $proxy_add_x_forwarded_for;
    proxy_http_version 1.1;
    proxy_set_header Connection "";
    proxy_intercept_errors on;
    proxy_pass http://ubuntu:7474/;
    proxy_redirect     default;
    error_page 502 500 /error-50x.html;
    error_page 404 /error-40x.html;
    proxy_cache node_cache;
    proxy_cache_valid 200 302 5s;
    proxy_cache_valid 404 1m;
    proxy_cache_valid 502 1m;
    add_header X-Cache-Status $upstream_cache_status;
}
```

ramagudepu commented 4 years ago

Hi @mvadu, thanks for providing the nginx config and neo4j config. I have tried it but I still get the error around WebSocket connection failure. Could you please provide your complete nginx config and neo4j config, so that I can cross-check if I have missed anything? Thank you

daddydrac commented 4 years ago

Just use my container & be done w the headaches.

https://github.com/joehoeller/nginx-server-neo4j-graph-db

ramagudepu commented 4 years ago

Thank you @joehoeller will try that now.

ramagudepu commented 4 years ago

Hi @joehoeller, could you also please share your neo4j configuration file, as my container failed to start and is throwing an error saying `Address 0.0.0.0:7687 is already in use, cannot bind to it`. Thank you

daddydrac commented 4 years ago

That’s not the issue. You can change the port on the docker file and expose a diff one.

Or do:

docker ps -a

Get the name of other container on that port and then type in:

docker rm -f

ramagudepu commented 4 years ago

Hi @joehoeller, thank you for your reply. I just wanted to let you know a bit more detail on what I am trying to do. I have created 2 container instances within Azure under 1 container group (these are not docker enabled). In 1 container I have neo4j and in the other container I have nginx. I have purchased a domain name and assigned it to the container group. When I try and access the browser it is working fine and I can view the web page. But when I try and connect to the neo4j database it is throwing an error saying "ServiceUnavailable: WebSocket connection failure. Due to security constraints in your web browser, the reason for the failure is not available to this Neo4j Driver." I have been trying to get this working for the past 2-3 weeks but still no luck.

I have also replicated the nginx configuration provided in your github, but still I get the same issue. Thanks

daddydrac commented 4 years ago

Just use my container as is. They need to be on same Docker network.

jeromecc commented 1 year ago

> Hi, I was trying to set up a neo4j 4.0 instance on a local network and serve it through a domain. I've got both the browser and the python driver to work and thought I'd share my configs and findings here as it may be of help.
>
> I run both neo4j and nginx from docker. I wanted to run everything through SSL so I obtained the certificates for bolt.domain.com and neo4j.domain.com from Let's Encrypt. First I tried the built-in SSL termination of neo4j and set up bolt and HTTPS runners. The browser did not work but python drivers did.
>
> Then I decided to run both bolt and HTTP unencrypted from the neo4j container and reverse proxy it with SSL termination with nginx. This time the situation flipped. The browser started working but the python driver did not. As it turns out, the browser uses websockets to communicate through bolt and the python driver some other TCP stream.
>
> The working configuration is not the most elegant but seems to work. Run three servers in nginx, two with SSL termination and one TCP stream without.
>
> One host, 192.168.0.1 runs the neo4j instance and has ports 7474 and 7687 open to the other host, 192.168.0.2, which listens on 7688 from the python driver and 7687 from the browser. Here is the neo4j config:
>
> ```
> dbms.default_listen_address=0.0.0.0
> dbms.default_advertised_address=bolt.domain.com
>
> # Bolt connector
> dbms.connector.bolt.enabled=true
> dbms.connector.bolt.tls_level=OPTIONAL
> dbms.connector.bolt.listen_address=0.0.0.0:7687
> dbms.connector.bolt.advertised_address=bolt.domain.com
>
> # HTTP Connector. There can be zero or one HTTP connectors.
> dbms.connector.http.enabled=true
> dbms.connector.http.listen_address=0.0.0.0:7474
> dbms.connector.http.advertised_address=neo4j.domain
>
> # Bolt SSL configuration
> dbms.ssl.policy.bolt.enabled=true
> dbms.ssl.policy.bolt.base_directory=certificates/bolt
> dbms.ssl.policy.bolt.private_key=private.key
> dbms.ssl.policy.bolt.public_certificate=public.crt
> ```
>
> and the nginx config:
>
> ```
> http {
>     upstream neo4j {
>         server 192.168.0.2:7474;
>     }
>
>     upstream bolt {
>         server 192.168.0.2:7687;
>     }
>
>     # Neo4j Browser over HTTPS; TLS is terminated by nginx
>     server {
>         listen 443 ssl;
>         server_name neo4j.domain.com;
>         ssl_certificate /etc/nginx/certificates/https/public.crt;
>         ssl_certificate_key /etc/nginx/certificates/https/private.key;
>
>         location / {
>             proxy_pass http://neo4j;
>         }
>     }
>
>     # Bolt over WebSocket (used by the browser); TLS is terminated by nginx
>     server {
>         listen 7687 ssl;
>         server_name bolt.domain.com;
>         ssl_certificate /etc/nginx/certificates/bolt/public.crt;
>         ssl_certificate_key /etc/nginx/certificates/bolt/private.key;
>
>         location / {
>             proxy_pass http://bolt;
>             proxy_http_version 1.1;
>             proxy_set_header Upgrade $http_upgrade;
>             proxy_set_header Connection "upgrade";
>         }
>     }
> }
>
> # Plain TCP passthrough for Bolt drivers; nginx does not terminate TLS here.
> # stream is a top-level context and cannot be nested inside http { }.
> stream {
>     server {
>         listen 7688;
>         proxy_pass 192.168.0.2:7687;
>         proxy_timeout 3s;
>         proxy_connect_timeout 1s;
>     }
> }
> ```
>
> Hope this helps. Cheers.

It helped me a lot on neo4j 4.4 thanks!

I go to https://neo4j.domain.com, then I enter neo4j+s://bolt.domain.com:7688 and my credentials and voilà!

My use case was to tamper with my remote database through the browser while keeping password and data safe from eavesdropping.