I'm having hard time trying to publish my Neo4j server as a public HTTP endpoint. I'm familiar with Apache configuration and basic TCP/IP, but not so expert on reverse proxy configuration.
So far, I managed to do this with Apache configuration (ie, the host acting as proxy and forwarding HTTP requests to internal services):
# Before this I've also a lot of ProxyHTMLLinks directives, which I kept from Apache # examples, but I don't think I need them here # ProxyPass /vbox/ http://192.168.56.101:7474/ <Location /vbox/> ProxyPassReverse / Likely I don't need this either ProxyHTMLEnable On ProxyHTMLURLMap http://192.168.56.101:7474/ /vbox/ ProxyHTMLURLMap / /vbox/ </Location>
192.168.56.101 is a VirtualBox virtual machine, where Neo4j is running, I can reach it directly via http://192.168.56.101:7474, and then the browser is able to connect bolt://192.168.56.101:7687 and allow me to play with Cypher (of course the virtual machine has 7474 and 7687 ports open).
the config above is for my hosting laptop (I'm trying this locally, before going to our real proxy and real Neo4j server), it allows me to reach the Neo4j browser by using the URL http://localhost/vbox/, which correctly forwards the browser to http://localhost/vbox/browser.
So, it works fine for the browser and everything that is plain HTTP (didn't tried HTTPS, but I gues it would go fine too).
At this point I'm stuck with the BOLT connection: what bolt address should I use? I cannot use bolt://192.168.56.101:7687, because in the real network, that will be an internal server, and I want it accessible via the proxy only (ie, the one currently being played by localhost). I've tried this in the localhost Apache:
ProxyPass /vbox/bolt/ http://192.168.56.101:7687/ <Location /vbox/bolt/> ProxyPassReverse / ProxyHTMLEnable On ProxyHTMLURLMap http://192.168.56.101:7687/ /vbox/bolt/ ProxyHTMLURLMap / /vbox/bolt/ </Location>
and then I've tried http://localhost/vbox/bolt/ as connection URL in the browser. Quite expectedly, the message I get back is: "ServiceUnavailable: Failed to fetch".
Finally, without much hope, I tried this too:
ProxyPass /vbox/bolt/ bolt://192.168.56.101:7687/ <Location /vbox/bolt/> ProxyPassReverse / ProxyHTMLEnable On ProxyHTMLURLMap bolt://192.168.56.101:7687/ /vbox/bolt/ ProxyHTMLURLMap / /vbox/bolt/ </Location>
with bolt://localhost:80/vbox/bolt/ as database connection URL. The answer is:
ServiceUnavailable: WebSocket connection failure. Due to security constraints in your web browser, the reason for the failure is not available to this Neo4j Driver. Please use your browsers development console to determine the root cause of the failure. Common reasons include the database being unavailable, using the wrong connection URL or temporary network problems. If you have enabled encryption, ensure your browser is configured to trust the certificate Neo4j is configured to use. WebSocket
readyState is: 3
which makes me think Apache doesn't understand the browser attempt to talk BOLT to it. If I try http://localhost:80/vbox/bolt/ as connection URL (against the second Apache config above), I get instead: ServiceUnavailable: Unexpected token < in JSON at position 0. Which makes me think the browser ignores the fact Apache is replying 403/Unauthorized (as I can see via wget).
So, it seems that Apache cannot reverse proxy a protocol it doesn't support (in addition to HTTP(S), it has modules for FTP and, I believe, some others, but none for BOLT), so my only hope is to wrap BOLT over HTTP somehow (or to work with port forwarding at the level of the TCP/IP firewall, but that has very low chances to be accepted by our IT department).
In conclusion, is it even possible via an HTTP proxy? Or do I need to go down to the more general firewall? Or am I missing something?
My understanding is that BOLT is needed both by the browser and clients for several languages (we're interested in the Java ans R drivers).
Note also that I've already seen discussions like this, which barely mentions bolt access. Note also that my Neo4j is already using the advertised_address setting (set to 192.168.56.101).
Thanks in advance for any help.