2
votes

I am running Neo4J in Docker behind Traefik. The web interface (7474) is exposed on https, which works as expected.

Through the web interface, I attempt to connect to bolt://localhost:7687, which I would expect to work; after all, it's running in that same container. Instead I receive the message:

"ServiceUnavailable: WebSocket connection failure. Due to security constraints in your web browser, the reason for the failure is not available to this Neo4j Driver. Please use your browsers development console to determine the root cause of the failure. Common reasons include the database being unavailable, using the wrong connection URL or temporary network problems. If you have enabled encryption, ensure your browser is configured to trust the certificate Neo4j is configured to use. WebSocket readyState is: 3"

The reverse proxy uses an internal certificate signed by our corporate CA. The Neo4J container has the root certificate available. The client connecting also has the root certificate available.

When attempting to connect to localhost:7687 in the container itself, it works as expected; so does Cypher shell.

There were also some posts on GitHub regarding the Java version which could cause these problems - I have tried with Oracle JDK 8, OpenJDK 8 (HotSpot & J9).

Browser also seems unrelated - the described issue reproduces with FF, Chrome & Safari.

1
What is the result if you access bolt://localhost:7687 directly? - Jeroen Heier
That works as expected. So does Cypher Shell in the container. - darkl0rd

1 Answer

1
votes

I was in the same situation and here is my solution in order to run a Neo4j instance (for Bloodhound in my case) in a Docker swarm with Traefik 2.0.2. Due to Traefik's new router concept, it's totally verbose and difficult to read, because you have to define five routers. But at least it works and enables you to access both the web interface and the actual database via wss and bolt. Maybe it's possible to simplify my configuration.

Furthermore, I specified the redirectScheme middleware and certificates signed by an internal PKI in dynamic config files delivered by Traefik's file provider.

HTH!

version: '3.7'

services:
  neo4j:
    image: neo4j:latest
    networks:
      - traefiknet
    volumes:
      - type: volume
        source: data
        target: /data
      - type: volume
        source: logs
        target: /logs
      - type: volume
        source: conf
        target: /conf
    environment:
      # placeholder credentials; replace before deploying
      - NEO4J_AUTH=neo4j/somepassword
      - NEO4J_ACCEPT_LICENSE_AGREEMENT=yes
    deploy:
      replicas: 1
      restart_policy:
        condition: any
      placement:
        constraints:
          - node.hostname == node-02
      labels:
        # HTTP routers 1+2: the browser UI on 7474. Plain HTTP (entrypoint "web") is
        # redirected to HTTPS by the httpsredirection middleware from the file provider.
        - traefik.http.services.neo4j.loadbalancer.server.port=7474
        - traefik.http.routers.neo4j.rule=Host(`neo4j.dockerswarm.domain.com`)
        - traefik.http.routers.neo4j-secure.rule=Host(`neo4j.dockerswarm.domain.com`)
        - traefik.http.routers.neo4j.service=neo4j
        - traefik.http.routers.neo4j-secure.service=neo4j
        - traefik.http.routers.neo4j.middlewares=httpsredirection@file
        - traefik.http.routers.neo4j-secure.tls=true
        - traefik.http.routers.neo4j.entrypoints=web
        - traefik.http.routers.neo4j-secure.entrypoints=web-secure

        # HTTP routers 3+4: Bolt over WebSocket (wss://) from the browser, forwarded
        # to the Bolt port 7687 on a separate hostname.
        - traefik.http.services.neo4jdb.loadbalancer.server.port=7687
        - traefik.http.routers.neo4jdb.rule=Host(`neo4jdb.dockerswarm.domain.com`)
        - traefik.http.routers.neo4jdb-secure.rule=Host(`neo4jdb.dockerswarm.domain.com`)
        - traefik.http.routers.neo4jdb.service=neo4jdb
        - traefik.http.routers.neo4jdb-secure.service=neo4jdb
        - traefik.http.routers.neo4jdb.middlewares=httpsredirection@file
        - traefik.http.routers.neo4jdb-secure.tls=true
        - traefik.http.routers.neo4jdb.entrypoints=web
        - traefik.http.routers.neo4jdb-secure.entrypoints=web-secure

        # TCP router 5: native bolt clients (cypher-shell, drivers). The router matches
        # on the TLS SNI name; Traefik terminates TLS and forwards plain Bolt to 7687.
        - traefik.tcp.services.neo4jdb.loadbalancer.server.port=7687
        - traefik.tcp.routers.neo4jdb.rule=HostSNI(`neo4jdb.dockerswarm.domain.com`)
        - traefik.tcp.routers.neo4jdb.service=neo4jdb
        - traefik.tcp.routers.neo4jdb.tls=true

networks:
  traefiknet:
    external: true

volumes:
  data:
  logs:
  conf:
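To check from a client machine that the TCP router above actually routes on SNI and that the certificate chain from the internal PKI is trusted, here is an added diagnostic (my example, not code from the answer): it opens a verified TLS connection with SNI set to the hostname, then performs the Bolt wire handshake and reports the negotiated protocol version. The hostname and CA bundle path are assumptions; a certificate the client does not trust surfaces as an ssl.SSLCertVerificationError, which is the same condition the browser hides behind the "security constraints" message.

```python
"""Client-side check of a Neo4j Bolt endpoint published through Traefik with TLS.

Added example, not part of the answer above. Hostname, port and CA bundle path are
assumptions; adjust them to your deployment.
"""
import socket
import ssl

BOLT_MAGIC = b"\x60\x60\xb0\x17"  # Bolt handshake preamble


def bolt_handshake(versions=((4, 4), (4, 3), (4, 2), (3, 0))):
    """Build the 20-byte Bolt handshake: magic preamble + four version proposals.
    Each proposal is big-endian: two reserved bytes, minor, major."""
    if len(versions) != 4:
        raise ValueError("Bolt handshake carries exactly four proposals")
    return BOLT_MAGIC + b"".join(bytes([0, 0, minor, major]) for major, minor in versions)


def parse_bolt_reply(reply):
    """Return (major, minor) chosen by the server, or None if it rejected all proposals."""
    if len(reply) != 4:
        raise ValueError("expected a 4-byte handshake reply, got %r" % (reply,))
    major, minor = reply[3], reply[2]
    return None if (major, minor) == (0, 0) else (major, minor)


def probe_bolt_tls(host, port=7687, ca_file=None, timeout=5.0):
    """Open a TLS connection with SNI=host (what Traefik's HostSNI rule matches on),
    verify the server certificate and hostname against ca_file, then negotiate Bolt.
    Raises ssl.SSLCertVerificationError if the chain is not trusted."""
    ctx = ssl.create_default_context(cafile=ca_file)  # verifies chain + hostname
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(bolt_handshake())
            reply = tls.recv(4)
    return parse_bolt_reply(reply)


if __name__ == "__main__":
    # Assumed values: the hostname from the answer's labels and a corporate CA bundle.
    print(probe_bolt_tls("neo4jdb.dockerswarm.domain.com", ca_file="/etc/ssl/corp-ca.pem"))
```

A reply of None means TLS and routing worked but the server accepted none of the proposed Bolt versions; a connection reset before the 4-byte reply usually means Traefik matched no router for that SNI name.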