Secure Neo4j Webadmin using HTTP auth and SSL

Neo4j offers a simple yet useful web interface to manage your database. You can secure its web administration interface with SSL. That’s great, but not good enough: if you open the port to the world, the world is invited to inspect and manipulate your database. That’s not very nice.

So what we will do about this is add an additional layer of security, HTTP basic authentication, in front of Neo4j.
I use NGINX as the web proxy here, but the same should apply to every other proxy around.

Update: There’s a Neo4j Plugin out there, which might be a better option for you, depending on your needs: https://github.com/neo4j-contrib/authentication-extension

In the first step we self-sign our own certificate. This should only be done in a development environment!

Our Steps are:

  • Create a certificate to use for SSL access
  • Activate HTTPS in Neo4j
  • Create a credential file
  • Create a NGINX vhost
  • Drink some coffee

Create a certificate to use for SSL access

Ok let’s start by creating the certificates:

mkdir -p /var/ssl/neo4j

# Create the CA key and certificate that will sign our server cert
openssl genrsa -des3 -out /var/ssl/ca.key 4096
openssl req -new -x509 -days 365 -key /var/ssl/ca.key -out /var/ssl/ca.crt

# Create the server key, CSR, and certificate. 2048 bits: a 1024-bit RSA key
# is below today's minimum and is rejected at the default security level of
# several distributions' OpenSSL builds. Note that -des3 password-protects the
# key, so whatever loads it (nginx, Neo4j) will prompt for the passphrase.
openssl genrsa -des3 -out /var/ssl/neo4j/server.key 2048
openssl req -new -key /var/ssl/neo4j/server.key -out /var/ssl/neo4j/server.csr

# We're self signing our own server cert here.  This is a no-no in production.
openssl x509 -req -days 365 -in /var/ssl/neo4j/server.csr -CA /var/ssl/ca.crt -CAkey /var/ssl/ca.key -set_serial 01 -out /var/ssl/neo4j/server.crt

@source: blog.nategood.com

Activate HTTPS in Neo4j

Now we have our certificates signed and ready to use.
Next we’ll modify Neo4j’s neo4j-server.properties to suit our needs:

org.neo4j.server.webserver.https.enabled=true
org.neo4j.server.webserver.https.port=7473

Restart your Neo4j instance if it is running, otherwise start it now. Leave org.neo4j.server.webserver.address at its default of 127.0.0.1: the whole point of the proxy is lost if port 7473 itself is reachable from outside.

neo4j restart

Now you can visit https://localhost:7473/webadmin/

Create a credential file

Create a credentials file for nginx basic http authentication:

mkdir -p /var/auth

USER="Joe"
PASS="s3cR3t"
# -apr1 (Apache MD5) is understood by nginx's auth_basic. The original -crypt
# scheme truncates passwords to 8 characters and was removed in OpenSSL 3.
printf '%s:%s\n' "$USER" "$(openssl passwd -apr1 "$PASS")" >> /var/auth/neo4j

# use the group nginx runs as, on my system it's "nginx"
chown root:nginx /var/auth/neo4j
chmod 640 /var/auth/neo4j
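Nothing above shows what nginx actually does with that file, so here is an added example (not code from this post, nginx or Neo4j) that checks an Authorization header against an htpasswd-style file by re-implementing the $apr1$ (and $1$) MD5 scheme that openssl passwd emits. The user, password, salt and header are constructed sample values.

```python
import base64, hashlib, hmac

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def md5_crypt(password: str, salt: str, magic: str = "$apr1$") -> str:
    """Apache/FreeBSD md5crypt as written by 'openssl passwd -apr1' / '-1'."""
    pw, sl = password.encode(), salt[:8].encode()
    ctx = hashlib.md5(pw + magic.encode() + sl)
    alt = hashlib.md5(pw + sl + pw).digest()
    for n in range(len(pw), 0, -16):          # mix in len(pw) bytes of alt
        ctx.update(alt[:min(16, n)])
    n = len(pw)
    while n:                                  # historical quirk: NUL or pw[0]
        ctx.update(b"\0" if n & 1 else pw[:1])
        n >>= 1
    final = ctx.digest()
    for i in range(1000):                     # 1000 rounds of stretching
        rnd = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            rnd.update(sl)
        if i % 7:
            rnd.update(pw)
        rnd.update(final if i & 1 else pw)
        final = rnd.digest()
    out = ""                                  # crypt's own base64 variant
    for a, b, c in [(0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)]:
        v = (final[a] << 16) | (final[b] << 8) | final[c]
        for _ in range(4):
            out, v = out + ITOA64[v & 0x3F], v >> 6
    out += ITOA64[final[11] & 0x3F] + ITOA64[final[11] >> 6]
    return f"{magic}{sl.decode()}${out}"


def basic_header(user: str, password: str) -> str:
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def check_basic_auth(header: str, cred_file: str) -> bool:
    """True iff the header's user:password matches a line of the credential file."""
    if not header.startswith("Basic "):
        return False
    user, _, pw = base64.b64decode(header[6:]).decode().partition(":")
    for line in cred_file.splitlines():
        u, _, h = line.partition(":")
        if u == user and h.startswith(("$apr1$", "$1$")):
            magic, salt = h[: h.index("$", 1) + 1], h.split("$")[2]
            return hmac.compare_digest(md5_crypt(pw, salt, magic), h)
    return False


CRED_FILE = "Joe:" + md5_crypt("s3cR3t", "Zs7Qk1Pa") + "\n"  # constructed sample line
```

A real check would read /var/auth/neo4j instead of CRED_FILE; the comparison is constant-time so a timing difference does not leak which part of the hash mismatched.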

Create a NGINX vhost

For the nginx vhost, add the following server block to your /etc/nginx/nginx.conf:

server {
  listen 443 ssl;
  server_name neo.domain.com;

  # "listen ... ssl" already enables TLS; the old "ssl on;" directive is
  # redundant and has been removed from recent nginx releases.
  ssl_certificate         /var/ssl/neo4j/server.crt;
  ssl_certificate_key     /var/ssl/neo4j/server.key;

  location / {
    auth_basic            "Restricted";
    auth_basic_user_file  /var/auth/neo4j;
    proxy_pass            https://127.0.0.1:7473/;
    proxy_set_header      X-Real-IP          $remote_addr;
    proxy_set_header      X-Forwarded-For    $proxy_add_x_forwarded_for;
    proxy_set_header      X-Forwarded-Proto  https;
    proxy_set_header      Host               $http_host;
    proxy_buffering       off;
    proxy_redirect        off;
  }
}

Drink some coffee

Finally restart your nginx instance and… don’t forget the coffee.
