Using nginx for docker as a reverse proxy for the neo4j bolt protocol
Pre-requesites: Aura Enterprise with Private Link Enabled Why: This allows you to use your own ssl cert and domain name for the aura database
Aura Support also needs to assist with setting (see disclaimer below):
dbms.routing.default_router=SERVER
You can verify this setting with:
call dbms.listConfig() yield name, value, dynamic
where name contains "routing"
return name, value, dynamicThis custom configuration is pending some internal Neo4j approval to become fully supported. Until that is approved you can use it as is but should not expect Sev-1 coverage (this is not suited for production)
Add or generate your ssl cert
openssl req \
-newkey rsa:2048 \
-x509 \
-nodes \
-keyout server.key \
-new \
-out server.crt \
-subj /CN=haklof.corp \
-reqexts SAN \
-extensions SAN \
-config <(cat /etc/ssl/openssl.cnf \
<(printf '[SAN]\nsubjectAltName=DNS.1:haklof.corp,DNS.2:database.haklof.corp,IP:127.0.0.1')) \
-sha256 \
-days 3650Set your private connecion uri 4d741a64.production-orch-0477.neo4j.io
REMARK: dist.tgz (neo4j workspace dist) is not yet available to the public
docker build -t aura-proxy:v1 ./docker run --rm --name aura-proxy -d -v ./default.conf:/etc/nginx/nginx.conf -p 443:443 aura-proxy:v1Test that you cann connect to the database
./bin/cypher-shell -a neo4j+ssc://haklof.corp:443 -d neo4j -u neo4j -p <password>- You may want to test, step by step with nc to check that you pass each layer
- dnsmasq is your friend for testing / resolving the fake domain (in this example haklof.corp)
- Tidy up docker related stuff that may pose scrutity risks
- nginx best practices and performance
- Make config esier, i.e. pass arguements for PORT, CERTS and AURA_PRIVATE_URI