Neo4j not functional through apache proxy - apache

I am able to run neo4j fine through port 7474 on my server including cypher queries. Though when I access neo4j through the apache proxy it will load just fine but any requests done through cypher will only return an "Unknown error". I have other proxies such as rstudio running just fine.
I have tried the default values on the neo4j website for proxy configuration with no success. I am at a loss for what to try. Please let me know if more information is needed, or how I can get additional information on the cypher error.
I tried the sample Query:
CREATE (n {name:"World"}) RETURN "hello", n.name
And this returns "Unknown error" when done through the proxy, but when done through port 7474 it works fine.
This is a Linux Ubuntu LTS 12.04.4 machine.
Neo4j 2.1.1
Apache 2.2.22
Sorry if this is vague but I have not found any help for this issue nor do I know what additional information would be relevant.
Thank you.
Update:
It now works with the case provided by Stefan (Thank you!). But I am unsure how to change it from being on the root of my domain to "/database/". In your example you can change it to "/neo4j". How would I change the other parts of this config file for this to function?
As it looks now (non functional with change of proxy from "/"):
ProxyPass /database/ http://localhost:7474/
ProxyPassReverse /database/ http://localhost:7474/
RedirectMatch permanent ^/database /database/
<Location /db/manage>
AddOutputFilterByType SUBSTITUTE application/json
Substitute "s|http://localhost:7474|http://localhost:8080|n"
</Location>
I tried to change the substitute rule from "localhost:8080" to "localhost:8080/database" and to "/database" to no avail.
In closing what worked is to make it a subdomain and still have it on the root. Not sure why this has to be the case, but it is functional. Thank you again Stefan!

Some time ago I set up an example config for using mod_proxy and mod_substitute, see https://github.com/sarmbruster/vagrant_neo4j_modproxy. See especially the Apache config file.
Be aware that mod_substitute will not work with huge responses > 1M.

Related

Require forward-dns somehost.com returns Unknown Authz provide

I've been trying to set up:
Require forward-dns somehostname.mydns.rocks
to prevent access to a sandbox except for devs. I can't use IPs, since they aren't static, and in theory the forward-dns directive is exactly what I need (used along with the dynamic DNS hostnames of the client machines).
But when I try to use the "Require forward-dns somehostname.mydns.rocks" directive, apache spits out:
.htaccess: Unknown Authz provider: forward-dns"
I feel like I'm missing some required step that isn't clear in the docs to get forward-dns working (Apache 2.4.6 on CentOS 7).
P.S. the Require host directive works, and since the host directive first does a reverse DNS lookup, followed by a forward DNS lookup on the results of the reverse DNS lookup, I would expect forward-dns to just work.
What step could I be missing here?
https://httpd.apache.org/docs/current/en/mod/mod_authz_host.html
says:
The forward-dns provider was added in 2.4.19
Your Apache version 2.4.6 is too old. Try updating to a newer version.
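How the two providers named in the question differ, as a small Python model (an added example, not Apache's code and not part of the original answer). The DNS tables, the ISP host name and the addresses are constructed; the behaviour modelled follows the mod_authz_host documentation linked above.

```python
import ipaddress

# Constructed DNS data for illustration (documentation address ranges).
FORWARD = {  # name -> A records
    "somehostname.mydns.rocks": ["203.0.113.25"],  # dynamic-DNS name of a dev
    "pool-25.isp.example": ["203.0.113.25"],       # ISP's name for the same IP
}
REVERSE = {  # IP -> PTR name
    "203.0.113.25": "pool-25.isp.example",         # PTR belongs to the ISP
    "198.51.100.7": "somehostname.mydns.rocks",    # PTR with no matching A record
}


def forward_dns_allows(client_ip, hostname):
    """Model of `Require forward-dns`: resolve the name, compare with the client IP."""
    client = ipaddress.ip_address(client_ip)
    return any(ipaddress.ip_address(a) == client for a in FORWARD.get(hostname, []))


def host_allows(client_ip, name):
    """Model of `Require host`: PTR lookup, forward confirmation, then name match."""
    ptr = REVERSE.get(client_ip)
    if ptr is None:
        return False
    if client_ip not in FORWARD.get(ptr, []):
        return False  # reverse and forward DNS disagree
    return ptr == name or ptr.endswith("." + name)


if __name__ == "__main__":
    name = "somehostname.mydns.rocks"
    for ip in ("203.0.113.25", "198.51.100.7"):
        print(ip, "forward-dns:", forward_dns_allows(ip, name),
              "host:", host_allows(ip, name))
```

In this model the dynamic-DNS client passes only the forward-dns check, because its PTR record is the ISP's, and an address whose PTR merely claims the name passes neither.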

How to use dejavu for elasticsearch on local running it from opensource.appbase.io

I wanted to use the wonderful dejavu software to audit a local elasticsearch instance.
Wonderful idea, but currently it looks like it's not as easy as it should be. But I found a way to do it, and that's what I want to share with the community.
Basically you can run dejavu from the opensource.appbase.io but first you need to set SSL to access your local ES. Here is how I did it in less than 1 hour (saving you another 4 hours of googling/research/try&fail).
This is little bit like issue https://github.com/appbaseio/dejavu/issues/106 but running it from the dejavu's website instead of local extension.
Just in case, I've tested this on Chrome and Firefox, both successfully. I've done it all in Windows, but I suppose Linux should work because nothing described here is Windows-specific.
Bad news: the google extension fails (no idea because the error reporting does not exist)
More: I don't want to deal with Docker, that is the other "easy" way that is provided.
So this is what I did:
1.- here is the link to the main web site: https://opensource.appbase.io/dejavu/
2.- click to run it live. Here is the link: https://opensource.appbase.io/dejavu/live?default=true
It will start immediately, but won't be able to get any data. Don't worry.
3.- point it to local, in my case was http://localhost:9200 plus my ES index document. Failed, but don't worry.
If you look at the console and network tools of your browser, dejavu looks to be trying SSL to connect with your ES. Here is where setting SSL on your ES (or in front of it) becomes required.
There are several ways to do this. In my case (because it was not for production) I've used Apache httpd, specifically the already packaged (portable) version of xampp, so it's just about minutes to have it downloaded and running. I downloaded it from here: https://portableapps.com/apps/development/xampp
4.- after installing Apache, open a new tab in your browser and try the SSL like https://localhost and it will give you a correct warning about the certificate. Just trust it to check SSL is up and running. Don't worry about the warning.
5.- to set the SSL to redirect ES requests correctly, here you have these simple settings to add in apache config file, then restart apache. I took the idea from here: Elasticsearch with apache2 ssl proxy
<Proxy http://127.0.0.1:9200>
ProxySet connectiontimeout=5 timeout=90
</Proxy>
<LocationMatch "^(/_aliases|.*/_search|.*/_mapping|/_nodes|/_settings)$">
ProxyPassMatch http://127.0.0.1:9200
ProxyPassReverse http://127.0.0.1:9200
</LocationMatch>
6.- now it is required to set the cross-origin authorization at your ES. Add these lines into your elasticsearch.yml file and restart ES. The instructions come from dejavu's github site: https://github.com/appbaseio/dejavu
http.cors.allow-origin: "https://opensource.appbase.io"
http.cors.enabled: true
http.cors.allow-headers : X-Requested-With,X-Auth-Token,Content-Type,Content-Length,Authorization,Access-Control-Allow-Origin
http.cors.allow-credentials: true
7.- test how is it going: get your index mapping with something like this: https://localhost/your_es_doc_index/_mapping
You will get the JSON mapping of your index. Everything is working (Apache and ES)
8.- now, in your dejavu, point it to https://localhost:443 (yes, the port must be set because if not it will assume to do https://localhost:9200, believe it or not). Don't forget to set your ES index document in the "header" box in dejavu. Now click on "Connect".
After a couple of seconds, you will have the list of your types ready and accessible in dejavu
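A quick way to see which Elasticsearch paths the LocationMatch block in step 5 actually forwards, as an added Python example (not part of the original post). The request URLs and the index name "logs" are constructed, and the path handling (query string dropped, percent-escapes decoded before matching) is an approximation of how Apache prepares the URL path.

```python
import re
from urllib.parse import urlsplit, unquote

# Pattern copied from the <LocationMatch> block in the post.
ALLOW = re.compile(r"^(/_aliases|.*/_search|.*/_mapping|/_nodes|/_settings)$")


def proxied(url):
    """True if the request path falls inside the LocationMatch section,
    i.e. the TLS front end would forward it to 127.0.0.1:9200."""
    path = unquote(urlsplit(url).path)  # assumption: decoded path, no query
    return ALLOW.fullmatch(path) is not None


# Constructed request URLs; "logs" is a hypothetical index name.
SAMPLES = [
    "https://localhost/_aliases",
    "https://localhost/logs/_search?size=10",
    "https://localhost/logs/_mapping",
    "https://localhost/logs/%5Fsearch",        # encoded underscore still matches
    "https://localhost/logs/_doc/1",           # single-document API
    "https://localhost/logs/_delete_by_query",
    "https://localhost/_cluster/settings",
    "https://localhost/_nodes/stats",
    "https://localhost/logs",                  # the index itself
]


def audit(urls=SAMPLES):
    """Map each URL to whether the proxy section would forward it."""
    return {u: proxied(u) for u in urls}


if __name__ == "__main__":
    # The section filters on path only; it places no limit on the HTTP method.
    for url, ok in audit().items():
        print(("PROXIED  " if ok else "NOT SENT ") + url)
```

Paths reported as not forwarded are answered by the Apache site itself rather than by Elasticsearch, so the list doubles as a record of what the HTTPS endpoint exposes.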

Forwarded Tomcat through Apache uses wrong Context path

Okay, let me explain my problem really fast. I have a JEE program running on my Tomcat server. The server has some users defined in the tomcat-users.xml. When I test my program on my local machine everything works fine.
However, if I deploy the .war on my server and I want to access a REST endpoint I get a 401 Unauthorized error. If I remove the users security check I can work fine with the program. So the URLs and server setup are correct.
I think that the problem is somehow related to the forwarding of tomcat through my apache.
So let's assume I have an Apache running on http://myIp.de
then I forwarded Tomcat with the following Apache config:
ProxyRequests off
ProxyPass /tomcat http://localhost:8181/ nocanon
ProxyPassReverse /tomcat http://localhost:8181/
so now I can reach Tomcat through: http://myIp.de/tomcat
I can also "speak" to my app via: tomcat/myApp
But somehow the authentication now fails. And I think the problem is somehow related to a wrong context path, because tomcat/manager also fails to log in.
Make your life easier by deploying your app under /tomcat on tomcat too. This way there's no path-translation required. Keep in mind that you'll get all the session cookies tied to a specific path and this path is not necessarily translated once forwarded to the client.
Also, sooner or later you might need
ProxyPreserveHost On
(look it up) or utilize mod_jk to preserve this header (and more information) automatically.
Edit: Following your comment, Basic Auth headers seem not to be forwarded to tomcat as well. I haven't attempted this myself, but all the places that I've looked up seem to imply that there'd be some duplication (e.g. second credentials file for Apache) - that doesn't look good. In this case I'd suggest to try out mod_jk rather than mod_proxy. You'll use the JkMount directive, rather than ProxyPass and need a workers.properties, but mod_jk is a lot better in keeping the full context of the request when forwarding to tomcat. I've had good experience with it so far and have only heard little complaints about it - largely in situations that were pretty huge and complex/complicated anyway. At least you should try if it solves your problems.

Apache Reverse Proxy ReWrite

I have an Apache instance set up to reverse proxy an internal application. I have this working using mod_proxy, but the end result is a lack of images and other content due to hard-coded paths in the application itself. I think I have two options.
Mod_Rewrite
Mod_HTML
The basic problem is this.
External site: http://external.customer.com (Port 80)
Internal site: http://internal.supplier.com:8080/testcustomer
I need to get apache to proxy the connection, but it must use the full URL when talking to the internal server internal.supplier.com:8080/testcustomer and paths must be rewritten so that images etc will render on the end client.
Can anyone give me some guidance here? help would be much appreciated.
Thanks
That may be because you have used absolute paths like src=/app/favicon.jpg and src=/app/icons/smiley.jpg instead of relative paths like src="favicon.jpg".
This problem can be solved by adding module mod_proxy_html which helps in parsing html.
Then LoadModule proxy_html in your httpd.conf and then add following directives :-
ProxyHTMLEnable On
OR
SetOutputFilter proxy-html
mod_proxy_html has libxml2 and libxml2-devel as prerequisites. You can install them through yum.
If you could share your configuration file then maybe we can help more.

apache reverse proxy: how to forward proxy server's HTTP_HOST

Our local development setup requires a box in the DMZ, and each developer has a line in its apache config for proxying. Looks something like:
ProxyPreserveHost on
ProxyPass /user1/ {user1's IP}
ProxyPassReverse /user1/ {user1's IP}
ProxyPass /user2/ {user2's IP}
ProxyPassReverse /user2/ {user2's IP}
#etc
Our public URLs become {DMZ server}/user1, {DMZ server}/user2, etc. The problem is that on the dev's boxes, the value of $_SERVER['HTTP_HOST'] is just {DMZ server}, without the user's subdirectory. The desired behavior is to have /user%/ as the real host name.
I've tried overriding the HOST var, and some rewrite rules, but nothing has worked.
Creating subdomains is not an option.
thank you for any help!
http://httpd.apache.org/docs/2.0/mod/mod_proxy.html#proxypreservehost seems to be the answer.
I'm going to take a stab and suggest this:
SetEnvIf Host (.*) custom_host=$1
RequestHeader set X-Custom-Host-Header "%{custom_host}e/%{REQUEST_URI}e/%{QUERY_STRING}e"
That should hopefully set a request header called X-Custom-Host-Header that you can then pick up in PHP. If you want, you can try to override the Host header, but I'm not sure of the implications of that. The Host header is a special HTTP header and generally only contains the host portion of an HTTP request, not the full request URL.
Untested unfortunately, but it would help if you could clarify in a bit more detail what you are looking for.
EDIT, THIRD ANSWER:
Looks like Apache has heard this complaint before and the solution is mod_substitute. You need to use it to rewrite all the URLs returned in the document to insert /user1/.
EDIT, SECOND ANSWER:
Based on the additional information in your comments, I'd say your Apache config on your DMZ server is correct. What you are asking for is to have the developer machines generate URLs that include their context path (which is the J2EE term for something analogous to your /user1/ bit). I don't have any experience with PHP so I don't know if it has such a facility, but a quick search suggests it does not.
Otherwise, you'd have to roll your own function that converts a relative URL to an absolute URL, make that configurable so you can have it add something to the host name, and then force everyone to use that function exclusively for generating URLs. See, for some guidance, "Making your application location independent" in this old (outdated?) PHP best practices article for a solution to the related problem of finding local files.
PREVIOUS ANSWER: (doesn't work, causes redirect loop)
I'm still not clear what you are trying to do or what you mean by "Running on the dev apps are apache and PHP mainly, for hosting various applications", but as an educated guess, have you tried:
ProxyPass /user1/ {user1's IP}/user1/
ProxyPassReverse /user1/ {user1's IP}/user1/
If I were setting up the sort of environment you seem to be wanting to have, I'd want $_SERVER['HTTP_HOST'] to be {DMZ server} on every dev machine so that the dev machine's environment looks just like (or at least more like) production to the code running on it.