[[security-server]]
Securing access to the Neo4j Server
===================================

== Secure the port and remote client connection accepts ==

By default, the Neo4j Server is bundled with a Web server that binds to host +localhost+ on port +7474+, answering only requests from the local machine.

This is configured in the +conf/neo4j-server.properties+ file:

[source]
----
# http port (for all data, administrative, and UI access)
org.neo4j.server.webserver.port=7474

#let the webserver only listen on the specified IP. Default
#is localhost (only accept local connections). Uncomment to allow
#any connection.
#org.neo4j.server.webserver.address=0.0.0.0
---- 

If you need to enable access from external hosts, configure the Web server in the +conf/neo4j-server.properties+ by setting the property +org.neo4j.server.webserver.address=0.0.0.0+ to enable access from any host.

== Arbitrary code execution ==

By default, the Neo4j Server comes with some places where arbitrary code code execution can happen. These are the <<gremlin-plugin>> and the <<rest-api-traverse>> REST endpoints.
To secure these, either disable them completely by removing the offending plugins from the server classpath, or secure access to these URLs through proxies or Authorization Rules.
Also, the http://docs.oracle.com/javase/1.4.2/docs/api/java/lang/SecurityManager.html[Java Security Manager] can be used to secure parts of the codebase.

== HTTPS support ==

The Neo4j server includes built in support for SSL encrypted communication over HTTPS. 
The first time the server starts, it automatically generates a self-signed ssl certificate and a private key.
Because the certificate is self signed, it is not safe to rely on for production use, instead, you should provide your own key and certificate for the server to use.

To provide your own key and certificate, replace the generated key and certificate, or change the neo4j-server.properties file to set the location of your certififacate and key:

[source]
----
# Certificate location (auto generated if the file does not exist)
org.neo4j.server.webserver.https.cert.location=ssl/snakeoil.cert

# Private key location (auto generated if the file does not exist)
org.neo4j.server.webserver.https.key.location=ssl/snakeoil.key
----

Note that the key should be unencrypted. 
Make sure you set correct permissions to the private key, so that only the neo4j server user can read/write it.

You can set what port the https connector should bind to in the same configuration file, as well as turn https off:

[source]
----
# Turn https-support on/off
org.neo4j.server.webserver.https.enabled=true

# https port (for all data, administrative, and UI access)
org.neo4j.server.webserver.https.port=443
----

== Server Authorization Rules ==

Administrators may require more fine-grained security policies in addition to IP-level restrictions on the Web server.  Neo4j server supports 
administrators in allowing or disallowing access the specific aspects of the database based on credentials that users or applications provide.

To facilitate domain-specific authorization policies in Neo4j Server, SecurityRules can be implemented and
registered with the server. This makes scenarios like user and role based security and
authentication against external lookup services possible.

include::enforcing-server-authorization-rules.asciidoc[]
include::using-wildcards-to-target-security-rules.asciidoc[]

== Hosted Scripting ==

[IMPORTANT]
The neo4j server exposes remote scripting functionality by default that allow full access to the underlying system. 
Exposing your server without implementing a security layer poses a substantial security vulnerability.

== Security in Depth ==

Although the Neo4j server has a number of security features built-in (see the above chapters), for sensitive deployments it is often sensible to front against the outside world it with a proxy like Apache `mod_proxy` footnote:[http://httpd.apache.org/docs/2.2/mod/mod_proxy.html].

This provides a number of advantages:

* Control access to the Neo4j server to specific IP addresses, URL patterns and IP ranges. This can be used to make for instance only the +/db/data+ namespace accessible to non-local clients, while the +/db/admin+ URLs only respond to a specific IP address.
+
[source]
---------------
<Proxy *>
  Order Deny,Allow
  Deny from all
  Allow from 192.168.0
</Proxy>
---------------

While equivalent functionality can be implemented with Neo4j's +SecurityRule+ plugins (see above), for operations professionals configuring servers like Apache is often preferable to developing plugins. However it should be noted that where both approaches are used, they will work harmoniously providing the behavior is consistent across proxy server and +SecurityRule+ plugins.

* Run Neo4j Server as a non-root user on a Linux/Unix system on a port < 1000 (e.g. port 80) using 
+
[source]
---------------
ProxyPass /neo4jdb/data http://localhost:7474/db/data
ProxyPassReverse /neo4jdb/data http://localhost:7474/db/data
---------------

* Simple load balancing in a clustered environment to load-balance read load using the Apache `mod_proxy_balancer` footnote:[http://httpd.apache.org/docs/2.2/mod/mod_proxy_balancer.html] plugin
+
[source]
--------------
<Proxy balancer://mycluster>
BalancerMember http://192.168.1.50:80
BalancerMember http://192.168.1.51:80
</Proxy>
ProxyPass /test balancer://mycluster
--------------
