Configure SSL and HTTPS in Nginx and Neo4j

The core tasks to carry out to implement HTTPS and SSL security layers are:

• Configure SSL certificates in Nginx

• Enable client certificate verification

• Configure HTTPS and authentication in Neo4j

Configure SSL certificates in Nginx

Configure TLS certificates in Nginx to enable secure data exchange through the web server.

About TLS certificates

EclecticIQ Intelligence Center configures Nginx to read the TLS private key and certificate files from the /etc/eclecticiq-nginx/ssl directory.

The TLS private key file for EclecticIQ Intelligence Center is eclecticiq-default.privkey.pem, whereas the certificate file is eclecticiq-default.fullchain.pem.

If these files do not exist when EclecticIQ Intelligence Center is installed, the installation procedure generates a localhost self-signed certificate as a temporary workaround.

Warning

Do not use self-signed TSL or SSL certificates in a production environment.

They are meant for development and testing.

They are unsuitable for deployment in a live system.

Set private key and certificate in Nginx

To set your valid TLS private key and certificate files in Nginx:

• Overwrite the eclecticiq-default.privkey.pem and the eclecticiq-default.fullchain.pem files, or the self-signed certificate generated during the installation.

  For example:

  cp /path/to/my/key.pem /etc/eclecticiq-nginx/ssl/eclecticiq-default.privkey.pem
  cp /path/to/my/cert.pem /etc/eclecticiq-nginx/ssl/eclecticiq-default.fullchain.pem
  

Alternatively:

If there is a script that takes care of updating certificates located in a different path:

• Create symbolic links (symlinks) to the location where Nginx looks for these credentials:

  ln -sf /path/to/my/key.pem /etc/eclecticiq-nginx/ssl/eclecticiq-default.privkey.pem
  ln -sf /path/to/my/cert.pem /etc/eclecticiq-nginx/ssl/eclecticiq-default.fullchain.pem
  

Note

Every time the private key or the certificate files change, reload the Nginx service to make the changes effective:

systemctl reload nginx

Enable client certificate verification

Nginx supports client certificate verification through the following directives:

• ssl_client_certificate

• ssl_verify_client

To enable TLS client certificate verification:

1. Create the following file:

   vi /etc/eclecticiq-nginx/locations.conf.d/enable-client-cert-verification.conf
   

2. Add the following lines to the newly created file:

   ssl_client_certificate /etc/nginx/certs/ca.crt;
   ssl_verify_client on;
   

   The ca.crt file is the public key part of the certificate used to sign the client certificates.

   You can obtain this file from a certification authority (CA).

Enable HTTP Strict Transport Security (HSTS)

Enforce HTTP Strict Transport Security (HSTS) in Nginx to allow only secure connections through HTTPS and TLS/SSL.

About HSTS

HTTP Strict Transport Security (HSTS) provides an additional security layer by allowing communication only through HTTPS connections.

You can implement it by adding the Strict-Transport-Security HTTP response header to the web server configuration.

Set Strict-Transport-Security in Nginx

To add the the Strict-Transport-Security HTTP response header to the Nginx configuration:

1. Open /etc/eclecticiq-nginx/sites.conf.d/eclecticiq-default.conf:

   vi /etc/eclecticiq-nginx/sites.conf.d/eclecticiq-default.conf
   

2. Add the following line to the configuration file:

   # max-age=15768000: 6 months
   # max-age=31536000: 1 year
   # max-age=63072000: 2 years
   add_header Strict-Transport-Security "max-age=15768000; includeSubdomains;";
   

3. Save the file and exit.

Enable the service

If necessary, enable, start, and then check the Nginx service:

• Enable the Nginx service to automatically start at system boot:

  systemctl enable nginx
  

• Start the Nginx service:

  systemctl start nginx
  

• Verify that Nginx is up and running by checking the service status:

  systemctl status nginx
  

Configure HTTPS and authentication in Neo4j

If Neo4j is hosted on a server that has network access, it is a good idea to enable secure access and user access control through HTTPS/SSL and an authentication mechanism.

Enable secure access

To enable access to Neo4j through a secure connection:

1. Set the transport protocol to HTTPS.

2. Set a secure port.

3. Provide a valid SSL key and certificate pair.

   On first-time start, Neo4j automatically generates a self-signed SSL certificate and a private key.

   For production environments, replace these files with your own SSL key and certificate.

By default, the neo4j.conf port for HTTPS access is 7473: set it to a different port.

The Neo4j official documentation provides comprehensive instructions and reference on enabling SSL and HTTPS, as well as setting certificates and keys.

These tasks require editing the /etc/eclecticiq-neo4j/neo4j.conf and the /etc/eclecticiq/platform_settings.py configuration files.

• neo4j.conf: define a policy with SSL certificate and key.

• platform_settings.py: add or edit the following parameters, so that EclecticIQ Intelligence Center is aware that communication with Neo4j flows through HTTP and SSL.

  # Replace all sample values with appropriate ones for your environment
  
  # Specify HTTPS and secure port for Neo4j
  NEO4J_URL = "http://127.0.0.1:7473"
  
  # Specify SSL cert for Neo4j
  NEO4J_SSL_VERIFY = "/etc/neo4j/ssl/snakeoil.cert"
  

The port number you assign to NEO4J_URL must be the same as the port number you set in the dbms.connector.https connector in the neo4j.conf configuration file.

The value you assign to NEO4J_SSL_VERIFY must point to the SSL certificate file whose path you set in the dbms.ssl.policy parameter group, where:

• dbms.ssl.policy.${policy-name}.base_directory=etc/neo4j/ssl

• dbms.ssl.policy.${policy-name}.public_certificate=snakeoil.cert

Enable authentication

To enable authentication for Neo4j:

1. Enable authentication in Neo4j.

2. Set the correct Neo4j login user name and password in the Intelligence Center settings file.

These tasks require editing the /etc/eclecticiq-neo4j/neo4j.conf and the /etc/eclecticiq/platform_settings.py configuration files:

1. neo4j.conf: enable authentication and authorization.

   Optionally, you can set an initial password.

2. platform_settings.py: add or edit the following parameters, so that EclecticIQ Intelligence Center can log in to Neo4j with the credentials specified in neo4j.conf:

   # Default Neo4j user name to log in to Neo4j
   NEO4J_USER = "neo4j"
   
   # Default Neo4j password to log in to Neo4j
   NEO4J_PASSWORD = "neo4j"
   

3. Change any default values for user name and password as appropriate.

   Note

   If you do not need to enable authentication, remove the NEO4J_USER parameter, or set it to NEO4J_USER = "".

For more information about Neo4j setup and configuration, see:

• Neo4j default file locations

• Neo4j ports

• Neo4j configuration settings

• Neo4j status codes

• Security checklist

Disable remote shell

• For security reasons, disable the Neo4j remote shell by adding the following line to the /etc/eclecticiq-neo4j/neo4j.conf configuration file:

  # Disable Neo4j remote shell
  dbms.shell.enabled=false
  

Enable the service

1. Enable the Neo4j service to automatically start at system boot:

   systemctl enable neo4j
   

2. Start Neo4j:

   systemctl start neo4j
   

3. Check if Neo4j is running:

   systemctl status neo4j