8.2. セキュリティ

8.2.1. セキュリティに配慮した Neo4j Server へのアクセス

Neo4j in itself does not enforce security on the data level. However, there are different aspects that should be considered when using Neo4j in different scenarios.

8.2.1. セキュリティに配慮した Neo4j Server へのアクセス

The Neo4j server currently does not enforce security on the REST access layer. This should be taken care of by external means. We strongly recommend to front a running Neo4j Server with a proxy like Apache mod_proxy [4]. This provides a number of advatages:

  • Control access to the Neo4j server to specific IP addresses, URL patterns and IP ranges. This can be used to make for instance only the /db/data namespace accessible to non-local clients, while the /db/admin URLs only respond to a specific IP address.

    <Proxy *>
      Order Deny,Allow
      Deny from all
      Allow from 192.168.0
    </Proxy>
  • Run Neo4j Server as a non-root user on a Linux/Unix system on a port < 1000 (e.g. port 80) using

    ProxyPass /neo4jdb/data http://localhost:7474/db/data
    ProxyPassReverse /neo4jdb/data http://localhost:7474/db/data
  • Simple load balancing in a clustered environment to load-balance read load using the Apache mod_proxy_balancer [5] plugin

    <Proxy balancer://mycluster>
    BalancerMember http://192.168.1.50:80
    BalancerMember http://192.168.1.51:80
    </Proxy>
    ProxyPass /test balancer://mycluster