This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help

Head's Up! These forums are read-only. All users and content have migrated. Please join us at community.neo4j.com.

Root discovery disclosing the internal IP and port of neo4j

ammylovetodie
Node

on ‎09-15-2021 10:51 PM

Hi All,

We have installed the neo4j community version 4.2.3.

Currently, We are facing security issue where when we are send a GET request on / context. we are getting the internal connection detail.

[root@localhost package]# curl -XGET https://localhost:31474/
{
"bolt_routing" : "neo4j://localhost:7687",
"transaction" : "https://localhost:31474/db/{databaseName}/tx",
"bolt_direct" : "bolt://localhost:7687",
"neo4j_version" : "4.2.3",
"neo4j_edition" : "community"
}[root@localhost package]#

is there any way to solve this issue we tried the dbms.security.auth_enabled=true it is working for all the context (e.g. /db etc) but not working for / context.
After enabling the properties still without passing usrename and password we are able to get the response on / context

Thanks
Amritpal Singh

0 Kudos
Comments
andrew_bowman
Neo4j
Neo4j
‎09-27-2021 01:41 PM

Bolt connection info (IP and port) is not something we would consider sensitive. Connection via bolt does require authentication. If you don't want to handle bolt traffic, you can turn off your bolt connector.

Additionally, you can configure what http paths are allowed vs which require authentication:

ammylovetodie
Node
‎09-29-2021 06:05 AM

Thankyou so much Andrew. its helped me a lots.

Regards
Amritpal Singh

Version history
Last update:
‎09-15-2021 10:51 PM
Updated by:
Contributors