3.7. Configure Neo4j connectors

This section describes how to configure connectors for Neo4j.

Neo4j supports clients using either the Bolt binary protocol or HTTP/HTTPS. There are three different Neo4j connectors that are configured by default:

Table 3.3. Default connectors and their ports
Connector name        Protocol  Default port number
dbms.connector.bolt   Bolt      7687
dbms.connector.http   HTTP      7474
dbms.connector.https  HTTPS     7473

When configuring the HTTPS connector, see also Section 8.2, “SSL framework” for details on how to work with SSL certificates.

3.7.1. Additional options for Neo4j connectors

Some additional options are available for the connectors. They are summarized in the table below and subsequently explained in more detail.

Table 3.4. Configuration options for connectors
Option name         Default                             Description
enabled             true                                Allows the client connector to be enabled or disabled.
listen_address      127.0.0.1:<connector-default-port>  The address for incoming connections.
advertised_address  localhost:<connector-default-port>  The address that clients should use for this connector.
tls_level           OPTIONAL                            Allows the connector to accept encrypted and/or unencrypted connections.

enabled

The enabled setting allows the client connector to be enabled or disabled. When disabled, Neo4j does not listen for incoming connections on the relevant port. For example, set the following to disable the HTTPS connector:

dbms.connector.https.enabled=false

It is not possible to disable the HTTP connector.

To prevent clients from connecting to HTTP, you should block the HTTP port with the firewall, or configure listen_address for the http connector to only listen on the loopback interface (127.0.0.1), thereby preventing connections from remote clients.

listen_address

The listen_address setting specifies how Neo4j listens for incoming connections. It consists of two parts: an IP address (e.g. 127.0.0.1 or 0.0.0.0) and a port number (e.g. 7687), and is expressed in the format <ip-address>:<port-number>.

Example 3.2. Specify listen_address for the Bolt connector

To listen for Bolt connections on all network interfaces (0.0.0.0) and on port 7000, set the listen_address for the Bolt connector:

dbms.connector.bolt.listen_address=0.0.0.0:7000

advertised_address

The advertised_address setting specifies the address that clients should use for this connector. This is useful in a Causal Cluster as it allows each server to correctly advertise addresses of the other servers in the cluster. The advertised address consists of two parts: an address (fully qualified domain name, hostname, or IP address) and a port number (e.g. 7687), and is expressed in the format <address>:<port-number>.

If routing traffic via a proxy, or if port mappings are in use, it is possible to specify advertised_address for each connector individually. For example, if port 7687 on the Neo4j Server is mapped from port 9000 on the external network, specify the advertised_address for the Bolt connector:

dbms.connector.bolt.advertised_address=<server-name>:9000

tls_level

The tls_level setting is only available for the Bolt connector. It defines whether the Bolt connector accepts encrypted and/or unencrypted client connections. The values that the tls_level setting accepts are described in the table below:

Table 3.5. Available values to tls_level
Name      Description
REQUIRED  Only encrypted client connections will be accepted by this connector. All unencrypted connections will be rejected.
OPTIONAL  Either encrypted or unencrypted client connections are accepted by this connector.
DISABLED  Only unencrypted client connections are accepted by this connector. All encrypted connections will be rejected.

3.7.2. Additional options for Bolt connectors

See Section 10.4, “Bolt thread pool configuration” to learn more about Bolt thread pooling and how to configure it on the connector level.

3.7.3. Defaults for addresses

The two configuration settings, dbms.connectors.default_listen_address and dbms.connectors.default_advertised_address, can be used to specify the IP address and address parts of listen_address and advertised_address, respectively. Setting a default value will apply to all the connectors, unless specifically configured for a certain connector.

Table 3.6. Defaults for addresses
Option name                                 Default    Description
dbms.connectors.default_listen_address      127.0.0.1  The default IP address for listen_address for all connectors.
dbms.connectors.default_advertised_address  localhost  The default address for advertised_address for all connectors.

default_listen_address

The listen address consists of two parts: an IP address (e.g. 127.0.0.1 or 0.0.0.0) and a port number (e.g. 7687). If the IP address part of the listen_address is not specified, the interface is inherited from the shared setting default_listen_address.

Example 3.3. Specify listen_address for the Bolt connector

To listen for Bolt connections on all network interfaces (0.0.0.0) and on port 7000, set the listen_address for the Bolt connector:

dbms.connector.bolt.listen_address=0.0.0.0:7000

This is equivalent to specifying the IP address by using the default_listen_address setting, and then specifying the port number for the Bolt connector.

dbms.connectors.default_listen_address=0.0.0.0

dbms.connector.bolt.listen_address=:7000

default_advertised_address

The advertised address consists of two parts: an address (fully qualified domain name, hostname, or IP address) and a port number (e.g. 7687). If the address part of the advertised_address is not specified, it is inherited from the shared setting default_advertised_address.

Example 3.4. Specify advertised_address for the Bolt connector

Specify the address that clients should use for the Bolt connector:

dbms.connector.bolt.advertised_address=server1:9000

This is equivalent to specifying the address by using the default_advertised_address setting, and then specifying the port number for the Bolt connector.

dbms.connectors.default_advertised_address=server1

dbms.connector.bolt.advertised_address=:9000
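
An added example (not part of the Neo4j documentation): a small Python audit of a neo4j.conf that resolves each connector's effective listen_address, including inheritance from dbms.connectors.default_listen_address as described in 3.7.3, and reports connectors that accept unencrypted traffic on a non-loopback address according to the enabled and tls_level rules in 3.7.1. The sample configuration, function names and finding texts are constructed for illustration, and only the <ip-address>:<port-number> forms shown on this page are handled.

```python
import ipaddress
# Default ports from Table 3.3 of this page.
DEFAULT_PORTS = {"bolt": 7687, "http": 7474, "https": 7473}
# Constructed sample configuration (not from a real deployment).
SAMPLE_CONF = """\
dbms.connectors.default_listen_address=0.0.0.0
dbms.connector.bolt.listen_address=:7000
dbms.connector.https.enabled=false
"""

def parse_conf(text):
    """Parse key=value lines, skipping blanks and # comments."""
    conf = {}
    for line in map(str.strip, text.splitlines()):
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def effective_listen(conf, name):
    """Resolve (host, port); missing parts inherit the documented defaults."""
    raw = conf.get(f"dbms.connector.{name}.listen_address", "")
    host, sep, port = raw.rpartition(":")
    if not sep:  # no colon: treat the value as an address without a port
        host, port = raw, ""
    host = host or conf.get("dbms.connectors.default_listen_address", "127.0.0.1")
    return host, int(port or DEFAULT_PORTS[name])

def is_loopback(host):
    try:
        return host == "localhost" or ipaddress.ip_address(host.strip("[]")).is_loopback
    except ValueError:
        return False  # any other hostname: assume remotely reachable

def audit(text):
    """List connectors that accept unencrypted traffic on a non-loopback address."""
    conf, findings = parse_conf(text), []
    for name in DEFAULT_PORTS:
        # enabled defaults to true; per this page the HTTP connector cannot be disabled
        enabled = conf.get(f"dbms.connector.{name}.enabled", "true").lower() == "true"
        host, port = effective_listen(conf, name)
        if (name != "http" and not enabled) or is_loopback(host):
            continue
        level = conf.get("dbms.connector.bolt.tls_level", "OPTIONAL").upper()
        if name == "http":
            findings.append((name, host, port, "plaintext HTTP exposed"))
        elif name == "bolt" and level != "REQUIRED":
            findings.append((name, host, port, f"tls_level={level} allows unencrypted Bolt"))
    return findings
```

Calling audit(SAMPLE_CONF) reports both the Bolt and HTTP connectors; adding dbms.connector.bolt.tls_level=REQUIRED and binding the HTTP connector to 127.0.0.1 clears the findings.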