neo4j.conf

1. #*****************************************************************
2. # Neo4j configuration
3. #
4. # For more details and a complete list of settings, please see
5. # https://neo4j.com/docs/operations-manual/current/reference/configuration-settings/
6. #*****************************************************************
7.  
8. # The name of the database to mount
9. #dbms.active_database=graph.db
10.  
11. # Paths of directories in the installation.
12. dbms.directories.data=/var/lib/neo4j/data
13. dbms.directories.plugins=/var/lib/neo4j/plugins
14. dbms.directories.certificates=/var/lib/neo4j/certificates
15. dbms.directories.logs=/var/log/neo4j
16. dbms.directories.lib=/usr/share/neo4j/lib
17. dbms.directories.run=/var/run/neo4j
18.  
19. # This setting constrains all `LOAD CSV` import files to be under the `import` directory. Remove or comment it out to
20. # allow files to be loaded from anywhere in the filesystem; this introduces possible security problems. See the
21. # `LOAD CSV` section of the manual for details.
22. dbms.directories.import=/var/lib/neo4j/import
23.  
24. # Whether requests to Neo4j are authenticated.
25. # To disable authentication, uncomment this line
26. #dbms.security.auth_enabled=false
27.  
28. # Enable this to be able to upgrade a store from an older version.
29. #dbms.allow_upgrade=true
30.  
31. # Java Heap Size: by default the Java heap size is dynamically
32. # calculated based on available system resources.
33. # Uncomment these lines to set specific initial and maximum
34. # heap size.
35. #dbms.memory.heap.initial_size=512m
36. #dbms.memory.heap.max_size=512m
37.  
38. # The amount of memory to use for mapping the store files, in bytes (or
39. # kilobytes with the 'k' suffix, megabytes with 'm' and gigabytes with 'g').
40. # If Neo4j is running on a dedicated server, then it is generally recommended
41. # to leave about 2-4 gigabytes for the operating system, give the JVM enough
42. # heap to hold all your transaction state and query context, and then leave the
43. # rest for the page cache.
44. # The default page cache memory assumes the machine is dedicated to running
45. # Neo4j, and is heuristically set to 50% of RAM minus the max Java heap size.
46. #dbms.memory.pagecache.size=10g
47.  
48. #*****************************************************************
49. # Network connector configuration
50. #*****************************************************************
51.  
52. # With default configuration Neo4j only accepts local connections.
53. # To accept non-local connections, uncomment this line:
54. #dbms.connectors.default_listen_address=0.0.0.0
55.  
56. # You can also choose a specific network interface, and configure a non-default
57. # port for each connector, by setting their individual listen_address.
58.  
59. # The address at which this server can be reached by its clients. This may be the server's IP address or DNS name, or
60. # it may be the address of a reverse proxy which sits in front of the server. This setting may be overridden for
61. # individual connectors below.
62. #dbms.connectors.default_advertised_address=localhost
63.  
64. # You can also choose a specific advertised hostname or IP address, and
65. # configure an advertised port for each connector, by setting their
66. # individual advertised_address.
67.  
68. # Bolt connector
69. dbms.connector.bolt.enabled=true
70. #dbms.connector.bolt.tls_level=OPTIONAL
71. #dbms.connector.bolt.listen_address=:7687
72.  
73. # HTTP Connector. There can be zero or one HTTP connectors.
74. dbms.connector.http.enabled=true
75. #dbms.connector.http.listen_address=:7474
76.  
77. # HTTPS Connector. There can be zero or one HTTPS connectors.
78. dbms.connector.https.enabled=true
79. #dbms.connector.https.listen_address=:7473
80.  
81. # Number of Neo4j worker threads.
82. #dbms.threads.worker_count=
83.  
84. #*****************************************************************
85. # SSL system configuration
86. #*****************************************************************
87.  
88. # Names of the SSL policies to be used for the respective components.
89.  
90. # The legacy policy is a special policy which is not defined in
91. # the policy configuration section, but rather derives from
92. # dbms.directories.certificates and associated files
93. # (by default: neo4j.key and neo4j.cert). Its use will be deprecated.
94.  
95. # The policies to be used for connectors.
96. #
97. # N.B: Note that a connector must be configured to support/require
98. # SSL/TLS for the policy to actually be utilized.
99. #
100. # see: dbms.connector.*.tls_level
101.  
102. #bolt.ssl_policy=legacy
103. #https.ssl_policy=legacy
104.  
105. #*****************************************************************
106. # SSL policy configuration
107. #*****************************************************************
108.  
109. # Each policy is configured under a separate namespace, e.g.
110. # dbms.ssl.policy.<policyname>.*
111. #
112. # The example settings below are for a new policy named 'default'.
113.  
114. # The base directory for cryptographic objects. Each policy will by
115. # default look for its associated objects (keys, certificates, ...)
116. # under the base directory.
117. #
118. # Every such setting can be overridden using a full path to
119. # the respective object, but every policy will by default look
120. # for cryptographic objects in its base location.
121. #
122. # Mandatory setting
123.  
124. #dbms.ssl.policy.default.base_directory=certificates/default
125.  
126. # Allows the generation of a fresh private key and a self-signed
127. # certificate if none are found in the expected locations. It is
128. # recommended to turn this off again after keys have been generated.
129. #
130. # Keys should in general be generated and distributed offline
131. # by a trusted certificate authority (CA) and not by utilizing
132. # this mode.
133.  
134. #dbms.ssl.policy.default.allow_key_generation=false
135.  
136. # Enabling this makes it so that this policy ignores the contents
137. # of the trusted_dir and simply resorts to trusting everything.
138. #
139. # Use of this mode is discouraged. It would offer encryption but no security.
140.  
141. #dbms.ssl.policy.default.trust_all=false
142.  
143. # The private key for the default SSL policy. By default a file
144. # named private.key is expected under the base directory of the policy.
145. # It is mandatory that a key can be found or generated.
146.  
147. #dbms.ssl.policy.default.private_key=
148.  
149. # The private key for the default SSL policy. By default a file
150. # named public.crt is expected under the base directory of the policy.
151. # It is mandatory that a certificate can be found or generated.
152.  
153. #dbms.ssl.policy.default.public_certificate=
154.  
155. # The certificates of trusted parties. By default a directory named
156. # 'trusted' is expected under the base directory of the policy. It is
157. # mandatory to create the directory so that it exists, because it cannot
158. # be auto-created (for security purposes).
159. #
160. # To enforce client authentication client_auth must be set to 'require'!
161.  
162. #dbms.ssl.policy.default.trusted_dir=
163.  
164. # Client authentication setting. Values: none, optional, require
165. # The default is to require client authentication.
166. #
167. # Servers are always authenticated unless explicitly overridden
168. # using the trust_all setting. In a mutual authentication setup this
169. # should be kept at the default of require and trusted certificates
170. # must be installed in the trusted_dir.
171.  
172. #dbms.ssl.policy.default.client_auth=require
173.  
174. # It is possible to verify the hostname that the client uses
175. # to connect to the remote server. In order for this to work, the server public
176. # certificate must have a valid CN and/or matching Subject Alternative Names.
177.  
178. # Note that this is irrelevant on host side connections (sockets receiving
179. # connections).
180.  
181. # To enable hostname verification client side on nodes, set this to true.
182.  
183. #dbms.ssl.policy.default.verify_hostname=false
184.  
185. # A comma-separated list of allowed TLS versions.
186. # By default only TLSv1.2 is allowed.
187.  
188. #dbms.ssl.policy.default.tls_versions=
189.  
190. # A comma-separated list of allowed ciphers.
191. # The default ciphers are the defaults of the JVM platform.
192.  
193. #dbms.ssl.policy.default.ciphers=
194.  
195. #*****************************************************************
196. # Logging configuration
197. #*****************************************************************
198.  
199. # To enable HTTP logging, uncomment this line
200. #dbms.logs.http.enabled=true
201.  
202. # Number of HTTP logs to keep.
203. #dbms.logs.http.rotation.keep_number=5
204.  
205. # Size of each HTTP log that is kept.
206. #dbms.logs.http.rotation.size=20m
207.  
208. # To enable GC Logging, uncomment this line
209. #dbms.logs.gc.enabled=true
210.  
211. # GC Logging Options
212. # see http://docs.oracle.com/cd/E19957-01/819-0084-10/pt_tuningjava.html#wp57013 for more information.
213. #dbms.logs.gc.options=-XX:+PrintGCDetails -XX:+PrintGCDateStamps -XX:+PrintGCApplicationStoppedTime -XX:+PrintPromotionFailure -XX:+PrintTenuringDistribution
214.  
215. # For Java 9 and newer GC Logging Options
216. # see https://docs.oracle.com/javase/10/tools/java.htm#JSWOR-GUID-BE93ABDC-999C-4CB5-A88B-1994AAAC74D5
217. #dbms.logs.gc.options=-Xlog:gc*,safepoint,age*=trace
218.  
219. # Number of GC logs to keep.
220. #dbms.logs.gc.rotation.keep_number=5
221.  
222. # Size of each GC log that is kept.
223. #dbms.logs.gc.rotation.size=20m
224.  
225. # Log level for the debug log. One of DEBUG, INFO, WARN and ERROR. Be aware that logging at DEBUG level can be very verbose.
226. #dbms.logs.debug.level=INFO
227.  
228. # Size threshold for rotation of the debug log. If set to zero then no rotation will occur. Accepts a binary suffix "k",
229. # "m" or "g".
230. #dbms.logs.debug.rotation.size=20m
231.  
232. # Maximum number of history files for the internal log.
233. #dbms.logs.debug.rotation.keep_number=7
234.  
235. #*****************************************************************
236. # Miscellaneous configuration
237. #*****************************************************************
238.  
239. # Enable this to specify a parser other than the default one.
240. #cypher.default_language_version=2.3
241.  
242. # Determines if Cypher will allow using file URLs when loading data using
243. # `LOAD CSV`. Setting this value to `false` will cause Neo4j to fail `LOAD CSV`
244. # clauses that load data from the file system.
245. #dbms.security.allow_csv_import_from_file_urls=true
246.  
247.  
248. # Value of the Access-Control-Allow-Origin header sent over any HTTP or HTTPS
249. # connector. This defaults to '*', which allows broadest compatibility. Note
250. # that any URI provided here limits HTTP/HTTPS access to that URI only.
251. #dbms.security.http_access_control_allow_origin=*
252.  
253. # Value of the HTTP Strict-Transport-Security (HSTS) response header. This header
254. # tells browsers that a webpage should only be accessed using HTTPS instead of HTTP.
255. # It is attached to every HTTPS response. Setting is not set by default so
256. # 'Strict-Transport-Security' header is not sent. Value is expected to contain
257. # directives like 'max-age', 'includeSubDomains' and 'preload'.
258. #dbms.security.http_strict_transport_security=
259.  
260. # Retention policy for transaction logs needed to perform recovery and backups.
261. dbms.tx_log.rotation.retention_policy=1 days
262.  
263. # Only allow read operations from this Neo4j instance. This mode still requires
264. # write access to the directory for lock purposes.
265. #dbms.read_only=false
266.  
267. # Comma separated list of JAX-RS packages containing JAX-RS resources, one
268. # package name for each mountpoint. The listed package names will be loaded
269. # under the mountpoints specified. Uncomment this line to mount the
270. # org.neo4j.examples.server.unmanaged.HelloWorldResource.java from
271. # neo4j-server-examples under /examples/unmanaged, resulting in a final URL of
272. # http://localhost:7474/examples/unmanaged/helloworld/{nodeId}
273. #dbms.unmanaged_extension_classes=org.neo4j.examples.server.unmanaged=/examples/unmanaged
274.  
275. # A comma separated list of procedures and user defined functions that are allowed
276. # full access to the database through unsupported/insecure internal APIs.
277. #dbms.security.procedures.unrestricted=my.extensions.example,my.procedures.*
278.  
279. # A comma separated list of procedures to be loaded by default.
280. # Leaving this unconfigured will load all procedures found.
281. #dbms.security.procedures.whitelist=apoc.coll.*,apoc.load.*
282.  
283. #********************************************************************
284. # JVM Parameters
285. #********************************************************************
286.  
287. # G1GC generally strikes a good balance between throughput and tail
288. # latency, without too much tuning.
289. dbms.jvm.additional=-XX:+UseG1GC
290.  
291. # Have common exceptions keep producing stack traces, so they can be
292. # debugged regardless of how often logs are rotated.
293. dbms.jvm.additional=-XX:-OmitStackTraceInFastThrow
294.  
295. # Make sure that `initmemory` is not only allocated, but committed to
296. # the process, before starting the database. This reduces memory
297. # fragmentation, increasing the effectiveness of transparent huge
298. # pages. It also reduces the possibility of seeing performance drop
299. # due to heap-growing GC events, where a decrease in available page
300. # cache leads to an increase in mean IO response time.
301. # Try reducing the heap memory, if this flag degrades performance.
302. dbms.jvm.additional=-XX:+AlwaysPreTouch
303.  
304. # Trust that non-static final fields are really final.
305. # This allows more optimizations and improves overall performance.
306. # NOTE: Disable this if you use embedded mode, or have extensions or dependencies that may use reflection or
307. # serialization to change the value of final fields!
308. dbms.jvm.additional=-XX:+UnlockExperimentalVMOptions
309. dbms.jvm.additional=-XX:+TrustFinalNonStaticFields
310.  
311. # Disable explicit garbage collection, which is occasionally invoked by the JDK itself.
312. dbms.jvm.additional=-XX:+DisableExplicitGC
313.  
314. # Remote JMX monitoring, uncomment and adjust the following lines as needed. Absolute paths to jmx.access and
315. # jmx.password files are required.
316. # Also make sure to update the jmx.access and jmx.password files with appropriate permission roles and passwords,
317. # the shipped configuration contains only a read only role called 'monitor' with password 'Neo4j'.
318. # For more details, see: http://download.oracle.com/javase/8/docs/technotes/guides/management/agent.html
319. # On Unix based systems the jmx.password file needs to be owned by the user that will run the server,
320. # and have permissions set to 0600.
321. # For details on setting these file permissions on Windows see:
322. # http://docs.oracle.com/javase/8/docs/technotes/guides/management/security-windows.html
323. #dbms.jvm.additional=-Dcom.sun.management.jmxremote.port=3637
324. #dbms.jvm.additional=-Dcom.sun.management.jmxremote.authenticate=true
325. #dbms.jvm.additional=-Dcom.sun.management.jmxremote.ssl=false
326. #dbms.jvm.additional=-Dcom.sun.management.jmxremote.password.file=/absolute/path/to/conf/jmx.password
327. #dbms.jvm.additional=-Dcom.sun.management.jmxremote.access.file=/absolute/path/to/conf/jmx.access
328.  
329. # Some systems cannot discover host name automatically, and need this line configured:
330. #dbms.jvm.additional=-Djava.rmi.server.hostname=$THE_NEO4J_SERVER_HOSTNAME
331.  
332. # Expand Diffie Hellman (DH) key size from default 1024 to 2048 for DH-RSA cipher suites used in server TLS handshakes.
333. # This is to protect the server from any potential passive eavesdropping.
334. dbms.jvm.additional=-Djdk.tls.ephemeralDHKeySize=2048
335.  
336. # This mitigates a DDoS vector.
337. dbms.jvm.additional=-Djdk.tls.rejectClientInitiatedRenegotiation=true
338.  
339. # This filter prevents deserialization of arbitrary objects via java object serialization, addressing potential vulnerabilities.
340. # By default this filter whitelists all neo4j classes, as well as classes from the hazelcast library and the java standard library.
341. # These defaults should only be modified by expert users!
342. # For more details (including filter syntax) see: https://openjdk.java.net/jeps/290
343. #dbms.jvm.additional=-Djdk.serialFilter=java.**;org.neo4j.**;com.neo4j.**;com.hazelcast.**;net.sf.ehcache.Element;com.sun.proxy.*;org.openjdk.jmh.**;!*
344.  
345. #********************************************************************
346. # Wrapper Windows NT/2000/XP Service Properties
347. #********************************************************************
348. # WARNING - Do not modify any of these properties when an application
349. # using this configuration file has been installed as a service.
350. # Please uninstall the service before modifying this section. The
351. # service can then be reinstalled.
352.  
353. # Name of the service
354. dbms.windows_service_name=neo4j
355.  
356. #********************************************************************
357. # Other Neo4j system properties
358. #********************************************************************
359. dbms.jvm.additional=-Dunsupported.dbms.udc.source=debian