You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Host header has value as resolved IP address and port insted of hostname:
LOAD CSV WITH HEADERS FROM "http://servername:9000/test.csv?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=ACCESSKEY%2F20240216%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20240216T064332Z&X-Amz-Expires=604800&X-Amz-SignedHeaders=host&X-Amz-Signature=112eaebab28be522d1ed4b7c0adb9a929337ebe9a847d705e333fae3b8b31337"`
makes following HTTP request:
GET /test.csv?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=ACCESSKEY%2F20240216%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20240216T064332Z&X-Amz-Expires=604800&X-Amz-SignedHeaders=host&X-Amz-Signature=112eaebab28be522d1ed4b7c0adb9a929337ebe9a847d705e333fae3b8b31337 HTTP/1.1
User-Agent: NeoLoadCSV_Java/17.0.10+7
Host: 10.229.14.29:9000 <---- BAD value
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive
Causes invalid response because unexpected Host header value:
<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>SignatureDoesNotMatch</Code><Message>The request signature we calculated does not match the signature you provided. Check your key and signing method.</Message><Key>test.csv</Key><BucketName>neo4j</BucketName><Resource>/test.csv</Resource><RequestId>17B444F268862189</RequestId><HostId>0cc3fecb-7862-44fa-aa60-e073c8a964ad</HostId></Error>
The text was updated successfully, but these errors were encountered:
I can see that neo4j does substitute the resolved ip when using http to avoid an extra DNS lookup and minimise the possibility of DNS spoofing, but is the error below not related to the combination of using HTTP and Amz-SignedHeaders, Amz-Signature parameters? Have you tried using HTTPS?
<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>SignatureDoesNotMatch</Code><Message>The request signature we calculated does not match the signature you provided. Check your key and signing method.</Message><Key>test.csv</Key><BucketName>neo4j</BucketName><Resource>/test.csv</Resource><RequestId>17B444F268862189</RequestId><HostId>0cc3fecb-7862-44fa-aa60-e073c8a964ad</HostId></Error>
error SignatureDoesNotMatch is the result of unexpected value of Host header (X-Amz-SignedHeaders=host in URI Search Params) because the value is different then what has been signed.
hi @tomasherout, thanks for your on-going patience. This could take some time as we are discussing internally how best to proceed in the most secure way. In the meanwhile, your options are to stick with HTTPS, or to use neo4j version <=5.15 if possible.
Neo4j when loads CSV data over HTTP does set invalid HTTP Host header (IP:port instead of hostname from URL).
Steps to reproduce
Run
LOAD CSV WITH HEADERS FROM "http://hostname/path/file.csv" AS row RETURN count(*)
Expected behavior
HTTP GET request must contain header
Host
with value hostname (instead of resolved IP addresss)., for example request by curl:Actual behavior
Host
header has value as resolved IP address and port insted of hostname:makes following HTTP request:
Causes invalid response because unexpected Host header value:
The text was updated successfully, but these errors were encountered: