Putting a single Tutor service behind a VPN (hypothetical)

Background: I’m working on a plugin to bring CourseGraph to Tutor. A “CourseGraph” is just a Neo4j instance that has been populated with a DAG representation of all the courses in an Open edX instance, allowing site operators to make queries like “how many blocks of each type are in my course?” or “what are the IDs of all Sequence blocks which have HTML blocks as direct children?” The queries can be executed from a Web interface that Neo4j exposes.

Problem: Neo4j Community Edition leaves a lot to be desired in terms of authentication and authorization:

  • SSO is not available, so Neo4j auth cannot be connected with LMS or any other auth provider.
  • All Neo4j users are admins, and thus can read and write the entire course graph, as well as create new Neo4j admin users.
  • 2FA is not available, so basic username/password auth would be all that is protecting an instance’s potentially-private course content from the outside world.

When I worked at edX, we solved this by just putting the Neo4j instance behind an employees-only VPN and disabling Neo4j’s builtin authentication system, giving us the level of data security we needed.

I am considering recommending that users of my CourseGraph plugin do the same.

Question: Given that Tutor exposes all its services through Caddy, is it possible to put a single Tutor-deployed service behind a VPN? Does that even make sense? (Please excuse my lack of ops knowledge here :) )

2 Likes

I’m not sure that I fully understand the implications of moving Neo4j behind a VPN; the default proxy behaviour is all-or-nothing: with ENABLE_WEB_PROXY=true (the default) Caddy will be considered as the only web proxy. With ENABLE_WEB_PROXY=false it is assumed that the system administrator does all the hard work of configuring a separate proxy.

What other plugins do is to introduce custom settings that toggle the deployment of individual components. For instance, in Cairn, there is the CAIRN_RUN_CLICKHOUSE setting (Overhang.IO | Tutor Plugins - cairn). When set to false, users can point to a separate, self-hosted ClickHouse cluster. Maybe you can do something similar with Neo4j?

1 Like
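
The toggle pattern suggested in the reply above, written as a Tutor plugin module. This is an added example, not code from the thread or from the CourseGraph plugin: COURSEGRAPH_RUN_NEO4J is the setting named in the thread, while the host and image settings, their values and the patch contents are assumptions.

```python
"""Added illustration: a Tutor plugin module gating Neo4j behind one toggle."""
try:
    from tutor import hooks  # Tutor v1 plugin API
except ImportError:  # lets the module load for tests without Tutor installed
    hooks = None

# COURSEGRAPH_RUN_NEO4J comes from the thread; the other two settings and
# their default values are hypothetical.
CONFIG_DEFAULTS = [
    ("COURSEGRAPH_RUN_NEO4J", True),
    ("COURSEGRAPH_NEO4J_HOST", "coursegraph.{{ LMS_HOST }}"),
    ("COURSEGRAPH_NEO4J_DOCKER_IMAGE", "docker.io/neo4j:4.4"),
]

# Raw patch bodies (assumed contents): the Neo4j service definition and the
# public Caddy route to Neo4j's web interface on port 7474.
_PATCH_BODIES = {
    "local-docker-compose-services": (
        "neo4j:\n"
        "  image: {{ COURSEGRAPH_NEO4J_DOCKER_IMAGE }}\n"
        "  restart: unless-stopped\n"
    ),
    "caddyfile": (
        "{{ COURSEGRAPH_NEO4J_HOST }}{$default_site_port} {\n"
        "    reverse_proxy neo4j:7474\n"
        "}\n"
    ),
}


def guarded(body):
    """Wrap a patch body so it renders to nothing when the toggle is false."""
    return "{% if COURSEGRAPH_RUN_NEO4J %}\n" + body + "{% endif %}\n"


def build_patches():
    """Return (patch_name, template) pairs, every one behind the toggle."""
    return [(name, guarded(body)) for name, body in _PATCH_BODIES.items()]


def register(hooks_module):
    """Register defaults and patches with Tutor's hooks (or a test double)."""
    hooks_module.Filters.CONFIG_DEFAULTS.add_items(CONFIG_DEFAULTS)
    for patch in build_patches():
        hooks_module.Filters.ENV_PATCHES.add_item(patch)


if hooks is not None:
    register(hooks)
```

With COURSEGRAPH_RUN_NEO4J set to false, both patches render empty, so Tutor neither starts a Neo4j container nor adds a Caddy route for it, and the operator can point the plugin at a Neo4j instance hosted on a VPN-only network.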

Thanks @regis, that helps a lot. I ended up adding a COURSEGRAPH_RUN_NEO4J setting like you suggested.