ChirpStack 4 with https nginx proxy and firewall

We have ChirpStack v4 running in docker containers. In order to use SSL, we have a CA cert and an nginx reverse proxy. That works fine, we access the dashboard using https on port 443.

The problem comes when we add our second requirement - using a firewall.
ChirpStack is installed on a RHEL 8 server.

We enable firewalld and open up the following ports:
80 TCP
443 TCP
8080 TCP
8090 TCP
5432 TCP
1883 TCP
6379 TCP
1700 UDP

When we try to access the dashboard now, we only get a frozen login screen (after a long delay). Examining the JavaScript console shows that prior to the login rendering (then freezing), we get the following error. Has anyone experienced this and can share what steps we are missing?

Thanks and regards,
Peter

API error:
Object { message: "no authorization provided", stack: "F@https://chirpstack.sl.cloud9.ibm.com/static/js/main.a719fdd3.js:2:1400041\nVt@https://chirpstack.sl.cloud9.ibm.com/static/js/main.a719fdd3.js:2:1423063\n5935/qt/<@https://chirpstack.sl.cloud9.ibm.com/static/js/main.a719fdd3.js:2:1422881\nWe@https://chirpstack.sl.cloud9.ibm.com/static/js/main.a719fdd3.js:2:1408965\nUe@https://chirpstack.sl.cloud9.ibm.com/static/js/main.a719fdd3.js:2:1408771\nPt@https://chirpstack.sl.cloud9.ibm.com/static/js/main.a719fdd3.js:2:1416915\n5935/r.W@https://chirpstack.sl.cloud9.ibm.com/static/js/main.a719fdd3.js:2:1418021\n5935/r.R@https://chirpstack.sl.cloud9.ibm.com/static/js/main.a719fdd3.js:2:1417998\nEventHandlerNonNull*Tt@https://chirpstack.sl.cloud9.ibm.com/static/js/main.a719fdd3.js:2:1415273\nYt@https://chirpstack.sl.cloud9.ibm.com/static/js/main.a719fdd3.js:2:1425396\n5935/Kt.prototype.X/e<@https://chirpstack.sl.cloud9.ibm.com/static/js/main.a719fdd3.js:2:1426612\n5935/Kt.prototype.X@https://chirpstack.sl.cloud9.ibm.com/static/js/main.a719fdd3.js:2:1426632\n5990/i.api.TenantServiceClient.prototype.list@https://chirpstack.sl.cloud9.ibm.com/static/js/main.a719fdd3.js:2:607533\nn/e.list@https://chirpstack.sl.cloud9.ibm.com/static/js/main.a719fdd3.js:2:2431543\nvalue@https://chirpstack.sl.cloud9.ibm.com/static/js/main.a719fdd3.js:2:2582353\nys@https://chirpstack.sl.cloud9.ibm.com/static/js/main.a719fdd3.js:2:1773341\nPl@https://chirpstack.sl.cloud9.ibm.com/static/js/main.a719fdd3.js:2:1790221\n6813/t.unstable_runWithPriority@https://chirpstack.sl.cloud9.ibm.com/static/js/main.a719fdd3.js:2:1861802\nKo@https://chirpstack.sl.cloud9.ibm.com/static/js/main.a719fdd3.js:2:1732088\nkl@https://chirpstack.sl.cloud9.ibm.com/static/js/main.a719fdd3.js:2:1786958\nbl@https://chirpstack.sl.cloud9.ibm.com/static/js/main.a719fdd3.js:2:1783042\ngl@https://chirpstack.sl.cloud9.ibm.com/static/js/main.a719fdd3.js:2:1780165\neu@https://chirpstack.sl.cloud9.ibm.com/static/js/main.a719fdd3.js:2:1796304\n4463/au/<@https://chirpstack.sl.cloud9.ibm.com/static/js/main.a719fdd3.js:2:1797694\nRl@https://chirpstack.sl.cloud9.ibm.com/static/js/main.a719fdd3.js:2:1783195\nau@https://chirpstack.sl.cloud9.ibm.com/static/js/main.a719fdd3.js:2:1797679\n4463/t.render@https://chirpstack.sl.cloud9.ibm.com/static/js/main.a719fdd3.js:2:1805156\n@https://chirpstack.sl.cloud9.ibm.com/static/js/main.a719fdd3.js:2:3366624\n@https://chirpstack.sl.cloud9.ibm.com/static/js/main.a719fdd3.js:2:3366723\n@https://chirpstack.sl.cloud9.ibm.com/static/js/main.a719fdd3.js:2:3366727\n", code: 16, metadata: {…} }
code: 16

We thought it might be the nginx proxy, but tested it with the firewall on without the proxy with the same results.

Without the firewall everything works as expected. Are there any other ports we are failing to open? These are the only ports we reference in setting the ChirpStack configuration.

Thanks

If NGINX is serving ChirpStack using TLS, then opening firewall port 443 should be sufficient for showing the dashboard (you still need to open the MQTT and UDP ports for gw communication).

If that doesn’t work, then it is very likely that your firewall is not properly configured.
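As an added example (not from the thread or the ChirpStack project), here is a small POSIX shell helper that encodes the minimal port set this reply describes: only the nginx TLS front end, the MQTT broker and the UDP packet forwarder port face the outside, while 8080, 8090, 5432 (PostgreSQL) and 6379 (Redis) stay reachable only from the containers and loopback. It flags the extra ports in the original list, prints the matching firewall-cmd invocations as a dry run, and carries a hypothetical `diagnose` helper for checking the result on the host. The zone name, the port roles and the loopback backend address are assumptions.

```shell
#!/bin/sh
# Added example, not part of the thread: minimal firewalld exposure for a
# ChirpStack v4 host where nginx terminates TLS, plus dry-run/diagnostic helpers.
#
# Assumed port roles (from the thread and the default docker setup):
#   443/tcp  nginx TLS front end (dashboard + gRPC-web API)
#   80/tcp   nginx redirect to https (optional; drop it if you do not want the redirect)
#   1883/tcp MQTT broker, used by gateway bridges and integrations
#   1700/udp Semtech UDP packet forwarder on the gateway bridge
# 8080 (chirpstack), 8090 (rest api), 5432 (postgres) and 6379 (redis) are reached by
# nginx and the other containers locally and are deliberately NOT in this list.
PUBLIC_PORTS="80/tcp 443/tcp 1883/tcp 1700/udp"
ZONE="public"   # assumed firewalld zone

# Normalise the "80 TCP" notation used in the question into firewalld's "80/tcp".
normalise_port() {
  printf '%s/%s\n' "$1" "$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')"
}

# Print the entries of "$1" (space-separated port/proto) that are not in PUBLIC_PORTS,
# i.e. ports that would be exposed without need.
superfluous_ports() {
  out=""
  for p in $1; do
    case " $PUBLIC_PORTS " in
      *" $p "*) ;;                 # required, keep
      *) out="$out $p" ;;          # not required, report
    esac
  done
  printf '%s\n' "${out# }"
}

# Emit the firewall-cmd invocations for the minimal set (printed, not executed).
firewalld_commands() {
  for p in $PUBLIC_PORTS; do
    printf 'firewall-cmd --permanent --zone=%s --add-port=%s\n' "$ZONE" "$p"
  done
  printf 'firewall-cmd --reload\n'
}

# Hypothetical host-side checks to run after applying: listening sockets, what the
# zone allows, whether the backend answers on loopback, and whether the dashboard
# answers through nginx. Needs ss, firewall-cmd and curl on the host.
diagnose() {
  host="$1"
  echo "== listening sockets";       ss -ltnup
  echo "== firewalld zone $ZONE";    firewall-cmd --zone="$ZONE" --list-all
  echo "== backend on loopback";     curl -sS -m 5 -o /dev/null -w '%{http_code}\n' "http://127.0.0.1:8080/"
  echo "== dashboard through nginx"; curl -sS -m 5 -o /dev/null -w '%{http_code}\n' "https://$host/"
}

case "${1-}" in
  --apply)    firewalld_commands | sh -e ;;          # really run the rules (root)
  --diagnose) diagnose "${2:?host name required}" ;;
  *)          firewalld_commands ;;                   # default: dry run
esac
```

Run it without arguments to see the rules it would add, pass the original list to `superfluous_ports` to see which of the opened ports should be closed again, and use `--diagnose chirpstack.example.com` on the host to confirm the backend is reachable on loopback while only the intended ports are listed by firewalld.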

Thank you for getting back to us.

By NGINX serving ChirpStack TLS, we mean that we’re using a cert from our trusted CA and configuring a simple reverse proxy:

server {
  listen 80;
  listen [::]:80;
  server_name xxxxxx.com;
  return 301 https://$server_name$request_uri;
}

server {
  # "ssl on;" was deprecated in nginx 1.15.0 and removed in 1.25.1;
  # the ssl parameter on listen replaces it.
  listen 443 ssl;
  listen [::]:443 ssl;
  server_name xxxxxx.com;
  ssl_protocols TLSv1.3;
  ssl_certificate /chirpstack/ssl/chirpstack.pem;
  ssl_certificate_key /chirpstack/ssl/chirpstack.key;
  add_header Strict-Transport-Security "max-age=31536000" always;

  location / {
    proxy_pass http://xxxxxx.com:8080;
    proxy_http_version 1.1;
    # only has an effect with an https:// upstream; no-op for the plain http backend above
    proxy_ssl_server_name on;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-Proto $scheme;
    index index.html;
  }

  location /docs/ {
    proxy_pass http://xxxxxx.com:8090/;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-Proto $scheme;
  }

  error_page 500 502 503 504 /50x.html;
}

And on the firewall we are opening 1700/UDP and 1883/TCP. This being the case, we will continue to research the firewall itself.

I use this config:

# Chirpstack primary listener and redirect
server {
  listen 80;
  server_name chirpstack.domain.com;
  return 301 https://$host$request_uri;
}

# Chirpstack ssl config
server {
  listen 443 ssl http2;
  server_name chirpstack.domain.com;

  #  ssl_session_cache shared:SSL:10m;
  #  ssl_session_timeout 10m;

  ssl_certificate /etc/letsencrypt/live/domain.com/fullchain.pem;
  ssl_trusted_certificate /etc/letsencrypt/live/domain.com/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/domain.com/privkey.pem;

  #  proxy_cache chirpstack_cache;
  #  proxy_cache_key "$scheme$request_method$host$request_uri";
  #  proxy_cache_valid 200 7d;
  #  proxy_cache_valid 404 1m;
  #  proxy_cache_bypass $http_pragma;
  #  proxy_cache_revalidate on;
  #  proxy_cache_min_uses 2;
  #  proxy_cache_use_stale error timeout invalid_header updating http_500 http_502 http_503 http_504;
  #  gzip on;

  location / {
    # HTTP/2 server push (and this directive) was removed in nginx 1.25.1
    #  http2_push_preload on;
    # backend is reached on loopback only, so 8080 never needs a firewall rule
    proxy_pass http://127.0.0.1:8080;
    # the Upgrade/Connection headers below only take effect on an HTTP/1.1 upstream connection
    proxy_http_version 1.1;
    proxy_set_header Host $host;
    proxy_set_header Connection "upgrade";
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    add_header X-Http-Version $server_protocol;
    proxy_buffering on;
    proxy_buffer_size 8k;
    proxy_buffers 2048 8k;
  }
}

And I opened only 2 ports: 80 and 443.

Thanks for the replies, much appreciated - it appears our issue lies with the firewall itself.