Chirpstack 8080 to 443 port (2024/10/08/)

Hi, I installed chirpstack V4.8.1.

I didn’t find in the Chirpstack documentation or in this forum a solution to migrate the chirpstack HTTP application to a secure protocol.

I understand from some topics (2022) that there was no solution, but now that V4 is well implemented I would like to know what the best practice is to do that.

Many thanks in advance! :slight_smile:

Common practice is to use a reverse-proxy / load-balancer like Traefik or NGINX + Certbot. Personally I use Traefik for all the TLS on Chirpstack.

At the bottom of this thread is my configuration: How to Secure MQTT Messages on ChirpStack to Prevent Unauthorized Access? - #21 by Liam_Philipp


Thank you so much Philipp for your reply.
This server is hosted in the cloud. It would be a shame to subscribe to a proxy or create a new VM just for this specific need.

I think I am not the first and not the last who needs this process in chirpstack V4.

@brocaar, would it be possible to add this in the next version? This would be a very positive point for this chirpstack V4! :slight_smile:

Thanks a lot in advance

That’s fair. I’ll just say though that if you used the docker Chirpstack install, Traefik really is not hard to set up, just install it and all the configuration is done in your docker-compose.yml. That saves you all the headaches with self-signed certs for things like the MQTT broker as well.


Yes, thanks Philipp, but we don’t use docker in this topology. I’m sure it is not difficult to set it! :wink: It would be very interesting for us and for many others to be able to set a self-signed / signed cert in the chirpstack SRV directly.

I hope this request will be taken into account. Again, many thanks for this solution, which is a real added value for us and this community.

I’m still waiting to hear whether this request will be taken into account by admin in future versions. Thanks a lot.

If you are on a Debian install of chirpstack, this is an example, but you must adapt it.

For certs, use certbot or your own certs.

sudo apt install nginx
sudo nano /etc/nginx/sites-available/chirpStack

server {
    listen 443 ssl;
    server_name         chirpstack.my.domaine;

    ssl_certificate /etc/ssl/certs/my.domaine.pem;
    ssl_certificate_key /etc/ssl/private/my.domaine.key;
    ssl_protocols       TLSv1.2;
    ssl_ciphers         HIGH:!aNULL:!MD5;
    # gRPC API (api.InternalService) configuration
    location /api.InternalService {
        grpc_pass grpc://localhost:8080;
    }

    location / {
        proxy_pass http://localhost:8080/;
    }
}

sudo ln -s /etc/nginx/sites-available/chirpStack /etc/nginx/sites-enabled/chirpStack
sudo rm /etc/nginx/sites-enabled/default

sudo systemctl reload nginx.service

Then change the bind IP to 127.0.0.1 to suppress direct access over HTTP,
by editing /etc/chirpstack/chirpstack.toml:
replace the line bind="0.0.0.0:8080" with bind="127.0.0.1:8080" in the [api] section.

sudo nano /etc/chirpstack/chirpstack.toml
....
# API interface configuration.
[api]

  # interface:port to bind the API interface to.
  bind="127.0.0.1:8080"
....

sudo systemctl restart chirpstack.service
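
A check to run after the last step of the post above, as an added example that is not part of the original thread: it reads the [api] bind value from chirpstack.toml and scans `ss -ltnH` output for a port-8080 listener that is not on loopback. The function names and the sample socket listing are constructed for illustration.

```shell
#!/bin/sh
# Added example: verify ChirpStack's plain-HTTP API is only reachable via loopback.

# Print the bind value from the [api] section of a chirpstack.toml file.
api_bind() {
    awk '
        /^[ \t]*\[/ { in_api = ($0 ~ /^[ \t]*\[api\][ \t]*$/) }
        in_api && /^[ \t]*bind[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, "")   # drop the key and "="
            sub(/[ \t]*#.*$/, "")      # drop a trailing comment
            gsub(/["\t ]/, "")         # drop quotes and whitespace
            print; exit
        }' "$1"
}

# Succeed only when the address part of host:port is a loopback address.
is_loopback_bind() {
    case "${1%:*}" in
        127.*|localhost|"[::1]") return 0 ;;
        *) return 1 ;;
    esac
}

# Read `ss -ltnH` output on stdin and print every local address listening on
# the given port that is not loopback (still reachable without TLS).
exposed_listeners() {
    awk -v port="$1" '
        $1 == "LISTEN" {
            n = split($4, parts, ":")
            if (parts[n] != port) next
            if ($4 ~ /^127\./ || $4 ~ /^\[::1\]/) next
            print $4
        }'
}

# Constructed sample of `ss -ltnH` output taken before the bind change.
SAMPLE_SS='LISTEN 0 511 0.0.0.0:443 0.0.0.0:*
LISTEN 0 128 0.0.0.0:8080 0.0.0.0:*
LISTEN 0 128 127.0.0.1:1883 0.0.0.0:*'
printf '%s\n' "$SAMPLE_SS" | exposed_listeners 8080
```

On the server, run `api_bind /etc/chirpstack/chirpstack.toml` and `ss -ltnH | exposed_listeners 8080`; the second command should print nothing once the restart has picked up the new bind value.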