Chirpstack v4 over IIS reverse proxy

Hi there.

I’ve been testing chirpstack v4 with directly NATing to that VM.
Now we went to production, and I set up reverse proxy on my win 2019 machine using IIS.
Everything works fine except grpc.
I can’t get it to work, it doesn’t work over https nor http.
Is there anything specific I need to configure in reverse proxy for grpc to work?
It works fine without reverse proxy.

Make sure you’re using http2 for the grpc connection. I use traefik as a reverse-proxy and had to configure the following line for the API to work:

- "traefik.http.services.chirpstack.loadbalancer.server.scheme=h2c"

Which forces the lodabalancer to use http2 cleartext.

1 Like

It uses http2 as default:


and this is full web.config file:

Everything works except grpc…

Anybody has some solution? Or similar problem/solution with other web server beside windows internet information services? Maybe I can translate solution to IIS reverse proxy settings…

I’m not familiar with this technology but a quick google seems to suggest that this is a known issue and IIS does not support HTTP/2 for gRPC: Grpc.Web - Hosting issues under IIS or Application Service Plan · Issue #759 · grpc/grpc-dotnet · GitHub

I hate to spout AI slop but this is GPTs response, you may find something useful here:

Yes, this is a known challenge: gRPC does not work properly through IIS reverse proxy out of the box. The core issue is that IIS (even with ARR and URL Rewrite) doesn’t support HTTP/2 fully in a reverse proxy scenario, which gRPC requires.

Here’s a breakdown of the problem and what you can do:


:mag: Why gRPC fails through IIS:

  1. gRPC uses HTTP/2, and IIS only supports HTTP/2 in limited contexts.
  2. IIS with ARR (Application Request Routing) still proxies requests using HTTP/1.1 to the backend, breaking gRPC.
  3. WebSockets and gRPC-Web are not handled by default either unless explicitly configured (and still may not work properly).

:white_check_mark: Possible Solutions

1. Use gRPC-Web instead of native gRPC

  • ChirpStack v4’s web interface uses gRPC-Web to talk to the backend.
  • Make sure your frontend is using gRPC-Web, which translates HTTP/2 calls into HTTP/1.1-compatible requests, so it can work through IIS.
  • But this only applies to browsers—non-browser clients (like CLI tools or custom apps) won’t benefit.

2. Bypass IIS for gRPC

  • Expose a separate port (like :8080 or :50051) for raw gRPC traffic.
  • Use IIS only for HTTP/gRPC-Web and serve gRPC on a different interface/port, or behind a proxy that supports HTTP/2 (like NGINX or HAProxy).

3. Use a gRPC-aware reverse proxy

IIS is not ideal for gRPC. Consider using:

  • NGINX (with HTTP/2 and gRPC support)
  • Envoy proxy – specifically built for gRPC
  • HAProxy (newer versions support HTTP/2 and gRPC)

Example for NGINX:

nginx

CopyEdit

server {
    listen 443 ssl http2;
    server_name chirpstack.example.com;

    ssl_certificate /path/to/fullchain.pem;
    ssl_certificate_key /path/to/privkey.pem;

    location / {
        grpc_pass grpc://localhost:50051;
        error_page 502 = /error502grpc;
    }
}

:hammer_and_wrench: What you can try if you’re stuck with IIS:

While not recommended, here’s what some people attempt:

  • Use ARR and URL Rewrite, and try gRPC-Web only.
  • Set web: grpc-web interface in Chirpstack’s chirpstack.toml and only use web clients.

I’ve been googling too and talking to chatgpt and deepseek.
IIS actually has http2 and it works out of the box, even on the logs I see request was using http2.

They also gave me multiple advices to add some headers and it doesn’t work.
It doesn’t work even from chirpstack UI app, trying to see live frames on gateways/end devices doesn’t work.
If I dont find any solution I will have to go with nginx, but I’d rather stick to this because everything else works just fine :smiley: