gRPC over Nginx proxy

ChirpStack Application Server
1

We are trying to use the gRPC API for a Chirpstack V3 instance (we cannot update it to V4 yet due to our production infrastructure). The instance runs on a VM and is accessible on port 443 behind an NGINX reverse proxy.

We have looked at the following resources for help:

We’ve tried updating our nginx configuration with the grpc_pass option like so:

server {

    listen 443 ssl http2;
    server_name localhost;

    ssl_certificate /path/to/cert.crt;
    ssl_certificate_key /path/to/cert.prv;

    # WebSocket configuration
    location ~ ^/api/(gateways|devices)/(\w+)/(frames|events)$ {
        proxy_pass http://localhost:8080/api/$1/$2/$3;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_read_timeout 86400s;
        proxy_send_timeout 86400s;
    }

    location / {
        grpc_pass grpc://localhost:8080;
    }
}

but we are still getting the following error when we try to connect to the instance over gRPC:

unable to authenticate to IP:443: rpc error: code = Unavailable desc = error reading from server: EOF

What are we missing in our configuration to make this work? Thank you.

2

Today I enabled port 8080 on the VM for testing purposes, and gRPC works using it, so it must be something missing in our nginx config.

3

i face the same problem when usinig python grpc client.

if i use grpc.insecure_channel(server) i must use host:port and the port must not be 443, if i have to use 443, maybe have to use secure client.
grpc.secure_channel(server, grpc.ssl_channel_credentials(trusted_certs))

4

The grpc_pass is for ChirpStack v4. For ChirpStack v3 the REST API is used + Websockets for the live events / frames.

You would need something like this:


		location ~ ^/api/(gateways|devices)/(\w+)/(frames|events)$ {
			proxy_pass http://127.0.0.1:8080/api/$1/$2/$3;
			proxy_http_version 1.1;
			proxy_set_header Upgrade $http_upgrade;
			proxy_set_header Connection "Upgrade";
			proxy_read_timeout 86400s;
			proxy_send_timeout 86400s;
		}

		location / {
			proxy_pass http://localhost:8080;
		}
5

Hi, could it be that you have enabled TLS on Chirpstack? I created the thread you linked before. You have to disable TLS in Chirpstack and only enable it in nginx.

6

Sorry, just to confirm, does that mean there is no way to use the GRPC API for Chirpstack V3 over nginx?

7

Are those the TLS options under [application_server.external_api]? If so, I have TLS disabled, but am still getting the same issue. When connecting over grpc, were you providing any sort of certificates or credentials?

9

After having some more time to look into the issue, I figured it out. There were two issues that prevented this from working:

  1. I was using an insecure gRPC connection to connect to an Nginx server that had SSL certs setup.
    I had to use cred, err := credentials.NewClientTLSFromFile("path_to_cert", "")
    and
    grpc.Dial(grpcHost, grpc.WithTransportCredentials(cred))
    to have Nginx accept the connection.

  2. The gRPC API endpoint was incorrect. The correct location for Chirpstack V3 is as follows:

location ~* /api(\.) {
	    grpc_pass grpc://localhost:8080;
}

Once I’ve made these changes, I was able to connect over gRPC on port 443.

Note: also make sure to enable http2 in Nginx like this:

 server {
        listen 443 ssl http2;
        ...
}
10

This topic was automatically closed after 90 days. New replies are no longer allowed.