gRPC over Nginx proxy

teterski · December 11, 2024, 9:11pm

We are trying to use the gRPC API for a Chirpstack V3 instance (we cannot update it to V4 yet due to our production infrastructure). The instance runs on a VM and is accessible on port 443 behind an NGINX reverse proxy.

We have looked at the following resources for help:

github.com

chirpstack/chirpstack-ansible-playbook/blob/master/roles/chirpstack/templates/chirpstack.nginx#L21


      
          	listen 443 ssl http2;
          	server_name {{ chirpstack.fqdn }};
          	{% if chirpstack.letsencrypt.request %}
          	ssl_certificate /etc/letsencrypt/live/{{ chirpstack.fqdn }}/fullchain.pem;
          	ssl_certificate_key /etc/letsencrypt/live/{{ chirpstack.fqdn }}/privkey.pem;
          	{% else %}
          	ssl_certificate /etc/nginx/certs/chirpstack.pem;
          	ssl_certificate_key /etc/nginx/certs/chirpstack-key.pem;
          	{% endif %}
          
          	location ^~ /api { 
          		grpc_pass grpc://localhost:8080; 
          	} 
          
          	location / {
          		proxy_pass http://localhost:8080;
          	}
          }

We’ve tried updating our nginx configuration with the grpc_pass option like so:

server {

    listen 443 ssl http2;
    server_name localhost;

    ssl_certificate /path/to/cert.crt;
    ssl_certificate_key /path/to/cert.prv;

    # WebSocket configuration
    location ~ ^/api/(gateways|devices)/(\w+)/(frames|events)$ {
        proxy_pass http://localhost:8080/api/$1/$2/$3;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_read_timeout 86400s;
        proxy_send_timeout 86400s;
    }

    location / {
        grpc_pass grpc://localhost:8080;
    }
}

but we are still getting the following error when we try to connect to the instance over gRPC:

unable to authenticate to IP:443: rpc error: code = Unavailable desc = error reading from server: EOF

What are we missing in our configuration to make this work? Thank you.

teterski · December 12, 2024, 4:35pm

Today I enabled port 8080 on the VM for testing purposes, and gRPC works using it, so it must be something missing in our nginx config.

zeara · December 13, 2024, 8:01am

i face the same problem when usinig python grpc client.

if i use grpc.insecure_channel(server) i must use host:port and the port must not be 443, if i have to use 443, maybe have to use secure client.
grpc.secure_channel(server, grpc.ssl_channel_credentials(trusted_certs))

brocaar · December 16, 2024, 12:29pm

The grpc_pass is for ChirpStack v4. For ChirpStack v3 the REST API is used + Websockets for the live events / frames.

You would need something like this:


		location ~ ^/api/(gateways|devices)/(\w+)/(frames|events)$ {
			proxy_pass http://127.0.0.1:8080/api/$1/$2/$3;
			proxy_http_version 1.1;
			proxy_set_header Upgrade $http_upgrade;
			proxy_set_header Connection "Upgrade";
			proxy_read_timeout 86400s;
			proxy_send_timeout 86400s;
		}

		location / {
			proxy_pass http://localhost:8080;
		}

a28b · December 18, 2024, 11:22pm

Hi, could it be that you have enabled TLS on Chirpstack? I created the thread you linked before. You have to disable TLS in Chirpstack and only enable it in nginx.

teterski · January 10, 2025, 11:04pm

Sorry, just to confirm, does that mean there is no way to use the GRPC API for Chirpstack V3 over nginx?

teterski · January 10, 2025, 11:17pm

Are those the TLS options under [application_server.external_api]? If so, I have TLS disabled, but am still getting the same issue. When connecting over grpc, were you providing any sort of certificates or credentials?