Has SSL been implemented yet for the Web UI? I found year-old posts which state that this hasn't been added yet. I can't find the configuration anywhere.
It's not. Typically I see people using NGINX for securing the web interface. I am using Traefik and it is working well.
Same experience. I like Traefik for TLS termination, but Nginx is very popular when paired with Kubernetes.
Didn't you have problems with Traefik? I switched to Nginx because Traefik had problems with the gRPC stream. This problem caused the whole stream not to load in the UI event and frame log.
Negative. I don’t remember all the configuration details in my head, but no showstoppers.
I believe this should work when using Traefik:
```yaml
services:
  chirpstack:
    loadbalancer:
      servers:
        - url: h2c://chirpstack:8080
```
Thanks, I will try that.
Thanks for your advice. Can you give me some tips on how to implement it? I have ChirpStack 4.6 running on a Pi (chirpstack-gateway-os-4.3.2-full-bcm27xx-bcm2709-rpi-2-squashfs-factory.img.gz). Where does the proxy come into play? Many thanks.
Traefik can be used to automatically generate certificates from Let's Encrypt and use them to secure incoming traffic (such as HTTPS on the web interface; it can also handle TLS for connections to the MQTT broker so you don't need to handle self-signed certs, etc.). The installation process is simple and you can find it on their website; then all the configuration is done in your docker-compose.yml file. Here's an example of my testing server's Traefik setup. Just know I've made a few changes from base ChirpStack (namely ports), so this won't just work on your server:
```yaml
services:
  reverse-proxy:
    # The official v3 Traefik docker image
    image: traefik:v3.0
    command:
      # Dashboard and Log
      #- "--api.insecure=true"
      #- "--log.level=DEBUG"
      # Setup Docker Provider
      - "--providers.docker=true"
      # Make Containers not Exposed to WAN
      - "--providers.docker.exposedbydefault=false"
      # Set Entrypoints
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
      - "--entrypoints.mqtt.address=:8883"
      # Create TLS Resolver for ChirpStack Web Interface + Mosquitto Broker
      - "--certificatesresolvers.myresolver.acme.httpchallenge=true"
      - "--certificatesresolvers.myresolver.acme.httpchallenge.entrypoint=web"
      - "--certificatesresolvers.myresolver.acme.email=*******"
      - "--certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json"
    restart: unless-stopped
    ports:
      # The HTTP port (gets redirected to HTTPS)
      - "80:80"
      # The HTTPS port
      - "443:443"
      # The MQTT port
      - "8883:8883"
      # The Traefik dashboard port (enabled by --api.insecure=true)
      # - "8080:8080"
    volumes:
      # Allows Traefik to listen to the Docker events
      - /var/run/docker.sock:/var/run/docker.sock
      # Mount Certificate Folder
      - ./letsencrypt:/letsencrypt
    labels:
      # Enable Traefik
      - "traefik.enable=true"
    networks:
      default:

  chirpstack:
    image: chirpstack/chirpstack:4.7.0
    command: -c /etc/chirpstack
    restart: unless-stopped
    volumes:
      # Mount Configuration
      - ./configuration/chirpstack:/etc/chirpstack
      # Mount Device Profiles
      - ./lorawan-devices:/opt/lorawan-devices
    depends_on:
      - postgres
      - mosquitto
      - redis
    environment:
      - MQTT_BROKER_HOST=mosquitto
      - REDIS_HOST=redis
      - POSTGRESQL_HOST=postgres
    labels:
      # Enable Traefik
      - "traefik.enable=true"
      # Redirect traffic from HTTP to HTTPS
      - "traefik.http.middlewares.myredirect.redirectscheme.scheme=https"
      - "traefik.http.routers.chirpstack.middlewares=myredirect"
      # Set HTTP Entrypoint and URL path
      - "traefik.http.routers.chirpstack.rule=Host(`chirpstack.server.com`)"
      - "traefik.http.routers.chirpstack.entrypoints=web"
      # Point Router at ChirpStack Container
      - "traefik.http.routers.chirpstack.service=chirpstack@docker"
      # Set HTTPS Entrypoint and URL path
      - "traefik.http.routers.chirpstack-secure.entrypoints=websecure"
      - "traefik.http.routers.chirpstack-secure.rule=Host(`chirpstack.server.com`)"
      # Enable TLS
      - "traefik.http.routers.chirpstack-secure.tls.certresolver=myresolver"
      - "traefik.http.routers.chirpstack-secure.tls=true"
      # Set Backend Port
      - "traefik.http.services.chirpstack.loadbalancer.server.port=8081"
      - "traefik.http.services.chirpstack.loadbalancer.server.scheme=h2c"
    networks:
      default:

  mosquitto:
    image: eclipse-mosquitto:2
    restart: unless-stopped
    volumes:
      - ./configuration/mosquitto/config/:/mosquitto/config/
    labels:
      # Create MQTT router
      - "traefik.enable=true"
      - "traefik.tcp.routers.mosquitto.rule=HostSNI(`chirpstack.server.com`)"
      - "traefik.tcp.routers.mosquitto.entrypoints=mqtt"
      # Add TLS to MQTT router
      - "traefik.tcp.routers.mosquitto.tls=true"
      - "traefik.tcp.routers.mosquitto.tls.certresolver=myresolver"
      # Route to Mosquitto's Internal Unencrypted Port
      - "traefik.tcp.services.mosquitto.loadbalancer.server.port=1884"
    networks:
      default:

  postgres:
    image: postgres:14-alpine
    restart: unless-stopped
    volumes:
      - ./configuration/postgresql/initdb:/docker-entrypoint-initdb.d
      - postgresqldata:/var/lib/postgresql/data
    environment:
      - POSTGRES_PASSWORD=root
    networks:
      default:

  redis:
    image: redis:7-alpine
    restart: unless-stopped
    command: redis-server --save 300 1 --save 60 100 --appendonly no
    volumes:
      - redisdata:/data
    networks:
      default:

volumes:
  postgresqldata:
  redisdata:

networks:
  default:
```
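Added example, not part of the original posts and not ChirpStack or Traefik code: a small pre-deployment check for a compose file laid out like the one above. It reads the `- "key=value"` list items line by line (it is not a YAML parser) and reports an active `--api.insecure=true`, containers exposed by default, any HTTP router that has neither TLS nor an HTTPS redirect middleware, and a backend that is not `h2c` (the gRPC stream issue raised earlier in the thread). The function names `settings` and `audit` and the sample text are assumptions made for illustration.

```python
import re
# Constructed sample, trimmed to the settings the checks look at.
SAMPLE = """
  command:
    #- "--api.insecure=true"
    - "--providers.docker.exposedbydefault=false"
  labels:
    - "traefik.http.middlewares.myredirect.redirectscheme.scheme=https"
    - "traefik.http.routers.chirpstack.middlewares=myredirect"
    - "traefik.http.routers.chirpstack.entrypoints=web"
    - "traefik.http.routers.chirpstack-secure.entrypoints=websecure"
    - "traefik.http.routers.chirpstack-secure.tls=true"
    - "traefik.http.services.chirpstack.loadbalancer.server.port=8081"
    - "traefik.http.services.chirpstack.loadbalancer.server.scheme=h2c"
"""

ITEM = re.compile(r'^\s*-\s*"?([\w.\-]+)=([^"]*)"?\s*$')

def settings(text):
    """Collect key=value list items, skipping commented-out lines."""
    found = {}
    for line in text.splitlines():
        m = None if line.lstrip().startswith("#") else ITEM.match(line)
        if m:
            found[m.group(1).lower()] = m.group(2).strip()
    return found

def audit(text):
    """Return a list of findings for a Traefik-fronted compose file."""
    s, findings, routers = settings(text), [], {}
    if s.get("--api.insecure") == "true":
        findings.append("dashboard enabled without authentication")
    if s.get("--providers.docker.exposedbydefault") != "false":
        findings.append("every container is exposed by default")
    for key, value in s.items():
        m = re.match(r"traefik\.http\.routers\.([^.]+)\.(.+)$", key)
        if m:
            routers.setdefault(m.group(1), {})[m.group(2)] = value
    for name, opts in sorted(routers.items()):
        mws = [x.strip().lower() for x in opts.get("middlewares", "").split(",") if x.strip()]
        redirected = any(s.get(f"traefik.http.middlewares.{mw}.redirectscheme.scheme")
                         == "https" for mw in mws)
        if opts.get("tls") != "true" and "tls.certresolver" not in opts and not redirected:
            findings.append(f"router {name}: plain HTTP with no HTTPS redirect")
    for key in s:  # the thread's gRPC fix: the ChirpStack backend must be h2c
        if key.startswith("traefik.http.services.") and key.endswith(".server.port"):
            if s.get(key[:-4] + "scheme") != "h2c":
                findings.append(f"{key}: backend is not h2c, gRPC streams may not load")
    return findings
```

Run `audit(open("docker-compose.yml").read())` before bringing the stack up; an empty list means none of the four conditions were found.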