TLS and SSL for https access to the API webinterface on 8080

mcollon · October 14, 2022, 9:16am

Where does one configure HTTPS access to the API web interface, running on 8080?

The V4 configuration, according to https://www.chirpstack.io/docs/chirpstack/configuration.html has in [api] only bind and secret parameters to set.

bconway · October 14, 2022, 1:30pm

You’re looking for the backend_interfaces section further down. You could also do TLS termination in a proxy like Traefik or Nginx, which is my preferred deployment approach.

matt21 · December 23, 2022, 8:11am

For my use case I don’t want to set up a proxy if I can avoid it - in v3 it was very conveniently solved.
Yesterday I tried to set it up in v4 (docker), but I didn’t succeed.

In v3 I was using:
docker-compose.yml

  chirpstack-application-server:
    image: chirpstack/chirpstack-application-server:3
    ports:
       - 443:8080

and in chirpstack-application-server.toml

  [application_server.external_api]
  bind="0.0.0.0:8080"
  jwt_secret="verysecret"

 # http server TLS certificate (optional)
 tls_cert="...../chirpstack-application-server-api-server.pem"

 # http server TLS key (optional)
 tls_key="...../chirpstack-application-server-api-server-key.pem"

In v4 I configured:

# API interface configuration.
[api]
  # interface:port to bind the API interface to.
  bind="0.0.0.0:8080"
 secret="my-secret....."

[backend_interfaces]
  # interface:port to bind the Backend Interfaces API to.
  bind="0.0.0.0:8081"
  ca_cert="...../my_ca.crt"
  tls_cert= "...../chirpstack-application-server-api-server.pem"
  tls_key="...../chirpstack-application-server-api-server-key.pem"

In docker-compose.yml I was trying to map the ports:
- 443:8080 → no connection (obviously 8080 is no TLS endpoint)
- 443:8081 → no connection
The bind port in [api] and [backend_interfaces] obvioulsy have to be different ones, otherwise the container doesn’t start (port already bound).

Anyone got an idea what I’m missing to make it work or isn’t it supported in v4 anymore?

brocaar · January 9, 2023, 2:41pm

It is currently not supported, but I’m open to accept pull-requests for this

matt21 · January 9, 2023, 9:29pm

Hey,
Thanks for clarifying. I took the longer path using traefik to secure my installation.

system · April 9, 2023, 9:29pm

This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.