TLS Support by Reverse-Proxy for Basicstation (#241)

bastienvty · web-flow · commit cf07eab61e0a · 2025-05-13T11:23:37.000+01:00
diff --git a/cmd/chirpstack-gateway-bridge/cmd/configfile.go b/cmd/chirpstack-gateway-bridge/cmd/configfile.go
@@ -111,6 +111,12 @@ type="{{ .Backend.Type }}"
   # ip:port to bind the Websocket listener to.
   bind="{{ .Backend.BasicStation.Bind }}"
 
+  # TLS support by a Reverse-Proxy
+  #
+  # When set to true, the websocket listener will use TLS to secure the connections
+  # between the gateways and a reverse-proxy (optional).
+  tls_support_proxy={{ .Backend.BasicStation.TLSSupportProxy }}
+
   # TLS certificate and key files.
   #
   # When set, the websocket listener will use TLS to secure the connections
diff --git a/internal/backend/basicstation/backend.go b/internal/backend/basicstation/backend.go
@@ -41,9 +41,10 @@ var upgrader = websocket.Upgrader{
 type Backend struct {
 	sync.RWMutex
 
-	caCert  string
-	tlsCert string
-	tlsKey  string
+	tlsSupportProxy bool
+	caCert          string
+	tlsCert         string
+	tlsKey          string
 
 	server   *http.Server
 	ln       net.Listener
@@ -84,9 +85,10 @@ func NewBackend(conf config.Config) (*Backend, error) {
 			gateways: make(map[lorawan.EUI64]*connection),
 		},
 
-		caCert:  conf.Backend.BasicStation.CACert,
-		tlsCert: conf.Backend.BasicStation.TLSCert,
-		tlsKey:  conf.Backend.BasicStation.TLSKey,
+		tlsSupportProxy: conf.Backend.BasicStation.TLSSupportProxy,
+		caCert:          conf.Backend.BasicStation.CACert,
+		tlsCert:         conf.Backend.BasicStation.TLSCert,
+		tlsKey:          conf.Backend.BasicStation.TLSKey,
 
 		statsInterval:    conf.Backend.BasicStation.StatsInterval,
 		pingInterval:     conf.Backend.BasicStation.PingInterval,
@@ -262,14 +264,19 @@ func (b *Backend) RawPacketForwarderCommand(pl *gw.RawPacketForwarderCommand) er
 func (b *Backend) Start() error {
 	go func() {
 		log.WithFields(log.Fields{
-			"bind":     b.ln.Addr(),
-			"ca_cert":  b.caCert,
-			"tls_cert": b.tlsCert,
-			"tls_key":  b.tlsKey,
+			"bind":              b.ln.Addr(),
+			"tls_support_proxy": b.tlsSupportProxy,
+			"ca_cert":           b.caCert,
+			"tls_cert":          b.tlsCert,
+			"tls_key":           b.tlsKey,
 		}).Info("backend/basicstation: starting websocket listener")
 
 		if b.tlsCert == "" && b.tlsKey == "" && b.caCert == "" {
 			// no tls
+			if b.tlsSupportProxy {
+				log.Info("backend/basicstation: TLS support handled by reverse-proxy")
+				b.scheme = "wss"
+			}
 			if err := b.server.Serve(b.ln); err != nil && !b.isClosed {
 				log.WithError(err).Fatal("backend/basicstation: server error")
 			}
diff --git a/internal/config/config.go b/internal/config/config.go
@@ -29,6 +29,7 @@ type Config struct {
 
 		BasicStation struct {
 			Bind             string                     `mapstructure:"bind"`
+			TLSSupportProxy  bool                       `mapstructure:"tls_support_proxy"`
 			TLSCert          string                     `mapstructure:"tls_cert"`
 			TLSKey           string                     `mapstructure:"tls_key"`
 			CACert           string                     `mapstructure:"ca_cert"`
