From dd1a34dcea03ce1b3026d29f2c89a9df37be25ca Mon Sep 17 00:00:00 2001
From: Bastien Veuthey
Date: Thu, 3 Oct 2024 12:03:00 +0200
Subject: [PATCH 1/3] add tls support with config variable

---
 .../cmd/configfile.go                    |  6 +++++
 internal/backend/basicstation/backend.go | 25 ++++++++++++-------
 internal/config/config.go                |  1 +
 3 files changed, 23 insertions(+), 9 deletions(-)

diff --git a/cmd/chirpstack-gateway-bridge/cmd/configfile.go b/cmd/chirpstack-gateway-bridge/cmd/configfile.go
index 0eeb9e9d..e25c2b51 100644
--- a/cmd/chirpstack-gateway-bridge/cmd/configfile.go
+++ b/cmd/chirpstack-gateway-bridge/cmd/configfile.go
@@ -111,6 +111,12 @@ type="{{ .Backend.Type }}"
   # ip:port to bind the Websocket listener to.
   bind="{{ .Backend.BasicStation.Bind }}"
 
+  # TLS support.
+  #
+  # When set to true, the websocket listener will use TLS to secure the connections
+  # between the gateways and ChirpStack Gateway Bridge.
+  tls_support={{ .Backend.BasicStation.TLSSupport }}
+
   # TLS certificate and key files.
   #
   # When set, the websocket listener will use TLS to secure the connections
diff --git a/internal/backend/basicstation/backend.go b/internal/backend/basicstation/backend.go
index 308ba0b1..0701de5c 100644
--- a/internal/backend/basicstation/backend.go
+++ b/internal/backend/basicstation/backend.go
@@ -41,9 +41,10 @@ var upgrader = websocket.Upgrader{
 type Backend struct {
 	sync.RWMutex
 
-	caCert  string
-	tlsCert string
-	tlsKey  string
+	tlsSupport bool
+	caCert     string
+	tlsCert    string
+	tlsKey     string
 
 	server *http.Server
 	ln     net.Listener
@@ -84,9 +85,10 @@ func NewBackend(conf config.Config) (*Backend, error) {
 			gateways: make(map[lorawan.EUI64]*connection),
 		},
 
-		caCert:  conf.Backend.BasicStation.CACert,
-		tlsCert: conf.Backend.BasicStation.TLSCert,
-		tlsKey:  conf.Backend.BasicStation.TLSKey,
+		tlsSupport: conf.Backend.BasicStation.TLSSupport,
+		caCert:     conf.Backend.BasicStation.CACert,
+		tlsCert:    conf.Backend.BasicStation.TLSCert,
+		tlsKey:     conf.Backend.BasicStation.TLSKey,
 
 		statsInterval: conf.Backend.BasicStation.StatsInterval,
 		pingInterval:  conf.Backend.BasicStation.PingInterval,
@@ -263,12 +265,13 @@ func (b *Backend) Start() error {
 	go func() {
 		log.WithFields(log.Fields{
 			"bind":     b.ln.Addr(),
+			"tls":      b.tlsSupport,
 			"ca_cert":  b.caCert,
 			"tls_cert": b.tlsCert,
 			"tls_key":  b.tlsKey,
 		}).Info("backend/basicstation: starting websocket listener")
 
-		if b.tlsCert == "" && b.tlsKey == "" && b.caCert == "" {
+		if !b.tlsSupport { // b.tlsCert == "" && b.tlsKey == "" && b.caCert == ""
 			// no tls
 			if err := b.server.Serve(b.ln); err != nil && !b.isClosed {
 				log.WithError(err).Fatal("backend/basicstation: server error")
@@ -276,8 +279,12 @@ func (b *Backend) Start() error {
 		} else {
 			// tls
 			b.scheme = "wss"
-			if err := b.server.ServeTLS(b.ln, b.tlsCert, b.tlsKey); err != nil && !b.isClosed {
-				log.WithError(err).Fatal("backend/basicstation: server error")
+			if b.tlsCert == "" && b.tlsKey == "" && b.caCert == "" {
+				log.Warn("backend/basicstation: TLS is enabled, but no certificate or CA certificate configured.")
+			} else {
+				if err := b.server.ServeTLS(b.ln, b.tlsCert, b.tlsKey); err != nil && !b.isClosed {
+					log.WithError(err).Fatal("backend/basicstation: server error")
+				}
 			}
 		}
 	}()
diff --git a/internal/config/config.go b/internal/config/config.go
index d201bca4..828a72e0 100644
--- a/internal/config/config.go
+++ b/internal/config/config.go
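Review bot: With `tls_support=true` and no `tls_cert`/`tls_key`/`ca_cert` configured, the new else-branch only logs a warning and the goroutine returns without ever calling `Serve` or `ServeTLS`, so the listener `b.ln` keeps accepting TCP connections that are never handled while `b.scheme` has already been set to `wss`. A TLS flag that is on but cannot be honoured should fail closed rather than leave the backend silently half-started, e.g. replace the `log.Warn(...)` with `log.Fatal("backend/basicstation: tls_support is enabled but tls_cert and tls_key are not configured")`. The flag also duplicates what the cert paths already express, so the two can disagree; validating the combination once in `NewBackend` would catch this before the listener is opened. `Start`'s listener setup is outside the hunk.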
@@ -29,6 +29,7 @@ type Config struct {
 
 		BasicStation struct {
 			Bind string `mapstructure:"bind"`
+			TLSSupport bool `mapstructure:"tls_support"`
 			TLSCert string `mapstructure:"tls_cert"`
 			TLSKey  string `mapstructure:"tls_key"`
 			CACert  string `mapstructure:"ca_cert"`

From 46f2e687b3420d0360e30e803e4fdfbe61a96af5 Mon Sep 17 00:00:00 2001
From: Bastien Veuthey
Date: Thu, 3 Oct 2024 12:27:23 +0200
Subject: [PATCH 2/3] serve http server

---
 internal/backend/basicstation/backend.go | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/internal/backend/basicstation/backend.go b/internal/backend/basicstation/backend.go
index 0701de5c..844a9ecc 100644
--- a/internal/backend/basicstation/backend.go
+++ b/internal/backend/basicstation/backend.go
@@ -271,7 +271,7 @@ func (b *Backend) Start() error {
 			"tls_key":  b.tlsKey,
 		}).Info("backend/basicstation: starting websocket listener")
 
-		if !b.tlsSupport { // b.tlsCert == "" && b.tlsKey == "" && b.caCert == ""
+		if !b.tlsSupport {
 			// no tls
 			if err := b.server.Serve(b.ln); err != nil && !b.isClosed {
 				log.WithError(err).Fatal("backend/basicstation: server error")
@@ -279,8 +279,11 @@ func (b *Backend) Start() error {
 		} else {
 			// tls
 			b.scheme = "wss"
-			if b.tlsCert == "" && b.tlsKey == "" && b.caCert == "" {
-				log.Warn("backend/basicstation: TLS is enabled, but no certificate or CA certificate configured.")
+			if b.tlsCert == "" && b.tlsKey == "" {
+				log.Warn("backend/basicstation: TLS is enabled, but no certificate and key configured. TLS will not be used.")
+				if err := b.server.Serve(b.ln); err != nil && !b.isClosed {
+					log.WithError(err).Fatal("backend/basicstation: server error")
+				}
 			} else {
 				if err := b.server.ServeTLS(b.ln, b.tlsCert, b.tlsKey); err != nil && !b.isClosed {
 					log.WithError(err).Fatal("backend/basicstation: server error")

From ed8fc4398e6adfbba8237cb99389e5db46da86e9 Mon Sep 17 00:00:00 2001
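Review bot: Falling back to plaintext `Serve` when `tls_support=true` but no certificate and key are configured is a fail-open: an operator who believes TLS is on gets an unencrypted WebSocket listener, `b.scheme` still reports `wss`, and the only signal is a Warn line in the log. Because the flag explicitly requests TLS, the safe behaviour is to refuse to start, e.g. `log.Fatal("backend/basicstation: tls_support is enabled but tls_cert/tls_key are not set")` in place of the warn-and-Serve block. If a plaintext-behind-proxy deployment is the intended use, that deserves its own explicit option rather than being the failure mode of a TLS flag. Dropping `b.caCert` from the condition also means a config with only `ca_cert` set now reaches `ServeTLS` with empty cert/key paths, which will presumably fail at startup; that is arguably the right outcome but is worth a comment. The enclosing `Start` body continues outside the hunk.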
From: Bastien Veuthey
Date: Thu, 3 Oct 2024 12:58:43 +0200
Subject: [PATCH 3/3] add compatibility with previous version + change name of config variable

---
 .../cmd/configfile.go                    |  6 +--
 internal/backend/basicstation/backend.go | 43 +++++++++----------
 internal/config/config.go                |  2 +-
 3 files changed, 24 insertions(+), 27 deletions(-)

diff --git a/cmd/chirpstack-gateway-bridge/cmd/configfile.go b/cmd/chirpstack-gateway-bridge/cmd/configfile.go
index e25c2b51..53162613 100644
--- a/cmd/chirpstack-gateway-bridge/cmd/configfile.go
+++ b/cmd/chirpstack-gateway-bridge/cmd/configfile.go
@@ -111,11 +111,11 @@ type="{{ .Backend.Type }}"
   # ip:port to bind the Websocket listener to.
   bind="{{ .Backend.BasicStation.Bind }}"
 
-  # TLS support.
+  # TLS support by a Reverse-Proxy
   #
   # When set to true, the websocket listener will use TLS to secure the connections
-  # between the gateways and ChirpStack Gateway Bridge.
-  tls_support={{ .Backend.BasicStation.TLSSupport }}
+  # between the gateways and a reverse-proxy (optional).
+  tls_support_proxy={{ .Backend.BasicStation.TLSSupportProxy }}
 
   # TLS certificate and key files.
   #
diff --git a/internal/backend/basicstation/backend.go b/internal/backend/basicstation/backend.go
index 844a9ecc..11f07427 100644
--- a/internal/backend/basicstation/backend.go
+++ b/internal/backend/basicstation/backend.go
@@ -41,10 +41,10 @@ var upgrader = websocket.Upgrader{
 type Backend struct {
 	sync.RWMutex
 
-	tlsSupport bool
-	caCert     string
-	tlsCert    string
-	tlsKey     string
+	tlsSupportProxy bool
+	caCert          string
+	tlsCert         string
+	tlsKey          string
 
 	server *http.Server
 	ln     net.Listener
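Review bot: The new comment states that "the websocket listener will use TLS" when `tls_support_proxy` is true, but in this mode the bridge itself serves plaintext WebSocket and only advertises `wss` on the assumption that a reverse proxy terminates TLS in front of it, so an operator reading this could expose an unencrypted listener believing it is protected. Suggest rewording the block to: `# When set to true, ChirpStack Gateway Bridge assumes a reverse proxy in front of it terminates TLS: the listener itself stays plain WebSocket (ws), but gateways are handed wss:// URLs. Only use this with a bind address reachable solely by the proxy. It has no effect when tls_cert, tls_key or ca_cert is set.` The last sentence reflects the backend change in this same patch and should be kept in sync with backend.go.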
@@ -85,10 +85,10 @@ func NewBackend(conf config.Config) (*Backend, error) {
 			gateways: make(map[lorawan.EUI64]*connection),
 		},
 
-		tlsSupport: conf.Backend.BasicStation.TLSSupport,
-		caCert:     conf.Backend.BasicStation.CACert,
-		tlsCert:    conf.Backend.BasicStation.TLSCert,
-		tlsKey:     conf.Backend.BasicStation.TLSKey,
+		tlsSupportProxy: conf.Backend.BasicStation.TLSSupportProxy,
+		caCert:          conf.Backend.BasicStation.CACert,
+		tlsCert:         conf.Backend.BasicStation.TLSCert,
+		tlsKey:          conf.Backend.BasicStation.TLSKey,
 
 		statsInterval: conf.Backend.BasicStation.StatsInterval,
 		pingInterval:  conf.Backend.BasicStation.PingInterval,
@@ -264,30 +264,27 @@ func (b *Backend) RawPacketForwarderCommand(pl *gw.RawPacketForwarderCommand) er
 func (b *Backend) Start() error {
 	go func() {
 		log.WithFields(log.Fields{
-			"bind":     b.ln.Addr(),
-			"tls":      b.tlsSupport,
-			"ca_cert":  b.caCert,
-			"tls_cert": b.tlsCert,
-			"tls_key":  b.tlsKey,
+			"bind":              b.ln.Addr(),
+			"tls_support_proxy": b.tlsSupportProxy,
+			"ca_cert":           b.caCert,
+			"tls_cert":          b.tlsCert,
+			"tls_key":           b.tlsKey,
 		}).Info("backend/basicstation: starting websocket listener")
 
-		if !b.tlsSupport {
+		if b.tlsCert == "" && b.tlsKey == "" && b.caCert == "" {
 			// no tls
+			if b.tlsSupportProxy {
+				log.Info("backend/basicstation: TLS support handled by reverse-proxy")
+				b.scheme = "wss"
+			}
 			if err := b.server.Serve(b.ln); err != nil && !b.isClosed {
 				log.WithError(err).Fatal("backend/basicstation: server error")
 			}
 		} else {
 			// tls
 			b.scheme = "wss"
-			if b.tlsCert == "" && b.tlsKey == "" {
-				log.Warn("backend/basicstation: TLS is enabled, but no certificate and key configured. TLS will not be used.")
-				if err := b.server.Serve(b.ln); err != nil && !b.isClosed {
-					log.WithError(err).Fatal("backend/basicstation: server error")
-				}
-			} else {
-				if err := b.server.ServeTLS(b.ln, b.tlsCert, b.tlsKey); err != nil && !b.isClosed {
-					log.WithError(err).Fatal("backend/basicstation: server error")
+			if err := b.server.ServeTLS(b.ln, b.tlsCert, b.tlsKey); err != nil && !b.isClosed {
+				log.WithError(err).Fatal("backend/basicstation: server error")
 			}
 		}
 	}()
diff --git a/internal/config/config.go b/internal/config/config.go
index 828a72e0..e75f895d 100644
--- a/internal/config/config.go
+++ b/internal/config/config.go
@@ -29,7 +29,7 @@ type Config struct {
 
 		BasicStation struct {
 			Bind string `mapstructure:"bind"`
-			TLSSupport bool `mapstructure:"tls_support"`
+			TLSSupportProxy bool `mapstructure:"tls_support_proxy"`
 			TLSCert string `mapstructure:"tls_cert"`
 			TLSKey  string `mapstructure:"tls_key"`
 			CACert  string `mapstructure:"ca_cert"`
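Review bot: In the `tlsSupportProxy` branch the bridge serves plaintext on `b.ln` and merely sets `b.scheme = "wss"`, so the confidentiality and authenticity of gateway traffic now rest entirely on the listener being unreachable except through the TLS-terminating proxy; nothing in this hunk or the config enforces that `bind` is a loopback or proxy-only address, and a gateway that reaches the bind address directly gets an unencrypted, unauthenticated session. At minimum make the risk visible where the decision is taken, e.g. change the `log.Info` to `log.WithField("bind", b.ln.Addr()).Warn("backend/basicstation: listener is plaintext, TLS is expected to be terminated by a reverse-proxy; bind must not be reachable by gateways directly")`. Separately, when any of `tls_cert`/`tls_key`/`ca_cert` is set the proxy flag is silently ignored because execution goes to `ServeTLS`, so a config that sets both goes unnoticed; a one-line `log.Warn` in the else branch when `b.tlsSupportProxy` is true would surface that. How `b.scheme` feeds the URL handed to gateways is outside the hunk, so whether the advertised host and port match the proxy cannot be checked here.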