Configure The Thing Stack behind a reverse proxy

Hello,

I would like to configure The Things Stack behind a reverse proxy for the web console (to prevent web attack, the console is available on internet).
More specifically, our reverse proxy is an apache stack with mod_proxy and mod_security to filter inbound request (L7 firewall).
Moreover, I would like that the other ports (used for communication between the gateways and the application) don’t pass through the proxy.
I’m unable to configure FQDN correctly in my ‘ttn-lw-stack-docker.yml’ file.
Whare are parameters to configure with the proxy FQDN and other with server FQDN ?
Is it possible to have an example config file for my environment ?
I tried to replace only FQDN in web URL (https://the-things-stack.umons.ac.be/) with the proxy URL and keep server URL for other parameters but it doesn’t work !
Sorry if the post already exists !

Here is my config :

# Identity Server configuration
# Email configuration for "the-things-stack.umons.ac.be"
is:
  email:
    sender-name: 'The Things Stack'
    sender-address: 'the-things-stack@apps.umons.ac.be'
    network:
      name: 'The Things Stack'
      console-url: 'https://the-things-stack.umons.ac.be/console'
      identity-server-url: 'https://the-things-stack.umons.ac.be/oauth'
      provider: smtp
      smtp:
        address:  'xxx'
        #        username: ''             # enter SMTP server username
        #        password: ''             # enter SMTP server password

  # Web UI configuration for "the-things-stack.umons.ac.be":
  oauth:
    ui:
      canonical-url: 'https://the-things-stack.umons.ac.be/oauth'
      is:
        base-url: 'https://the-things-stack.umons.ac.be/api/v3'

# HTTP server configuration
http:
  cookie:
    block-key: 'xxx'                # generate 32 bytes (openssl rand -hex 32)
    hash-key: 'xxx'                 # generate 64 bytes (openssl rand -hex 64)
  metrics:
    password: 'xxx'               # choose a password
  pprof:
    password: 'xxx'                 # choose a password

# If using custom certificates:
tls:
  source: file
  root-ca: /run/secrets/ca.pem
  certificate: /run/secrets/cert.pem
  key: /run/secrets/key.pem

# Let's encrypt for "the-things-stack.umons.ac.be"
#tls:
#  source: 'acme'
#  acme:
#    dir: '/var/lib/acme'
#    email: 'you@the-things-stack.umons.ac.be'
#    hosts: ['the-things-stack.umons.ac.be']
#    default-host: 'the-things-stack.umons.ac.be'

# If Gateway Server enabled, defaults for "the-things-stack.umons.ac.be":
gs:
  mqtt:
    public-address: 'the-things-stack.umons.ac.be:1882'
    public-tls-address: 'the-things-stack.umons.ac.be:8882'
  mqtt-v2:
    public-address: 'the-things-stack.umons.ac.be:1881'
    public-tls-address: 'the-things-stack.umons.ac.be:8881'

# If Gateway Configuration Server enabled, defaults for "the-things-stack.umons.ac.be":
gcs:
  basic-station:
    default:
      lns-uri: 'wss://the-things-stack.umons.ac.be:8887'
  the-things-gateway:
    default:
      mqtt-server: 'mqtts://the-things-stack.umons.ac.be:8881'

# Web UI configuration for "the-things-stack.umons.ac.be":
console:
  ui:
    canonical-url: 'https://the-things-stack.umons.ac.be/console'
    is:
      base-url: 'https://the-things-stack.umons.ac.be/api/v3'
    gs:
      base-url: 'https://the-things-stack.umons.ac.be/api/v3'
    gcs:
      base-url: 'https://the-things-stack.umons.ac.be/api/v3'
    ns:
      base-url: 'https://the-things-stack.umons.ac.be/api/v3'
    as:
      base-url: 'https://the-things-stack.umons.ac.be/api/v3'
    js:
      base-url: 'https://the-things-stack.umons.ac.be/api/v3'
    qrg:
      base-url: 'https://the-things-stack.umons.ac.be/api/v3'
    edtc:
      base-url: 'https://the-things-stack.umons.ac.be/api/v3'

  oauth:
    authorize-url: 'https://the-things-stack.umons.ac.be/oauth/authorize'
    token-url: 'https://the-things-stack.umons.ac.be/oauth/token'
    logout-url: 'https://the-things-stack.umons.ac.be/oauth/logout'
    client-id: 'console'
    client-secret: 'xxx'          # choose or generate a secret

# If Application Server enabled, defaults for "the-things-stack.umons.ac.be":
as:
  mqtt:
    public-address: 'the-things-stack.umons.ac.be:1883'
    public-tls-address: 'the-things-stack.umons.ac.be:8883'
  webhooks:
    downlink:
            public-address: 'the-things-stack.umons.ac.be:1885/api/v3'

# If Device Claiming Server enabled, defaults for "the-things-stack.umons.ac.be":
dcs:
  oauth:
    authorize-url: 'https://the-things-stack.umons.ac.be/oauth/authorize'
    token-url: 'https://the-things-stack.umons.ac.be/oauth/token'
    logout-url: 'https://the-things-stack.umons.ac.be/oauth/logout'
    client-id: 'device-claiming'
    client-secret: 'xxx'          # choose or generate a secret
  ui:
    canonical-url: 'https://the-things-stack.umons.ac.be/claim'
    as:
      base-url: 'https://the-things-stack.umons.ac.be/api/v3'
    dcs:
      base-url: 'https://the-things-stack.umons.ac.be/api/v3'
    is:
      base-url: 'https://the-things-stack.umons.ac.be/api/v3'
    ns:
      base-url: 'https://the-things-stack.umons.ac.be/api/v3'

grpc:
  trusted-proxies: 'xxx,xxxx,xxx,xxx'

Thank you for your help !

Regards,

Maxence Danvain

Did you search? I see answers …

Have you got the stack working before you try the combinations that could be implemented?

Hello,

Thank for your help.
There is a post but for a proxy and not a reverse proxy : Setting up TTN Server Stack behind web proxy - TTN Network and Services / v2 Backend - The Things Network

I think it’s not my case.

Maxence

But it might move you forward.

Like answering questions like “have you got the basics working?”

A colleague made a “simple” POC (without a proxy) with just a server, a gateway and a lora sensor.

I’m trying to put his POC on a production server but also improve security.
I already have a working “the things stack” installation on an Ubuntu server (thank to his documentation).
A testing gateway is already configured on the stack.

image1898×880 85.1 KB

An issue appears when I try to provision a lora sensor.

image1449×926 49.2 KB

image1402×188 9.67 KB

An error in xhr request…

image1901×567 44.6 KB

I think it’s a mistake with FQDN in my ‘ttn-lw-stack-docker.yml’ file.
I don’t know why I have “localhost” in my xhr request except an error with FQDN in my config file…
My environement is more complicated than the POC with the proxy…

And we have detail!

Have you read the section about not having a FQDN for the stack aka running it as localhost which has varied means depending on if it’s inside the Docker container or outside it but you are running the console on the same machine - and in your case, is that localhost to the proxy and then on to the outside of the container?

In the first instance, after reading about localhost in the instructions, I’d use an IP address as a minimum or to reduce the brain load, a DNS entry that points to an internal address. That will then work on any machine on your internal network.

Then you can put something in the way of the console URL.

Not entirely clear how it will improve security as you’d have to figure out all the potential endpoints and deny everything else.

Here’s the last Slack discussion on proxies - found using the search!

Plus there is an issue today on a similar topic, which wouldn’t be yours because we all know we don’t double post, about the JoinEUI which may help.