Veteran Member
Posts: 6,252
Registered: ‎02-09-2010
Kudos: 2818
Solutions: 39

UCRM and UNMS https same host/wan ip?

Does anyone know of a way to run UCRM and UNMS on the same host, both with SSL?

Problem, UNMS *requires* 80 and 443.  UCRM can be changed *BUT* not if I want SSL for customers to pay their past due bills.  So I have a single host, single public IP, and I need these ports split.

Was thinking I might run separate VMs for each and maybe an nginx reverse proxy with SSL passthrough in front forwarding by domain, i.e. if http/https ucrm.domain.com then to 10.0.0.10 and if unms.domain.com then 10.0.0.11.

Hoping someone else has run through this so I'm not experimenting.

Would be using letsencrypt for the cert.

Thanks.

Ubiquiti Employee
Posts: 4,163
Registered: ‎12-10-2015
Kudos: 1472
Solutions: 315

Re: UCRM and UNMS https same host/wan ip?

Hi @rebelwireless
you don't need 2 VMs, you can run both UCRM and UNMS on the same machine. (Just choose different non-standard ports for each app, eg 8443 for UCRM and 9443 for UNMS, do the same for http port, e.g. 8080 and 9080 - Then both can live on the same machine)

Then, create a webserver (nginx) forwarding the requests to machineIP:8443 or to machineIP:9443 depending on the requested domain (e.g. unms.yourdomain.com -> machineIP:9443)
Veteran Member
Posts: 6,252
Registered: ‎02-09-2010
Kudos: 2818
Solutions: 39

Re: UCRM and UNMS https same host/wan ip?


wrote:
Hi @rebelwireless
you don't need 2 VMs, you can run both UCRM and UNMS on the same machine. (Just choose different non-standard ports for each app, eg 8443 for UCRM and 9443 for UNMS, do the same for http port, e.g. 8080 and 9080 - Then both can live on the same machine)

Then, create a webserver (nginx) forwarding the requests to machineIP:8443 or to machineIP:9443 depending on the requested domain (e.g. unms.yourdomain.com -> machineIP:9443)

I think you missed the point.  UNMS requires standard ports according to the installer, and though UCRM can have these changed it CANNOT have them changed if using letsencrypt.

Ubiquiti Employee
Posts: 3,611
Registered: ‎09-08-2017
Kudos: 1389
Solutions: 272

Re: UCRM and UNMS https same host/wan ip?


wrote:

wrote:
Hi @rebelwireless
you don't need 2 VMs, you can run both UCRM and UNMS on the same machine. (Just choose different non-standard ports for each app, eg 8443 for UCRM and 9443 for UNMS, do the same for http port, e.g. 8080 and 9080 - Then both can live on the same machine)

Then, create a webserver (nginx) forwarding the requests to machineIP:8443 or to machineIP:9443 depending on the requested domain (e.g. unms.yourdomain.com -> machineIP:9443)

I think you missed the point.  UNMS requires standard ports according to the installer, and though UCRM can have these changed it CANNOT have them changed if using letsencrypt.


@rebelwireless  Hello Daniel. Please allow me to jump in. UNMS can be installed with a custom HTTP(S) port as well, but you are right that it still needs port 80 open for LetsEncrypt to work.

Currently, there is no easy solution to this situation so we asked our developers for help. They came up with an idea of installing both UCRM and UNMS on nonstandard ports and nginx on port 443. Then create two domain names, each with its own LE certificate. Create a configuration in nginx that will redirect to UNMS or UCRM according to the previously created hostnames.

Of course, this is only valid if you need to solve this situation right now. If you can wait, we will come up with a more elegant solution implemented directly in our programs.

UNMS Support - If you want to report an issue please use this guide.

Check out our ever-evolving Help Center for answers to many common questions!

New Member
Posts: 2
Registered: ‎07-23-2018

Re: UCRM and UNMS https same host/wan ip?

Is there any news on this? 

Ubiquiti Employee
Posts: 3,611
Registered: ‎09-08-2017
Kudos: 1389
Solutions: 272

Re: UCRM and UNMS https same host/wan ip?

@TrilleNet  Hello Kasper. No new info right now. I believe the solution I outlined in my post above will be the best solution for using a single certificate for both programs on one server until we complete the integration of UCRM with UNMS. 


Veteran Member
Posts: 6,252
Registered: ‎02-09-2010
Kudos: 2818
Solutions: 39

Re: UCRM and UNMS https same host/wan ip?

@UBNT-Radek I think the nginx reverse proxy is a perfectly elegant model, but I think ubiquiti should have a deployment system that handles it.  Specifically, create a ubnt-reverseproxy docker image that does this automatically.

Veteran Member
Posts: 6,232
Registered: ‎07-03-2008
Kudos: 1971
Solutions: 151

Re: UCRM and UNMS https same host/wan ip?


@UBNT-Radek wrote:
If you can wait, we will come up with a more elegant solution implemented directly in our programs.

 Thank you.  This would be very helpful as part of the forthcoming UNMS & UCRM integration.

 

Veteran Member
Posts: 4,736
Registered: ‎05-19-2009
Kudos: 901
Solutions: 27

Re: UCRM and UNMS https same host/wan ip?

@UBNT-Radek

Is there a how-to anywhere for nginx working with UCRM and UNMS?

This is a major issue for us right now as I'm told UCRM online bill pay will ONLY WORK ON PORT 443

and our UNMS Server is on port 443 because we wanted to be ready for Let's Encrypt, and we now have over 600 devices on the UNMS Server, lots of devices behind NAT, so Rediscover is not really an option.

Anyone have any more ideas for this issue?

Veteran Member
Posts: 6,252
Registered: ‎02-09-2010
Kudos: 2818
Solutions: 39

Re: UCRM and UNMS https same host/wan ip?

Nginx reverse proxy with vhost.  That will let the requested domain/fqdn get directed to the right spot.  Nothing unique about UNMS/UCRM combo 

Veteran Member
Posts: 4,736
Registered: ‎05-19-2009
Kudos: 901
Solutions: 27

Re: UCRM and UNMS https same host/wan ip?

Sorry, think I'm still missing something. The site says it does load balancing on port 443, so does that mean the public IP will sometimes open UCRM and sometimes open UNMS randomly? How do I point it to the correct servers?

Sorry, not finding any good how-to guides on this

Veteran Member
Posts: 6,252
Registered: ‎02-09-2010
Kudos: 2818
Solutions: 39

Re: UCRM and UNMS https same host/wan ip?

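you don't want load balancing.  just proxypass. something like this:

server {
    listen 443 ssl;    # "ssl" on the listen line enables TLS; the old "ssl on;" directive is deprecated
    server_name unms.domain.com;
    # certificate obtained by letsencrypt on this nginx server (certbot's default paths)
    ssl_certificate     /etc/letsencrypt/live/unms.domain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/unms.domain.com/privkey.pem;

    location / {
        # this name is resolved on the nginx server itself (local DNS or /etc/hosts)
        proxy_pass https://unms.domain.com;
    }
}
server {
    listen 443 ssl;
    server_name ucrm.domain.com;
    ssl_certificate     /etc/letsencrypt/live/ucrm.domain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/ucrm.domain.com/privkey.pem;

    location / {
        proxy_pass https://ucrm.domain.com;
    }
}

the nginx server needs dns entries to hit ucrm/unms urls and it's going to terminate its own ssl this way so you'd run letsencrypt right on the nginx server.

you'd also need entries for port 80 traffic...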

Veteran Member
Posts: 4,736
Registered: ‎05-19-2009
Kudos: 901
Solutions: 27

Re: UCRM and UNMS https same host/wan ip?

if UNMS is already on port 443 is this going to make an issue?

I can't find any nginx how-tos to make it listen for 443 and 80 at the same time for letsencrypt

also our issue is

UNMS is already using port 443

UCRM is on 8080

can I still map 443 to localhost:443 and localhost:8080 as 443 is already in use?

Veteran Member
Posts: 6,252
Registered: ‎02-09-2010
Kudos: 2818
Solutions: 39

Re: UCRM and UNMS https same host/wan ip?

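you need to re-read those ports.  8080 is an unencrypted listener.

In nginx, you just add server {} sections for each:

server {
    listen 80;                          # plain HTTP listener, so no TLS directives here
    server_name unms.domain.com;

    location / {
        proxy_pass              http://unms.domain.com;
    }
}
server {
    listen 443 ssl;                     # "ssl" here replaces the deprecated "ssl on;"
    server_name unms.domain.com;
    # certificate obtained by letsencrypt on this nginx server (certbot's default paths)
    ssl_certificate             /etc/letsencrypt/live/unms.domain.com/fullchain.pem;
    ssl_certificate_key         /etc/letsencrypt/live/unms.domain.com/privkey.pem;

    location / {
        proxy_pass              https://unms.domain.com;
    }
}

server {
    listen 80;
    server_name ucrm.domain.com;

    location / {
        proxy_pass              http://ucrm.domain.com;
    }
}
server {
    listen 443 ssl;
    server_name ucrm.domain.com;
    ssl_certificate             /etc/letsencrypt/live/ucrm.domain.com/fullchain.pem;
    ssl_certificate_key         /etc/letsencrypt/live/ucrm.domain.com/privkey.pem;

    location / {
        proxy_pass              https://ucrm.domain.com;
    }
}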

 

Veteran Member
Posts: 4,736
Registered: ‎05-19-2009
Kudos: 901
Solutions: 27

Re: UCRM and UNMS https same host/wan ip?

proxy_pass              https://ucrm.domain.com;

Is it really that simple? The how-tos I'm finding say

proxy_pass              127.0.0.1:8080;
proxy_pass              127.0.0.1:443;

So from what you are saying, I need to get the domain name pointed to the server's public IP before I can get started on getting this working?

Thank you for all the code, by the way. You're the only help I have on this so far.

Veteran Member
Posts: 4,736
Registered: ‎05-19-2009
Kudos: 901
Solutions: 27

Re: UCRM and UNMS https same host/wan ip?

ok so I just ran the top command and UNMS is already running nginx  so do I edit the nginx config file that UNMS already installed?

Veteran Member
Posts: 6,252
Registered: ‎02-09-2010
Kudos: 2818
Solutions: 39

Re: UCRM and UNMS https same host/wan ip?

yeah, you need to get the FQDN pointed to the nginx machine.  You will also need to download the letsencrypt installer on the nginx machine and run it.  That will set up certs for you.

It's going to work like this.

from the internet, ucrm.domain.com hits nginx which has an SSL cert so the client is happy.  Nginx turns around and connects to ucrm.domain.com via the local /etc/hosts or your DNS system.

The big hurdle here is getting letsencrypt to play ball.  If you skip that part and generate your own cert and load that into nginx you can avoid it.

also, you can point nginx at the ucrm IP address and port directly and tell it to ignore the SSL error

proxy_ssl_verify off;    # do not verify the backend's certificate (this is also the nginx default)

that might be your simplest solution.

Veteran Member
Posts: 6,252
Registered: ‎02-09-2010
Kudos: 2818
Solutions: 39

Re: UCRM and UNMS https same host/wan ip?


@900mhzdude wrote:

ok so I just ran the top command and UNMS is already running nginx  so do I edit the nginx config file that UNMS already installed?


if you want, but I'd run nginx on a completely separate VM.  If you run it locally, you have to install UNMS and UCRM and change BOTH of their ports away from 80 and 443.  Then in nginx set the proxy address to localhost:alternate_port 

 

Veteran Member
Posts: 4,736
Registered: ‎05-19-2009
Kudos: 901
Solutions: 27

Re: UCRM and UNMS https same host/wan ip?

if there was just an easy way to get UNMS off of port 443 and not change the key on 700 devices 

I would be perfectly happy as we really only want UCRM public at this time but no one ever told us we needed 443 for UCRM to work for online bill pay.. (UCRM Guide has since updated to 443 is required)

Veteran Member
Posts: 6,252
Registered: ‎02-09-2010
Kudos: 2818
Solutions: 39

Re: UCRM and UNMS https same host/wan ip?

Just run everything, public and private, through the reverse proxy.
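
The setup this thread converges on (both applications on non-standard local ports, nginx on 80/443 choosing the backend by host name and holding the Let's Encrypt certificates), written out as an added example that is not from any poster or from Ubiquiti. The backend ports 8443 and 9443 are the ones suggested earlier in the thread; the file name, the `/var/www/acme` webroot and the certbot certificate paths are assumptions.

```nginx
# Added example; place in the http {} context, e.g. /etc/nginx/conf.d/ubnt.conf.
# Assumed: UCRM on 127.0.0.1:8443, UNMS on 127.0.0.1:9443 (ports suggested in
# the thread), certbot's default /etc/letsencrypt/live/ layout, and
# /var/www/acme as the ACME challenge webroot.

map $http_upgrade $connection_upgrade {    # pass WebSocket upgrades through
    default upgrade;
    ''      close;
}

# Inherited by every location below that sets no proxy_set_header of its own.
proxy_http_version 1.1;
proxy_set_header Host              $host;
proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Upgrade           $http_upgrade;
proxy_set_header Connection        $connection_upgrade;

server {                                   # port 80: ACME challenge, else redirect
    listen 80;
    server_name ucrm.domain.com unms.domain.com;
    location /.well-known/acme-challenge/ { root /var/www/acme; }
    location / { return 301 https://$host$request_uri; }
}

server {                                   # unknown names never reach a backend
    listen 443 ssl default_server;
    server_name _;
    ssl_reject_handshake on;               # needs nginx 1.19.4 or later
}

server {
    listen 443 ssl;
    server_name ucrm.domain.com;
    ssl_certificate     /etc/letsencrypt/live/ucrm.domain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/ucrm.domain.com/privkey.pem;
    # Loopback hop: nginx does not verify the backend certificate by default.
    location / { proxy_pass https://127.0.0.1:8443; }
}

server {
    listen 443 ssl;
    server_name unms.domain.com;
    ssl_certificate     /etc/letsencrypt/live/unms.domain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/unms.domain.com/privkey.pem;
    location / { proxy_pass https://127.0.0.1:9443; }
}
```

nginx will not load the 443 blocks until the certificate files exist, so enable the port-80 block first and issue each certificate with certbot's webroot mode (`certbot certonly --webroot -w /var/www/acme -d ucrm.domain.com`, then the same for the UNMS name) before adding the rest. Bind the two backends to 127.0.0.1 or firewall 8443 and 9443 so that the proxy is the only public entry point.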