Regular Member
Posts: 687
Registered: ‎01-23-2016
Kudos: 131
Solutions: 12

All unifi controller ports behind reverse proxy

Anybody ever tried putting all of the UniFi controller ports behind a reverse proxy?
Concrete case: I have a client that hosts a controller in a datacenter.
Policy says no single server may be reachable directly from the internet on any port.

They have about 30 smaller and bigger sites around Europe.

Of course the standard admin ports are a breeze; STUN and others have proven problematic.
Regular Member
Posts: 687
Registered: ‎01-23-2016
Kudos: 131
Solutions: 12

Re: All unifi controller ports behind reverse proxy

Bump, anyone?

@UBNT-jeff... do you have any clue if this would be possible?
Regular Member
Posts: 687
Registered: ‎01-23-2016
Kudos: 131
Solutions: 12

Re: All unifi controller ports behind reverse proxy

Bump, anyone?
Ubiquiti Employee
Posts: 3,910
Registered: ‎01-11-2016
Kudos: 1160
Solutions: 29

Re: All unifi controller ports behind reverse proxy

@audio-catalyst Our HTTP is not 100% standard yet, so while I can't give a reason why it wouldn't work, I also haven't tried it myself. But it's worth a try :)
Want to try out new features or fixes before they're released as Stable? Sign up for Beta here: https://help.ubnt.com/hc/en-us/articles/204908664-How-To-Signup-for-Beta-Access
Having connectivity issues? See: https://help.ubnt.com/hc/en-us/articles/221029967-UniFi-Debugging-Intermittent-Connectivity-Issues-on-your-UAP
Regular Member
Posts: 687
Registered: ‎01-23-2016
Kudos: 131
Solutions: 12

Re: All unifi controller ports behind reverse proxy

Gonna try, and will report back :)
Emerging Member
Posts: 61
Registered: ‎04-11-2017
Kudos: 7
Solutions: 1

Re: All unifi controller ports behind reverse proxy

Hi,

I have all default ports running over nginx, but not STUN. I've had no problems running two UniFi controllers over the same public IP. I really need a solution for the STUN port, but nginx is only capable of DNS (UDP) load balancing. Maybe it is possible with HAProxy, because at the moment only one of the controllers has a PAT for STUN.

Regular Member
Posts: 687
Registered: ‎01-23-2016
Kudos: 131
Solutions: 12

Re: All unifi controller ports behind reverse proxy

I concur, I haven't been able to get STUN working.

Now looking at a different, and more secure, reverse proxy to see if I can get it working through that.

If interested: www.hiawatha-webserver.org
Member
Posts: 139
Registered: ‎06-13-2013
Kudos: 60
Solutions: 1

Re: All unifi controller ports behind reverse proxy

Anyone ever manage to get this done?

Could nginx compiled with the stream module work for the UDP STUN traffic?

Did anyone successfully get the inform traffic to proxy through nginx?

Regular Member
Posts: 687
Registered: ‎01-23-2016
Kudos: 131
Solutions: 12

Re: All unifi controller ports behind reverse proxy

Sure, have it running here, on 2 nginxes running VRRP.
Member
Posts: 139
Registered: ‎06-13-2013
Kudos: 60
Solutions: 1

Re: All unifi controller ports behind reverse proxy

Would you mind sharing your nginx configuration for the inform and STUN portions?

Emerging Member
Posts: 61
Registered: ‎04-11-2017
Kudos: 7
Solutions: 1

Re: All unifi controller ports behind reverse proxy

I have not implemented this for UniFi yet, but with the latest nginx I was able to proxy UDP VoIP traffic without any problems. It is currently on my agenda and should work just fine. You need to use version 1.15.x.

Regular Member
Posts: 687
Registered: ‎01-23-2016
Kudos: 131
Solutions: 12

Re: All unifi controller ports behind reverse proxy

Make very sure you install the nginx-extras package.

Below the site config:

# Plain HTTP listeners that redirect to the TLS vhost. A client that speaks TLS
# to one of these ports will not get the redirect (its handshake is not an HTTP request).
server {
    server_name unifi.fqdn.ext;
    listen 80;
    return 301 https://unifi.fqdn.ext$request_uri;
}
server {
    server_name unifi.fqdn.ext;
    listen 8880;
    return 301 https://unifi.fqdn.ext$request_uri;
}
server {
    server_name unifi.fqdn.ext;
    listen 8443;
    return 301 https://unifi.fqdn.ext$request_uri;
}

server {
    server_name unifi.fqdn.ext;
    listen 8080;
    return 301 https://unifi.fqdn.ext$request_uri;
}

server {
    server_name unifi.fqdn.ext;
    listen 443 ssl http2; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/fqdn.nl/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/fqdn.nl/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
    ssl_session_cache shared:SSL:10m;
    access_log /var/log/nginx/unifi.fqdn.ext.access.log combined;
    error_log /var/log/nginx/unifi.fqdn.ext.error.log;
    add_header Strict-Transport-Security max-age=31536000;
    add_header X-Frame-Options DENY;
    # Caching applies to the admin UI as well; nginx honours upstream Cache-Control
    # and by default does not cache responses carrying Set-Cookie.
    proxy_cache my-cache;
    proxy_cache_bypass $http_cache_control;
    #proxy_store on;
    location / {
        include /etc/nginx/proxy_params;

        proxy_pass https://192.168.x.x:8443$request_uri;

        # WebSocket upgrade (live UI updates) needs HTTP/1.1 towards the controller
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
    }

    # Disabled alternative: expose 8880 as a proxied vhost instead of a redirect
    #server {
    #    listen 8880;
    #    server_name unifi.fqdn.ext;
    #
    #    location / {
    #        include /etc/nginx/proxy_params;
    #
    #        proxy_pass https://192.168.x.x:8443$request_uri;
    #
    #        proxy_set_header Upgrade $http_upgrade;
    #        proxy_set_header Connection "Upgrade";
    #    }
    #}

    # Disabled alternative: TLS listener on 8843 (guest portal HTTPS port)
    #server {
    #    listen 8843 ssl;
    #    server_name unifi.fqdn.ext;
    #
    #    ssl_certificate /etc/letsencrypt/live/fqdn.nl/fullchain.pem; # managed by Certbot
    #    ssl_certificate_key /etc/letsencrypt/live/fqdn.nl/privkey.pem; # managed by Certbot
    #    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    #    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
    #    # ssl_session_cache shared:SSL:10m;
    #    #ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
    #    #ssl_session_timeout 1d;
    #    #ssl_session_cache shared:SSL:50m;
    #    #ssl_stapling on;
    #    #ssl_stapling_verify on;
    #    add_header Strict-Transport-Security max-age=15768000;
    #
    #    location / {
    #        proxy_pass http://192.168.x.16:8843/;
    #        include /etc/nginx/proxy_params;
    #    }
    #
    #}
}

Member
Posts: 139
Registered: ‎06-13-2013
Kudos: 60
Solutions: 1

Re: All unifi controller ports behind reverse proxy

Thanks for sharing this.

I'm a bit confused about how the inform URL is working on 8080, as it appears you are redirecting it to 443 and then passing that back to the UniFi server on 8443? Can you clarify how this works?

Also, how are you handling the UDP STUN packets? Do you have that in a different configuration file perhaps?

Thanks again for your time, and willingness to share this.

Regards,

Jason

Emerging Member
Posts: 61
Registered: ‎04-11-2017
Kudos: 7
Solutions: 1

Re: All unifi controller ports behind reverse proxy

Yeah, this cannot work. He may have a separate PAT for anything else. This part is just for the web service to be available via the proxy, but not inform or STUN.

Regarding STUN, you have to use the stream module outside of the http block. At the moment I have no time to post my config due to vacation, but have a look at the stream module with ssl_preread server name.

It won't work to just post a config without any further knowledge of nginx.

Cheers, Timo
Regular Member
Posts: 687
Registered: ‎01-23-2016
Kudos: 131
Solutions: 12

Re: All unifi controller ports behind reverse proxy

I suggest you guys do a bit of searching through the forums or the internet.

I can very much assure you this DOES work, and has done so for the better part of 1 year:

nginx.conf

events {
    worker_connections 768;
    multi_accept on;
}

# stream context (TCP/UDP proxying) lives outside http; per-port configs are included here
stream {
    include /etc/nginx/stream.conf.d/*.conf;
}

http {

    ##
    # Basic Settings
    ##
    set_real_ip_from 127.0.0.1;
    real_ip_header X-Forwarded-For;
    server_tokens off;
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;
    server_names_hash_bucket_size 64;
    server_name_in_redirect off;
    # more_set_headers comes from the headers-more module (part of nginx-extras)
    more_set_headers "Server: SimpelHTTPServer";
    #more_clear_headers   "Content-Type: ";
    #more_clear_headers   "Accept-Ranges: ";
    #more_clear_headers   "Content-Length: ";

    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    ##
    # SSL Settings
    ##

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
    ssl_prefer_server_ciphers on;

    ##
    # Logging Settings
    ##

    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;

    ##
    # Gzip Settings
    ##
    gzip on;
    gzip_disable "msie6";
    gzip_vary on;
    gzip_proxied expired no-cache no-store private auth;
    # compression level
    gzip_comp_level 6;
    gzip_min_length 1000;
    gzip_buffers 16 8k;
    gzip_http_version 1.1;
    # files to gzip
    # Compress all output labeled with one of the following MIME-types.
    # text/html is always compressed by gzip module.
    # Default: text/html
    gzip_types
        application/atom+xml
        application/javascript
        application/json
        application/ld+json
        application/manifest+json
        application/rss+xml
        application/vnd.geo+json
        application/vnd.ms-fontobject
        application/x-font-ttf
        application/x-web-app-manifest+json
        application/xhtml+xml
        application/xml
        font/opentype
        image/bmp
        image/svg+xml
        image/x-icon
        text/cache-manifest
        text/css
        text/plain
        text/vcard
        text/vnd.rim.location.xloc
        text/vtt
        text/x-component
        text/x-cross-domain-policy;

    ##
    # Caching settings
    ##
    proxy_cache_path /nginx-cache levels=1:2 keys_zone=my-cache:60m max_size=1G inactive=600m;
    proxy_cache_key "$scheme$request_method$host$request_uri$is_args$args";
    proxy_cache_valid 200 302 10m;
    proxy_cache_valid 404 1m;
    #proxy_temp_path /nginx-cache;

    ##
    # Virtual Host Configs
    ##
    ##
    # Hardening options
    ############################################################################
    # Note: add_header is not inherited by a server/location block that defines
    # its own add_header, so these must be repeated there to take effect.
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
    ############################################################################

    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;
}

Be aware there is more config in the includes, which I, for obvious reasons, will not share.

Member
Posts: 139
Registered: ‎06-13-2013
Kudos: 60
Solutions: 1

Re: All unifi controller ports behind reverse proxy

Would you mind posting the port 8080 inform and STUN UDP portion?

I'm assuming they are under this include:

stream {
    include /etc/nginx/stream.conf.d/*.conf;
}

I have nginx compiled from source and I have included some of the stream modules in the current build. So I'm hoping that with some examples of the stream configs I can get this sorted out.

I'm actually going to recompile from the latest stable version to the latest mainline version so I can get some additional functionality around having raw TCP and HTTP/S traffic reside on the same port, for another application I'm also attempting to proxy through this same nginx server. So if there is something specific that you think I might be missing in the modules, I can add them.

Member
Posts: 139
Registered: ‎06-13-2013
Kudos: 60
Solutions: 1

Re: All unifi controller ports behind reverse proxy

In case someone else comes across this and is interested: I was able to get this working with nginx.

You'll need to compile nginx from source and make sure you add the relevant stream modules. I have a bunch of different include config files beyond what is shown here, so where this code goes may vary depending on how you have things set up. There's obviously a lot more involved with setting up the SSL certificates and nginx, but this is the configuration that is specifically relevant to getting the entire UniFi Controller working behind an nginx proxy. I can confirm speed tests, debug terminals, and everything seem to be fully functional, performance is good, and I was able to fine-tune SSL settings to get an A+ Qualys SSL Labs rating.

This section needs to be inside your http context, i.e. http { }

server {
    listen xxx.xxx.xxx.xxx:443 ssl http2;
    server_name unifi.yourdomain.com;
    ssl_certificate /etc/nginx/acme.sh/yourdomain.com/fullchain.pem;
    ssl_certificate_key /etc/nginx/acme.sh/yourdomain.com/key.pem;

    # Include global SSL settings
    include /etc/nginx/conf.d/ssl;

    location / {
        proxy_pass      https://xxx.xxx.xxx.xxx:8443/;
        proxy_redirect  https://xxx.xxx.xxx.xxx:8443/ /;
        proxy_buffering off;

        proxy_read_timeout 60s;

        proxy_set_header          Host            $host;
        proxy_set_header          X-Real-IP       $remote_addr;
        proxy_set_header          X-Forwarded-For $proxy_add_x_forwarded_for;

        # HTTP/1.1 plus the Upgrade/Connection headers carry the controller's WebSockets
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
    }
}

This section needs to be outside the http context and in your stream context, i.e. stream { }

# Unifi STUN UDP Traffic
upstream unifi_stun {
    server xxx.xxx.xxx.xxx:3478;
}

server {
    listen 3478 udp;
    proxy_pass unifi_stun;
    # STUN is one request, one answer: relay exactly one datagram back to the device
    proxy_responses 1;
    error_log /var/log/nginx/unifi_stun.log;
}

# Unifi Inform Traffic
upstream unifi_inform {
    server xxx.xxx.xxx.xxx:8080;
}

server {
    listen 8080;
    proxy_pass unifi_inform;
    error_log /var/log/nginx/unifi_inform.log;
}
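A check for the UDP STUN leg of this setup, added here as an example and not part of the post or of UniFi/nginx: it sends a STUN Binding Request to the proxy's `listen 3478 udp` server and validates the Binding Response header (magic cookie, transaction id, length), which is the single datagram that `proxy_responses 1` relays back. The proxy hostname `unifi.yourdomain.com` is the placeholder from the config above, and `probe_stun`/`parse_stun_header` are names chosen for this example.

```python
import os
import socket
import struct

# Added example (not from the thread); the proxy hostname in __main__ is an assumption.
STUN_MAGIC_COOKIE = 0x2112A442
BINDING_REQUEST = 0x0001
BINDING_SUCCESS = 0x0101
HEADER_LEN = 20


def build_binding_request(txn_id):
    """Return a 20-byte RFC 5389 Binding Request with no attributes."""
    if len(txn_id) != 12:
        raise ValueError("transaction id must be 12 bytes")
    return struct.pack("!HHI", BINDING_REQUEST, 0, STUN_MAGIC_COOKIE) + txn_id


def parse_stun_header(data, expected_txn_id):
    """Validate a STUN header; return (msg_type, attr_len) or raise ValueError."""
    if len(data) < HEADER_LEN:
        raise ValueError("datagram shorter than STUN header")
    msg_type, attr_len, cookie = struct.unpack("!HHI", data[:8])
    if cookie != STUN_MAGIC_COOKIE:
        raise ValueError("not STUN (bad magic cookie)")
    if data[8:20] != expected_txn_id:
        raise ValueError("transaction id mismatch (stray or replayed datagram)")
    if len(data) != HEADER_LEN + attr_len:
        raise ValueError("length field does not match datagram size")
    return msg_type, attr_len


def probe_stun(host, port=3478, timeout=2.0):
    """Send one Binding Request via the proxy; True on a valid success reply."""
    # One request, one reply: exactly what 'proxy_responses 1' in the stream config passes.
    txn_id = os.urandom(12)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_binding_request(txn_id), (host, port))
        try:
            data, _ = sock.recvfrom(1500)
        except socket.timeout:
            return False  # proxy or controller silent: check 'listen 3478 udp' and firewall
    return parse_stun_header(data, txn_id)[0] == BINDING_SUCCESS


if __name__ == "__main__":
    # Assumed proxy hostname; per the policy in this thread the controller itself should not answer.
    print("STUN via proxy:", "OK" if probe_stun("unifi.yourdomain.com") else "FAILED")
```

Run it once against the proxy's public name and once against the controller's real address: the first should print OK and the second should time out if the "no direct reachability" policy is actually enforced.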