Emerging Member
Posts: 58
Registered: 08-08-2014
Kudos: 6
Solutions: 3

UniFi Controller, AWS, and SSL.

Hello Community,

I wish to note that I've searched the forums before posting this thread. I've looked on the Internet and followed every relevant suggestion. Ubiquiti support is frustrating. I welcome any positive suggestion offered by the community here!

History

I have a UniFi Controller (Version 3.2.1) deployed to an AWS instance with an elastic IP address of XX.XX.XXX.XX. I've registered www.example.com that's parked with GoDaddy and created an A Record mapping a subdomain unifi.example.com to XX.XX.XXX.XX.

I created and installed an SSL certificate on the AWS server for unifi.example.com and can confirm a successful login to https://unifi.example.com:8443/manage. Visits to http://unifi.example.com:8080/ successfully redirect to https://unifi.example.com:8443/manage as well.

Ultimately, I would like to direct all HTTP traffic to HTTPS on port 443 - so if an end user types in http://unifi.example.com or https://unifi.example.com they are prompted for login credentials.

As a baby step, I am interested in just getting all traffic on port 80 to be redirected to http://unifi.example.com:8080/ then https://unifi.example.com:8443/ and all traffic on port 443 to be redirected to https://unifi.example.com:8443.

Attempted Steps

I've attempted to modify the system.properties file, restarted the controller, and failed:

Changed from:

...
# old values
# unifi.http.port=8080
# unifi.https.port=8443

# new values
unifi.http.port=80
unifi.https.port=443
...

or

...
# old values
# unifi.http.port=8080
# unifi.https.port=8443

# Attempting to see if ports under 1024 are the issue.
unifi.http.port=8000
unifi.https.port=8443
...

Services always restarted fine. No port-binding errors in the server.log file. Browser just spins.

Second, I've attempted to modify the web.xml file by adding the following security constraints:

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>secured</web-resource-name>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint> <!-- container redirects plain HTTP to HTTPS -->
    </security-constraint>

But I cannot find a server.xml file to add a </Connector> tag. Funny thing too - Ubiquiti Support cannot tell me if the file exists either. It certainly isn't in the expected location of $UNIFI_HOME/conf/. Has this changed in 3.2.1?

Third, I've attempted to use iptables on the AWS server.

sudo iptables -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT
sudo iptables -A INPUT -i eth0 -p tcp --dport 8080 -j ACCEPT
sudo iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080

The hope was that traffic would route to 8080 and then 8443. It did not work so I issued the following command:

sudo iptables -D PREROUTING -t nat -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080

Help please?

Thanks,

Daniel


Accepted Solutions
Emerging Member
Posts: 58
Registered: 08-08-2014
Kudos: 6
Solutions: 3

Re: UniFi Controller, AWS, and SSL.

All,

I'm following up on this thread to provide my resolution for those who might be facing similar challenges to those previously described.

The answer was to create an Amazon Security Group and apply it to the Ubiquiti AWS instance.

Inbound:

Type             Protocol  Port range  Source
Custom UDP Rule  UDP       3478        0.0.0.0/0
Custom TCP Rule  TCP       8080        0.0.0.0/0
Custom TCP Rule  TCP       8843        0.0.0.0/0
SSH              TCP       22          0.0.0.0/0
HTTP             TCP       80          0.0.0.0/0
Custom TCP Rule  TCP       8880        0.0.0.0/0
Custom TCP Rule  TCP       8443        0.0.0.0/0
HTTPS            TCP       443         0.0.0.0/0

Outbound:

Type         Protocol  Port range  Destination
All traffic  All       All         0.0.0.0/0

Finally, modify the /var/lib/unifi/system.properties file on the EC2 instance from:

...
# old values
# unifi.http.port=8080
# unifi.https.port=8443

# new values
unifi.http.port=80
unifi.https.port=443
... 

and restart the controller:

service unifi restart

Thanks,

D Nguyen.



All Replies
Regular Member
Posts: 692
Registered: 04-08-2013
Kudos: 389
Solutions: 65

Re: UniFi Controller, AWS, and SSL.

I don't have an easy way to duplicate this for testing, but here are a few things to look at.

On my (non-AWS) system, a normal install does have Tomcat listening at 8080 and 8443. The associated java process is uid root, so any ports should work. After altering the system.properties file, does «netstat -tlnp» indicate the ports are in use by UniFi? Either with the defaults or the altered ones? Be aware that Tomcat can take several minutes to get going after service start. If the desired ports are in use, what happens if you issue a «curl -Ii http://localhost:80/» e.g.?

Second, I have (v3.2.1) no server.xml either: just /usr/lib/unifi/webapps/ROOT/WEB-INF/web.xml and /usr/lib/unifi/webapps/ROOT/BasicSCPD.xml.

Third, try a -I rather than -A to add the PREROUTING rule. Check the entire PREROUTING rule set (and perhaps more) to see if the rule is preempted by something else. Also, if you are using ufw, augment the rules with the alternate ports you intend to use. Ditto for the instance security group.

Fourth, you could try Apache HTTP Server as a front end using ProxyPass and ProxyPassReverse to redirect to Tomcat. In any case, verify redirects are working using the «curl -Ii» method.
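The «curl -Ii» verification suggested above, as an added Python example that is not from the thread: it follows the redirect chain one hop at a time, using a constructed stand-in for unifi.example.com so it runs offline (the :80 -> :8080 -> :8443/manage hops are the ones the original post describes); live_fetch does the same against a real host.

```python
"""Walk a controller's redirect chain hop by hop, like «curl -Ii» per hop."""
import ssl, urllib.error, urllib.request
from urllib.parse import urljoin

REDIRECTS = (301, 302, 303, 307, 308)

def next_hop(url, status, headers):
    """URL the response sends us to, or None when the response is final.
    Relative Location values are resolved against the current URL."""
    if status not in REDIRECTS:
        return None
    loc = next((v for k, v in headers.items() if k.lower() == "location"), None)
    return urljoin(url, loc) if loc else None

def follow_chain(url, fetch, max_hops=5):
    """Visit hops with fetch(url) -> (status, headers); return [(url, status), ...].
    A URL seen twice is recorded as a 'loop' and the walk stops."""
    chain, seen = [], set()
    while url and len(chain) < max_hops:
        if url in seen:
            chain.append((url, "loop"))
            break
        seen.add(url)
        status, headers = fetch(url)
        chain.append((url, status))
        url = next_hop(url, status, headers)
    return chain

class _NoFollow(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # surface the 3xx to the caller instead of following it

def live_fetch(url, timeout=10):
    """One HEAD request with TLS verification on; a 3xx arrives as HTTPError."""
    opener = urllib.request.build_opener(
        _NoFollow, urllib.request.HTTPSHandler(context=ssl.create_default_context()))
    try:
        with opener.open(urllib.request.Request(url, method="HEAD"), timeout=timeout) as r:
            return r.status, dict(r.headers)
    except urllib.error.HTTPError as e:
        return e.code, dict(e.headers)

def fake_controller(url):
    """Constructed stand-in for unifi.example.com as set up in this thread:
    :80 -> :8080 -> :8443/manage (the controller itself performs the second hop)."""
    table = {
        "http://unifi.example.com/": (302, {"Location": "http://unifi.example.com:8080/"}),
        "http://unifi.example.com:8080/": (302, {"Location": "https://unifi.example.com:8443/manage"}),
        "https://unifi.example.com:8443/manage": (200, {"Content-Type": "text/html"}),
    }
    return table.get(url, (404, {}))
```

Call follow_chain("http://unifi.example.com/", live_fetch) against the real host and expect the same three hops; a chain that ends on port 80 or 8080 with a 200 means the redirect is not in place.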


New Member
Posts: 5
Registered: 07-07-2017

Re: UniFi Controller, AWS, and SSL.

Thanks for this. But for all those who might go down this path, this will also change the inform port, meaning you'll have to update all the devices connected to the cloud controller to point to https://domain.com:80/inform instead of https://domain.com:8080/inform. Lucky for me I have VPN access to all my sites, which allowed me to update the inform URLs for each device manually. So just a warning to update those inform URLs first.
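An added example (not from the thread) tying the accepted solution's system.properties change to the inform-port caveat in the reply above: it parses the exact fragment posted in the solution and derives the effective ports, the inform URL adopted devices must be pointed at, and which of the new ports need root (or CAP_NET_BIND_SERVICE) to bind; the host name unifi.example.com is taken from the original post.

```python
"""Derive ports, inform URL and bind privileges from a UniFi system.properties."""
DEFAULTS = {"unifi.http.port": 8080, "unifi.https.port": 8443}

# The fragment posted in the accepted solution: the old values stay commented out.
THREAD_SAMPLE = """\
# old values
# unifi.http.port=8080
# unifi.https.port=8443

# new values
unifi.http.port=80
unifi.https.port=443
"""

def parse_properties(text):
    """Minimal Java-properties reader: '#'/'!' lines are comments, blank lines
    are skipped, and a key repeated later in the file wins."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def effective_ports(props):
    """Apply the controller defaults for any port key the file does not set."""
    ports = {}
    for key, default in DEFAULTS.items():
        value = props.get(key, default)
        if not str(value).isdigit() or not 1 <= int(value) <= 65535:
            raise ValueError(f"{key}: {value!r} is not a valid TCP port")
        ports[key] = int(value)
    return ports

def inform_url(host, ports):
    """Devices inform over plain HTTP on unifi.http.port, so changing that key
    changes the URL every adopted device must be re-pointed to."""
    return f"http://{host}:{ports['unifi.http.port']}/inform"

def privileged_ports(ports):
    """Ports below 1024 can only be bound by root or with CAP_NET_BIND_SERVICE."""
    return sorted(p for p in ports.values() if p < 1024)
```

With the thread's fragment the inform URL moves from http://unifi.example.com:8080/inform to http://unifi.example.com:80/inform, and both new ports are privileged, which is why the controller process needs root to bind them.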
