Emerging Member
Posts: 74
Registered: ‎12-08-2015
Kudos: 37
Solutions: 1

UniFi Ubuntu 16.04 fully automatic Installation, NGINX Proxy & Lets Encrypt SSL on both HTTPS server

[ Edited ]

Hello Everyone.

 

Created a 1 shot bash script that does the following

  • Installs the UniFi controller (5.0.7)
  • Installs Nginx
  • Installs the EFF CertBot
  • Requests a Free LetsEncrypt certificate for your domain
  • Installs the certificate into Unifi HTTPS and Nginx
  • Configures Nginx to forward all :80 to :443
  • Configures Nginx to proxy :443 to localhost:8443
  • This script will give your NGINX proxy configuration an A+ rating with SSL Labs

 

Potential Problems:

  • If you already have an Nginx server doing other things, you might want to customise the sites-enabled/default parameter to better suit your installation
  • Slow DH generation. This can be lowered from 4096 to 2048, but that's up to you.
  • LetsEncrypt only offers a certificate valid for 3 months. Make sure renewal is working.

Configuration:

  1. Modify the top two variables. NAME is the FQDN you want to set up and EMAIL is used by LetsEncrypt to contact you if your certificate is expiring.
  2. Copy the two blocks separately and create a file in /opt for each.
  3. The first block only needs to be run as root when you are doing the setup. A subset of it can be used to enable an existing server for Lets Encrypt.
  4. The second block needs to be run as root on a schedule of 30 to 45 days. This block renews the certificates and updates the UniFi keychain.

Test Systems:

DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=16.04
DISTRIB_CODENAME=xenial
DISTRIB_DESCRIPTION="Ubuntu 16.04 LTS"
VERSION="16.04 LTS (Xenial Xerus)"

 

DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=14.04
DISTRIB_CODENAME=trusty
DISTRIB_DESCRIPTION="Ubuntu 14.04.4 LTS"

VERSION="14.04.4 LTS, Trusty Tahr"

 

INSTALLER SCRIPT: save to /opt/le.sh and make executable with chmod +x /opt/le.sh

#!/bin/sh
# One-shot installer: UniFi controller, nginx reverse proxy and a Let's Encrypt certificate.
# Run once as root after setting NAME and EMAIL.
NAME="my.fqdn.com"
EMAIL="my@email.add"

apt-get update
apt-get -y upgrade
cd /opt
rm -f unifi_sysvinit_all.deb certbot-auto
# Plain-HTTP download, and dpkg -i does no signature check: compare the package checksum
# with the one in Ubiquiti's release notes, or use the apt repository instead.
wget http://dl.ubnt.com/unifi/5.0.7/unifi_sysvinit_all.deb
wget https://dl.eff.org/certbot-auto
chmod a+x certbot-auto
dpkg -i unifi_sysvinit_all.deb
apt-get -y -f install    # pull in the dependencies dpkg could not resolve
apt-get -y install nginx

# Port 80 has to be free for the standalone http-01 challenge
service nginx stop
./certbot-auto certonly --non-interactive --agree-tos --email "$EMAIL" \
  -d "$NAME" --standalone --standalone-supported-challenges http-01
service nginx start

# Load the certificate into the controller's Java keystore (default password "aircontrolenterprise").
# -certfile adds the Let's Encrypt intermediate so clients that hit :8443 directly get a full chain too.
service unifi stop
openssl pkcs12 -export -name unifi \
  -inkey /etc/letsencrypt/live/$NAME/privkey.pem -in /etc/letsencrypt/live/$NAME/cert.pem \
  -certfile /etc/letsencrypt/live/$NAME/chain.pem \
  -out /etc/letsencrypt/live/$NAME/keys.p12 -passout pass:aircontrolenterprise
keytool -importkeystore -noprompt \
  -srckeystore /etc/letsencrypt/live/$NAME/keys.p12 -srcstoretype pkcs12 -srcstorepass aircontrolenterprise \
  -destkeystore /usr/lib/unifi/data/keystore -deststorepass aircontrolenterprise
service unifi start
# 4096-bit DH parameters take a long time to generate; 2048 is acceptable if you need it faster
openssl dhparam -out /etc/ssl/certs/dhparam.pem 4096

#NGINX PROXY
# Written as a heredoc so it behaves the same under sh and bash: $NAME is expanded by the
# shell, while \$request_uri is left for nginx (an unescaped $request_uri expands to nothing).
service nginx stop
cat > /etc/nginx/sites-enabled/default <<EOF
server {
	listen 80;
	server_name $NAME;
	return 301 https://$NAME\$request_uri;
}
server {
	listen 443 ssl default_server;
	server_name $NAME;
	ssl_dhparam /etc/ssl/certs/dhparam.pem;
	ssl_certificate /etc/letsencrypt/live/$NAME/fullchain.pem;
	ssl_certificate_key /etc/letsencrypt/live/$NAME/privkey.pem;
	ssl_session_cache   shared:SSL:10m;
	ssl_session_timeout 10m;
	keepalive_timeout   300;
	# TLSv1 and TLSv1.1 are only here for old clients; drop them if nothing you own needs them
	ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
	ssl_prefer_server_ciphers on;
	# stapling only works if nginx also has a resolver directive to look up the OCSP responder
	ssl_stapling on;
	ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA;
	add_header Strict-Transport-Security max-age=31536000;
	add_header X-Frame-Options DENY;
	error_log /var/log/unifi/nginx.log;
	proxy_cache off;
	proxy_store off;
	location / {
		proxy_set_header Referer "";
		proxy_pass https://localhost:8443;
	}
}
EOF
nginx -t && service nginx start

 

Renewal script: save to /opt/le-renew.sh and add it to root's crontab with 30 12 2 * * /opt/le-renew.sh

#!/bin/sh
# Renewal: run from root's crontab. "certbot renew" only replaces a certificate that is
# within 30 days of expiry, so a monthly run can miss the window; running weekly is safer.
NAME="my.fqdn.com"

service nginx stop
# Absolute path: cron does not start in /opt, so ./certbot-auto would not be found
/opt/certbot-auto renew --non-interactive --standalone --standalone-supported-challenges http-01
service nginx start

# Rebuild the controller keystore from whatever is now in /etc/letsencrypt/live
service unifi stop
openssl pkcs12 -export -name unifi \
  -inkey /etc/letsencrypt/live/$NAME/privkey.pem -in /etc/letsencrypt/live/$NAME/cert.pem \
  -certfile /etc/letsencrypt/live/$NAME/chain.pem \
  -out /etc/letsencrypt/live/$NAME/keys.p12 -passout pass:aircontrolenterprise
keytool -importkeystore -noprompt \
  -srckeystore /etc/letsencrypt/live/$NAME/keys.p12 -srcstoretype pkcs12 -srcstorepass aircontrolenterprise \
  -destkeystore /usr/lib/unifi/data/keystore -deststorepass aircontrolenterprise
service unifi start

 

 

Comments or Suggestions are welcome.
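A variation on the renewal block above, added here as an example and not part of the original post: a certbot deploy hook that rebuilds the UniFi keystore only when the leaf certificate has actually changed, so the controller is not stopped and started on every cron run. It assumes the paths used in the scripts above, a state file under /var/lib/unifi chosen for this example, certbot's RENEWED_LINEAGE variable (set for --deploy-hook / --renew-hook scripts) and UniFi's default keystore password.

```shell
#!/bin/sh
# Idempotent certbot deploy hook for the UniFi keystore (added example, not the OP's script).
# Re-imports the certificate only when the leaf has changed, so "certbot renew" can run
# from cron as often as you like without bouncing the controller every time.
set -e

NAME="${NAME:-my.fqdn.com}"                              # assumed FQDN, as in the scripts above
LIVE="${RENEWED_LINEAGE:-/etc/letsencrypt/live/$NAME}"   # certbot sets RENEWED_LINEAGE for hooks
KEYSTORE="/usr/lib/unifi/data/keystore"
STOREPASS="aircontrolenterprise"                         # UniFi's default keystore password
STATE="/var/lib/unifi/.le-fingerprint"                   # assumed location for the last imported fingerprint

# SHA-256 fingerprint of a PEM certificate: lowercase hex, no colons.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2 | tr -d ':' | tr 'A-F' 'a-f'
}

# True (exit 0) when fingerprint $1 differs from the one recorded in file $2,
# or when nothing has been recorded yet. Pure string logic, no openssl needed.
keystore_needs_update() {
    fp="$1"
    state="$2"
    [ -f "$state" ] || return 0
    [ "$(cat "$state")" != "$fp" ]
}

# Bundle key + leaf + intermediate chain into a PKCS#12 and replace the "unifi"
# entry in the controller keystore without any interactive prompts.
import_into_keystore() {
    p12="$(mktemp)"
    openssl pkcs12 -export -name unifi \
        -inkey "$LIVE/privkey.pem" -in "$LIVE/cert.pem" -certfile "$LIVE/chain.pem" \
        -out "$p12" -passout "pass:$STOREPASS"
    keytool -importkeystore -noprompt \
        -srckeystore "$p12" -srcstoretype pkcs12 -srcstorepass "$STOREPASS" \
        -srcalias unifi -destalias unifi \
        -destkeystore "$KEYSTORE" -deststorepass "$STOREPASS"
    rm -f "$p12"
}

main() {
    fp="$(cert_fingerprint "$LIVE/cert.pem")"
    if keystore_needs_update "$fp" "$STATE"; then
        service unifi stop
        import_into_keystore
        service unifi start
        printf '%s\n' "$fp" > "$STATE"
        echo "keystore updated to $fp"
    else
        echo "certificate unchanged ($fp); keystore left alone"
    fi
}

# Only act when certbot invokes us as a hook; sourcing the file just defines the functions.
# Usage: certbot renew --deploy-hook /opt/unifi-deploy-hook.sh   (--renew-hook on older certbot)
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    main
fi
```

certbot runs a deploy hook only after a successful renewal, and the fingerprint check makes the same script safe to call from a plain cron job after `certbot renew` as well; either way the controller is restarted only when there is a new certificate to load.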

Member
Posts: 114
Registered: ‎05-22-2014
Kudos: 34
Solutions: 1

Re: UniFi Ubuntu 16.04 fully automatic Installation, NGINX Proxy & Lets Encrypt SSL on both HTTP

This looks like quite a useful script indeed !!  Thank you for sharing, going to try this one out as soon as time permits

Member
Posts: 154
Registered: ‎05-30-2015
Kudos: 45
Solutions: 5

Re: UniFi Ubuntu 16.04 fully automatic Installation, NGINX Proxy & Lets Encrypt SSL on both HTTP

[ Edited ]

If this works as described (testing it now), this is a wonderful thing and should have a LOT more attention. 

 

*UPDATE*

 

Yep, this thing is awesome. Made deploying a DO droplet for a Unifi instance a snap. Literally. 

 

A question: Can you update the script to add a repository and use apt to install and maintain the Unifi install? This way the script is dynamic to new releases and it wouldn't need to be modified when things are updated in the future here at UBNT. 

Colter \'kohl-ter '\ vb : to be Ubiquiti noob.
Colter \'kohl-ter '\ n : The notorious "hold my beer, I got this" guy.
New Member
Posts: 11
Registered: ‎12-13-2015
Kudos: 1

Re: UniFi Ubuntu 16.04 fully automatic Installation, NGINX Proxy & Lets Encrypt SSL on both HTTP

[ Edited ]

Remember to setup your firewall if you use this in the cloud!

 

https://help.ubnt.com/hc/en-us/articles/218506997-UniFi-Ports-Used

Emerging Member
Posts: 74
Registered: ‎12-08-2015
Kudos: 37
Solutions: 1

Re: UniFi Ubuntu 16.04 fully automatic Installation, NGINX Proxy & Lets Encrypt SSL on both HTTP

[ Edited ]

Here is a basic iptables script to address FreakySquirrel's comment.

Permits inbound 8443 globally still, to provide compatibility with system generated emails. If used with the LetsEncrypt config above the security warnings will remain seamless.

 

Unless your WANs' source IPs are defined in ipUNIFI, your APs may not provision correctly and you will have no guest portal.

 

#!/bin/bash
# BASH IPTABLES FIREWALL SCRIPT
# FOR CLOUD BASED UNIFI CONTROLLERS
# THIS IS A FAIRLY PARANOID CONFIGURATION
# 20/07/2016
# Suggest you read about IPTABLES so that you understand how to implement
# these rules in your own environment.
# IPv4 only: ip6tables is left untouched, so either disable IPv6 on the host
# or add matching rules there.

# this UNIFI Controller's IP Address
SERVER[0]="1.2.3.4"

#PERMIT GLOBAL INBOUND TCP PORTS
inTCP[0]=80
inTCP[1]=443
inTCP[2]=8443

#UNIFI NETWORK PERMITTED PORTS (device inform, HTTPS, guest portal HTTP/HTTPS)
# UDP 3478 (STUN) from Ubiquiti's port list is deliberately not opened here.
ufTCP[0]=8080
ufTCP[1]=8443
ufTCP[2]=8880
ufTCP[3]=8843

#Clients to grant full access. These would usually be your trusted home/work connections
CLIENT[0]="100.1.1.1" # Work
CLIENT[1]="120.1.1.1" # Home
CLIENT[2]="121.1.1.1" # Another Server

#UNIFI ROUTED SOURCE ADDRESS If behind a NAT this will be the IP address assigned by your provider
#Add as many as required. Keeping to the standard array definition
ipUNIFI[0]="1.2.3.4" # some network with UniFi AP's behind
ipUNIFI[1]="2.2.3.4" # some network with UniFi AP's behind
ipUNIFI[2]="3.2.3.4" # some network with UniFi AP's behind


iptables -F
iptables -X
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

echo "Permit replies to accepted connections (both directions)"
iptables -A INPUT  -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

echo "Trusted clients: full access"
for s in "${SERVER[@]}"; do
  for c in "${CLIENT[@]}"; do
    iptables -A INPUT  -s "$c" -d "$s" -j ACCEPT
    iptables -A OUTPUT -d "$c" -s "$s" -j ACCEPT
  done
done

echo "Outbound DNS"
iptables -A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT

echo "Inbound UniFi device ports from networks with UniFi hardware"
for s in "${SERVER[@]}"; do
  for u in "${ipUNIFI[@]}"; do
    echo "Adding port mappings for UniFi LAN $u"
    # ufTCP, not inTCP: the original looped over inTCP here, which left ufTCP unused
    # and the inform port 8080 closed to these networks.
    for t in "${ufTCP[@]}"; do
      iptables -A INPUT -p tcp -s "$u" -d "$s" --dport "$t" -m state --state NEW -j ACCEPT
    done
  done
done

echo "Inbound GLOBAL TCP services"
for s in "${SERVER[@]}"; do
  for t in "${inTCP[@]}"; do
    echo "Adding $t/TCP to firewall incoming"
    iptables -A INPUT -p tcp -d "$s" --dport "$t" -m state --state NEW -j ACCEPT
    # outbound to the same ports is what apt, wget and certbot need
    iptables -A OUTPUT -p tcp -s "$s" --dport "$t" -m state --state NEW -j ACCEPT
  done
done

echo "SendMail"
iptables -A OUTPUT -p tcp --dport 25 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 587 -j ACCEPT

echo "Block all remaining"
iptables -A INPUT -j DROP
iptables -A OUTPUT -j DROP

Emerging Member
Posts: 74
Registered: ‎12-08-2015
Kudos: 37
Solutions: 1

Re: UniFi Ubuntu 16.04 fully automatic Installation, NGINX Proxy & Lets Encrypt SSL on both HTTP


colter wrote:

 

A question: Can you update the script to add a repository and use apt to install and maintain the Unifi install? This way the script is dynamic to new releases and it wouldn't need to be modified when things are updated in the futur


I deliberately didn't go that route. Ubiquiti's apt repositories can be disappointing at times. I've always found using dpkg -i the best way to install the unifi controller. 

 

I'll post a modified version later (updating the existing post); I should address the new version release anyway.

New Member
Posts: 11
Registered: ‎12-13-2015
Kudos: 1

Re: UniFi Ubuntu 16.04 fully automatic Installation, NGINX Proxy & Lets Encrypt SSL on both HTTP

Great work

Emerging Member
Posts: 74
Registered: ‎12-08-2015
Kudos: 37
Solutions: 1

Re: UniFi Ubuntu 16.04 fully automatic Installation, NGINX Proxy & Lets Encrypt SSL on both HTTP

If you're after the Ubiquiti apt repository installation, check out below

 

https://community.ubnt.com/t5/UniFi-Wireless/Ubuntu-single-script-LetsEncrypt-Nginx-Proxy-UniFi-5-Re...

New Member
Posts: 12
Registered: ‎01-21-2016
Solutions: 1

Re: UniFi Ubuntu 16.04 fully automatic Installation, NGINX Proxy & Lets Encrypt SSL on both HTTP

Thanks for the guide.

 

I tried your script and so far it works and I can reach the controller with "unifi.mydomain.de". But every time I try to log into the controller or make any changes when I'm already logged in and use "unifi.mydomain.de" without typing the port number, I get an error message.

 

Any idea why that might be?

Emerging Member
Posts: 74
Registered: ‎12-08-2015
Kudos: 37
Solutions: 1

Re: UniFi Ubuntu 16.04 fully automatic Installation, NGINX Proxy & Lets Encrypt SSL on both HTTP

Hi

 

What error message are you seeing?

can you possibly post a screenshot

 

You might want to give the apt repository version a go. It is a little newer.

 

Cheers

Scott

 

New Member
Posts: 12
Registered: ‎01-21-2016
Solutions: 1

Re: UniFi Ubuntu 16.04 fully automatic Installation, NGINX Proxy & Lets Encrypt SSL on both HTTP

[ Edited ]

It just says "There was an error", so nothing too specific. 

http://imgur.com/a/3Z0qm

 

I already tried the apt repository and even Ubuntu 14.04, but same result. 

However I just made an interesting discovery. Apparently it works fine in IE, Edge, Firefox but if I'm using Chrome or Vivaldi I get the error messages. What browser are you using?

 

Greetings,

Daniel 

Member
Posts: 268
Registered: ‎12-18-2015
Kudos: 91
Solutions: 3

Re: UniFi Ubuntu 16.04 fully automatic Installation, NGINX Proxy & Lets Encrypt SSL on both HTTP

[ Edited ]

Nice script, especially with the SSL certificate piece.

 

I'd suggest adding sources instead of wget'ing; that way, in future "apt update" will also bring the controller (and access point firmware) up to date as well.

Member
Posts: 154
Registered: ‎05-30-2015
Kudos: 45
Solutions: 5

Re: UniFi Ubuntu 16.04 fully automatic Installation, NGINX Proxy & Lets Encrypt SSL on both HTTP

[ Edited ]

@scobber

 

What does the update procedure for this look like? I'm attempting to update the controller and no matter the steps I take, apt or manual wget and dpkg, it breaks everything...

 

 

Colter \'kohl-ter '\ vb : to be Ubiquiti noob.
Colter \'kohl-ter '\ n : The notorious "hold my beer, I got this" guy.
Emerging Member
Posts: 74
Registered: ‎12-08-2015
Kudos: 37
Solutions: 1

Re: UniFi Ubuntu 16.04 fully automatic Installation, NGINX Proxy & Lets Encrypt SSL on both HTTP

Hi

 

I would go with

cd /opt
rm -f unifi_sysvinit_all.deb
# replace <current release> with the version you want, e.g. 5.0.7 as in the script above
wget http://dl.ubnt.com/unifi/<current release>/unifi_sysvinit_all.deb
dpkg -i unifi_sysvinit_all.deb



Wait around 10 - 20 minutes before logging in.
There is almost always a database upgrade that takes place during the startup after an upgrade; this can take some time depending on the size of the database.

Another thing you can do: in /usr/local/unifi/logs (I cannot remember the exact path) you can see where the startup is up to, in server.log I believe.

 

New Member
Posts: 5
Registered: ‎12-02-2015
Kudos: 5

Re: UniFi Ubuntu 16.04 fully automatic Installation, NGINX Proxy & Lets Encrypt SSL on both HTTP

[ Edited ]

Great post,

 

However with unifi version 5.2.9 I don't seem to get it working with the script as is.

I am able to see the login page by accessing unifi.mydomain.com.

But when I try to login (with the correct credentials) it seems that a connection with the backend could not be established.

Resulting in a: "Login error There was an error making that request. Please try again later.".

Logging in without the proxy works just fine.

After some googling around I found this post: 

https://community.ubnt.com/t5/UniFi-Wireless/Lets-Encrypt-and-UniFi-controller/m-p/1540577

in which they set additional proxy headers.

I was able to log in by adding the following lines in the "location / {" directive: 

		proxy_set_header Host $host;
		proxy_set_header X-Real-IP $remote_addr;
		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

 

this would mean that you would have to change the location directive in the script supplied above:

	location / {\n\
	proxy_set_header Referer \"\";\n\
	proxy_pass https://localhost:8443;\n\
	}\n\

with:

	location / {\n\
	proxy_set_header Referer \"\";\n\
	proxy_pass https://localhost:8443;\n\
	proxy_set_header X-Real-IP \$remote_addr;\n\
	proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;\n\
	proxy_set_header Host \$host;\n\
	}\n\

This would solve the login part (I am able to log in after enabling these changes).

However after being logged in I see that the websocket connection still fails.

To resolve this you also need to make nginx behave as a proxy for the websockets (source: https://chrislea.com/2013/02/23/proxying-websockets-with-nginx/).

 

So the location directive will look like this when websocket support is added to nginx (the $ signs stay escaped because the directive is inside the script's shell string): 

	location / {\n\
	proxy_set_header Referer \"\";\n\
	proxy_pass https://localhost:8443;\n\
	proxy_set_header X-Real-IP \$remote_addr;\n\
	proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;\n\
	proxy_set_header Host \$host;\n\
	proxy_http_version 1.1;\n\
	proxy_set_header Upgrade \$http_upgrade;\n\
	proxy_set_header Connection \"upgrade\";\n\
	}\n\

 

 

so the install script would look like this:

 

#!/bin/sh
# Installer with the extra proxy headers and websocket support in the location block.
# Run once as root after setting NAME and EMAIL.
NAME="my.fqdn.com"
EMAIL="my@email.add"

apt-get update
apt-get -y upgrade
cd /opt
rm -f unifi_sysvinit_all.deb certbot-auto
# Plain-HTTP download, and dpkg -i does no signature check: verify the package checksum
# against Ubiquiti's release notes, or use the apt repository instead.
wget http://dl.ubnt.com/unifi/5.0.7/unifi_sysvinit_all.deb
wget https://dl.eff.org/certbot-auto
chmod a+x certbot-auto
dpkg -i unifi_sysvinit_all.deb
apt-get -y -f install
apt-get -y install nginx

# Port 80 has to be free for the standalone http-01 challenge
service nginx stop
./certbot-auto certonly --non-interactive --agree-tos --email "$EMAIL" \
  -d "$NAME" --standalone --standalone-supported-challenges http-01
service nginx start

# Load the certificate (with its intermediate) into the controller keystore
service unifi stop
openssl pkcs12 -export -name unifi \
  -inkey /etc/letsencrypt/live/$NAME/privkey.pem -in /etc/letsencrypt/live/$NAME/cert.pem \
  -certfile /etc/letsencrypt/live/$NAME/chain.pem \
  -out /etc/letsencrypt/live/$NAME/keys.p12 -passout pass:aircontrolenterprise
keytool -importkeystore -noprompt \
  -srckeystore /etc/letsencrypt/live/$NAME/keys.p12 -srcstoretype pkcs12 -srcstorepass aircontrolenterprise \
  -destkeystore /usr/lib/unifi/data/keystore -deststorepass aircontrolenterprise
service unifi start
openssl dhparam -out /etc/ssl/certs/dhparam.pem 4096

#NGINX PROXY
# Heredoc: $NAME is expanded by the shell, \$... is left for nginx.
service nginx stop
cat > /etc/nginx/sites-enabled/default <<EOF
server {
	listen 80;
	server_name $NAME;
	return 301 https://$NAME\$request_uri;
}
server {
	listen 443 ssl default_server;
	server_name $NAME;
	ssl_dhparam /etc/ssl/certs/dhparam.pem;
	ssl_certificate /etc/letsencrypt/live/$NAME/fullchain.pem;
	ssl_certificate_key /etc/letsencrypt/live/$NAME/privkey.pem;
	ssl_session_cache   shared:SSL:10m;
	ssl_session_timeout 10m;
	keepalive_timeout   300;
	ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
	ssl_prefer_server_ciphers on;
	ssl_stapling on;
	ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA;
	add_header Strict-Transport-Security max-age=31536000;
	add_header X-Frame-Options DENY;
	error_log /var/log/unifi/nginx.log;
	proxy_cache off;
	proxy_store off;
	location / {
		proxy_set_header Referer "";
		proxy_pass https://localhost:8443;
		proxy_set_header X-Real-IP \$remote_addr;
		proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
		proxy_set_header Host \$host;
		# websocket support: HTTP/1.1 plus the Upgrade/Connection pair
		proxy_http_version 1.1;
		proxy_set_header Upgrade \$http_upgrade;
		proxy_set_header Connection "upgrade";
	}
}
EOF
nginx -t && service nginx start

 

edited: to fix minor typos and add the change that solves the websocket connect error
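The location block above written as plain nginx configuration, added here as an example and not code from the original post: it uses the `map` idiom from the nginx documentation so that only a real WebSocket handshake gets `Connection: upgrade` (the unconditional `Connection "upgrade"` above is sent on every proxied request), spells the forwarded-for header the standard way, and raises nginx's default 60-second upstream read timeout, which otherwise closes a proxied connection that has been silent for a minute. The hostname, certificate paths and timeout value are assumptions for this example.

```nginx
# Added example (not code from the original post): the proxy location as plain nginx
# configuration, no shell escaping. The map sets Connection: upgrade only on real
# WebSocket handshakes; hostname, cert paths and timeout are assumptions for this example.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

server {
    listen 443 ssl;
    server_name unifi.example.com;                                   # assumed hostname
    ssl_certificate     /etc/letsencrypt/live/unifi.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/unifi.example.com/privkey.pem;

    location / {
        proxy_pass https://localhost:8443;
        proxy_http_version 1.1;                   # required for the WebSocket upgrade
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;   # standard header name
        proxy_set_header Referer "";
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_read_timeout 3600s;                 # default is 60s; an idle WebSocket would be cut
    }
}
```

Because `sites-enabled/default` is included inside nginx's `http {}` block, the `map` can sit at the top of that file, ahead of the `server` block that uses it.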

New Member
Posts: 19
Registered: ‎05-08-2016
Kudos: 24
Solutions: 1

Re: UniFi Ubuntu 16.04 fully automatic Installation, NGINX Proxy & Lets Encrypt SSL on both HTTP

[ Edited ]

I've updated the script slightly for Ubuntu 16.04 (echo is also unreliable at times) to use the official letsencrypt package and also install the latest UniFi controller - so you can quickfire the whole process with an up-to-date installation:

 

#!/bin/sh
# Script source used from https://community.ubnt.com/t5/UniFi-Wireless/UniFi-Ubuntu-16-04-fully-automatic-Installation-NGINX-Proxy-amp/td-p/1596848
# Run as root. Uses apt-get rather than apt, whose CLI is not meant for scripts.

# Edit these following 2 lines:
NAME="my.fqdn.com"
EMAIL="my@email.add"

# Comment out the following block if you already have the UniFi software installed.
# Note - the UniFi software requires at least 20GiB disk space.
echo "deb http://www.ubnt.com/downloads/unifi/debian unifi5 ubiquiti" > /etc/apt/sources.list.d/unifi.list
# C0A52C50 is a short key ID, which is not collision resistant; check the full fingerprint
# of the imported key with "apt-key finger" before trusting the repository.
apt-key adv --keyserver keyserver.ubuntu.com --recv C0A52C50
apt-get update
apt-get -y install unifi

# Script Start...
apt-get update
apt-get -y upgrade
apt-get -y -f install
apt-get -y install nginx letsencrypt

# Port 80 has to be free for the standalone http-01 challenge
service nginx stop
letsencrypt certonly --non-interactive --agree-tos --email "$EMAIL" \
  -d "$NAME" --standalone --standalone-supported-challenges http-01
service nginx start

# Load the certificate (with its intermediate) into the controller keystore
service unifi stop
openssl pkcs12 -export -name unifi \
  -inkey /etc/letsencrypt/live/$NAME/privkey.pem -in /etc/letsencrypt/live/$NAME/cert.pem \
  -certfile /etc/letsencrypt/live/$NAME/chain.pem \
  -out /etc/letsencrypt/live/$NAME/keys.p12 -passout pass:aircontrolenterprise
keytool -importkeystore -noprompt \
  -srckeystore /etc/letsencrypt/live/$NAME/keys.p12 -srcstoretype pkcs12 -srcstorepass aircontrolenterprise \
  -destkeystore /usr/lib/unifi/data/keystore -deststorepass aircontrolenterprise
service unifi start
openssl dhparam -out /etc/ssl/certs/dhparam.pem 4096

#NGINX PROXY
# Heredoc instead of printf: no escape handling to get wrong, and $NAME is still expanded.
# The X-Frame-Options / X-XSS-Protection headers live inside the server block, because
# nginx does not inherit add_header from the http level once the server level sets any.
service nginx stop
cat > /etc/nginx/sites-enabled/default <<EOF
server_tokens off;
server {
	listen 80;
	server_name $NAME;
	return 301 https://$NAME\$request_uri;
}
server {
	listen 443 ssl default_server http2;
	server_name $NAME;
	ssl_dhparam /etc/ssl/certs/dhparam.pem;
	ssl_certificate /etc/letsencrypt/live/$NAME/fullchain.pem;
	ssl_certificate_key /etc/letsencrypt/live/$NAME/privkey.pem;
	ssl_session_cache   shared:SSL:10m;
	ssl_session_timeout 10m;
	keepalive_timeout   300;
	ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
	ssl_prefer_server_ciphers on;
	ssl_stapling on;
	ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA;
	add_header Strict-Transport-Security max-age=31536000;
	add_header X-Frame-Options DENY;
	add_header X-XSS-Protection "1; mode=block";
	error_log /var/log/unifi/nginx.log;
	proxy_cache off;
	proxy_store off;
	location / {
		proxy_set_header Referer "";
		proxy_pass https://localhost:8443;
		proxy_set_header Host \$host;
		proxy_set_header X-Real-IP \$remote_addr;
		proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
		proxy_http_version 1.1;
		proxy_set_header Upgrade \$http_upgrade;
		proxy_set_header Connection "upgrade";
	}
}
EOF
nginx -t && service nginx start

I have an installation guide on my blog Here. Thanks to the OP for getting me started with this! I originally had a guide to do everything manually which people were having a few issues with.

New Member
Posts: 5
Registered: ‎12-02-2015
Kudos: 5

Re: UniFi Ubuntu 16.04 fully automatic Installation, NGINX Proxy & Lets Encrypt SSL on both HTTP

A small update for using the PPA to install unifi: instead of commenting out the four lines, you can check whether the PPA has already been added (which indicates that the script has already been run):

UBNT_PPA="deb http://www.ubnt.com/downloads/unifi/debian stable ubiquiti"
# -F: match the line literally, not as a regular expression
if ! grep -qF "$UBNT_PPA" /etc/apt/sources.list /etc/apt/sources.list.d/*; then
    echo "$UBNT_PPA" > /etc/apt/sources.list.d/unifi.list
    apt-key adv --keyserver keyserver.ubuntu.com --recv C0A52C50
    apt-get update
    apt-get -y install unifi
fi
New Member
Posts: 19
Registered: ‎05-08-2016
Kudos: 24
Solutions: 1

Re: UniFi Ubuntu 16.04 fully automatic Installation, NGINX Proxy & Lets Encrypt SSL on both HTTP

I was thinking of doing that; however, if the person has manually installed the UniFi software (via dpkg -i /path/to/unifi.deb or via the tarball) they may experience problems or an unwanted upgrade. This way it prevents false positives as, believe me, I've seen some strange UniFi software installations...

 

Could possibly edit the script to check for mongodb and the existence of a UniFi database and base it off that, as it would prevent an unwanted upgrade.

Emerging Member
Posts: 74
Registered: ‎12-08-2015
Kudos: 37
Solutions: 1

Re: UniFi Ubuntu 16.04 fully automatic Installation, NGINX Proxy & Lets Encrypt SSL on both HTTP

[ Edited ]


# find / -name unifi

comes to mind

New Member
Posts: 32
Registered: ‎05-13-2016
Kudos: 1

Re: UniFi Ubuntu 16.04 fully automatic Installation, NGINX Proxy & Lets Encrypt SSL on both HTTP

[ Edited ]

I'm not getting the login working. Can someone help me in the right direction? Running Ubuntu 16.04 and nginx, Unifi 5.2.29.

 

server {
    server_name ubiquiti.mycontroller.com;
    access_log /var/log/nginx/ubiquiti.mycontroller.com/access.log.gz combined gzip flush=30m;

    listen 80 default_server;
    listen [::]:80 default_server;

    listen 443 ssl; # managed by Certbot

    ssl_certificate /etc/letsencrypt/live/ubiquiti.mycontroller.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/ubiquiti.mycontroller.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

    if ($scheme != "https") {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    add_header Strict-Transport-Security max-age=31536000;
    add_header X-Frame-Options DENY;
    error_log /var/log/unifi/nginx.log;
    proxy_cache off;
    proxy_store off;

    location / {
        # The \" and \$ escapes in the shell scripts above are shell syntax only;
        # in a file nginx reads directly they must be plain quotes and plain $variables.
        proxy_set_header Referer "";
        proxy_pass https://localhost:8443;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $host;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}

 
