Created
September 4, 2019 20:24
-
-
Save BrianSidebotham/401b1fd21a446196c9db0f030f33244f to your computer and use it in GitHub Desktop.
Unifi Controller SSL reverse proxy for port 443
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| global | |
| log /dev/log local0 | |
| log /dev/log local1 notice | |
| chroot /var/lib/haproxy | |
| stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners | |
| stats timeout 30s | |
| user haproxy | |
| group haproxy | |
| daemon | |
| # Default SSL material locations | |
| ca-base /etc/ssl/certs | |
| crt-base /etc/ssl/private | |
| # Default ciphers to use on SSL-enabled listening sockets. | |
| # For more information, see ciphers(1SSL). This list is from: | |
| # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/ | |
| # An alternative list with additional directives can be obtained from | |
| # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy | |
| ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS | |
| ssl-default-bind-options no-sslv3 | |
| defaults | |
| log global | |
| mode http | |
| option httplog | |
| option dontlognull | |
| option forwardfor | |
| option http-server-close | |
| timeout connect 5000 | |
| timeout client 50000 | |
| timeout server 50000 | |
| errorfile 400 /etc/haproxy/errors/400.http | |
| errorfile 403 /etc/haproxy/errors/403.http | |
| errorfile 408 /etc/haproxy/errors/408.http | |
| errorfile 500 /etc/haproxy/errors/500.http | |
| errorfile 502 /etc/haproxy/errors/502.http | |
| errorfile 503 /etc/haproxy/errors/503.http | |
| errorfile 504 /etc/haproxy/errors/504.http | |
| frontend www-publc | |
| bind :::80 v4v6 | |
| bind :::443 v4v6 ssl crt /root/unifi.int.bjs.crt | |
| http-request set-header X-Forwarded-Port %[dst_port] | |
| http-request add-header X-Forwarded-Proto https if { ssl_fc } | |
| use_backend unifi if { hdr(Host) -i unifi.int.bjs } | |
| backend unifi | |
| server unifi 127.0.0.1:8443 ssl verify none | |
Thank you for sharing that snippet!
Do you know how to pass the STUN and Inform Port through the HAProxy, so that the host running the unifi controller is not exposed? Or is it only possible with port redirection?
@SchulteMK Unfortunately STUN is a UDP protocol and HAProxy is not able to proxy it, so unfortunately you're not going to be able to do that with HAProxy.
Furthermore, STUN requires unmodified IP headers. You essentially need direct packet-level connection between server and client. You cannot proxy it.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
This configuration for haproxy is one of the simplest ways of running a https reverse proxy in front of the ubiquiti unifi controller software. It's a complete pain in the butt to import an SSL certificate into the unifi controller keystore and have it work properly. So this is the easy way.
The certficate file has both the SSL Cert and the private key.