Skip to content

Instantly share code, notes, and snippets.

@BrianSidebotham
Created September 4, 2019 20:24
Show Gist options
  • Save BrianSidebotham/401b1fd21a446196c9db0f030f33244f to your computer and use it in GitHub Desktop.
Save BrianSidebotham/401b1fd21a446196c9db0f030f33244f to your computer and use it in GitHub Desktop.
Unifi Controller SSL reverse proxy for port 443
global
log /dev/log local0
log /dev/log local1 notice
chroot /var/lib/haproxy
stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
stats timeout 30s
user haproxy
group haproxy
daemon
# Default SSL material locations
ca-base /etc/ssl/certs
crt-base /etc/ssl/private
# Default ciphers to use on SSL-enabled listening sockets.
# For more information, see ciphers(1SSL). This list is from:
# https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
# An alternative list with additional directives can be obtained from
# https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy
ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
ssl-default-bind-options no-sslv3
defaults
log global
mode http
option httplog
option dontlognull
option forwardfor
option http-server-close
timeout connect 5000
timeout client 50000
timeout server 50000
errorfile 400 /etc/haproxy/errors/400.http
errorfile 403 /etc/haproxy/errors/403.http
errorfile 408 /etc/haproxy/errors/408.http
errorfile 500 /etc/haproxy/errors/500.http
errorfile 502 /etc/haproxy/errors/502.http
errorfile 503 /etc/haproxy/errors/503.http
errorfile 504 /etc/haproxy/errors/504.http
frontend www-publc
bind :::80 v4v6
bind :::443 v4v6 ssl crt /root/unifi.int.bjs.crt
http-request set-header X-Forwarded-Port %[dst_port]
http-request add-header X-Forwarded-Proto https if { ssl_fc }
use_backend unifi if { hdr(Host) -i unifi.int.bjs }
backend unifi
server unifi 127.0.0.1:8443 ssl verify none
@BrianSidebotham
Copy link
Author

This configuration for haproxy is one of the simplest ways of running a https reverse proxy in front of the ubiquiti unifi controller software. It's a complete pain in the butt to import an SSL certificate into the unifi controller keystore and have it work properly. So this is the easy way.

The certficate file has both the SSL Cert and the private key.

@SchulteMK
Copy link

Thank you for sharing that snippet!
Do you know how to pass the STUN and Inform Port through the HAProxy, so that the host running the unifi controller is not exposed? Or is it only possible with port redirection?

@BrianSidebotham
Copy link
Author

@SchulteMK Unfortunately STUN is a UDP protocol and HAProxy is not able to proxy it, so unfortunately you're not going to be able to do that with HAProxy.

Furthermore, STUN requires unmodified IP headers. You essentially need direct packet-level connection between server and client. You cannot proxy it.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment