Last active
March 24, 2024 23:34
-
-
Save jeroenhe/7dfe273277bbbd1c2ea2cb7c647b24fa to your computer and use it in GitHub Desktop.
UniFi Network Controller behind a Traefik reverse proxy
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| version: "2.4" | |
| services: | |
| traefik: | |
| build: . | |
| container_name: traefik | |
| hostname: traefik | |
| restart: unless-stopped | |
| networks: ["proxy"] | |
| ports: | |
| - "443:443" | |
| environment: | |
| - "AWS_HOSTED_ZONE_ID=" | |
| - "AWS_ACCESS_KEY_ID=" | |
| - "AWS_SECRET_ACCESS_KEY=" | |
| volumes: | |
| - type: volume | |
| source: traefik_letsencrypt | |
| target: /letsencrypt | |
| - type: bind | |
| source: /var/run/docker.sock | |
| target: /var/run/docker.sock | |
| labels: | |
| - traefik.enable=false | |
| logging: | |
| driver: "json-file" | |
| options: | |
| max-size: "10m" | |
| max-file: "2" | |
| unifi: | |
| image: linuxserver/unifi-controller:6.0.41-ls90 | |
| container_name: unifi | |
| hostname: unifi | |
| restart: always | |
| networks: ["proxy"] | |
| ports: | |
| # https://help.ui.com/hc/en-us/articles/218506997-UniFi-Ports-Used | |
| # Port used for STUN. | |
| - "3478:3478/udp" | |
| # Port used for device and controller communication. | |
| - "8080:8080" | |
| # - "8081:8081" | |
| # Port used for controller GUI/API as seen in a web browser | |
| # - "8443:8443" | |
| # Port used for HTTPS portal redirection. | |
| # - "8843:8843" | |
| # Port used for HTTP portal redirection. | |
| # - "8880:8880" | |
| # Port used for device discovery | |
| - "10001:10001/udp" | |
| environment: | |
| - PGID=65539 | |
| - PUID=1055 | |
| - TZ=Europe/Amsterdam | |
| volumes: | |
| - type: volume | |
| source: unifi_data | |
| target: /usr/lib/unifi/data | |
| healthcheck: | |
| test: ["CMD", "curl", "-f", "http://localhost:8080"] | |
| interval: 30s | |
| timeout: 10s | |
| retries: 5 | |
| labels: | |
| - com.centurylinklabs.watchtower.enable=false | |
| - traefik.enable=true | |
| - traefik.http.routers.unifi.entrypoints=websecure | |
| - traefik.http.routers.unifi.rule=Host(`unificontroller.mydomain.io`) | |
| - traefik.http.routers.unifi.tls=true | |
| - traefik.http.routers.unifi.tls.certresolver=myresolver | |
| - traefik.http.routers.unifi.tls.domains[0].main=unificontroller.mydomain.io | |
| - traefik.http.routers.unifi.tls.domains[0].sans=unificontroller.mydomain.io | |
| - traefik.http.routers.unifi.service=unifi | |
| - traefik.http.routers.unifi.middlewares=unifiHeaders@file | |
| - traefik.http.middlewares.sslheader.headers.customrequestheaders.X-Forwarded-Proto=https | |
| - traefik.http.services.unifi.loadbalancer.server.port=8443 | |
| - traefik.http.services.unifi.loadbalancer.server.scheme=https | |
| logging: | |
| driver: "json-file" | |
| options: | |
| max-size: "10m" | |
| max-file: "2" | |
| mem_limit: 1500M | |
| networks: | |
| proxy: | |
| volumes: | |
| traefik_letsencrypt: | |
| unifi_data: | |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| FROM traefik:v2.3.2 | |
| COPY traefik.yml /etc/traefik/traefik.yml | |
| RUN mkdir /etc/traefik/conf | |
| COPY tls.yml /etc/traefik/conf | |
| COPY http.yml /etc/traefik/conf |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| http: | |
| middlewares: | |
| unifiHeaders: | |
| headers: | |
| customRequestHeaders: | |
| Authorization: "" # Removes |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| tls: | |
| options: | |
| default: | |
| minVersion: VersionTLS12 | |
| cipherSuites: | |
| - "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256" | |
| - "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" | |
| - "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384" | |
| - "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384" | |
| - "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305" | |
| - "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # https://gist.github.com/containeroo-gists/0e79fb145252611ee1bb0da2c31f243d | |
| # https://gist.github.com/containeroo-gists/27666fe7d32199f40c01b20f49cc0454 | |
| global: | |
| checkNewVersion: false | |
| sendAnonymousUsage: false | |
| entryPoints: | |
| websecure: | |
| address: ":443" | |
| providers: | |
| docker: | |
| exposedByDefault: false | |
| file: | |
| directory: /etc/traefik/conf | |
| # API and dashboard configuration | |
| api: | |
| dashboard: false | |
| log: | |
| level: INFO | |
| accessLog: | |
| filters: | |
| statusCodes: | |
| - "400-600" | |
| # default format: <remote_IP_address> - <client_user_name_if_available> [<timestamp>] "<request_method> <request_path> <request_protocol>" <origin_server_HTTP_status> <origin_server_content_size> "<request_referrer>" "<request_user_agent>" <number_of_requests_received_since_Traefik_started> "<Traefik_frontend_name>" "<Traefik_backend_URL>" <request_duration_in_ms>ms | |
| retryAttempts: true | |
| minDuration: "200ms" | |
| certificatesResolvers: | |
| myresolver: | |
| acme: | |
| # Using the Let's Encrypt staging server | |
| #caServer: https://acme-staging-v02.api.letsencrypt.org/directory | |
| #caServer: https://acme-v02.api.letsencrypt.org/directory | |
| email: webmaster@mydomain.io | |
| storage: /letsencrypt/acme.json | |
| dnsChallenge: | |
| provider: route53 | |
| delayBeforeCheck: 0 | |
| resolvers: | |
| - "1.1.1.1:53" | |
| - "8.8.8.8:53" | |
| # https://community.traefik.io/t/insecureskipverify-explanation/2195 | |
| # Required for traefik --> Unifi Controller (:8443) | |
| serversTransport: | |
| insecureSkipVerify: true |
@jeroenhendricksen This is a great example, thanks for contributing!
You are welcome :)
Not sure if you know, but these gists belong to a blog article of mine.
Love it, some great articles on there. I added it to my changedetection box.
You got a star :) Finally a simple, clear and to the point example to get unifi controller behind traefik. Thank you!
Hey Jereon! I started getting this to work and it works very nicely- thank you, especially the http.yml and traefik.yml parts!
On thing I am having some trouble with, and will be spending some time on in the near future, is enabling ssl for access to the guest portal (port 8843) we use. I am guessing it is something simple.
So far I enabled the port in the compose file (uncomment 8443:8443) and tried adding labels along the lines of:
- "traefik.http.routers.unifi-http.entrypoints=web"
- "traefik.http.routers.unifi-http.rule=Host(`${my_unifi_host}`)"
- "traefik.http.routers.unifi-http.middlewares=redirect-to-https"
- "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
So, I write this in case you know off the bat how the traefik headers would be for enabling access to 8443.
In any case, I'll update mine when I have it figured out in case it helps others that might be using the guest portal.
Cheers!
- "traefik.http.routers.unifi.service=unifi-https-svc"
- "traefik.http.services.unifi-https-svc.loadbalancer.server.port=8443"
- "traefik.http.services.unifi-https-svc.loadbalancer.server.scheme=https"
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
@jeroenhendricksen This is a great example, thanks for contributing!