```nginx
# I had a bit of trouble getting my UniFi controller (hosted offsite) to sit behind a proxy with a Let's Encrypt cert. So here are the fruits of my labor.
# The UniFi controller's default port is 8443 (HTTPS), listening on localhost.
# License: CC0 (Public Domain)
server {
    # SSL configuration
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
    server_name unifi.hostname.com;

    # Needed so the websocket connections are forwarded correctly.
    # Information adopted from here: https://community.ubnt.com/t5/EdgeMAX/Access-Edgemax-gui-via-nginx-reverse-proxy-websocket-problem/td-p/1544354
    location /wss/ {
        proxy_pass https://localhost:8443;
        proxy_http_version 1.1;
        proxy_buffering off;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_read_timeout 86400;
    }

    location / {
        proxy_pass https://localhost:8443/; # The UniFi controller port
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        # The standard header name is X-Forwarded-For; the earlier "X-Forward-For"
        # spelling was a typo, and a misspelled header is simply ignored upstream.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    # UniFi still internally uses its own self-signed cert. It was converted to PEM and
    # is trusted for the upstream connection made by this proxy. See here for details:
    # https://community.ubnt.com/t5/UniFi-Wireless/Lets-Encrypt-and-UniFi-controller/td-p/1406670
    #
    # Note: ssl_trusted_certificate (used in an earlier version of this gist) configures
    # the trust store for this server's own chain (OCSP stapling / client certificates)
    # and has no effect on the connection to the controller. Verifying the upstream cert
    # is done with proxy_ssl_trusted_certificate together with proxy_ssl_verify on;
    # without proxy_ssl_verify on, nginx accepts any certificate from the upstream.
    proxy_ssl_trusted_certificate /etc/nginx/ssl/unifi/unifi-default-selfsign.pem;
    proxy_ssl_verify on;
    # proxy_ssl_name defaults to the host in proxy_pass (localhost). If the subject of the
    # self-signed cert does not cover that name, verification fails; set proxy_ssl_name
    # to the name that appears in the PEM file above.

    ssl_certificate /etc/letsencrypt/live/unifi.hostname.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/unifi.hostname.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
}

server {
    listen 80;
    listen [::]:80;
    server_name unifi.hostname.com;
    location / {
        return 301 https://$host$request_uri;
    }
}
```
Thank you very much for sharing!

Also helped me. ty!

This one works for me

thank you thank you thank you!!!!

This worked for me with one tweak. I am using a stand-alone nginx server for multiple sites. I ended up changing the proxy_pass lines to direct them to my actual internal IP address. The rest of this setup worked amazingly. THANK YOU!!!

works a fuckin' treat. thx a ton.

This does not work for inform URLs.

Mine was working without the

The https is very important the

After a bunch of trial and error the configuration below is finally how I got the web socket errors to stop. It's a hybrid of my own, @vidia's and @tongphe's. I have the server block repeated twice on different ports for my guest portal, which I'm also proxying through nginx.

I took the original and added this line to the location /wss/ section and it seems to work.

The above is perfectly fine.

Hi guys, may I know if this code works for AP adoption "inform"?

What is everyone doing about the STUN warning? Have you been able to solve this?

Thank you to everyone who has responded to this. I will have to go through all of these suggestions and take in whatever new changes are working best for people. I have the posted code deployed currently and haven't noticed any issues, but it is possible I've missed something because I haven't updated it since I posted it initially. @azN2, I do have STUN issues on my box, but my issues seem to be because STUN is binding to IPv6 and not IPv4, which is causing it to not be accessible over IPv4 like I want it to be. I haven't found a solution to force it to use IPv4, but I'm mentioning it here in case that bit of info helps you find your own solution. @rexkani, I believe this will work for /inform. I don't believe that will be anything special or different from accessing the controller regularly.

Hi @azN2 and @vidia, the code did not work for STUN and inform. This traffic does not run over HTTPS and therefore needs to make use of the nginx "stream" module. I've learnt that from the discussion below: another thing that is still missing after adding the stream for STUN and inform is the remote guest captive portal. It seems to be running on 8880? I don't have time to work on it yet.
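The stream-module setup that comment points at, written out as an added example of my own (it is not from the gist or from any commenter). Assumptions: nginx runs on a different host from the controller, so the ports below do not clash with the controller's own listeners; the controller is reachable at the placeholder address 10.0.0.5; and the ports are the UniFi defaults I am assuming, 8080/TCP for inform, 3478/UDP for STUN, and 8880/TCP for the guest portal that the comment mentions. Check them against your controller before relying on them. The `stream` block sits at the top level of nginx.conf next to `http { }`, and needs nginx built with the stream module (`nginx -V` should show `--with-stream`, or the module is loaded with `load_module`).

```nginx
# Added example: layer-4 relay for the UniFi traffic that is not HTTPS.
# Top level of nginx.conf, NOT inside http { }.
# 10.0.0.5 is a placeholder for the controller host (assumption).
stream {
    # Device inform (assumed UniFi default 8080/TCP). nginx relays bytes only;
    # no TLS is terminated here, so the Let's Encrypt cert plays no part.
    server {
        listen 8080;
        listen [::]:8080;
        proxy_pass 10.0.0.5:8080;
        proxy_connect_timeout 5s;
        proxy_timeout 300s;
    }

    # STUN (assumed UniFi default 3478/UDP).
    server {
        listen 3478 udp;
        listen [::]:3478 udp;
        proxy_pass 10.0.0.5:3478;
        proxy_timeout 30s;
    }

    # Guest captive portal (8880/TCP, per the comment above; assumption).
    server {
        listen 8880;
        listen [::]:8880;
        proxy_pass 10.0.0.5:8880;
        proxy_timeout 120s;
    }
}
```

Relaying these ports exposes the controller's inform and STUN listeners to whoever can reach the proxy. If the remote sites have fixed egress addresses, `allow`/`deny` (ngx_stream_access_module) inside each `server` block limits that to the networks your devices actually come from.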
Thank you. You directed me in the right direction. Here is "my snippet", which basically enables websockets & HTTP upgrade on / (catch-all) instead of splitting between / and /wss. The reason is that more locations than just /wss need HTTP upgrade.
As a little sidenote: If you plan to use HTTP Auth, you need to block forwarding of the auth data to the UniFi controller. Otherwise you will end up with a 400: Bad Request error. Simply add this line to the location block
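The arrangement that comment describes, as an added example of mine rather than the commenter's own snippet: WebSocket upgrade handled on the catch-all location instead of a separate /wss/ block, and the Authorization header stripped so that basic auth at the proxy never reaches the controller. It assumes the controller on localhost:8443 and the cert paths from the gist; the `map` goes in the `http` context, and the htpasswd path is a placeholder.

```nginx
# Added example, not the commenter's snippet.
# http { } context: derive the Connection header from the client's Upgrade
# header, so ordinary requests keep "close" and WebSocket handshakes get
# "upgrade" without a dedicated /wss/ location.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

server {
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
    server_name unifi.hostname.com;

    ssl_certificate     /etc/letsencrypt/live/unifi.hostname.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/unifi.hostname.com/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;

    # Basic auth in front of the controller; placeholder path for the htpasswd file.
    auth_basic           "UniFi";
    auth_basic_user_file /etc/nginx/htpasswd/unifi; # assumption: created with htpasswd

    location / {
        proxy_pass https://localhost:8443;
        proxy_http_version 1.1;
        proxy_buffering off;
        proxy_read_timeout 86400;

        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Upgrade on every path: the controller opens WebSockets on more than /wss/.
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;

        # Do not pass the proxy's basic-auth credentials on to the controller.
        # Setting the header to "" removes it; otherwise the controller receives an
        # Authorization header it does not expect and answers 400 Bad Request.
        proxy_set_header Authorization "";
    }
}
```

Only the browser-facing HTTPS traffic goes through this block; device inform and STUN are not HTTPS and still need the stream module discussed earlier in the thread.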
This also worked for me. The errors in the user interface disappeared. The return code in nginx changed from 404 to 101 (Switching Protocols).

This was my issue as well. This fixed it for me!

I realize this is for a self-hosted controller; however, can anyone let me know if you've been able to get an nginx reverse proxy working with a Cloud Key Gen 2 Plus? I am able to get to a login screen, but when UniFi attempts to perform the two-factor auth, it bombs out. Any help would be appreciated.

Thanks for this! It was incredibly helpful.