-
-
Save vidia/fbef2ee643b23848d8b24211d5860b78 to your computer and use it in GitHub Desktop.
# I had a bit of trouble getting my unifi controller (hosted offsite) to use a proxy/letsencrypt. So here are the fruits of my labor. | |
# The unifi default port is 8443 running on localhost. | |
# License: CC0 (Public Domain) | |
server { | |
# SSL configuration | |
# | |
listen 443 ssl default_server; | |
listen [::]:443 ssl default_server; | |
server_name unifi.hostname.com; | |
# Needed to allow the websockets to forward well. | |
# Information adopted from here: https://community.ubnt.com/t5/EdgeMAX/Access-Edgemax-gui-via-nginx-reverse-proxy-websocket-problem/td-p/1544354 | |
location /wss/ { | |
proxy_pass https://localhost:8443; | |
proxy_http_version 1.1; | |
proxy_buffering off; | |
proxy_set_header Upgrade $http_upgrade; | |
proxy_set_header Connection "Upgrade"; | |
proxy_read_timeout 86400; | |
} | |
location / { | |
proxy_pass https://localhost:8443/; # The Unifi Controller Port | |
proxy_set_header Host $host; | |
proxy_set_header X-Real-IP $remote_addr; | |
proxy_set_header X-Forward-For $proxy_add_x_forwarded_for; | |
} | |
# Unifi still internally uses its own cert. This was converted to PEM and | |
# is trusted for the sake of this proxy. See here for details: | |
# https://community.ubnt.com/t5/UniFi-Wireless/Lets-Encrypt-and-UniFi-controller/td-p/1406670 | |
ssl_trusted_certificate /etc/nginx/ssl/unifi/unifi-default-selfsign.pem; | |
ssl_certificate /etc/letsencrypt/live/unifi.hostname.com/fullchain.pem; # managed by Certbot | |
ssl_certificate_key /etc/letsencrypt/live/unifi.hostname.com/privkey.pem; # managed by Certbot | |
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot | |
} | |
server { | |
listen 80; | |
listen [::]:80; | |
server_name unifi.hostname.com; | |
location / { | |
return 301 https://$host$request_uri; | |
} | |
} |
and then you need to e.g. bind-mount the certs/keys files from your host to your docker container.
Lets assume, they live on /host-path/to/cert.pem and /host-path/to/key.pem. If you use docker-compose, an except of the config might look like thisvolumes: - '/host-path/to/cert.pem:/container-path/to/cert.pem:ro' - '/host-path/to/key.pem:/container-path/to/key.pem:ro'
Thanks for the reply. I'll give this a try.
I HAVE MOSTLY NO CLUE WHAT I'M TALKING ABOUT!
Welcome to the club :D
I took the original and added this line to the location /wss/ section and it seems to work.
proxy_set_header Origin '';
This also worked for me. The errors in the user interface disappeared. The return code in Nginx changed from 404 to 101 (Switching protocol).
This solved it also for me :) Thx!
Hi, I found myself wanting to do this for putting the Unifi controller inside an iFrame to use with HomeAssistant.
To add it into the iFrame you need to set a few additional headers into both the location /wss/
and location /
parts of the nginx conf.
Here they are:
# Headers required for unifi to work
proxy_hide_header X-Frame-Options;
proxy_hide_header X-XSS-Protection;
proxy_hide_header X-Content-Type-Options;
proxy_cookie_path / "/; secure; SameSite=none";
add_header X-Frame-Options "ALLOWALL";
hi to all, i configure them, but open a white paga without any error.
location /wss/ {
proxy_pass https://192.168.1.5:8443;
proxy_http_version 1.1;
proxy_buffering off;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
proxy_read_timeout 86400;
}
location / {
proxy_pass https://192.168.1.5:8443;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forward-For $proxy_add_x_forwarded_for;
proxy_set_header Upgrade $http_upgrade;
proxy_http_version 1.1;
proxy_set_header Connection "upgrade";
}
If you're using SWAG or a similar docker (nginx with auto letsencrypt/certbot), there's a chance you don't need to explicitly set ssl certs and/or ssl, just include the ssl.conf in this config.
Something like:
include /config/nginx/ssl.conf
Please take this with a huge grain of salt (a mountain of it) as I'm a total noob who's just looking around at how to proxy non http(s) traffic to unifi controler so as to adopt a USG remotely and proxy all the ports/traffic through nginx as securely as possible. I HAVE MOSTLY NO CLUE WHAT I'M TALKING ABOUT!