I’m using the Ubuntu 16.04.3 droplet on DigitalOcean. In the examples below replace YOUR_FQDN with your FQDN; for this to work, it must have a valid hostname verifiable with a public DNS server.
Here’s my example A and CNAME entries on DigitalOcean:
Type Hostname Value CNAME www.testunifi.foo.com testunifi.foo.com. (note the trailing '.') A testunifi.foo.com 107.xx.yy.zz
Enable the firewall and allow inbound ports
Ubuntu doesn’t start the firewall by default so enable that, and forward these ports. If you’re using a cloud provider with off-host network security, like AWS, remember to update the network configuration for these ports.
ufw enable ufw allow ssh # Allow 'informs' ufw allow 8080/tcp # Allow STUN ufw allow 3478/udp # Allow HTTP (forwarded to HTTPS) if you want the redirect ufw allow 80/tcp # Allow HTTPS ufw allow 443/tcp
Install Unifi
Install the Unifi controller software if you don’t already have it.
# Install Unifi apt-get update apt-get upgrade echo deb http://www.ubnt.com/downloads/unifi/debian stable ubiquiti > /etc/apt/sources.list.d/100-ubnt.list # Public key of Unifi Developers apt-key adv --keyserver keyserver.ubuntu.com --recv 06E85760C0A52C50 apt-get update apt-get install unifi
Install and configure NGINX
NGINX does the proxying from HTTPS to Unifi (running on 8443), and does all of the SSL handshaking.
# Install nginx and certbot (Ubuntu Xenial 16.04.3) # https://certbot.eff.org/#ubuntuxenial-nginx apt-get install software-properties-common add-apt-repository ppa:certbot/certbot apt-get update apt-get install nginx python-certbot-nginx # Create a DH param file. This takes a while. openssl dhparam -out /etc/ssl/certs/dhparam.pem 4096
Create /etc/nginx/conf.d/YOUR_FQDN.conf with approximately this content:
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
server {
listen 80;
listen [::]:80 ipv6only=on;
listen 443 ssl;
listen [::]:443 ipv6only=on ssl;
server_name YOUR_HOST.com www.YOUR_HOST.com;
client_max_body_size 2G;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 5m;
ssl_protocols TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
location / {
proxy_pass https://localhost:8443;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
proxy_buffering off;
}
# These are managed by certbot.
# ssl_certificate /etc/letsencrypt/live/YOUR_FQDN/fullchain.pem;
# ssl_certificate_key /etc/letsencrypt/live/YOUR_FQDN/privkey.pem;
}
The NGINX configuration can be tricky, and be sure to verify the settings with nginx -t -c /etc/nginx/nginc.conf
Create the SSL certificates with certbot
certbot is a tool that reads the NGINX configuration and can easily renew certs and update NGINX configuration. Feel free to use letsencrypt directly if you’re needing a more custom approach.
Create the certificate using this, and you don’t need to forward 80 to 443 since the above configuration does that already. If certbot fails try restarting nginx or take the manual approach:
certbot --nginxReload NGINX and verify HTTPS sessions are valid
Reload nginx one more time, systemctl reload nginx, and try connecting to YOUR_FQDN on 80, which redirects to HTTPS.
Sumber: https://blog.ljdelight.com/nginx-proxy-to-ubiquiti-unifi-controller/