UniFi Controller behind Apache Reverse Proxy (and SSL)

UniFi Controller is a web portal used to manage your UniFi access points. In this tutorial, we will put UniFi Controller behind an Apache reverse proxy, with Apache Web Server as the front end. This tutorial was written using Debian 8 as the OS for both Apache and UniFi Controller. It also assumes that you have already installed UniFi Controller and Apache Web Server, and that you can access the controller's web panel.

Requirements
Apache is installed and running (using port 80 and 443 if you want to enable SSL)
UniFi Controller can be accessed using its IP address and port (the default is 8443 for an SSL-based UniFi Controller)

Installing required Apache modules

apt-get install libapache2-mod-proxy-html
a2enmod proxy
a2enmod proxy_http

Edit: January 28 2017. Enable proxy_wstunnel (Credit to Gregoor van Diepen for pointing that out)

a2enmod proxy_wstunnel


service apache2 restart

Required vhost conf
This vhost conf file uses SSL; remove the SSL sections if you don't want to enable it. The UniFi Controller IP is 1.1.1.1, with 8443 as its port.

# Change to *:80 if you don't want to use SSL
<VirtualHost *:443>

ServerName unifi01.example.com

ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined

# Remove this SSL Section if your unifi controller is not using SSL
SSLProxyEngine On
SSLProxyVerify None
SSLProxyCheckPeerCN off
SSLProxyCheckPeerExpire off
SSLProxyCheckPeerName off

ProxyRequests Off

# We need to proxy websocket too
ProxyPass /wss wss://1.1.1.1:8443/wss
ProxyPassReverse /wss wss://1.1.1.1:8443/wss

ProxyPass / https://1.1.1.1:8443/
ProxyPassReverse / https://1.1.1.1:8443/

# mod_headers is usually installed by default (if it is not enabled, run: a2enmod headers)
# We use this as a workaround for the login process
Header set Host unifi01.example.com
RequestHeader set Host 1.1.1.1
RequestHeader set Origin https://1.1.1.1:8443
Header unset Referer
RequestHeader unset Referer

# Remove these lines if you don't use SSL
SSLEngine on

SSLCertificateFile /etc/letsencrypt/live/unifi01.example.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/unifi01.example.com/privkey.pem
SSLCACertificateFile /etc/letsencrypt/live/unifi01.example.com/fullchain.pem

</VirtualHost>

Test Apache Configuration

apache2ctl configtest

If all is well, restart Apache

service apache2 restart
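
The `SSLProxyVerify None` and `SSLProxyCheckPeer* off` lines in the vhost above make Apache accept any certificate presented on port 8443, so the hop from Apache to the controller is encrypted but not authenticated. The Python script below is an added example, not part of the original post: it lists, per virtual host, which backend TLS checks are effectively disabled, applying Apache's defaults to omitted directives. The sample config, the `pinned.example.com` host and the certificate path are constructed for illustration, and server-level settings outside a vhost are not inherited in this simplified parser.

```python
# Apache 2.4 mod_ssl defaults for the backend (proxy) TLS checks.
DEFAULTS = {"sslproxyverify": "none", "sslproxycheckpeercn": "on",
            "sslproxycheckpeername": "on", "sslproxycheckpeerexpire": "on"}

def _disabled(name, value):  # only "require" rejects an unverifiable backend cert
    return value != "require" if name == "sslproxyverify" else value == "off"

def audit(conf_text):
    """Map each vhost proxying to an https:// or wss:// backend to its disabled checks."""
    scopes, cur = [], None
    for raw in conf_text.splitlines():
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue
        name, args = parts[0].lower(), parts[1:]
        if name == "<virtualhost" or cur is None:  # new block, or loose directives
            cur = {"label": "(no ServerName)", "tls": False, "eff": dict(DEFAULTS)}
            scopes.append(cur)
        if name == "</virtualhost>":
            cur = None
        elif name == "servername" and args:
            cur["label"] = args[0]
        elif name == "proxypass" and len(args) > 1 and args[1].lower().startswith(("https://", "wss://")):
            cur["tls"] = True
        elif name in DEFAULTS and args:
            cur["eff"][name] = args[0].lower()
    return {s["label"]: sorted(k for k, v in s["eff"].items() if _disabled(k, v))
            for s in scopes if s["tls"]}

# Constructed sample: the first vhost mirrors the post's settings, the second verifies the backend.
SAMPLE = """
<VirtualHost *:443>
    ServerName unifi01.example.com
    SSLProxyVerify None
    SSLProxyCheckPeerCN off
    SSLProxyCheckPeerExpire off
    SSLProxyCheckPeerName off
    ProxyPass / https://1.1.1.1:8443/
</VirtualHost>
<VirtualHost *:443>
    ServerName pinned.example.com
    SSLProxyVerify require
    SSLProxyCACertificateFile /etc/apache2/ssl/controller.pem
    ProxyPass / https://1.1.1.1:8443/
</VirtualHost>
"""

for host, off in audit(SAMPLE).items():
    print(host, "->", ", ".join(off) or "all backend checks enabled")
```

An empty list for a host means Apache will refuse a backend certificate that fails chain, name or expiry validation; any entry in the list names a check that an on-path host between Apache and the controller would not trip.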

4 thoughts on “UniFi Controller behind Apache Reverse Proxy (and SSL)”

  1. Thanks for this post. When I tried it, it didn’t work though.
    mod header was not enabled, but that was no problem because that can be done with
    ProxyPreserveHost On
    What was a problem was the fact that mod proxy_wstunnel has to be enabled for the 2 ProxyPass wss rules to have effect. Not having mod headers gave an error on your config, but not having mod proxy_wstunnel didn’t.

    This is my complete config with sources commented:

    ## https://community.ubnt.com/t5/UniFi-Wireless/Disable-SSL-on-Web-Interface/td-p/1129852
    ## https://tonggoes.ga/unifi-controller-behind-apache-reverse-proxy-and-ssl/
    ## http://stackoverflow.com/questions/38838567/proxy-websocket-wss-to-ws-apache

    # Plain-HTTP vhost: redirect everything to HTTPS
    <VirtualHost *:80>
    ServerName unifi.example1.com
    ServerAlias unifi.example2.com

    RewriteEngine on
    RewriteCond %{SERVER_NAME} =unifi.example1.com [OR]
    RewriteCond %{SERVER_NAME} =unifi.example2.com
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]
    </VirtualHost>

    # HTTPS vhost: terminate TLS and proxy to the controller
    <VirtualHost *:443>
    ServerName unifi.example1.com
    ServerAlias unifi.example2.com

    SSLProxyEngine On
    SSLProxyVerify none
    SSLProxyCheckPeerCN off
    SSLProxyCheckPeerName off
    SSLProxyCheckPeerExpire off

    SSLEngine On
    SSLCertificateFile /etc/letsencrypt/live/unifi.example1.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/unifi.example1.com/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf

    ProxyPass /wss wss://localhost:8443/wss
    ProxyPassReverse /wss wss://localhost:8443/wss
    ProxyPass / https://localhost:8443/
    ProxyPassReverse / https://localhost:8443/

    ProxyPreserveHost on
    </VirtualHost>

    1. Yup, thanks for your input. My config in this post is indeed missing the wss section. I’ll revise it for future reference. Once again, thanks for your comment.

  2. Boy, does this ever need to be higher on search results for this topic. Thanks so much! It’s working great now 👍
