Ubiquiti Unifi Controller NGINX Reverse Proxy

By default, the Ubiquiti Unifi controller runs on port 8443 for inbound HTTPS requests to the web interface. I instead wanted to change this to listen on the standard HTTPS port (443) and I wanted my own valid SSL to be used to access the web interface. The easiest way for me to do this was by using NGINX as a reverse proxy, I didn’t have to change any Unifi controller settings manually (and try to figure out which file(s) needed to be changed).

Nginx installation

Since I am using Debian to run the Unifi controller I installed NGINX with apt-get

apt-get update nginx-full

NGINX configuration

You will need to update the paths below to suite where your SSL certificate/key is located as well as change the server_name variable to be the correct domain for your installation. Since I am not using this server to host any other vhosts with NGINX I used the default config file.

Replace the content of /etc/nginx/sites-enabled/default with the following contents

server {
  listen 80 default_server;
  listen [::]:80 default_server;

  server_name unifi.mydomain.com;

  return 301 https://$server_name$request_uri;
}

server {
  listen 443 ssl default_server;
  listen [::]:443 ssl default_server;
  ssl_certificate /etc/nginx/ssl.crt;
  ssl_certificate_key /etc/nginx/ssl.key;

  server_name unifi.mydomain.com;

  location / {
    proxy_set_header    Host $http_host;
    proxy_set_header    X-Forwarded-Host $host;
    proxy_set_header    X-Forwarded-Server $host;
    proxy_set_header    X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header    X-Real-IP $remote_addr;
    proxy_set_header    X-Scheme $scheme;
    proxy_set_header    Referer "";
    proxy_set_header    Upgrade $http_upgrade;
    proxy_set_header    Connection "upgrade";
    proxy_pass          https://127.0.0.1:8443;
  }

}

Restart the NGINX service with systemctl restart nginx and then try browsing to your Unifi domain with HTTP. You should be redirected to the HTTPS site and everything should work.

Controller configuration

There only needs to be a couple of changes in the controller web UI:

  • Settings -> Controller: Set “Controller Hostname/IP” to your domain.
  • Settings -> Guest Control: Set “Redirect using hostname” to your domain. This is only needed if you use the captive portal for guest authentication. If you do use this, I recommend also making sure that the “Enable HTTPS Redirection” option is selected.

Leave a Reply

Your email address will not be published.