Unifi Controller behind Traefik

A proper SSL certificate on the Unifi Controller is more of a cosmetic fix than a security one. The self-signed certificate is fine from a security standpoint, but annoying when accessing the controller. I run my controller in a docker container on my swarm and have Traefik for ingress and SSL. Read more about my Traefik setup here.
The setup of the Unifi Controller behind any reverse proxy is easy enough, especially if you have no external access to consider. Still, in my opinion the controller is best kept in the same physical network as the equipment.
There are a number of ports on the controller, and several need to be accessible for the /inform requests from the equipment. My goal was only to have a proper URL like unifi.example.com with a proper SSL certificate for the admin interface. The communication between Traefik and the Unifi Controller is still secured with the self-signed certificate on the controller, so first we need to allow Traefik to accept self-signed certificates from its backends. On the setup from my other article, linked above, we just add this command line parameter:
--serversTransport.insecureSkipVerify=true
If you have the dashboard enabled you need to move it from port 8080 to something else, since 8080 is the standard port the Unifi Controller uses for the /inform calls from all the equipment.
On the Unifi Controller container we need to add the Traefik configuration. There are a few additions compared to the other containers. I use Traefik's docker label configuration.
deploy:
  labels:
    # Standard configuration, same as all of my containers
    traefik.enable: 'true'
    traefik.docker.network: traefik_default
    traefik.http.routers.unifi.tls: 'true'
    traefik.http.routers.unifi.rule: Host(`unifi.example.com`)
    traefik.http.routers.unifi.tls.domains[0].main: example.com
    traefik.http.routers.unifi.tls.domains[0].sans: '*.example.com'
    traefik.http.routers.unifi.entrypoints: websecure
    traefik.http.routers.unifi.tls.certresolver: tlsresolver
    # Make Traefik communicate over SSL with the Unifi Controller
    traefik.http.services.unifi.loadbalancer.server.scheme: https
    traefik.http.services.unifi.loadbalancer.server.port: '8443'
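As an added example that is not from the original post: the static --serversTransport.insecureSkipVerify=true flag switches off backend certificate verification for every service Traefik proxies, not just the controller. Traefik v2.4 and later can instead define a named serversTransport in the file provider and attach it only to the Unifi service, so every other backend keeps full verification. This assumes the file provider is enabled (for instance --providers.file.filename=/etc/traefik/dynamic.yml), that the controller's certificate has been exported in PEM form to /certs/unifi-controller.crt, and that it carries a name serverName can match; all three are assumptions, not part of the post.

```yaml
# File 1: /etc/traefik/dynamic.yml (file provider; path is an assumption)
http:
  serversTransports:
    # Scoped version of the global flag: verification is skipped only
    # for connections that use this transport, i.e. the controller.
    unifi-skipverify:
      insecureSkipVerify: true

    # Preferred: trust exactly the controller's own self-signed
    # certificate. Traefik's Go TLS client still checks the hostname,
    # so serverName must appear in the certificate's subject/SANs;
    # with a certificate that carries no usable name this variant
    # fails and only unifi-skipverify works.
    unifi-pinned:
      rootCAs:
        - /certs/unifi-controller.crt   # exported PEM, assumption
      serverName: unifi-controller       # must match the cert, assumption
---
# File 2: docker-compose.yaml, additions to the Unifi Controller labels.
# Remove --serversTransport.insecureSkipVerify=true from Traefik's
# command line once the service carries its own transport.
deploy:
  labels:
    traefik.http.services.unifi.loadbalancer.server.scheme: https
    traefik.http.services.unifi.loadbalancer.server.port: '8443'
    # Use unifi-pinned@file here instead once the certificate name matches.
    traefik.http.services.unifi.loadbalancer.serverstransport: unifi-skipverify@file
```

The `@file` suffix tells Traefik the transport comes from the file provider rather than from docker labels.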
Since the Unifi Controller needs a lot of ports for its operation of the network, I just leave them on the ingress network. Unifi doesn't use any standard ports that I need besides 8080, and I don't want to add single points of failure (Traefik, DNS, etc.) that would keep the Unifi Controller from operating as independently from my docker swarm as it can. So even if DNS and Traefik are down I can use one of the swarm IPs on :8443 to access my controller.
The complete docker-compose.yaml is on Github.