Unifi Controller behind Traefik

A proper SSL certificate on the Unifi Controller is more of a cosmetic fix than a security one. The self-signed certificate is fine from a security standpoint but annoying when accessing the controller. I run my controller in a docker container on my swarm and have Traefik for ingress and SSL. Read more about my Traefik setup here.

The setup of Unifi Controller behind any reverse proxy is easy enough, especially if you have no external access to consider. Still, in my opinion the controller is best kept in the same physical network as the equipment.

There are a number of ports on the controller and several need to be accessible for the /inform requests from the equipment. My goal was only to have a proper URL like unifi.example.com with a proper SSL certificate for the admin interface. The communication between Traefik and the Unifi Controller will be secured with the self-signed certificate on the controller, so first we need to allow Traefik to accept self-signed certificates on the backend. On the setup from my other article, linked above, we just add this command line parameter:

--serversTransport.insecureSkipVerify=true

If you have the dashboard enabled you need to move it from port 8080 to something else, since 8080 is the standard port used by the Unifi Controller for the /inform calls from all the equipment.

On the Unifi Controller container we need to add the configuration for Traefik. There are a few additions compared to the other containers. I use Traefik's docker label configuration.

deploy:
  labels:
    # Standard configuration, same as all of my containers
    traefik.enable: 'true'
    traefik.docker.network: traefik_default
    traefik.http.routers.unifi.tls: 'true'

    traefik.http.routers.unifi.rule: Host(`unifi.example.com`)
    traefik.http.routers.unifi.tls.domains[0].main: example.com
    traefik.http.routers.unifi.tls.domains[0].sans: '*.example.com'
    traefik.http.routers.unifi.entrypoints: websecure
    traefik.http.routers.unifi.tls.certresolver: tlsresolver
    # Make Traefik communicate over SSL with Unifi Controller
    traefik.http.services.unifi.loadbalancer.server.scheme: https
    traefik.http.services.unifi.loadbalancer.server.port: '8443'

Since the Unifi Controller needs a lot of ports for its operation of the network, I just leave them on the ingress network. Unifi doesn't use any standard ports that I need besides 8080, and I don't want to add any single points of failure (Traefik, DNS etc.) that could keep the Unifi Controller from operating as independently as it can from my docker swarm. So even if DNS and Traefik are down I can use one of the swarm IPs on :8443 to access my controller.
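As an added check that is not part of the original post, here is a small Python script that reads the Traefik labels of the Unifi service together with the Traefik command line and flags the two things that break this setup: a Traefik entrypoint (such as the dashboard) still on 8080, and an https backend scheme without --serversTransport.insecureSkipVerify=true. The labels and arguments below are a constructed sample mirroring the post; the parser is a deliberately minimal line reader, not a full YAML parser.

```python
import re

# Constructed sample, mirroring the post: the service's Traefik labels and the
# Traefik command line. The dashboard entrypoint is deliberately left on 8080
# and the insecureSkipVerify flag is missing, so both checks fire.
SAMPLE_LABELS = """
    traefik.enable: 'true'
    traefik.http.routers.unifi.rule: Host(`unifi.example.com`)
    traefik.http.routers.unifi.tls: 'true'
    traefik.http.routers.unifi.entrypoints: websecure
    traefik.http.services.unifi.loadbalancer.server.scheme: https
    traefik.http.services.unifi.loadbalancer.server.port: '8443'
"""
SAMPLE_TRAEFIK_ARGS = [
    "--entryPoints.websecure.address=:443",
    "--entryPoints.traefik.address=:8080",
]
INFORM_PORT = 8080  # the controller listens here for /inform from the equipment


def parse_labels(text):
    """Turn the 'key: value' lines of a labels block into a dict, unquoted."""
    labels = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and ":" in line:
            key, value = line.split(":", 1)
            labels[key.strip()] = value.strip().strip("'\"")
    return labels


def check_unifi_proxy(labels, traefik_args):
    """Return findings as strings; an empty list means the setup is consistent."""
    findings = []
    router = "traefik.http.routers.unifi"
    backend = "traefik.http.services.unifi.loadbalancer.server"
    args = [a.lower() for a in traefik_args]  # Traefik flags are case-insensitive
    # https to the controller only works if Traefik accepts its self-signed cert
    if (labels.get(f"{backend}.scheme") == "https"
            and "--serverstransport.insecureskipverify=true" not in args):
        findings.append("backend scheme is https but "
                        "--serversTransport.insecureSkipVerify=true is not set")
    # any Traefik entrypoint on 8080 collides with the controller's /inform port
    for arg in args:
        m = re.match(r"--entrypoints\.(\w+)\.address=:(\d+)$", arg)
        if m and int(m.group(2)) == INFORM_PORT:
            findings.append(f"entrypoint '{m.group(1)}' is on port {INFORM_PORT}, "
                            "which the controller needs for /inform")
    # the admin UI should only be reachable over TLS on the websecure entrypoint
    if labels.get(f"{router}.tls") != "true" or labels.get(f"{router}.entrypoints") != "websecure":
        findings.append("router 'unifi' is not TLS-only on the websecure entrypoint")
    return findings
```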

Complete docker-compose.yaml on Github.
