goofball222 / unifi

UniFi Docker Container
Apache License 2.0

Bad Request This combination of host and port requires TLS. #138

Closed m4dm4rtig4n closed 9 months ago

m4dm4rtig4n commented 9 months ago

Reporting bugs/issues

Hello,

I have deployed your container in a k8s cluster with an ingress in front and redirected my ingress to 8443, but I have this error message:

Bad Request
This combination of host and port requires TLS.

I'm in HTTPS, but communication between my ingress (Traefik) and the UniFi container is in HTTP.

me -> (https) -> ingress -> (http) -> container

Is it possible to disable the SSL check if the whole SSL layer is handled in front of the container?

goofball222 commented 9 months ago

You're trying to send unencrypted http requests/traffic from Traefik to UniFi on a https port that requires SSL/TLS, thus the error.

Either send the requests to the UniFi standard http port 8080 or if UniFi is configured to redirect to https, configure Traefik to use https when communicating with the UniFi container(s). In that instance you might also need to set Traefik serversTransport to insecureSkipVerify to disable internal SSL certificate validation.

m4dm4rtig4n commented 9 months ago

Hello @goofball222, I have already set it :/

apiVersion: traefik.containo.us/v1alpha1
kind: ServersTransport
metadata:
  labels:
    kustomize.toolkit.fluxcd.io/name: unifi
    kustomize.toolkit.fluxcd.io/namespace: unifi
  name: traefik-insecureskipverify
  namespace: unifi
spec:
  insecureSkipVerify: true

My chart: port => 8443

apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
  name: ${name}
  annotations:
    fluxcd.io/automated: "true"
spec:
  releaseName: ${name}
  timeout: 1m
  interval: 10m
  chart:
    spec:
      chart: app-template
      version: 2.0.3
      sourceRef:
        kind: HelmRepository
        name: bjw-s
        namespace: flux-infra
      interval: 1m
  values:
    #
    #    DEFAULT VALUE YAML
    #    https://github.com/bjw-s/helm-charts/blob/main/charts/library/common/values.yaml
    #
    service:
      main:
        type: LoadBalancer
        loadBalancerIP: ${loadBalancerIP}
        ports:
          http:
            port: ${port}
            targetPort: ${port}
          inform:
            # controller:
            enabled: true
            port: 8080
            protocol: TCP
            targetPort: 8080
          portail-http:
            enabled: true
            port: 8880
            protocol: HTTP
            targetPort: 8880
          portail-https:
            enabled: true
            port: 8843
            protocol: TCP
            targetPort: 8843
          android:
            enabled: true
            port: 6789
            protocol: TCP
            targetPort: 6789
          stun:
            enabled: true
            port: 3478
            protocol: UDP
            targetPort: 3478
          syslog:
            enabled: true
            port: 5514
            protocol: UDP
            targetPort: 5514
          discovery:
            enabled: true
            port: 10001
            protocol: UDP
            targetPort: 10001
    defaultPodOptions:
      dnsConfig:
        options:
          - name: ndots
            value: "1"
      nodeSelector:
        kubernetes.io/arch: amd64
    controllers:
      main:
        enabled: true
        type: statefulset
        replicas: 1
        strategy: RollingUpdate
        rollingUpdate:
          unavailable: 1
          surge: 1
        revisionHistoryLimit: 3
        containers:
          main:
            image:
              repository: ${docker_image}
              tag: 8.0.28 # {"$imagepolicy": "unifi:unifi:tag"}
              pullPolicy: Always
            resources:
              limits:
                memory: 1024Mi
              requests:
            env:
              TZ: Europe/Paris
              RUNAS_UID0: "true"
              UNIFI_UID: "0"
              UNIFI_GID: "0"
              JVM_INIT_HEAP_SIZE:
              JVM_MAX_HEAP_SIZE: 1024M
              UNIFI_DB_NAME: ${name}
              DB_MONGO_LOCAL: false
              DB_MONGO_URI: mongodb://${name}-mongodb/${name}
              STATDB_MONGO_URI: mongodb://${name}-mongodb/${name}_stat
              UNIFI_HTTPS_REDIRECT: false
            probes:
              liveness:
                enabled: false
              readiness:
                enabled: false
              startup:
                enabled: false
    ingress:
      main:
        enabled: true
        annotations:
          external-dns.alpha.kubernetes.io/target: ${external_domain}
          kubernetes.io/ingress.class: traefik
          cert-manager.io/cluster-issuer: letsencrypt-cloudflare
          traefik.ingress.kubernetes.io/router.middlewares: authelia-authelia@kubernetescrd
          traefik.ingress.kubernetes.io/router.entrypoints: websecure
          traefik.ingress.kubernetes.io/router.tls: "true"
          gethomepage.dev/enabled: "true"
          gethomepage.dev/name: "${name_beautiful}"
          gethomepage.dev/description: "${description}"
          gethomepage.dev/group: "${group}"
          gethomepage.dev/icon: "${icon}"
        hosts:
          - host: ${subdomain}.${external_domain}
            paths:
              - path: /
                pathType: Prefix
                service:
                  name: ${service_name}
                  port: ${port}
          - host: ${subdomain}.${internal_domain}
            paths:
              - path: /
                pathType: Prefix
                service:
                  name: ${service_name}
                  port: ${port}
        tls:
          - secretName: ${name}-tls
            hosts:
              - ${subdomain}.${external_domain}
              - ${subdomain}.${internal_domain}
    persistence:
      cert:
        enabled: true
        accessMode: ReadWriteOnce
        size: 1Gi
        globalMounts:
          - path: /usr/lib/unifi/cert
      data:
        enabled: true
        accessMode: ReadWriteOnce
        size: 1Gi
        globalMounts:
          - path: /usr/lib/unifi/data
      logs:
        enabled: true
        accessMode: ReadWriteOnce
        size: 1Gi
        globalMounts:
          - path: /usr/lib/unifi/logs
m4dm4rtig4n commented 8 months ago

I have found the solution :) Add this annotation to the service (not the ingress) to configure the destination service in HTTPS.

        annotations:
          traefik.ingress.kubernetes.io/service.serversscheme: https


m4dm4rtig4n commented 8 months ago

@goofball222 with this solution you keep TLS the whole way.
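Putting the two pieces from this thread together (goofball222's ServersTransport advice and the service.serversscheme annotation found at the end), here is a complete set of plain Kubernetes objects for the Traefik-to-UniFi hop. This is an added example, not code from the thread or from the goofball222/unifi project; the object names, the namespace, the pod selector label and the hostname unifi.example.com are assumptions. The point the original ServersTransport manifest missed is that creating the ServersTransport is not enough: the Service must reference it through the traefik.ingress.kubernetes.io/service.serverstransport annotation (form <namespace>-<name>@kubernetescrd), and must declare the backend scheme as https, otherwise Traefik still sends plaintext to 8443 and UniFi answers with "This combination of host and port requires TLS".

```yaml
# Added example, not from the thread or the goofball222/unifi project.
# Assumed names: namespace "unifi", objects "unifi" / "unifi-insecureskipverify",
# pod label app.kubernetes.io/name=unifi, hostname unifi.example.com.
---
# ServersTransport: Traefik's client-side TLS settings for the backend hop.
# insecureSkipVerify is required because UniFi presents a self-signed
# certificate by default; it only affects Traefik -> UniFi, not the browser.
apiVersion: traefik.containo.us/v1alpha1
kind: ServersTransport
metadata:
  name: unifi-insecureskipverify
  namespace: unifi
spec:
  insecureSkipVerify: true
---
apiVersion: v1
kind: Service
metadata:
  name: unifi
  namespace: unifi
  annotations:
    # Speak HTTPS to the pod; this is what fixes the 400 "requires TLS".
    traefik.ingress.kubernetes.io/service.serversscheme: https
    # Reference the ServersTransport above: <namespace>-<name>@kubernetescrd.
    traefik.ingress.kubernetes.io/service.serverstransport: unifi-unifi-insecureskipverify@kubernetescrd
spec:
  selector:
    app.kubernetes.io/name: unifi
  ports:
    - name: https
      port: 8443
      targetPort: 8443
      protocol: TCP
---
# The Ingress itself is unchanged: browser -> Traefik stays on websecure,
# and the backend port is the UniFi HTTPS port 8443.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: unifi
  namespace: unifi
  annotations:
    traefik.ingress.kubernetes.io/router.entrypoints: websecure
    traefik.ingress.kubernetes.io/router.tls: "true"
spec:
  ingressClassName: traefik
  rules:
    - host: unifi.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: unifi
                port:
                  number: 8443
  tls:
    - hosts:
        - unifi.example.com
      secretName: unifi-tls
```

The alternative goofball222 mentions, pointing the Ingress at port 8080 with no scheme annotation, avoids the ServersTransport entirely but leaves the in-cluster hop in plaintext. If you keep the HTTPS hop, insecureSkipVerify means Traefik does not authenticate the UniFi pod at all; the stricter option is to issue UniFi a certificate Traefik trusts and use the ServersTransport rootCAsSecrets field instead of disabling verification.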