linuxserver / docker-unifi-network-application

GNU General Public License v3.0
553 stars 41 forks

[FEAT] How to provide SSL certificate? How to use behind a proxy? #14

Closed atais closed 9 months ago

atais commented 9 months ago

Is this a new feature request?

Wanted change

How does one configure SSL with the dockerized image?

My usual approach was to setup an Nginx proxy with SSL configured in front of the unprotected endpoint. Something like:

  server {
    listen 443 ssl http2;
    server_name unifi.endpoint.com;

    include /opt/NGinX/etc/nginx/ssl.conf;

    location / {

      proxy_pass http://UNIFI_IP:8080;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto https;
    }
  }

But here, I noticed it redirects to 8443 on the very first request, and I cannot perform an SSL handshake because Tomcat is using its own certificates (self-signed?).

What should be the approach here?

Reason for change

Annoying red ssl warning :)

Proposed code change

No response

github-actions[bot] commented 9 months ago

Thanks for opening your first issue here! Be sure to follow the relevant issue templates, or risk having this issue marked as invalid.

j0nnymoe commented 9 months ago

Just point your proxy to HTTPS and port 8443. Nginx should just ignore the invalid cert.

atais commented 9 months ago

Yes but I want to have a valid certificate

I tried using that guide: https://lg.io/2015/12/13/using-lets-encrypt-to-secure-cloud-hosted-services-like-ubiquitis-mfi-unifi-and-unifi-video.html

But I think the password to keystore has changed:

keytool -importkeystore -deststorepass aircontrolenterprise -destkeypass aircontrolenterprise -destkeystore /var/lib/unifi/keystore -srckeystore /config/certificates/myweb.com.p12 -srcstoretype PKCS12 -alias unifi

Enter source keystore password:  
keytool error: java.io.IOException: keystore password was incorrect

j0nnymoe commented 9 months ago

If you're putting it behind a reverse proxy, you'll have a valid cert as, providing everything is going through the reverse proxy, the internal cert will be ignored.

atais commented 9 months ago

Yes, probably that was my misconception.

My Nginx working config is:

  server {
    listen 443 ssl default_server;
    server_name unifi.mydomain.com;

    include /opt/NGinX/etc/nginx/ssl.conf;

    location / {
      proxy_pass https://unifi_ip:8443;
      proxy_http_version 1.1;
      proxy_set_header Upgrade $http_upgrade;
      proxy_set_header Connection "Upgrade";
      proxy_set_header Proxy "";
      proxy_set_header Host $http_host;

    }
  }

and the ssl conf is a copy from https://github.com/linuxserver/docker-swag/blob/b309e1ce45d06556af8b19ee53cafa9cbf192248/root/defaults/ssl.conf

with my certificates obviously.

I tried working with https://github.com/stevejenkins/unifi-linux-utils/blob/master/unifi_ssl_import.sh at first, but I think it was a dead-end
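The working config above leaves the backend leg unverified (nginx's `proxy_ssl_verify` defaults to off, which is why the controller's self-signed cert is "ignored"). The following is an added example, not a config from this thread or from the linuxserver project: the same reverse-proxy layout, but with the controller's own self-signed certificate pinned so the proxy fails closed if the backend is ever replaced, and with the forwarding headers from the first config restored so the controller logs real client addresses. It assumes the exported certificate lives at `/etc/nginx/unifi-backend.pem`, and `unifi_ip` and the `proxy_ssl_name` value are placeholders to be replaced with the real host and the name printed by the openssl check in the comments.

```nginx
# Added example (not from this thread): TLS termination with the public cert,
# plus a pinned backend certificate instead of an unverified https:// upstream.
#
# One-time export of the controller's self-signed cert (assumed path below):
#   openssl s_client -connect unifi_ip:8443 -showcerts </dev/null 2>/dev/null \
#     | openssl x509 -outform PEM > /etc/nginx/unifi-backend.pem
#   openssl x509 -in /etc/nginx/unifi-backend.pem -noout -subject -ext subjectAltName
# The CN / SAN printed by the last command is the value proxy_ssl_name must carry.

server {
  listen 443 ssl;
  server_name unifi.mydomain.com;

  # Public certificate, key and TLS settings (the ssl.conf referenced in the thread).
  include /opt/NGinX/etc/nginx/ssl.conf;

  location / {
    proxy_pass https://unifi_ip:8443;

    # Backend TLS: verify the controller against its pinned self-signed cert.
    # A self-signed cert in the trusted file is its own root, so depth 1 is enough.
    proxy_ssl_verify              on;
    proxy_ssl_verify_depth        1;
    proxy_ssl_trusted_certificate /etc/nginx/unifi-backend.pem;
    proxy_ssl_protocols           TLSv1.2 TLSv1.3;
    proxy_ssl_server_name         on;
    proxy_ssl_name                unifi;   # placeholder: CN/SAN from the openssl check above

    # WebSocket upgrade, as in the working config (the controller UI relies on it).
    proxy_http_version 1.1;
    proxy_set_header Upgrade    $http_upgrade;
    proxy_set_header Connection "Upgrade";
    proxy_set_header Proxy      "";
    proxy_set_header Host       $http_host;

    # Preserve client identity and scheme so controller logs show the real source.
    proxy_set_header X-Real-IP         $remote_addr;
    proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto https;
  }
}
```

If the controller regenerates its keystore (new self-signed cert), nginx will start returning 502 for this location until the pinned file is re-exported; that is the intended fail-closed behaviour rather than a proxy misconfiguration.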