pducharme / UniFi-Video-Controller

Docker for Unifi-Video Controller (Ubiquiti Networks)

unable to use it under a reverse proxy (ssl) #148

Closed ssbarnea closed 5 years ago

ssbarnea commented 5 years ago

It seems that the web interface would redirect me automatically to its IP:PORT when I am using it behind a http reverse proxy (haproxy).

The web interface should not forcefully redirect users to its IP as this would either expose its IP or break the SSL layer.

Using a reverse proxy is also a way to expose it to the internet in a secured way. Apparently this is not possible atm due to this automatic redirection.

jokay commented 5 years ago

I can confirm it works behind a reverse proxy, e.g. traefik.

This is the config I use in my docker-compose.yml for the unifi-video container:

    labels:
      - traefik.enable=true
      - traefik.frontend.rule=Host:unifi-video.mydomain.ch
      - traefik.port=7080
      - traefik.protocol=http

ssbarnea commented 5 years ago

@x-jokay I guess that is working because you build a container with it. I already have my haproxy running on the router and I configured it to point to the controller. The issue is that the controller has no idea about its own hostname and it redirects to the IP address.

I guess that what I need is a param to give it that tells it about its hostname.

In my case I am not even using a Dockerfile, I just start it with:

    docker create \
      --name=nvr \
      -v /opt/data/nvr/config:/var/lib/unifi-video \
      -v /mnt/media/nvr:/var/lib/unifi-video/videos \
      -e PUID=99 \
      -e PGID=100 \
      -e DEBUG=1 \
      --cap-add SYS_ADMIN \
      --cap-add DAC_READ_SEARCH \
      -p 10001:10002 \
      -p 1935:1935 \
      -p 6666:6666 \
      -p 7080:7080 \
      -p 7442:7442 \
      -p 7443:7443 \
      -p 7444:7444 \
      -p 7445:7445 \
      -p 7446:7446 \
      -p 7447:7447 \
      --restart unless-stopped \
      pducharme/unifi-video-controller:latest

The readme does not specify anything regarding setting the hostname, that was what I was looking for.

jokay commented 5 years ago

You can set the hostname of the container by using -h param, see docker run but I don't think this will solve your problem.

If you point your reverse proxy to {docker-host-ip}:7080 it should work.

ssbarnea commented 5 years ago

I added --hostname nvr.example.com and it worked like a charm. We should add this to the docs as it is highly likely that others will look for it.

jokay commented 5 years ago

Nice to hear it's working :)

ginkel commented 5 years ago

> I can confirm it works behind a reverse proxy, e.g. traefik.

Does Live View work for you? I only get a fallback to still images behind Traefik even with the hostname set ("Unable to load live stream").

jokay commented 5 years ago

Yes, there seems to be a problem using live view (behind traefik).

I use the UniFi Video app and the RTSP stream but not the live view from the unifi-controller :wink:

anderskvist commented 5 years ago

I have it behind an nginx proxy, works fine, but I had to add a custom vhost for live view to work...

    server {
        server_name [myhostname];
        listen 7446 ssl;
        # ... SSL CONFIG
        location / {
            proxy_pass https://unifinvr_unifi-nvr_1:7446;
            proxy_set_header Host [myhostname];
            proxy_ssl_verify off;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            proxy_read_timeout 300;
            proxy_connect_timeout 300;
        }
    }

ssbarnea commented 5 years ago

I can confirm that live view does not work, even if I did port-forwarding between the IP of the haproxy load-balancer and the unifi-video container. We still need more investigation....

derfabianpeter commented 5 years ago

Can confirm, too. NVR delivers only locally detected IP addresses for the Live View wss:// connection. Probably a Unifi-thing. With the App it's working flawlessly. We're running it behind Traefik.

fryfrog commented 5 years ago

If anyone wants to create a reverse proxy wiki article and add the details they know/understand to it, that'd be great! :)

Zegorax commented 4 years ago

@derfabianpeter Could you post your Traefik config and labels definitions?

jokay commented 4 years ago

This is the simplified version of the docker-compose.yml which I used:

    version: '3.8'

    services:
      unifi-video:
        image: pducharme/unifi-video-controller:latest
        volumes:
          - ./data/data:/var/lib/unifi-video
          - ./data/videos:/videos
        ports:
          - 6666:6666/tcp
          - 7442:7442/tcp
          - 7446:7446/tcp
          - 7555:7555/tcp
        environment:
          - PUID=99
          - PGID=100
          - DEBUG=0
        networks:
          - default
          - proxy
        cap_add:
          - SYS_ADMIN
          - DAC_READ_SEARCH
        labels:
          - traefik.enable=true
          - traefik.http.routers.unifi-video.entrypoints=https
          - traefik.http.routers.unifi-video.tls=true
          - traefik.http.routers.unifi-video.rule=Host(`unifi-video.mydomain.com`)
          - traefik.http.services.unifi-video.loadbalancer.server.port=7080

      proxy:
        image: traefik:2.2
        volumes:
          - /var/run/docker.sock:/var/run/docker.sock
        ports:
          - 80:80
          - 443:443
        environment:
          - TRAEFIK_ENTRYPOINTS_HTTP=true
          - TRAEFIK_ENTRYPOINTS_HTTP_ADDRESS=:80
          - TRAEFIK_ENTRYPOINTS_HTTPS=true
          - TRAEFIK_ENTRYPOINTS_HTTPS_ADDRESS=:443
          - TRAEFIK_PROVIDERS_DOCKER=true
          - TRAEFIK_PROVIDERS_DOCKER_WATCH=true
          - TRAEFIK_PROVIDERS_DOCKER_NETWORK=proxy
          - TRAEFIK_PROVIDERS_DOCKER_EXPOSEDBYDEFAULT=false
        networks:
          - default
          - proxy

    networks:
      default:
      proxy:
        external: true

Zegorax commented 4 years ago

@x-jokay Thank you. But how did you manage to solve UniFi's web socket being sent to port 7446? It throws some errors because the certificates won't match (443 is managed by Traefik, valid one, 7446 is managed by UniFi, invalid one)

jokay commented 4 years ago

This may be possible now with TCP routers.

I switched the cameras to standalone and now use rtsp-simple-server in combination with VLC (or any compatible RTSP viewer).
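
A check for the symptoms reported in this thread (the redirect to IP:PORT, the Live View `wss://` URL carrying a local IP, and the socket on port 7446 that skips the proxy's certificate), as an added example that is not part of the original comments or the project's code. It takes the public origin served by the proxy and a URL the controller handed to the browser, and reports why following that URL would leave the proxy; the function name, finding labels, the `/ws` path and the 192.168.1.20 address are assumptions constructed for illustration.

```python
import ipaddress
from urllib.parse import urljoin, urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}


def audit_backend_url(public_origin, handed_out):
    """Return findings for a URL the backend gave the client.

    public_origin: the URL users type, terminated by the reverse proxy.
    handed_out:    a Location header value or a websocket endpoint.
    An empty list means the URL stays on the proxied origin.
    """
    pub = urlsplit(public_origin)
    # Relative redirects resolve against the public origin and stay on it.
    target = urlsplit(urljoin(public_origin, handed_out))
    findings = []

    host = (target.hostname or "").lower()
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP literal discloses the backend address and cannot match
        # a certificate issued for the public hostname.
        findings.append("ip-literal:" + ("private" if ip.is_private else "public"))
    elif host != (pub.hostname or "").lower():
        findings.append("host-mismatch")

    # The client arrived over TLS but is sent to a cleartext scheme.
    if pub.scheme == "https" and target.scheme in ("http", "ws"):
        findings.append("tls-downgrade")

    # A different port is not terminated by the proxy, so its certificate
    # and access controls do not apply there.
    port = target.port or DEFAULT_PORTS.get(target.scheme)
    if port != (pub.port or DEFAULT_PORTS.get(pub.scheme)):
        findings.append(f"bypasses-proxy-port:{port}")
    return findings


if __name__ == "__main__":
    origin = "https://nvr.example.com/"
    # Constructed samples modelled on the behaviour described in the thread.
    for url in ("/login",
                "http://192.168.1.20:7080/",
                "wss://192.168.1.20:7446/ws",
                "wss://nvr.example.com:7446/ws"):
        print(url, "->", audit_backend_url(origin, url) or "ok")
```

Feed it the `Location` header from a request made through the proxy, or the websocket URL shown in the browser's network panel, to see which of the three problems a given setup still has.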