I have been trying to host my Unifi Controller on Docker. After many problems I have come to terms with the fact that I will just run it natively on my Ubuntu server. No problem. Ideally, I want to have a reverse proxy to this local service through Traefik.
Quick sketch:
Running Traefik v2.1.9 with docker-compose with a variety of services (e.g., pihole, portainer) that all work flawlessly.
Unifi is running natively as a service on the docker host, at https://10.0.0.2:8443:
$ systemctl status unifi
● unifi.service - unifi
Loaded: loaded (/lib/systemd/system/unifi.service; enabled; vendor preset: enabled)
Active: active (running) since Sun 2020-03-29 23:14:16 CEST; 11h ago
Process: 19278 ExecStop=/usr/lib/unifi/bin/unifi.init stop (code=exited, status=0/SUCCES
Process: 12416 ExecStart=/usr/lib/unifi/bin/unifi.init start (code=exited, status=0/SUCC
Main PID: 12490 (jsvc)
Tasks: 137 (limit: 4915)
CGroup: /system.slice/unifi.service
├─12490 unifi -cwd /usr/lib/unifi -home /usr/lib/jvm/java-8-openjdk-amd64 -cp /
├─12491 unifi -cwd /usr/lib/unifi -home /usr/lib/jvm/java-8-openjdk-amd64 -cp /
├─12492 unifi -cwd /usr/lib/unifi -home /usr/lib/jvm/java-8-openjdk-amd64 -cp /
├─12515 /usr/lib/jvm/java-8-openjdk-amd64/jre/bin/java -Dfile.encoding=UTF-8 -D
└─12588 bin/mongod --dbpath /usr/lib/unifi/data/db --port 27117 --unixSocketPre
mrt 29 23:14:06 titan systemd[1]: Starting unifi...
mrt 29 23:14:06 titan unifi.init[12416]: * Starting Ubiquiti UniFi Controller unifi
mrt 29 23:14:16 titan unifi.init[12416]: ...done.
mrt 29 23:14:16 titan systemd[1]: Started unifi.
Because Unifi supplies a hard-coded, unchangeable self-signed certificate, I figured I have to use TCP with TLS Passthrough. Fine! This is how I defined my service:
[tcp]
  [tcp.services]
    [tcp.services.unifi.loadBalancer]
      [[tcp.services.unifi.loadBalancer.servers]]
        address = "10.0.0.2:8443"

  [tcp.routers]
    [tcp.routers.unifi]
      entryPoints = ["https"]
      rule = "HostSNI(`unifi.hostname.com`)"
      service = "unifi"
      [tcp.routers.unifi.tls]
        passthrough = true
From the Traefik container, I can ping 10.0.0.2 and do a wget on https://10.0.0.2:8443/. The service is accessible.
Accessing http://10.0.0.2:8443 results in:
Bad Request
This combination of host and port requires TLS.
Because of this, I have also tried the following.
      [[tcp.services.unifi.loadBalancer.servers]]
        address = "https://10.0.0.2:8443/"
        scheme = "https"

and

      [[tcp.services.unifi.loadBalancer.servers]]
        address = "https://10.0.0.2:8443/"

and

      [[tcp.services.unifi.loadBalancer.servers]]
        address = "10.0.0.2:8443"
        scheme = "https"
This does not work, unfortunately.
The server is correctly added, there are no errors in the logs and it shows up fine in the dashboard. I do see an exclamation mark next to the TCP service. As I understand it, this is because the health check fails. Accessing unifi.hostname.com results in a 404 Not Found.
I went over the docs and reference several times, but I feel I am at a loss. Is it even possible what I am trying to achieve?
Thanks!
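A TCP router with `HostSNI` and `passthrough = true` never decrypts anything: Traefik only peeks at the unencrypted SNI field in the client's TLS ClientHello, picks the backend by that name, and then forwards the raw bytes. The script below is an added example (not part of the post above, and not Traefik's own code) that makes this visible: it builds a minimal ClientHello with or without SNI, extracts the SNI the way a passthrough proxy must, and shows why a plain-HTTP request or a ClientHello without SNI can never match a `HostSNI` rule. The `build_client_hello` helper and the `pick_route` routing table are constructed for this example; the hostname matching being case-insensitive is an assumption, not a statement about Traefik's implementation.

```python
import struct
from typing import Dict, Optional


def build_client_hello(server_name: Optional[str]) -> bytes:
    """Build a minimal TLS ClientHello record, optionally carrying an SNI extension.

    Constructed for this example only: one cipher suite, no other extensions.
    """
    body = b"\x03\x03" + b"\x00" * 32 + b"\x00"      # client_version, random, empty session id
    body += struct.pack(">H", 2) + b"\xc0\x2f"         # cipher_suites: one entry
    body += b"\x01\x00"                                # compression_methods: null only
    exts = b""
    if server_name is not None:
        name = server_name.encode("ascii")
        entry = b"\x00" + struct.pack(">H", len(name)) + name   # name_type host_name
        name_list = struct.pack(">H", len(entry)) + entry
        exts += struct.pack(">HH", 0, len(name_list)) + name_list  # extension type 0 = server_name
    body += struct.pack(">H", len(exts)) + exts
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake  # ContentType handshake


def extract_sni(data: bytes) -> Optional[str]:
    """Return the SNI host name from the first bytes a client sends, or None.

    None covers anything that is not a TLS handshake record (e.g. a plain HTTP
    request) as well as a ClientHello without a server_name extension.
    """
    try:
        if len(data) < 5 or data[0] != 0x16:
            return None                                    # not a TLS handshake record
        rec_len = struct.unpack(">H", data[3:5])[0]
        rec = data[5:5 + rec_len]
        if len(rec) < 4 or rec[0] != 0x01:
            return None                                    # not a ClientHello
        hs_len = int.from_bytes(rec[1:4], "big")
        hs = rec[4:4 + hs_len]
        if len(hs) < hs_len:
            return None                                    # truncated record
        pos = 2 + 32                                       # skip client_version and random
        pos += 1 + hs[pos]                                 # session_id
        pos += 2 + struct.unpack(">H", hs[pos:pos + 2])[0]  # cipher_suites
        pos += 1 + hs[pos]                                 # compression_methods
        if pos + 2 > len(hs):
            return None                                    # no extensions block at all
        ext_len = struct.unpack(">H", hs[pos:pos + 2])[0]
        pos += 2
        end = min(pos + ext_len, len(hs))
        while pos + 4 <= end:
            etype, elen = struct.unpack(">HH", hs[pos:pos + 4])
            pos += 4
            edata = hs[pos:pos + elen]
            pos += elen
            if etype != 0:
                continue                                   # only server_name matters here
            list_len = struct.unpack(">H", edata[:2])[0]
            p = 2
            while p + 3 <= 2 + list_len:
                ntype = edata[p]
                nlen = struct.unpack(">H", edata[p + 1:p + 3])[0]
                p += 3
                if ntype == 0:                             # host_name entry
                    return edata[p:p + nlen].decode("ascii", "replace")
                p += nlen
        return None
    except (IndexError, struct.error):
        return None                                        # malformed input is treated as "no SNI"


def pick_route(data: bytes, routes: Dict[str, str]) -> Optional[str]:
    """Mimic HostSNI routing: map the client's SNI to a service name, or None.

    `routes` is a constructed table {sni_host: service_name}; matching is done
    case-insensitively (an assumption made for this example).
    """
    sni = extract_sni(data)
    if sni is None:
        return None
    return {k.lower(): v for k, v in routes.items()}.get(sni.lower())


if __name__ == "__main__":
    table = {"unifi.hostname.com": "unifi"}
    # Constructed sample inputs: a matching ClientHello, a non-matching one,
    # a ClientHello without SNI, and a plain-HTTP request on the TLS port.
    samples = {
        "tls with matching SNI": build_client_hello("unifi.hostname.com"),
        "tls with other SNI": build_client_hello("other.hostname.com"),
        "tls without SNI": build_client_hello(None),
        "plain http": b"GET / HTTP/1.1\r\nHost: unifi.hostname.com\r\n\r\n",
    }
    for label, raw in samples.items():
        print(f"{label:24} sni={extract_sni(raw)!r:24} service={pick_route(raw, table)!r}")
```

The last two samples are the interesting ones for the question above: a plain HTTP request carries its hostname in the `Host` header, which is invisible to a TCP router, so it can only ever hit the HTTP side of the entrypoint (the "requires TLS" message comes from the backend, not from Traefik), and a client that omits SNI entirely (an older tool, or a connection made by raw IP) cannot be routed by `HostSNI` at all. When checking a passthrough setup it is therefore worth confirming that the client actually sends the expected SNI, for example with `openssl s_client -servername unifi.hostname.com`, before looking at the service definition.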