Network
Unifi should be run behind a reverse proxy, which lets you isolate it and wrap its connections in SSL. See NGINX for more details. See Setup Base Proxy Control for basic proxy configuration.
Ports
---
###############################################################################
# Ports Configuration
###############################################################################
# Ports should be managed externally via an OS role.
#
# Each entry is one firewall rule in the shape the ufw module consumes.
# Port ranges are written as quoted strings: an unquoted 5656:5699 would be
# read as a sexagesimal integer by YAML 1.1 parsers.
#
# Reference:
# * https://help.ui.com/hc/en-us/articles/218506997-UniFi-Ports-Used
# * https://docs.ansible.com/ansible/latest/collections/community/general/ufw_module.html
ports:
  # STUN
  - proto: 'udp'
    from_ip: 'any'
    to_port: 3478
    direction: 'in'
    comment: 'STUN'
  # remote syslog capture
  - proto: 'udp'
    from_ip: 'any'
    to_port: 5514
    direction: 'in'
    comment: 'remote syslog capture'
  # AP-EDU broadcasting (port range, kept quoted)
  - proto: 'udp'
    from_ip: 'any'
    to_port: '5656:5699'
    direction: 'in'
    comment: 'AP-EDU broadcasting'
  # device discovery
  - proto: 'udp'
    from_ip: 'any'
    to_port: 10001
    direction: 'in'
    comment: 'device discovery'
  # L2 network discovery
  - proto: 'udp'
    from_ip: 'any'
    to_port: 1900
    direction: 'in'
    comment: 'L2 network discovery'
  # device/application communication
  - proto: 'tcp'
    from_ip: 'any'
    to_port: 8080
    direction: 'in'
    comment: 'device/application communication'
  # WebUI
  # NOTE(review): the page expects the WebUI to be reached through the reverse
  # proxy; if that holds, from_ip here could be narrowed to the proxy host
  # instead of 'any' — confirm against the role's expectations.
  - proto: 'tcp'
    from_ip: 'any'
    to_port: 8443
    direction: 'in'
    comment: 'WebUI'
  # HTTP portal redirection
  - proto: 'tcp'
    from_ip: 'any'
    to_port: 8880
    direction: 'in'
    comment: 'HTTP portal redirection'
  # HTTPS portal redirection
  - proto: 'tcp'
    from_ip: 'any'
    to_port: 8843
    direction: 'in'
    comment: 'HTTPS portal redirection'
  # unifi mobile speed test
  - proto: 'tcp'
    from_ip: 'any'
    to_port: 6789
    direction: 'in'
    comment: 'unifi mobile speed test'
  # database communication (localhost only) — both endpoints pinned to loopback
  - proto: 'tcp'
    from_ip: '127.0.0.1'
    to_ip: '127.0.0.1'
    to_port: 27117
    direction: 'in'
    comment: 'database communication (localhost only)'
Using Subdomains
0644 root root
nginx/conf.d/reverse-proxy.conf
# Websockets: derive $connection_upgrade from the client's Upgrade header so the
# Connection header forwarded upstream is 'upgrade' when an upgrade was
# requested and 'close' when no Upgrade header was sent.
map $http_upgrade $connection_upgrade {
    default upgrade;
    '' close;
}
# Reverse proxy for the UniFi controller on its own hostname.
# Certificate/key and shared SSL settings are not part of this snippet;
# presumably they come from the base proxy configuration — confirm.
server {
    listen 443 ssl http2;
    # {DOMAIN} is a placeholder for the site's domain.
    server_name unifi.{DOMAIN} unifi;

    location / {
        # Upstream is the controller's own HTTPS listener on 8443.
        # NOTE(review): nginx does not verify the upstream certificate unless
        # proxy_ssl_verify is enabled; if the controller presents a
        # self-signed certificate, verification would also need
        # proxy_ssl_trusted_certificate — confirm before changing.
        proxy_pass https://unifi:8443;
        # No caching, storing or buffering so long-lived responses stream through.
        proxy_cache off;
        proxy_store off;
        proxy_buffering off;
        # HTTP/1.1 is required for the Upgrade/Connection websocket handshake.
        proxy_http_version 1.1;
        # Keep idle upstream reads open for up to 10 hours (websockets).
        proxy_read_timeout 36000s;
        proxy_set_header Host $http_host;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # Referer is blanked before it reaches the controller.
        proxy_set_header Referer '';
        # 0 disables the request-body size limit for this location.
        # NOTE(review): this is unbounded for every client that can reach the
        # vhost; a finite ceiling may be preferable if the proxy is exposed.
        client_max_body_size 0;
    }
}
Using Subpaths
0644 root root
nginx/conf.d/reverse-proxy.conf
# Websockets: derive $connection_upgrade from the client's Upgrade header so the
# Connection header forwarded upstream is 'upgrade' when an upgrade was
# requested and 'close' when no Upgrade header was sent.
map $http_upgrade $connection_upgrade {
    default upgrade;
    '' close;
}
# Reverse proxy for the UniFi controller under the /unifi/ path.
# This server block carries only the location: listen, server_name and TLS
# settings are presumably supplied by the base proxy configuration or by the
# existing server block this is merged into — confirm.
server {
    location /unifi/ {
        # The trailing slash on proxy_pass replaces the matched /unifi/ prefix,
        # so the controller receives paths relative to /.
        # NOTE(review): nginx does not verify the upstream certificate unless
        # proxy_ssl_verify is enabled; if the controller presents a
        # self-signed certificate, verification would also need
        # proxy_ssl_trusted_certificate — confirm before changing.
        proxy_pass https://unifi:8443/;
        # No caching, storing or buffering so long-lived responses stream through.
        proxy_cache off;
        proxy_store off;
        proxy_buffering off;
        # HTTP/1.1 is required for the Upgrade/Connection websocket handshake.
        proxy_http_version 1.1;
        # Keep idle upstream reads open for up to 10 hours (websockets).
        proxy_read_timeout 36000s;
        proxy_set_header Host $http_host;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # Referer is blanked before it reaches the controller.
        proxy_set_header Referer '';
        # 0 disables the request-body size limit for this location.
        # NOTE(review): this is unbounded for every client that can reach the
        # vhost; a finite ceiling may be preferable if the proxy is exposed.
        client_max_body_size 0;
    }
}