Network

UniFi should be run behind a reverse proxy, which terminates TLS and means the controller's own HTTPS listener (8443) need not be exposed directly. Only the web UI is proxied; managed devices still contact the controller directly on the ports listed below. See NGINX for more details, and Setup Base Proxy Control for the basic proxy configuration.

Ports

---
###############################################################################
# Ports Configuration
###############################################################################
# Ports should be managed externally via an OS role.
#
# Each entry is one inbound firewall rule, written as a flow-style mapping:
#   proto     - 'tcp' or 'udp'
#   from_ip   - permitted source; 'any' opens the port to every source
#   to_ip     - destination address (only set on the localhost-only rule)
#   to_port   - destination port; the range is quoted so YAML does not
#               read 'a:b' as a sexagesimal integer
#   direction - 'in' for every rule on this page
#   comment   - rule description (wording follows the UniFi ports reference)
#
# NOTE(review): this page fronts the WebUI with a reverse proxy, so 8443
# does not need to be open to 'any' -- restrict from_ip to the proxy host
# once its address is known. The UDP discovery/broadcast rules (1900,
# 10001, 5656:5699), device communication (8080) and remote syslog (5514,
# which carries no authentication) only need to be reachable from the
# networks where managed devices live; tighten from_ip to those ranges
# where the OS role allows it.
#
# Reference:
# * https://help.ui.com/hc/en-us/articles/218506997-UniFi-Ports-Used
# * https://docs.ansible.com/ansible/latest/collections/community/general/ufw_module.html

ports:
  # Device-facing UDP services.
  - {proto: 'udp', from_ip: 'any', to_port: 3478,        direction: 'in', comment: 'STUN'}
  # Syslog from devices is plaintext UDP; keep its source range as narrow as possible.
  - {proto: 'udp', from_ip: 'any', to_port: 5514,        direction: 'in', comment: 'remote syslog capture'}
  - {proto: 'udp', from_ip: 'any', to_port: '5656:5699', direction: 'in', comment: 'AP-EDU broadcasting'}
  # Discovery protocols are intended for the local segment, not the internet.
  - {proto: 'udp', from_ip: 'any', to_port: 10001,       direction: 'in', comment: 'device discovery'}
  - {proto: 'udp', from_ip: 'any', to_port: 1900,        direction: 'in', comment: 'L2 network discovery'}
  # Device-facing TCP services.
  - {proto: 'tcp', from_ip: 'any', to_port: 8080,        direction: 'in', comment: 'device/application communication'}
  # WebUI: proxied by nginx on this page, so the source can be limited to the proxy.
  - {proto: 'tcp', from_ip: 'any', to_port: 8443,        direction: 'in', comment: 'WebUI'}
  # Guest/captive-portal redirection endpoints.
  - {proto: 'tcp', from_ip: 'any', to_port: 8880,        direction: 'in', comment: 'HTTP portal redirection'}
  - {proto: 'tcp', from_ip: 'any', to_port: 8843,        direction: 'in', comment: 'HTTPS portal redirection'}
  - {proto: 'tcp', from_ip: 'any', to_port: 6789,        direction: 'in', comment: 'unifi mobile speed test'}
  # The controller's database must never be reachable off-host; both ends are pinned to loopback.
  - {proto: 'tcp', from_ip: '127.0.0.1', to_ip: '127.0.0.1', to_port: 27117, direction: 'in', comment: 'database communication (localhost only)'}

Using Subdomains

0644 root root nginx/conf.d/reverse-proxy.conf
# WebSocket support: derive the Connection header sent upstream from the
# client's Upgrade header -- 'close' when the client sent no Upgrade header
# (empty $http_upgrade), 'upgrade' for any other value.
map $http_upgrade $connection_upgrade {
    ''      close;
    default upgrade;
}

# UniFi WebUI on its own hostname. TLS is terminated here; the certificate
# and key directives are not in this block and are presumably supplied by
# the base proxy configuration (see "Setup Base Proxy Control") -- nginx
# will not start an 'ssl' listener without them, so confirm they are loaded.
server {
  listen                               443 ssl http2;
  # Matched against the request Host header; the bare 'unifi' name covers
  # internal lookups made without the domain suffix.
  server_name                          unifi.{DOMAIN} unifi;

  # NOTE(review): nothing here limits who can reach the controller login
  # page; if 443 is internet-facing, add allow/deny or another access
  # control in front of this location.
  location / {
    # The controller serves HTTPS itself. nginx does not verify upstream
    # certificates unless proxy_ssl_verify is on, so this hop trusts the
    # network between proxy and controller; to verify, add
    # proxy_ssl_trusted_certificate with the controller's certificate and
    # turn proxy_ssl_verify on.
    proxy_pass                         https://unifi:8443;

    # No caching, storing or buffering: responses (including upgraded
    # WebSocket streams) are passed through as they arrive.
    proxy_cache                        off;
    proxy_store                        off;
    proxy_buffering                    off;
    # HTTP/1.1 is required for the Upgrade handshake.
    proxy_http_version                 1.1;
    # Long read timeout (10 hours) keeps idle WebSocket sessions from being
    # closed by the proxy.
    proxy_read_timeout                 36000s;

    # Forward the original Host plus the Upgrade/Connection pair computed by
    # the map above so the controller can complete the WebSocket handshake.
    proxy_set_header Host              $http_host;
    proxy_set_header Upgrade           $http_upgrade;
    proxy_set_header Connection        $connection_upgrade;
    # Client address and scheme as seen by the proxy, for controller logs.
    proxy_set_header X-Real-IP         $remote_addr;
    proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    # The Referer header is stripped before it reaches the controller;
    # presumably so the controller does not reject or log cross-origin
    # referers -- confirm against the controller's behaviour.
    proxy_set_header Referer           '';

    # 0 disables the request-body size limit (backup restores can be large).
    # NOTE(review): this applies to unauthenticated clients as well;
    # consider a finite cap sized to the largest expected backup.
    client_max_body_size               0;
  }
}

Using Subpaths

0644 root root nginx/conf.d/reverse-proxy.conf
# WebSocket support: derive the Connection header sent upstream from the
# client's Upgrade header -- 'close' when the client sent no Upgrade header
# (empty $http_upgrade), 'upgrade' for any other value.
map $http_upgrade $connection_upgrade {
    ''      close;
    default upgrade;
}

# UniFi WebUI under a path prefix on a shared hostname.
# NOTE(review): this server block has no listen, server_name or ssl
# directives. Loaded as-is, nginx would bind it to its default plain-HTTP
# port and the controller login would be proxied without TLS. It is
# presumably meant to be merged into the base proxy's TLS server block
# (see "Setup Base Proxy Control"); either do that, or add
# 'listen 443 ssl http2;' and the certificate directives here.
server {
  # The trailing slash on proxy_pass strips the '/unifi/' prefix, so the
  # controller sees requests at its root.
  location /unifi/ {
    # The controller serves HTTPS itself. nginx does not verify upstream
    # certificates unless proxy_ssl_verify is on, so this hop trusts the
    # network between proxy and controller; to verify, add
    # proxy_ssl_trusted_certificate with the controller's certificate and
    # turn proxy_ssl_verify on.
    proxy_pass                         https://unifi:8443/;

    # No caching, storing or buffering: responses (including upgraded
    # WebSocket streams) are passed through as they arrive.
    proxy_cache                        off;
    proxy_store                        off;
    proxy_buffering                    off;
    # HTTP/1.1 is required for the Upgrade handshake.
    proxy_http_version                 1.1;
    # Long read timeout (10 hours) keeps idle WebSocket sessions from being
    # closed by the proxy.
    proxy_read_timeout                 36000s;

    # Forward the original Host plus the Upgrade/Connection pair computed by
    # the map above so the controller can complete the WebSocket handshake.
    proxy_set_header Host              $http_host;
    proxy_set_header Upgrade           $http_upgrade;
    proxy_set_header Connection        $connection_upgrade;
    # Client address and scheme as seen by the proxy, for controller logs.
    proxy_set_header X-Real-IP         $remote_addr;
    proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    # The Referer header is stripped before it reaches the controller;
    # presumably so the controller does not reject or log cross-origin
    # referers -- confirm against the controller's behaviour.
    proxy_set_header Referer           '';

    # 0 disables the request-body size limit (backup restores can be large).
    # NOTE(review): this applies to unauthenticated clients as well;
    # consider a finite cap sized to the largest expected backup.
    client_max_body_size               0;
  }
}