Putting a UniFi Controller behind an nginx reverse proxy gives you more control over who can access the web GUI, and means you no longer have to specify a port when connecting to the controller.
This guide assumes you've already installed UniFi. UniFi does not need to be using a Let's Encrypt certificate already for this to work.
First of all, install nginx:
sudo apt install nginx
Switch to the root user and install acme.sh:
sudo -i
curl https://get.acme.sh | sh
Open bash again to be able to use the acme.sh command:
Import your DNS API keys (note: If you're not using Cloudflare, you can read about other DNS integrations here)
export CF_Key="YOUR_API_KEY"
export CF_Email="YOUR_EMAIL"
Next, issue the certificate:
acme.sh --issue --dns dns_cf -d unifi.yourdomain.com
Next, you're going to install the certificate. Create the folder, then install the certificate:
mkdir -p /etc/nginx/ssl/unifi.yourdomain.com
acme.sh --install-cert -d unifi.yourdomain.com \
  --key-file /etc/nginx/ssl/unifi.yourdomain.com/key.pem \
  --fullchain-file /etc/nginx/ssl/unifi.yourdomain.com/fullchain.pem \
  --reloadcmd "systemctl reload nginx"
Next, you're going to remove the default nginx config:
Next, download the nginx configuration file for UniFi.
curl https://gist.githubusercontent.com/ThePigsMud/c2cc085a201cb41adb8db4b8b50947db/raw/unifi > /etc/nginx/sites-available/unifi
Open this in a text editor such as nano or vim, and replace "yourdomain.com" with your domain name.
Once you're done, you can save and exit out of vim or nano.
Additionally, set up an ssl-params file. If you know what you're doing, you can write your own, or use mine:
curl https://gist.githubusercontent.com/ThePigsMud/efc6562406a9502831964a4837b5e875/raw/ssl-params.conf > /etc/nginx/snippets/ssl-params.conf
Because my SSL parameters file only allows ECDHE key exchange and not DHE, we do not need to generate DH parameters.
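For orientation, here is a server block of the kind this setup needs. It is an added example, not the contents of the gist above. It assumes the controller listens on 127.0.0.1:8443 with its self-signed certificate, and 192.0.2.0/24 is a placeholder for the network you administer from.

```nginx
# Added example, not the gist's contents. Assumptions: the controller listens
# on 127.0.0.1:8443 with its self-signed certificate, and 192.0.2.0/24 is a
# placeholder admin network.

# Redirect plain HTTP to HTTPS.
server {
    listen 80;
    server_name unifi.yourdomain.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name unifi.yourdomain.com;

    # Files written by "acme.sh --install-cert".
    ssl_certificate     /etc/nginx/ssl/unifi.yourdomain.com/fullchain.pem;
    ssl_certificate_key /etc/nginx/ssl/unifi.yourdomain.com/key.pem;
    include snippets/ssl-params.conf;

    # Access control: only the admin network reaches the web GUI.
    allow 192.0.2.0/24;
    deny  all;

    location / {
        # The hop to the controller stays on loopback. nginx does not verify
        # upstream certificates by default, so the self-signed one is accepted.
        proxy_pass https://127.0.0.1:8443;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # The controller UI uses WebSockets; pass the upgrade through.
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
```

Running nginx -t after editing catches syntax errors before the restart takes the site down.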
Now you're almost ready to deploy your new nginx configuration. Symlink your unifi configuration to sites-enabled:
ln -s /etc/nginx/sites-available/unifi /etc/nginx/sites-enabled/
systemctl restart nginx
Assuming you followed every step in this guide, you should now be able to access your UniFi controller at your hostname, using a Let's Encrypt certificate, and no port required!