Setting up a UniFi Controller behind an nginx reverse proxy gives you more control over who has access to your web GUI, and means you no longer have to specify a port when connecting to your UniFi Controller.

This guide assumes you've already installed UniFi. UniFi does not need to be using a Let's Encrypt certificate already for you to use this.

First of all, install nginx:

sudo apt install nginx

Switch to the root user and install acme.sh:

sudo -i
curl https://get.acme.sh | sh

Open bash again to be able to use the acme.sh command:

bash

Import your DNS API keys (note: if you're not using Cloudflare, you can read about other DNS integrations here):

export CF_Key="YOUR_API_KEY"
export CF_Email="YOUR_EMAIL"

Next, issue the certificate:

acme.sh --issue --dns dns_cf -d unifi.yourdomain.com

Next, you're going to install the certificate. Create the folder, then install the certificate:

mkdir -p /etc/nginx/ssl/unifi.yourdomain.com

acme.sh --install-cert -d unifi.yourdomain.com \
--key-file /etc/nginx/ssl/unifi.yourdomain.com/key.pem \
--fullchain-file /etc/nginx/ssl/unifi.yourdomain.com/fullchain.pem \
--reloadcmd "systemctl reload nginx"

Next, you're going to remove the default nginx config:

rm /etc/nginx/sites-enabled/default

Next, download the nginx configuration file for UniFi.

curl https://gist.githubusercontent.com/ThePigsMud/c2cc085a201cb41adb8db4b8b50947db/raw/unifi > /etc/nginx/sites-available/unifi

Open this in a text editor such as nano or vim, and replace "yourdomain.com" with your domain name.

nano /etc/nginx/sites-available/unifi

Once you're done, you can save and exit out of vim or nano.

Additionally, set up an ssl-params file. If you know what you're doing, you can set up your own, or use mine:

curl https://gist.githubusercontent.com/ThePigsMud/efc6562406a9502831964a4837b5e875/raw/ssl-params.conf > /etc/nginx/snippets/ssl-params.conf

Because my SSL parameters file allows only ECDHE key exchange and not DHE, we do not need to generate DH parameters.

Now you're almost ready to deploy your new nginx configuration. Symlink your UniFi configuration to sites-enabled:

ln -s /etc/nginx/sites-available/unifi /etc/nginx/sites-enabled/

Restart nginx:

systemctl restart nginx

Assuming you followed every step in this guide, you should now be able to access your UniFi controller at your hostname, using a Let's Encrypt certificate, and no port required!
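
The following pre-flight check is an added example, not part of the original guide or of the gists it downloads. It checks the edited site config and the ssl-params file for what this guide relies on: the yourdomain.com placeholder replaced, certificate and key paths that exist with a key closed to group and others, and no DHE suites listed without ssl_dhparam. The function names are hypothetical and both file paths are passed as arguments.

```bash
# Added example (hypothetical function names): checks for the guide's two files.

# Fail if the guide's placeholder domain is still in the site config.
check_placeholder() (
    if grep -q 'yourdomain\.com' "$1"; then
        echo "FAIL: placeholder yourdomain.com still in $1" >&2; exit 1
    fi
)

# Each ssl_certificate / ssl_certificate_key path must exist, and the
# private key must carry no group or other permission bits.
check_cert_paths() (
    rc=0; n=0
    while read -r directive path; do
        [ -n "$directive" ] || continue
        n=$((n + 1)); path=${path%;}
        if [ ! -f "$path" ]; then
            echo "FAIL: $directive points at missing file $path" >&2; rc=1
        elif [ "$directive" = ssl_certificate_key ] &&
             [ "$(ls -ld "$path" | cut -c5-10)" != "------" ]; then
            echo "FAIL: $path is accessible by group or others" >&2; rc=1
        fi
    done <<EOF
$(grep -E '^[[:space:]]*ssl_certificate(_key)?[[:space:]]' "$1")
EOF
    [ "$n" -gt 0 ] || { echo "FAIL: no certificate directives in $1" >&2; rc=1; }
    exit "$rc"
)

# The guide skips DH parameter generation because only ECDHE is used, so
# flag any DHE/EDH entry in ssl_ciphers when no ssl_dhparam is configured.
check_no_dhe() (
    if grep -Eq '^[[:space:]]*ssl_dhparam[[:space:]]' "$1"; then exit 0; fi
    dhe=$(grep -E '^[[:space:]]*ssl_ciphers[[:space:]]' "$1" |
          tr -c 'A-Za-z0-9+!_-' '\n' |
          grep -E '^(DHE|EDH|kDHE|kEDH)([-+]|$)' || true)
    if [ -n "$dhe" ]; then
        echo "FAIL: DHE suites listed but no ssl_dhparam set: $dhe" >&2; exit 1
    fi
)

preflight() (
    rc=0
    check_placeholder "$1" || rc=1
    check_cert_paths "$1" || rc=1
    check_no_dhe "$2" || rc=1
    exit "$rc"
)
if [ "$#" -eq 2 ]; then preflight "$1" "$2"; fi  # args: <site-config> <ssl-params>
```

Saved under a name of your choice (preflight.sh here is a placeholder), run it as root before restarting nginx: sh preflight.sh /etc/nginx/sites-available/unifi /etc/nginx/snippets/ssl-params.conf. Follow it with nginx -t so nginx itself validates the syntax.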