Is there anyone here that can give some guidance?
I am new to AWS and am interested in setting up a UniFi controller.
There are so many names, and I cant figure out which option I should be looking at.
I am use to setting up a Ubuntu droplet on DO and just going from there.
The reason I am looking at AWS is because my usage is lite and I am interested to see if there is a price savings.
You can just google “unifi controller on aws” and there you have the official guide from UI.
UniFi - Install a UniFi Cloud Controller on Amazon Web Services – Ubiquiti Support and Help Center
Cheers
Thanks,
I feel like I had too many words in my search so that result didn’t come up.
Do you have any suggestions on best practices?
The guide, understandably, only outlines the controller install.
Here’s what I have though of
Disabling root login
Settings up key based authentication
Changing the port for ssh login
Setting up let’s encrypt for my domain.
I have also thought about creating a whitelist and MFA but I feel like those are nice to haves.
Tech is just my hobby, so I am not currently up on all the best practices but, this is a project to make me more aware of all the little things to secure a server.
In my VM I only setup auth via ssh-key and disabled password login
I’m still using port 22. There are a lot of malware with very clever port scanning that won’t really care if you are running ssh on port 22 or xxx.
For let’s encrypt, I personally have a reverse proxy (nginx) that manages the certificates. I find it more easy and you don’t have to care about working directly with the controller.
I also use the reverse proxy so that I can access the management interface without using port 8443.
My suggestion is to whitelist the IPs that can connect to 8443 (or you unifi.fqdn.com) or use a VPN to log in.
I would personally avoid to expose the management interface to the internet!
This is the site config I’ve been using on nginx.
# I had a bit of trouble getting my unifi controller (hosted offsite) to use a proxy/letsencrypt. So here are the fruits of my labor.
# The unifi default port is 8443 running on localhost.
# License: CC0 (Public Domain)
server {
# SSL configuration
#
listen 443 ssl default_server;
listen [::]:443 ssl default_server;
server_name unifi.example.ch;
# Needed to allow the websockets to forward well.
# Information adopted from here: https://community.ubnt.com/t5/EdgeMAX/Access-Edgemax-gui-via-nginx-reverse-proxy-websocket-problem/td-p/1544354
location /wss/ {
#proxy_pass https://localhost:8443;
#proxy_http_version 1.1;
#proxy_buffering off;
#proxy_set_header Upgrade $http_upgrade;
#proxy_set_header Connection "Upgrade";
#proxy_read_timeout 86400;
proxy_pass https://localhost:8443;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
proxy_set_header Proxy "";
proxy_set_header Host $http_host;
}
location / {
proxy_pass https://localhost:8443/; # The Unifi Controller Port
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forward-For $proxy_add_x_forwarded_for;
}
# Unifi still internally uses its own cert. This was converted to PEM and
# is trusted for the sake of this proxy. See here for details:
# https://community.ubnt.com/t5/UniFi-Wireless/Lets-Encrypt-and-UniFi-controller/td-p/1406670
ssl_trusted_certificate /etc/nginx/ssl/unifi/unifi-default-selfsign.pem;
# include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/unifi.example.ch/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/unifi.example.ch/privkey.pem; # managed by Certbot
}
server {
listen 80;
listen [::]:80;
server_name unifi.example.ch;
location / {
return 301 https://$host$request_uri;
}
}