Self Hosted UniFi Controller Server and HA Proxy

hpspar05 · August 12, 2020, 1:11pm

I have a self hosted UniFi controller server with Let’s Encrypt already setup and running. Should I be using HA Proxy with my build?

LTS_Tom · August 12, 2020, 2:56pm

if it makes you happy.

hpspar05 · August 12, 2020, 4:20pm

We all have our unique qualities about ourselves and I’m learning that you are unique Tom;).

I’m learning that when I post here that I must ask the right question in order to get a clear unambiguous answer from you or other forum respondents. That said, I’m not looking to have a good feeling about my controller security etc, but get a clear answer to my question. Maybe you answered me in our unique way of speaking to my question and I’m just too much of a newbie to get it or understand your answer.

Let me try again with my question. Is it best security practice to have HA Proxy with a self hosted UniFi controller server?

LTS_Tom · August 12, 2020, 4:38pm

I don’t want people to think I am ignoring them so I usually respond in one way or another. I am not aware of any security issues in either setup but I have never use Let’s Encrypt with the UniFi controller. Unless there is a request for something different, we usually just leave the UnIFi self signed cert in place.

hpspar05 · August 12, 2020, 4:54pm

Ok now I understand you, I was just thinking that having the secure lock for the controller in the browser was best security practice for the controller and pfsense etc.

hpspar05 · August 12, 2020, 4:58pm

I also watched your HA Proxy video thinking that it would be a good thing to do for the controller, but if it’s not needed or is overkill for a home guy like myself, I get your answer much clearer now and thanks once again Tom.

xMAXIMUSx · August 13, 2020, 2:31am

Even with leaving the self signed certificate as is the connection between you and the controller is still encrypted. I know that probably doesn’t sound right because your browser says it’s not secure but if you do a packet capture it is indeed encrypted. If this was a public facing controller I would think to put it in HA proxy in front if you didn’t want to mess with updating the cert in the controller itself but as far as security goes it would be just as vulnerable if you are passing the same ports either from the proxy or from the firewall directly.