Unsure how to get Unifi Controller behind Zoraxy #115

Open
gokou340 opened this issue Apr 1, 2024 · 11 comments
Labels
help wanted Extra attention is needed

Comments

gokou340 commented Apr 1, 2024

I'm in the process of migrating from NPM to Zoraxy and the last thing I need to figure out is how to get my Unifi Controller to work behind Zoraxy.

When Zoraxy is being used and I put in my username and password into Unifi, I get the following: "There was an error making that request. Please try again later."

In NPM and Nginx, I had to add the following previously:

        location / {
                # Forward to the controller's HTTPS port
                proxy_pass https://IP:8443/;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header Host $http_host;
                proxy_set_header X-Forwarded-Proto $scheme;
                proxy_set_header X-Real-IP $remote_addr;
                # WebSocket upgrade headers
                proxy_set_header Upgrade $http_upgrade;
                proxy_set_header Connection "Upgrade";
                proxy_buffering off;
                # The upstream certificate is not verified
                proxy_ssl_verify off;
        }

I'm not familiar enough with Zoraxy to understand how to add these to the connection. I'd like to fully migrate to Zoraxy, and this is my last step.

Any input would be appreciated!

tobychui added the help wanted label Apr 1, 2024
Owner

tobychui commented Apr 1, 2024

@gokou340 Would you mind showing me how you set up the proxy for your Controller in Zoraxy?
You will find the config under conf/proxy/*.config in JSON format that corresponds to the HTTP proxy rule you are having trouble with.

Author

gokou340 commented Apr 1, 2024

@tobychui Sure thing! Here you go:

{
 "ProxyType": 1,
 "RootOrMatchingDomain": "URLHERE",
 "Domain": "IPHERE:8443",
 "RequireTLS": true,
 "BypassGlobalTLS": false,
 "SkipCertValidations": true,
 "VirtualDirectories": [],
 "UserDefinedHeaders": [],
 "RequireBasicAuth": false,
 "BasicAuthCredentials": [],
 "BasicAuthExceptionRules": [],
 "DefaultSiteOption": 0,
 "DefaultSiteValue": "",
 "Disabled": false
}

Owner

tobychui commented Apr 2, 2024

@gokou340 From your config, I see no issues with the proxy setup.
Zoraxy automatically adds all the required headers to the proxy rule by sniffing HTTP headers and MIME types. So the following headers should be automatically configured, and it seems SkipCertValidations is set correctly as well.

X-Forwarded-For
X-Forwarded-Proto
X-Real-IP
Upgrade
Connection

Currently Zoraxy has no support for proxy_buffering off. But based on your use case, I am adding auto detection for non-streaming responses in the upcoming v3.0.1 builds.

Author

gokou340 commented Apr 2, 2024

That sounds good.

Running a trace, I can see that I am getting a 403 Forbidden message when I submit my credentials in the controller:

Request URL:
https://URL/api/login
Request Method:
POST
Status Code:
403 Forbidden
Remote Address:
ZORAXYIP:443
Referrer Policy:
strict-origin-when-cross-origin

Let me know if this is something different than what I am thinking.

Author

gokou340 commented Apr 2, 2024

Also, to add, here are some posts about the same error when behind Apache/Nginx:
https://community.ui.com/questions/Controller-v5-11-behind-reverse-proxy-gives-403-on-login/f98c3c5c-74c2-4cd5-80c1-24af498940aa

https://community.ui.com/questions/Controller-behind-Apache-Reverse-Proxy-greater-login-does-not-work/1925d1f7-1b95-4ca6-94dd-2161dcbf77e7

It might help with debugging. If you need me to pull any logs or do anything on my end, let me know!

Owner

tobychui commented Apr 2, 2024

@gokou340 Oh, I know what might be the issue. I see the following in the Apache config.

ProxyAddHeaders off

Header set Host mydomain.example.it  <-- 
RequestHeader set Host localhost <-- 
Header unset Referer
RequestHeader unset Referer
Header unset Origin
RequestHeader unset Origin

I guess what the Unifi controller wants is your client (web browser) to be in the same LAN as the controller itself. So the RequestHeader is telling the Unifi controller your browser is inside the same LAN (localhost in this case) and Header overwrites the response to the browser so the browser doesn't think your connection is being hijacked (by a program running in localhost).

Can you try one more thing to validate if my guess is correct? Create a subdomain (type A) DNS entry pointing directly to your Unifi controller IP / point a spare domain to your Unifi controller's IP and see if login via a domain works?

If the direct domain connection doesn't work, then my guess is correct. I can add a custom mode to "emulate" a local IP request instead of following the standard reverse proxy protocol for web proxy.
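
What the request-side directives in the Apache snippet above change, as an added Go example (not code from this thread or from Zoraxy): a `net/http/httputil` reverse proxy is run with and without the Host/Origin/Referer rewrite against a constructed echo backend, so the headers the backend receives can be compared. The hostname `unifi.example.test`, the helper names `newProxy` and `seenByBackend`, and the echo backend are assumptions.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"net/url"
)

// newProxy forwards to an HTTPS backend with a self-signed certificate. With
// rewrite=true it applies the RequestHeader directives quoted in the comment.
func newProxy(backend *url.URL, rewrite bool) *httputil.ReverseProxy {
	p := httputil.NewSingleHostReverseProxy(backend)
	director := p.Director
	p.Director = func(r *http.Request) {
		director(r) // changes the outbound URL only; the client's Host is kept
		if rewrite {
			r.Host = "localhost"    // RequestHeader set Host localhost
			r.Header.Del("Origin")  // RequestHeader unset Origin
			r.Header.Del("Referer") // RequestHeader unset Referer
		}
	}
	// Same effect as SkipCertValidations / proxy_ssl_verify off: no upstream cert check.
	p.Transport = &http.Transport{TLSClientConfig: &tls.Config{InsecureSkipVerify: true}}
	return p
}

// seenByBackend sends one login-style POST through the proxy and returns the
// Host, Origin and Referer values that a constructed echo backend received.
func seenByBackend(rewrite bool) (host, origin, referer string) {
	backend := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		host, origin, referer = r.Host, r.Header.Get("Origin"), r.Header.Get("Referer")
	}))
	defer backend.Close()
	u, _ := url.Parse(backend.URL)
	// Constructed browser request addressed to the public (placeholder) hostname.
	req := httptest.NewRequest("POST", "https://unifi.example.test/api/login", nil)
	req.Header.Set("Origin", "https://unifi.example.test")
	req.Header.Set("Referer", "https://unifi.example.test/manage")
	newProxy(u, rewrite).ServeHTTP(httptest.NewRecorder(), req)
	return
}

func main() {
	fmt.Println(seenByBackend(false)) // standard forwarding
	fmt.Println(seenByBackend(true))  // Apache-style rewrite
}
```

Dropping Origin and Referer removes the values a backend can use for cross-site request checks, so a rewrite like this is best scoped to the single host that needs it.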

Author

gokou340 commented Apr 2, 2024

@tobychui
Are you asking me to just create an A Record in my local DNS that points to my Unifi Controller, or are you saying to create something within Zoraxy?

Owner

tobychui commented Apr 3, 2024

@gokou340 The DNS A record, and use the domain name (instead of the IP address) to connect to your Unifi controller to see if the same error will be shown.

Author

gokou340 commented Apr 3, 2024

@tobychui I'm not following, I apologize. With A Records, they can only use an IP Address.

If my controller IP is 192.168.1.50 and my domain name is myhomelab.com, what do I need to set up on my end to run the test that you are trying to see? I have a local Windows DNS as well, if that helps.

Also, if there is an easier way to chat directly, such as Discord, or whatnot, let me know!

Owner

tobychui commented Apr 3, 2024

@gokou340 You can send me an email at [email protected] and we can chat directly, but I am in GMT+8 so we probably don't have much time that we can chat directly.

Author

gokou340 commented Apr 3, 2024

@tobychui Email sent your way. I will make sure to update this post when we are completed.
