I have Traefik v1.7.6 installed as a Docker container following the instructions in this tutorial.
Everything works fine and that site is accessed at: https://proxy.hostname.com
I want to add a UniFi Controller container to run behind this reverse proxy, but need help with my configuration.
Following this tutorial, I am able to create a functional container and access this site at: https://unifi.hostname.com:8443
Port 8443 is the native web management port that UniFi runs on, but this is where I need help.
From my understanding, I should be able to access this site via Traefik at https://unifi.hostname.com and be directed to the proper 8443 port on the back end. Secondly, the benefit of using Let's Encrypt is lost, as it only provides a certificate to subdomains on port 443.
Here is my docker-compose.yml file:

    version: "3.6"
    services:
      unifi:
        hostname: unifi
        image: linuxserver/unifi:latest
        restart: always
        container_name: "unifi"
        volumes:
          - /docker/unifi:/config
        ports:
          - target: 3478
            published: 3478
            protocol: udp
            mode: host
          - target: 10001
            published: 10001
            protocol: udp
            mode: host
          - target: 8080
            published: 8080
            protocol: tcp
            mode: host
          - target: 8081
            published: 8081
            protocol: tcp
            mode: host
          - target: 8443
            published: 8443
            protocol: tcp
            mode: host
          - target: 8880
            published: 8880
            protocol: tcp
            mode: host
          - target: 6789
            published: 6789
            protocol: tcp
            mode: host
        networks:
          - proxy
        environment:
          - PUID=1000
          - PGID=1000
          - TZ=America/New_York
        labels:
          - "traefik.enable=true"
          - "traefik.tags=frontend"
          - "traefik.frontend.passHostHeader=true"
          - "traefik.admin.backend=unifi"
          - "traefik.admin.frontend.rule=Host:unifi.hostname.com"
          - "traefik.admin.port=8443"
          - "traefik.admin.protocol=https"
    networks:
      proxy:
        external: true

From my own experience, proxying UniFi Controller has been a pain because it uses a baked-in, self-signed certificate. Typically you have to instruct your proxy to ignore invalid certs when it connects to its backend.
I'd suggest that what you want is the InsecureSkipVerify option, which has to be enabled in traefik.toml.
insecureSkipVerify : If set to true invalid SSL certificates are accepted for backends. Note: This disables detection of man-in-the-middle attacks so should only be used on secure backend networks. - https://docs.traefik.io/configuration/commons/
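
Where that setting sits in a Traefik v1.7 traefik.toml, as an added illustration that is not part of the original answer. The entry points and `[docker]` section are an assumed typical layout (the asker's own traefik.toml is not shown), and the CA file path is a hypothetical placeholder.

```toml
# traefik.toml (Traefik v1.7): added illustration, not the asker's file.

# Global options are top-level keys. In TOML, a key written after a
# [table] header belongs to that table, so this line must come before
# the first [section] or Traefik will not read it as the global option.
# It applies to every HTTPS backend Traefik connects to, not only UniFi.
insecureSkipVerify = true

# Narrower alternative: keep verification on and trust a specific CA.
# Assumption: the controller's baked-in certificate has been replaced
# with one issued by this CA and valid for the name Traefik connects to.
# The path below is a hypothetical placeholder.
# rootCAs = ["/etc/traefik/backend-ca.pem"]

defaultEntryPoints = ["http", "https"]

[entryPoints]
  [entryPoints.http]
  address = ":80"
    [entryPoints.http.redirect]
    entryPoint = "https"
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]

[docker]
# Only containers labelled traefik.enable=true are exposed.
exposedByDefault = false
```

Because verification is skipped for the proxy-to-backend hop, the docs' caveat applies to the `proxy` Docker network: only containers that should be able to sit between Traefik and the controller belong on it.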