| 1 | +<!--- Provide a general summary of your changes in the Title above --> |
| 2 | + |
| 3 | +[linuxserverurl]: https://linuxserver.io |
| 4 | +[][linuxserverurl] |
| 5 | + |
| 6 | + |
| 7 | +<!--- Before submitting a pull request please check the following --> |
| 8 | +* If this is a fix for a typo (in code, documentation, or the README) please file an issue and let us sort it out. We do not need a PR |
| 9 | + * This is not a fix for a typo. |
| 10 | + |
| 11 | +* Ask yourself if this modification is something the whole userbase will benefit from, if this is a specific change for corner case functionality or plugins please look at making a Docker Mod or local script https://blog.linuxserver.io/2019/09/14/customizing-our-containers/ |
| 12 | + * I think this modification is something the whole userbase could benefit from, giving more flexibility inside the container itself without having to copy pasta the entire init script for a docker mod to work. |
| 13 | +* That if the PR is addressing an existing issue include, closes #<issue number> , in the body of the PR commit message |
| 14 | + * It does not address an existing issue, but it does come out of the want to specify a self signed certificate so a reverse proxy can use that to encrypt the traffic between the two applications. |
| 15 | +<!-- You have included links to any files / patches etc your PR may be using in the body of the PR commit message --> |
| 16 | +<!--- We maintain a changelog of major revisions to the container at the end of readme-vars.yml in the root of this repository, please add your changes there if appropriate --> |
| 17 | + |
| 18 | + |
| 19 | +<!--- Coding guidelines: --> |
| 20 | +<!--- 1. Installed packages in the Dockerfiles should be in alphabetical order --> |
| 21 | +<!--- 2. Changes to Dockerfile should be replicated in Dockerfile.armhf and Dockerfile.aarch64 if applicable --> |
| 22 | +<!--- 3. Indentation style (tabs vs 4 spaces vs 1 space) should match the rest of the document --> |
| 23 | +<!--- 4. Readme is auto generated from readme-vars.yml, make your changes there --> |
| 24 | + |
| 25 | +------------------------------ |
| 26 | + |
| 27 | + - [x] I have read the [contributing](https://github.com/linuxserver/docker-unifi-network-application/blob/main/.github/CONTRIBUTING.md) guideline and understand that I have made the correct modifications |
| 28 | + |
| 29 | +------------------------------ |
| 30 | + |
| 31 | +<!--- We welcome all PR’s though this doesn’t guarantee it will be accepted. --> |
| 32 | + |
| 33 | +## Description: |
| 34 | +<!--- Describe your changes in detail --> |
| 35 | +On the first initialization of the unifi network application via this application, it checks to see if there is a mounted keystore.jks file if there is, the script will proceed to importing that jks into the keystore. Rather then auto generating a unique key that is pretty hard to modify once the container is created if using kubernetes, or a different certificate that wasn't generated. |
| 36 | + |
| 37 | +## Benefits of this PR and context: |
| 38 | +<!--- Please explain why we should accept this PR. If this fixes an outstanding bug, please reference the issue # --> |
| 39 | +The benefits of this PR are in my opinion allow for no hack arounds to occur to get this to work with a reverse proxy that isn't traefik and encrypt the traffic via tls from the proxy to the controller. |
| 40 | +This allows users to bring their own certificates as long as they are signed appropriately and will work with unifi. |
| 41 | +An example of this is cert-manager. |
| 42 | + |
| 43 | +```yaml |
| 44 | +apiVersion: cert-manager.io/v1 |
| 45 | +kind: Certificate |
| 46 | +metadata: |
| 47 | + name: self-signed-svc-cert |
| 48 | +spec: |
| 49 | + dnsNames: |
| 50 | + - {your-domain-name} |
| 51 | + secretName: unifi-signed-cert |
| 52 | + commonName: unifi |
| 53 | + issuerRef: |
| 54 | + name: self-signed-ca-issuer |
| 55 | + kind: ClusterIssuer |
| 56 | + group: cert-manager.io |
| 57 | + keystores: |
| 58 | + jks: |
| 59 | + alias: unifi |
| 60 | + create: true |
| 61 | + # This is really just aircontrolenterprise as it has to be. |
| 62 | + passwordSecretRef: |
| 63 | + name: unifi-keystore |
| 64 | + key: password |
| 65 | +``` |
| 66 | +
|
| 67 | +This allows the user to create a self signed certificate that allows them to use this on a reverse proxy application for example. NGINX that is using the gatewapi implementation `BackendTLSPolicy`. |
| 68 | + |
| 69 | +This is largely because there is no way at all to turn off insecure ski verfication for some ingress implementations. |
| 70 | +https://docs.linuxserver.io/images/docker-unifi-network-application/#strict-reverse-proxies |
| 71 | + |
| 72 | +This solves this problem altogether. |
| 73 | +https://docs.linuxserver.io/images/docker-unifi-network-application/#strict-reverse-proxies |
| 74 | + |
| 75 | +Users can now bring their own certificate and not have to worry about configuring it after the fact. |
| 76 | +## How Has This Been Tested? |
| 77 | +<!--- Please describe in detail how you tested your changes. --> |
| 78 | +<!--- Include details of your testing environment, and the tests you ran to --> |
| 79 | +<!--- see how your change affects other areas of the code, etc. --> |
| 80 | + |
| 81 | + |
| 82 | +## Source / References: |
| 83 | +<!--- Please include any forum posts/github links relevant to the PR --> |
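Review bot: the "How Has This Been Tested?" and "Source / References:" sections are left empty, so the PR gives no record of how the new keystore import path was exercised. Please describe the test setup: a first-initialization run with a mounted keystore.jks (for example one produced by the cert-manager Certificate shown above, with the unifi alias) and confirmation that the controller then serves that certificate, plus a first-initialization run without the file to show the existing auto-generation path is unchanged. The Description says the script imports a mounted keystore.jks when present but does not state the expected mount path or password; the YAML comment notes the keystore password has to be aircontrolenterprise, so that requirement and the path belong in the README (the template notes that readme-vars.yml is the place for this and for the changelog entry), and the init script should fail with a clear message rather than silently falling back to a generated key when the password or alias does not match, since that failure would otherwise be hard to see from inside Kubernetes. Minor: the same docs link under "Benefits of this PR and context" is pasted twice, and "insecure ski verfication" looks like a typo; please clarify which verification setting the strict reverse proxy section is referring to.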