2015-08-16

I just went through installing the Unifi controller on a cloud server, and while there were a number of good tutorials out there, many of them were out of date or had gotchas that took a while to figure out. Since I documented the install for myself anyway, I figured I might as well share the knowledge.

Sources: this is very closely based on the excellent tutorial provided by Jeff Ferguson for ver. 3.2.1, updated to use the new repository locations, to separate out the security info from the basic install, and to fix a particularly frustrating issue described here.

Step 1: Create the cloud server instance

DigitalOcean provides an excellent cloud platform, and at $5/month for the smallest "Droplet," which is sufficient for a Unifi controller, it's a bargain.

Click this link to set up a new server with DigitalOcean, and you'll get $10 credit (2 free months!), and I'll get some referral credit if you stay with them for a while.

Detailed steps:

Create an account, confirm your email, and enter billing information

Click "Create Droplet"

Choose the $5/month size, a region near you, and the Ubuntu 14.04 x64 image

Provide a hostname, like "unifi-controller" or whatever you like

Click "Create Droplet" and DigitalOcean will take about a minute to get your cloud server up and running

DigitalOcean will email you the root password for your server

Note: see the bottom of this post, in the "Security" section, for the "Add SSH keys" option — you can do this if you're a bit more tech-savvy and want slightly better security on your server.

Step 2: Configure the cloud server

Take the server IP address, visible in the DigitalOcean web control panel, and use it to ssh into the server:

SSH will warn you that you're connecting to this machine for the first time, and ask to add it to the list of known hosts; approve this and log in with the password DigitalOcean emailed you.

If you're running Windows and don't have an SSH client built in, you can use Putty or pick an SSH client from the Windows store.

Once you're logged in: [note: you'll be logged in as root, but all these commands are given with sudo, in case anyone will be following this step-by-step instruction from a non-root account.]

1. Update Ubuntu with the most recent patches:

2. Create a swap file (DigitalOcean doesn't create one by default, and there are situations where it can help to have one).

Add a line to /etc/fstab to tell the system about the swap file:

Then put this line at the very bottom of the file:

Ctrl+O then [enter] to save the file, Ctrl+X to exit the editor.

Set some "swappiness" parameters for Linux:

3. Set up the iptables firewall in Linux:

Allow connections once established:

Allow loopback connections:

Allow SSH:

Allow ports needed for Unifi controller:

Drop any packets not allowed by the above rules:

4. Set up Linux to have the firewall rules remain persistent through a reboot:

You will get two prompts during the install — hit [enter] to accept the default action on each of them.

5. Fix a subtle issue involving cryptography and cloud servers:

The full explanation is in this thread, but the short version is: the Linux kernel's random number generator depends heavily on entropy gathered from user input and hardware events. A headless cloud server has very little of that, so programs that need random data to initialize their cryptography, like the Java runtime that runs Unifi, can sit blocked (for a v-e-r-y long time) waiting for the entropy pool to fill. haveged is a software package designed to fix that in cloud server environments by using processor timing fluctuations as a source of randomness.

6. The cloud server is ready — you should reboot to let the swapfile take effect and make sure everything else worked properly.

Wait a minute for the server to finish rebooting, and then log back in with:
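The firewall, persistence and haveged steps above, collected into one script that can be reviewed before it touches anything. This is an added example, not the post's own commands: it assumes you run it as root (or via sudo) on the fresh Ubuntu 14.04 Droplet, that the controller uses Unifi's default ports (8443/tcp for the https web UI, 8080/tcp for the inform URL, 3478/udp for STUN, 10001/udp for device discovery; check these against Ubiquiti's port list for the version you install), and that iptables-persistent is the persistence package, which on 14.04 stores IPv4 rules in /etc/iptables/rules.v4. Set DRY_RUN=1 to print the commands instead of running them.

```shell
#!/bin/sh
# Added example (not the post's own commands): steps 1 and 3-5 of
# "Configure the cloud server" as one reviewable script.
# Assumptions: run as root or via sudo on Ubuntu 14.04; Unifi default ports
# (8443/tcp web UI, 8080/tcp inform, 3478/udp STUN, 10001/udp discovery);
# iptables-persistent keeps IPv4 rules in /etc/iptables/rules.v4.
set -eu

SSH_PORT="${SSH_PORT:-22}"   # change this if you move SSH to a non-standard port
DRY_RUN="${DRY_RUN:-}"       # DRY_RUN=1 prints commands instead of running them

# run: execute a command, or print it when DRY_RUN is set so the whole
# rule set can be checked before it is applied to a live server.
run() {
    if [ -n "$DRY_RUN" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Step 1: current patches.
update_system() {
    run apt-get update
    run env DEBIAN_FRONTEND=noninteractive apt-get -y upgrade
}

# Step 3: default-deny INPUT chain. Order matters: the SSH allow must come
# before the final DROP. The chain's policy stays ACCEPT while the rules are
# appended, so an existing SSH session is never cut off part-way through,
# and set -e stops the script before the DROP if any earlier rule fails.
unifi_firewall() {
    run iptables -F INPUT
    run iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A INPUT -p tcp --dport "$SSH_PORT" -j ACCEPT
    run iptables -A INPUT -p tcp --dport 8443 -j ACCEPT    # web UI (https)
    run iptables -A INPUT -p tcp --dport 8080 -j ACCEPT    # inform URL
    run iptables -A INPUT -p udp --dport 3478 -j ACCEPT    # STUN
    run iptables -A INPUT -p udp --dport 10001 -j ACCEPT   # device discovery
    run iptables -A INPUT -j DROP
}

# Step 4: keep the rules across reboots. With DEBIAN_FRONTEND=noninteractive
# the package's two prompts take their defaults, as the post suggests; the
# explicit save afterwards makes the file match what is loaded right now.
persist_firewall() {
    run env DEBIAN_FRONTEND=noninteractive apt-get -y install iptables-persistent
    run sh -c 'iptables-save > /etc/iptables/rules.v4'
}

# Step 5: haveged feeds the kernel entropy pool on a headless VM.
install_haveged() {
    run apt-get -y install haveged
}

# entropy_avail: prints the kernel's current entropy estimate in bits, or
# "unknown" where /proc is not available. A pool that sits near zero after
# boot is the symptom the post describes; with haveged it recovers quickly.
entropy_avail() {
    if [ -r /proc/sys/kernel/random/entropy_avail ]; then
        cat /proc/sys/kernel/random/entropy_avail
    else
        echo unknown
    fi
}

main() {
    update_system
    unifi_firewall
    persist_firewall
    install_haveged
    echo "entropy_avail: $(entropy_avail)"
}

# Only act when explicitly asked, so sourcing the file for review is harmless.
case "${1:-}" in
    --apply) main ;;
esac
```

Run it once with `DRY_RUN=1 sh setup.sh --apply` and read the printed iptables lines; the last line must be the DROP and the SSH allow must be above it. Then run `sh setup.sh --apply` from your existing SSH session and, before logging out, open a second session to confirm SSH still works. `sudo iptables -L INPUT -n --line-numbers` shows the live chain, and `cat /proc/sys/kernel/random/entropy_avail` lets you compare the entropy pool before and after haveged is installed.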

Step 3: Install Unifi Controller Software

1. Add the Ubiquiti repositories to the sources list for package installation:

Paste the following into the file:

Ctrl+O then [enter] to save the file, Ctrl+X to exit the editor.

2. Add the UBNT code-signing key to the approved list:

3. Update the apt database to include the new Ubiquiti sources:

4. Install the Unifi controller package:

5. Unifi is installed and should now be running — you can access your controller web UI at:

Note that it is https, not just http.

6. You may want to stop at this point and use DigitalOcean to take a snapshot of your cloud server, so that you can always get back to a completely new and clean install of a Unifi controller, or use the snapshot to spin up a new Droplet if you need a second Unifi controller at some point in the future.

To do that, first power off the server:

Then go into the DigitalOcean control panel under snapshots and take a snapshot. You may have to reload the page to get it to recognize that your machine is powered off. Once the snapshot is taken, use the control panel to power the machine back on.

7. You can then go through the standard wizard to get the Unifi controller set up, and follow the instructions here for various options for adopting access points onto your cloud controller (the easiest is to use the Unifi Discover app on a local machine; the inform URL of the cloud controller will be http://ip-address:8080/inform).

Step 4: Keeping things up-to-date

Since everything, including Unifi itself, has been installed from repositories, keeping things up-to-date (and installing updated releases of Unifi) should be as simple as periodically logging in to run:

Security

While the above instructions will get your Unifi controller up and running, you probably want to tighten up the security on your cloud server a bit.

Here are some options for doing that.

1. Use SSH keys instead of passwords:

You can read more about how to set up key-based login with DigitalOcean. Once you've generated a key, you can either provide it at Droplet creation time or add it once you've got the machine up and running.

2. Set up a non-root user:

Follow the prompts to provide a password and other info, and then add the user to the sudo group:

If you're using key-based login, you can then add a key for that user, from the local machine:

Then you can log in as that user, instead of root, with:

And now you'll have to use sudo if you want to execute root-level commands.

3. If you're using SSH key access instead of passwords, prevent password-based access entirely:

Find the lines with the following directives and edit them to have the values shown:

If you've created a non-root user, you could also set:

If you want to be extra-secure, you could move SSH to a non-standard port. If you do that, remember that you have to change the firewall settings to open up that new port instead of port 22.

Then restart SSH
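A script that makes the sshd_config edits from step 3 idempotently and checks the file parses before restarting SSH. This is an added example, not the post's own commands. It assumes the directives being set are PasswordAuthentication no, ChallengeResponseAuthentication no (so PAM's keyboard-interactive prompt cannot be used as a password fallback) and, only once a sudo-capable non-root user has a working key, PermitRootLogin no; it also assumes Ubuntu 14.04, where the service is called "ssh", and GNU sed.

```shell
#!/bin/sh
# Added example (not the post's own commands): apply the sshd_config changes
# from step 3 idempotently and validate the result before restarting SSH.
# Assumptions: the directives are PasswordAuthentication,
# ChallengeResponseAuthentication and PermitRootLogin; Ubuntu 14.04, where
# the service is "ssh"; GNU sed for in-place editing.
set -eu

# set_directive FILE KEY VALUE: rewrite any existing line for KEY, commented
# out or not, to "KEY VALUE"; append the line if KEY is absent. sshd uses the
# first value it sees for a directive, so a stray earlier line is what makes
# a "hardened" config silently keep accepting passwords.
set_directive() {
    file=$1 key=$2 value=$3
    if grep -Eq "^[[:space:]]*#?[[:space:]]*$key([[:space:]]|\$)" "$file"; then
        sed -i -E "s|^[[:space:]]*#?[[:space:]]*$key([[:space:]].*)?\$|$key $value|" "$file"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# harden_sshd [FILE]: the settings from step 3. PermitRootLogin no belongs
# here only if a non-root user with sudo and a working key already exists.
harden_sshd() {
    cfg=${1:-/etc/ssh/sshd_config}
    set_directive "$cfg" PasswordAuthentication no
    set_directive "$cfg" ChallengeResponseAuthentication no
    set_directive "$cfg" PermitRootLogin no
}

# restart_if_valid [FILE]: never restart on a config sshd cannot parse; a
# failed restart on a cloud server with no console means a rebuild.
restart_if_valid() {
    cfg=${1:-/etc/ssh/sshd_config}
    if ! sshd -t -f "$cfg"; then
        echo "sshd_config failed validation; not restarting" >&2
        return 1
    fi
    service ssh restart
}

# Only act when explicitly asked, so sourcing the file for review is harmless.
case "${1:-}" in
    --apply)
        cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
        harden_sshd
        restart_if_valid
        ;;
esac
```

Keep the session you ran this from open, then open a second terminal and confirm key-based login works before closing the first one. A quick check that the change took effect is `ssh -o PubkeyAuthentication=no -o PreferredAuthentications=password user@ip-address`, which should now be refused with "Permission denied (publickey)". If you also moved SSH to a non-standard port, set it with `set_directive /etc/ssh/sshd_config Port <port>` and open that port in the firewall before restarting.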

4. Alternately, instead of locking down SSH so it can't be accessed with a password, set up fail2ban to prevent brute-force attacks against the password by enforcing lockouts when someone tries too often.

If you want to change it from the default configuration to be more protective, Jeff Ferguson's tutorial has information on how to do that.

You can do both (3) and (4) if you want to; they don't conflict with each other.

Idea for the future: it would be awesome if Ubiquiti worked with DigitalOcean to provide a ready-made "application image" like they have for other software so that we could have true one-click installs of Unifi cloud controllers.
