I have the controller running behind a reverse proxy just fine. You just have to re-write the headers to translate between 443/8043 both directions, and 80/8088 if you want the initial re-direct to https to work. I have mine behind the HAProxy package on my pfsense firewall at home. I would be happy to share the settings to make this work if anyone is interested. 

Hello!)
Congratulations to everyone on the last holidays!
I wish you all the very best!

I have been using TP-Link equipment for deploying wifi networks for a year now. In total, I have about 130 EAP245 access points at several sites (premises). I have a couple of very complex configurations in terms of design and RF environment.

During this year, I understood exactly what functions I was missing. I would like to suggest (ask) to consider these functions for further implementation.

0. Wireless Snooper(Wi-fi scanner):
In the latest version of EAP 245, if I understand correctly, spectral scanning is implemented. You can use it to determine the quality of the channel. That's great, thank you! But for better setup / optimization of the Wi-Fi network, a "Wireless Snooper" is needed. "Wireless Snooper" will be able to show us which networks with which parameters(SSID,BSSID,channel, signal, band, channel width) this access point catches.

1. Client isolation:
This has already been discussed a lot and has long been discussed.

2. Client signal levels when roaming:

It would be very cool if in the logging of client events, it was recorded at what signal level he left the access point, and with what level he connected to another access point.

3. Сontroller redundancy:
On this point, I think everything is clear

I would like to hear the opinion of other users.
@R1D2 , what do you think about this?

@Fae , I am very glad to welcome you!)

Please look at my list, can you comment on it?

P.S. English is not my native language, if something is not clear, please ask a question.

Thanks for attention! Good luck to all!)))

@TheKaban 

For your requests, does Rogue AP not give you enough for your point 0.

2. - You can add signal level to the client view, it doesn't record their levels so you can't see what they had or why they moved, but is this something many people would need or use? I understand it may help tweaking power settings, but once set, would it be used, often?

3. I also get why this was noted, but the APs will continue without a controller, the only downside is, you would not be able to make changes to the setup or add new SSIDs/profiles during a controller outage, however if you link the controller to the cloud, you can easily have this as your redundancy. I do accept not everyone want's to use this.

@Rod-IT 

Hello!
Regarding Rogue AP, it's not very convenient when you have to control a network of 50+ access points. It is more convenient to see spectral scanning information, and Wireless Snooper detailed (SSID, BSSID, channel, signal, band, channel width) information on one page for a specific access point.
In this implementation, you have to constantly switch between windows, which creates inconvenience.

The Client signal levels when roaming function in the event log is only needed:
1. When you make the setting
2. Optimization
3. When customers have problems, using this event log with signal levels, you can find the problem more accurately and in a shorter period of time.

Сontroller redundancy, I just want to sleep well!))) This feature will also help the TP-link to make more sales of controllers

@matt25 I would also like to see how you have done this. Trying to achieve the same via nginx

@BigHeadSmith 

As I mentioned, you have to set the header to the port the controller software is expecting on requests, and then back to the front-end port on the replies. I'll include some screenshots from the pfsense GUI to HAProxy, and the resulting HAProxy config file too. The http/port 80 items are only needed if you want the re-direct from http to https to work for you. I you don't mind just always typing https you can leave that whole part out.

HTTPS/443 front-end:

HTTP/port 80 front-end:

HAProxy config:

frontend EAP-Controller-https-443
        bind                    10.0.0.50:443 name 10.0.0.50:443   ssl crt-list /var/etc/haproxy/EAP-Controller-https-443.crt_list
        mode                    http
        log                     global
        option                  http-keep-alive
        timeout client          30000
        acl                     eap-short       var(txn.txnhost) -m str -i eap
        acl                     eap-fqdn        var(txn.txnhost) -m str -i eap.localdomain
        acl                     aclcrt_EAP-Controller-https-443 var(txn.txnhost) -m reg -i ^eap(:([0-9]){1,5})?$
        acl                     aclcrt_EAP-Controller-https-443 var(txn.txnhost) -m reg -i ^eap\.localdomain(:([0-9]){1,5})?$
        http-request set-var(txn.txnhost) hdr(host)
        http-request set-header host eap:8043  if  eap-short aclcrt_EAP-Controller-https-443
        http-request set-header host eap.localdomain:8043  if  eap-fqdn aclcrt_EAP-Controller-https-443
        http-response replace-value location 8043 %[hdr(location),regsub(8043,443)]  if   aclcrt_EAP-Controller-https-443
        use_backend server-8043_ipvANY  if   aclcrt_EAP-Controller-https-443

frontend EAP-Controller-http
        bind                    10.0.0.50:80 name 10.0.0.50:80
        mode                    http
        log                     global
        option                  http-keep-alive
        timeout client          30000
        acl                     eap-short       var(txn.txnhost) -m str -i eap
        acl                     eap-fqdn        var(txn.txnhost) -m str -i eap.localdomain
        http-request set-var(txn.txnhost) hdr(host)
        http-request set-header host eap:8088  if  eap-short
        http-request set-header host eap.localdomain:8088  if  eap-fqdn
        http-response replace-value location 8088 %[hdr(location),regsub(8088,80)]
        http-response replace-value location 8043 %[hdr(location),regsub(8043,443)]
        default_backend server-http_ipvANY

backend server-8043_ipvANY
        mode                    http
        id                      100
        log                     global
        timeout connect         30000
        timeout server          30000
        retries                 3
        option                  httpchk OPTIONS /
        server                  server 10.0.0.151:8043 id 101 ssl check-ssl check inter 10000  verify none
        
backend server-http_ipvANY
        mode                    http
        id                      102
        log                     global
        timeout connect         30000
        timeout server          30000
        retries                 3
        option                  httpchk OPTIONS /
        server                  server 10.0.0.151:8088 id 101 check inter 10000
 

@R1D2 I'd vote, as many times as you will let me, for making the installation of security certs easier. I managed to disable ALL logins of any kind to my OC200 just two days ago; the controller said the installation was successful, but "successful" must mean something different to it than to me, as I am now getting SSL_ERROR_NO_CYPHER_OVERLAP errors when I attempt to login using my web browser (FireFox or Chrome, it makes no difference).

Obviously, I made the .jks incorrectly, possibly because the recipe I found was for the Mac and I was running keytool on Ubuntu.  Epic fail, as a matter of fact.  While everything is still working, I must do a factory reset and a restore from a (reasonably current) backup in order to regain access.  Otherwise, I can forget ever adding clients again.