NAS Remote Access for Newbies: Part 2 - Port 443 & Reverse Proxy


Preface

This tutorial is a continuation of the Remote Access for Newbies series of tutorials, and continues the discussion started in Part 1. While parts of this tutorial can stand on their own, it does reference an office building analogy used to describe your LAN in Part 1. If you are unfamiliar with the basics of your LAN, it’d be best to start with Part 1 of the series:
  1. Tutorial - NAS Remote Access for Newbies: Part 1 - LAN Overview & Port Forwarding

Reverse Proxy and Background on Port 443

@Rusty created a very good tutorial on Reverse Proxy (RP) here:
There is also plenty of information on the internet, so I’m not going to explain it much beyond putting it in terms of our office analogy. Essentially, a reverse proxy is like adding a switchboard to the office. Instead of forwarding multiple ports to your NAS in order to access a growing list of apps, we can set up a switchboard where all connections are forwarded through a single port into the NAS switchboard, and the switchboard then makes the connection behind the scenes to the room/port that contains the application.

Let’s suppose we created a reverse proxy (RP) rule to allow us to access iTunes. If we follow Rusty’s tutorial and use port 443 for the source and port 3689 (iTunes) for the destination, we might end up with a domain name that looks something like: itunes.yourname.synology.me. If we created a port forwarding rule in our router to forward port 443 to our NAS, then using itunes.yourname.synology.me in a browser or app would link us up to our iTunes server in room/port 3689 of our NAS. This works because port 443 is the universal default port for an HTTPS connection. Browsers and apps therefore assume that any HTTPS URL without a port on the end is trying to reach the router on port 443, so no port needs to be added to the URL.

I was initially very confused about which port I should be using as the central incoming line to this switchboard. I had read that I did not want to use known default ports, which would include 443 & 5000/5001, so I started experimenting with using port 38400/38401 as discussed in this thread:
This is where I learned that if you are going to port-forward a non-standard port for a reverse proxy, you will need to include the port at the end of the URL every time. So, if instead of using 443 for the source port of our iTunes RP I decided to use 38401, I would have to enter https://itunes.yourname.synology.me:38401 into a browser every time I wanted to access my iTunes server. This kind of defeats the purpose of the RP in my opinion. I have since learned that even though 443 is the default HTTPS port, the RP provides another layer of security. It is more secure to use 443 via RP than a directly accessed port 38401, for example. I now plan to accept all my remote NAS HTTPS connections over port 443, where they’re forwarded to the NAS’s RP.

Figure 2-1 below demonstrates how the use of ports is simplified with reverse proxy. Compare Figure 2-1 to Figure 1-4 from the Part 1 tutorial and note that we now have only one open forwarded port (443). All incoming access requests are now routed through port 443; all other ports are closed. The steps are roughly the same, except that Step 3 has an additional substep where the NAS is acting as a switchboard and will connect external port 443 to whichever port is requested as directed by the reverse proxy.



Figure 2-1: Reverse Proxy Flowchart
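
The switchboard behaviour described above, as an added example that is not part of the original tutorial: a small Python model of the router's single port forward followed by the NAS reverse proxy rule, showing why the 443 setup needs no port in the URL and the 38401 setup does. The function names and the hostname other.yourname.synology.me are hypothetical; the iTunes hostname and the ports are the tutorial's.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"https": 443, "http": 80}   # what a client uses when the URL has no port

# Constructed sample setup from the tutorial: the router forwards only 443, and one
# RP rule maps (source hostname, source port) -> destination port on the NAS.
FORWARDED_443 = {443}
RULES_443 = {("itunes.yourname.synology.me", 443): 3689}

# The non-standard alternative the tutorial experimented with.
FORWARDED_38401 = {38401}
RULES_38401 = {("itunes.yourname.synology.me", 38401): 3689}


def effective_port(url):
    """Port the client connects to: the explicit one, else the scheme default."""
    parts = urlsplit(url)
    return parts.port if parts.port is not None else DEFAULT_PORTS.get(parts.scheme)


def route(url, forwarded, rules):
    """Model the router's port forward, then the NAS switchboard lookup."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")   # urlsplit already lower-cases the hostname
    port = effective_port(url)
    if port not in forwarded:
        return ("not_forwarded_by_router", port)   # router has no rule for this port
    dest = rules.get((host, port))
    if dest is None:
        # No RP rule for this hostname; what the NAS serves instead is not modelled.
        return ("no_rp_rule", host)
    return ("proxied_to_nas_port", dest)


if __name__ == "__main__":
    for url in ("https://itunes.yourname.synology.me",
                "https://itunes.yourname.synology.me:38401",
                "https://other.yourname.synology.me"):   # hypothetical hostname
        print("443 setup  ", url, route(url, FORWARDED_443, RULES_443))
        print("38401 setup", url, route(url, FORWARDED_38401, RULES_38401))
```
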

This concludes our initial discussion on reverse proxy. Please see Part 3: Accessing Mobile Apps via Reverse Proxy for a discussion on how to configure DSM & NAS-hosted applications so that you can use reverse proxy to access applications on your NAS remotely via mobile apps.