400 bad request in shlink links from public network

Currently reading
400 bad request in shlink links from public network

104
7
NAS
DS918+
Operating system
  1. Windows
Mobile operating system
  1. Android
Despite resolving the issues I had by accessing via shlink namely, connection refused on most browsers, as described here. But this time, there is a 400 bad request in every browser call from public network only. Shlink calls from private network are not affected.

Some searching leads me to a section in shlink documentation but refers a 404 error. There is no references for exact 400 errors. So this is the closest help I got: Shlink - The URL shortener — Documentation.

But maybe my thoughts are wrong. Maybe the issue is related with this situation where 400 bad request is mentioned: Shlink - The URL shortener — Documentation

I did read somewhere else that shlink must be configured additionally to handle non-common domains as is in the case by reverse proxy with .cc domain. Don't know if this make sense.

Again, I gathered some info here and there, but don't have tech knowledge enough put a solution in practice.
Please, I need help to get rid of this issue in particular to I finally put shlink to serve to something real.

Thank you.
 
Solution
bjsa.cc points to the same IP address as bjamsa.myds.me now. However, using bjsa.cc gives a warning that its not safe but if accept it, I can reach your web station. It’s because of the certificate. It’s issued for bjamsa.myds.me
Look it is issued.
1617650095599.png


Which one do you want to use?

View attachment 3358
-- post merged: --

View attachment 3359
-- post merged: --

Sorry. What I meant above is that if I use https://s1.bjsa.cc I can get to your web station after I accept the risk.

View attachment 3360
-- post merged: --

Here’s a suggestion (since I remember you saying that don’t care if it’s http).

Change the Reverse Proxy settings (your screenshot above) under source to:
Protocol http...
How can I test if domain is reaching my NAS?
Using a DNS server that's on the Internet, does the domain and the sub-domains resolve to your Internet IP address?

Test would be using the command line nslookup, such as resolving using OpenDNS (208.67.222.222):

nslookup mydomain1.com 208.67.222.222

Or using the interactive mode:

Code:
nslookup
server 208.67.222.222
mydomain1.com

....
exit

An example would be:

Code:
$ nslookup synology.com 208.67.222.222
Server:    208.67.222.222
Address:    208.67.222.222#53

Non-authoritative answer:
Name:    synology.com
Address: 210.61.203.217

When you do this for your domain and sub-domains does the Address come back as your Internet IP?

Also, LE has to be able to connect to the NAS's web server to validate the certificate request, so TCP ports 80 and 443 must be forwarded by your router to the NAS's LAN IP. [it may only require port 80, I can't remember for certain]
 
Upvote 0
Last edited:
Using a DNS server that's on the Internet, does the domain and the sub-domains resolve to your Internet IP address?

Test would be using the command line nslookup, such as resolving using OpenDNS (208.67.222.222):

nslookup mydomain1.com 208.67.222.222

Or using the interactive mode:

Code:
nslookup
server 208.67.222.222
mydomain1.com

....
exit

An example would be:

Code:
$ nslookup synology.com 208.67.222.222
Server:    208.67.222.222
Address:    208.67.222.222#53

Non-authoritative answer:
Name:    synology.com
Address: 210.61.203.217

When you do this for your domain and sub-domains does the Address come back as your Internet IP?
For the domain it resolves a different IP. But the subdomain resolves to my NAS.

Also, LE has to be able to connect to the NAS's web server to validate the certificate request, so TCP ports 80 and 443 must be forwarded by your router to the NAS's LAN IP. [it may only require port 80, I can't remember for certain]
Both ports are set in router.
-- post merged: --

In addition to @fredbert suggestion, you can also try:

You should see your public IP address.
The same result as tested in NAS terminal above.
Domain bjsa.cc points to a different IP.
Subdomain s1.bjsa.cc points to my NAS.
 
Upvote 0
Last edited:
If your LE certificate is being requested for bjsa.cc then it has to resolve to your Internet IP and forwarded to the NAS. Have you tried creating the certificate for s1.bjsa.cc?
Yes I did. Same result. I will try later on when rebooting my pc and clean the browser. Maybe restart NAS?
 
Upvote 0
Hmm. Not sure what to suggest. I've created a raft of LE certificates that use either my Synology DDNS (because it had wildcard support) or my personal domain. Either way, I include SAN for these and other domains that I own... it's to keep my options open for the names I can use to access my services.
 
Upvote 0
Last edited:
Strange! Why are they different. Do you own (registered) bjsa.cc?
Yes, it is registered at godaddy.
bjsa.cc points to dns given by godaddy (parked there)
s1 is a cname pointing to NAS

Does it make sense configuring it so?

PS.: It succeeded to get the certificate. More on this I posted below.
 
Upvote 0
Hmm. Not sure what to suggest. I've created a raft of LE certificates that use either my Synology DDNS (because it had wildcard support) or my personal domain. Either way, I include SAN for these and other domains that I own... it's to keep my options open for the names I can use to access my services.
Now LE certificate succeeded. The culprit was the double entry in router.
One entry (the first one) was port 80 forwarded to NAS solely.
Some entries below another entry port 80 to NAS, AND 443 to NAS.
So I deleted the first entry AND blanked all other 0 value fields.

1617475104981.png


Maybe this router interprets 0 value from blank in its fields differently. So, every entry with 0 was replaced with blank.

Next step I changed environment variable SHORT_DOMAIN_SCHEMA in Shlink container from http to https. In addition, changed reverse proxy settings accordingly. Reloading shlink web client, all links early staring with http now starts with https.
So far so good. But now, even local network links doesn't work anymore. "Connection refuse" or "connection not private".

What am I missing here? Some help will be appreciated. I almost there.
 
Upvote 0
Yes, it is registered at godaddy.
bjsa.cc points to dns given by godaddy (parked there)
s1 is a cname pointing to NAS

Does it make sense configuring it so?
Hang on. why are you pointing bjsa.cc to godaddy? Why not to your NAS (your public IP address)? It’s your domain name.
I think that’s why it resolves to an address in the U.S.!

But now, even local network links doesn't work anymore. "Connection refuse" or "connection not private".
How're you accessing it internally? Are you using the IP address or https and the domain name?
 
Upvote 0
Upvote 0
All you need to do is update the A record with the public IP address (assigned by your ISP).
It says "parked" now, so it's not pointing anywhere.

However (this is important), are you assigned a static or a dynamic public IP address by your ISP?
If it's dynamic, your DiskStation (or some other device on the network) will need to update Godaddy with the public IP address every time it changes.

Is this a QuickConnect link?
 
Upvote 0
Last edited:
All you need to do is update the A record with the public IP address (assigned by your ISP).
It says "parked" now, so it's not pointing anywhere.

However (this is important), are you assigned a static or a dynamic public IP address by your ISP?
If it's dynamic, your DiskStation (or some other device on the network) will need to update Godaddy with the public IP address every time it changes.
I'm not sure, but think it is dynamic, so how is godaddy updated every time IP changes? By hand or is there an automatic way to accomplish that?
Is this a QuickConnect link?
What do you mean with quickconnect? The short link was created by shlink.
1617632517801.png


PS.: I already changed A record inserting my public IP, but the result is still the same. What now?
 
Upvote 0
Unfortunately, Godaddy is not on the list in DSM. I think they don't offer a DDNS service.
If you go Control Panel > External Access > Add
You'll not find Godaddy on the list.

I think there are workarounds using scrips but I've never tried anything like that (I use no-ip DDNS and Synology DDNS)

Are you stuck with Godaddy or can you change to another service?

PS.: I already changed A record inserting my public IP, but the result is still the same. What now?
Hang on. We need to break things and tackle them one by one.

First thing to do, is to fix the remote access to your NAS. Forget about the Shlink thing for now.
I can see, using “whats my DNS” that bjsa.cc is pointed to an IP address in your country. So that’s working.

Provided that you’ve setup port forwarding correctly, you should be able to access services on your NAS. For example, https://bjsa.cc:5001
Is this working? (use whatever port you’ve configured for the service).
If you’ve enabled the reverse proxy over 443, then something like https://myservice.bjsa.cc
 
Upvote 0
Unfortunately, Godaddy is not on the list in DSM. I think they don't offer a DDNS service.
If you go Control Panel > External Access > Add
You'll not find Godaddy on the list.

I think there are workarounds using scrips but I've never tried anything like that (I use no-ip DDNS and Synology DDNS)

Are you stuck with Godaddy or can you change to another service?
I don´t know what do you mean by another service, 'cause I just bought this domain exclusively for short-linking since my domain for accesssing NAS is a little longer. Ok, perhaps it's not too long in order to justify acquisition of another 3rd party domain shorter that the one offered by synology, but I thought so at the time Rusty closely helped me creating and configuring step-by-step the process by installing shlink into docker.
I roughly see that I'm maybe stuck with technicalities, but as you said, first things first below.
Hang on. We need to break things and tackle them one by one.

First thing to do, is to fix the remote access to your NAS. Forget about the Shlink thing for now.
I can see, using “whats my DNS” that bjsa.cc is pointed to an IP address in your country. So that’s working.

Provided that you’ve setup port forwarding correctly, you should be able to access services on your NAS. For example, https://bjsa.cc:5001

Is this working? (use whatever port you’ve configured for the service).
That's true, I accessing NAS flawlessly, however not with domain "bjsa.cc". NAS domain is "bjamsa.myds.me".

If you’ve enabled the reverse proxy over 443, then something like https://myservice.bjsa.cc
1617637202386.png
 
Upvote 0
Last edited:
That's true, I accessing NAS flawlessly, however not with domain "bjsa.cc". NAS domain is "bjamsa.myds.me".
bjsa.cc points to the same IP address as bjamsa.myds.me now. However, using bjsa.cc gives a warning that its not safe but if accept it, I can reach your web station. It’s because of the certificate. It’s issued for bjamsa.myds.me

Which one do you want to use?

AE2E5DF2-D61F-4736-AD59-581D93AFC5FB.jpeg
-- post merged: --

F88C0F09-73F7-4FC5-BBA2-F89D171A3965.jpeg
-- post merged: --

Sorry. What I meant above is that if I use https://s1.bjsa.cc I can get to your web station after I accept the risk.

06074906-1265-4F14-B5A1-C0CC6072A08E.jpeg
 
Upvote 0
bjsa.cc points to the same IP address as bjamsa.myds.me now. However, using bjsa.cc gives a warning that its not safe but if accept it, I can reach your web station. It’s because of the certificate. It’s issued for bjamsa.myds.me
Look it is issued.
1617650095599.png


Which one do you want to use?

View attachment 3358
-- post merged: --

View attachment 3359
-- post merged: --

Sorry. What I meant above is that if I use https://s1.bjsa.cc I can get to your web station after I accept the risk.

View attachment 3360
-- post merged: --

Here’s a suggestion (since I remember you saying that don’t care if it’s http).

Change the Reverse Proxy settings (your screenshot above) under source to:
Protocol http and port to 80.
(I think you have 80 on the router forwarded to your NAS).

Try it using http://s1.bjsa.cc
Not needed, now it works. Try it!.
1617650274376.png
 
Upvote 0
Solution

Create an account or login to comment

You must be a member in order to leave a comment

Create account

Create an account on our community. It's easy!

Log in

Already have an account? Log in here.

Similar threads

Yep this section. I would have expected to see the digest instead of {repo}:{tag}. With the repo digest...
Replies
5
Views
2,136

Welcome to SynoForum.com!

SynoForum.com is an unofficial Synology forum for NAS owners and enthusiasts.

Registration is free, easy and fast!

Back
Top