Bit of a newbie, but I can usually figure things out with a little push in the right direction. This one, however, is giving me a bit of a pain so I could use some help. I'm trying to access my NAS using a reverse proxy, but have not set up a reverse proxy before and have very little coding/IT experience (legal drug dealer by day, IT/home automation enthusiast by night). My web server is running on a different machine and simply because it works, I'd like to keep the web site on that server. Plus, I'd rather not have to do port forwarding to access my NAS and would like the web server to really be the only device directly exposed to the web. However, I'd like to be able to use example.com/synology, example.com/synologyphotos, or example.com/synologydrive to access my NAS or apps directly. I already have a domain name, so I'd rather use it than use the DDNS name from Synology.
Problem is, and this is where me being a complete amateur comes in, is that I can get things almost working. If I type example.com/synologyphotos in the browser the page loads with the Photos heading in the tab, but then stops at a blank page (no errors, information, nothing). Same with example.com/synologydrive, I get the correct name in the browser tab, but nothing on the page. If I look at the developer tools, both pages are throwing a ton of ERR:ABORTED 404 errors with failed to load resource. I also get:
Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-eval' data: blob: https://*.synology.com 群晖科技 Synology Incorporated Synology 知识中心 https://*.google.com https://*.googleapis.com https://*.google.com https://*.googleapis.com https://*.google.com https://*.googleapis.com https://*.baidu.com https://*.bdstatic.com https://*.bdimg.com". Either the 'unsafe-inline' keyword, a hash ('sha256-XKhBaSyILYL0ESDKu+l0w6VQM5kOHvdYujPIHduzYvU='), or a nonce ('nonce-...') is required to enable inline execution.
If I type local-IP/synologyphotos or local-IP/synologydrive, everything loads just fine.
So the question is, how do I get this to work (and what I've got set up currently is below)? And how do I go about making sure that share links from Drive/Photos are formatted correctly (i.e. example.com/synologydrive/xxxxx) and function behind the reverse proxy?
On the apache side, my reverse proxy looks like this:
On the NAS side, under login portal applications I've got my synology drive and photos alias set to synologydrive and synologyphotos respectively, with customized ports at 40005/40006 (HTTP/HTTPS) and 40007/40008 respectively. I've got HSTS checked on both.
Under external access, advanced, I've set the hostname to example.me, and specified the ports DSM should use (different than default 5000 and 5001). Other than 80 and 443, I do not have any ports forwarded on my router (Unifi UDMP), but do have the ports open on the NAS firewall and web server firewall (DSM, Drive, Photo, and 80/443). I've still got quickconnect enabled, but have disabled the DDNS service (since I'd rather use my own domain). It looks like the NAS is also still holding onto the LetsEncrypt certificate for the DDNS and the synology self-cert for the quickconnect ID. HTTP compression is enabled, along with automatic HTTP to HHTPS redirection.
If I share a file/photo, the share link is "sorta" correct, with https://example.me:[HTTPSDSMport]/xxxx, but I feel like it should actually be https://example.me/synologyphotos/xxx. Or is this incorrect, and if so, how would I make sure the reverse proxy server knows how to handle those? Since right now, visiting a shared link sends me to the first website file in the server (I've got two virtual hosts running) since it doesn't know where else to send it. Not withstanding the fact that I can't even access the application directly at the moment, I do want to be able to create share links that work too.
Am I in over my head, or almost there?
Problem is, and this is where me being a complete amateur comes in, is that I can get things almost working. If I type example.com/synologyphotos in the browser the page loads with the Photos heading in the tab, but then stops at a blank page (no errors, information, nothing). Same with example.com/synologydrive, I get the correct name in the browser tab, but nothing on the page. If I look at the developer tools, both pages are throwing a ton of ERR:ABORTED 404 errors with failed to load resource. I also get:
Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-eval' data: blob: https://*.synology.com 群晖科技 Synology Incorporated Synology 知识中心 https://*.google.com https://*.googleapis.com https://*.google.com https://*.googleapis.com https://*.google.com https://*.googleapis.com https://*.baidu.com https://*.bdstatic.com https://*.bdimg.com". Either the 'unsafe-inline' keyword, a hash ('sha256-XKhBaSyILYL0ESDKu+l0w6VQM5kOHvdYujPIHduzYvU='), or a nonce ('nonce-...') is required to enable inline execution.
If I type local-IP/synologyphotos or local-IP/synologydrive, everything loads just fine.
So the question is, how do I get this to work (and what I've got set up currently is below)? And how do I go about making sure that share links from Drive/Photos are formatted correctly (i.e. example.com/synologydrive/xxxxx) and function behind the reverse proxy?
On the apache side, my reverse proxy looks like this:
Code:
<VirtualHost *:80>
ServerAdmin [email protected]
ServerName example.me
ServerAlias www.example.me
DocumentRoot /var/www/example.me/public_html
ProxyPreserveHost On
ProxyPass /synologydrive http://10.0.0.13:40005
ProxyPassReverse /synologydrive http://10.0.0.13:40005
ProxyPass /synologyphotos http://10.0.0.13:40007
ProxyPassReverse /synologyphotos http://10.0.0.13:40007
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
RewriteEngine on
RewriteCond %{SERVER_NAME} =www.example.me [OR]
RewriteCond %{SERVER_NAME} =example.me
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
Code:
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerAdmin [email protected]
ServerName example.me
ServerAlias www.example.me
DocumentRoot /var/www/example.me/public_html
SSLProxyEngine On
SSLProxyVerify none
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
SSLProxyCheckPeerExpire off
<Proxy "*">
Order allow,deny
Allow from all
</Proxy>
ProxyPreserveHost On
ProxyPass /synologydrive https://10.0.0.13:40006
ProxyPassReverse /synologydrive https://10.0.0.13:40006
ProxyPass /synologyphotos https://10.0.0.13:40008
ProxyPassReverse /synologyphotos https://10.0.0.13:40008
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/example.me/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/example.me/privkey.pem
</VirtualHost>
</IfModule>On the NAS side, under login portal applications I've got my synology drive and photos alias set to synologydrive and synologyphotos respectively, with customized ports at 40005/40006 (HTTP/HTTPS) and 40007/40008 respectively. I've got HSTS checked on both.
Under external access, advanced, I've set the hostname to example.me, and specified the ports DSM should use (different than default 5000 and 5001). Other than 80 and 443, I do not have any ports forwarded on my router (Unifi UDMP), but do have the ports open on the NAS firewall and web server firewall (DSM, Drive, Photo, and 80/443). I've still got quickconnect enabled, but have disabled the DDNS service (since I'd rather use my own domain). It looks like the NAS is also still holding onto the LetsEncrypt certificate for the DDNS and the synology self-cert for the quickconnect ID. HTTP compression is enabled, along with automatic HTTP to HHTPS redirection.
If I share a file/photo, the share link is "sorta" correct, with https://example.me:[HTTPSDSMport]/xxxx, but I feel like it should actually be https://example.me/synologyphotos/xxx. Or is this incorrect, and if so, how would I make sure the reverse proxy server knows how to handle those? Since right now, visiting a shared link sends me to the first website file in the server (I've got two virtual hosts running) since it doesn't know where else to send it. Not withstanding the fact that I can't even access the application directly at the moment, I do want to be able to create share links that work too.
Am I in over my head, or almost there?
