Ok, I obtained the certificate, but I needed to request it for mydsm.mydomain.com for not obtaining any security warning from the browser.
That's good if it's working for you.
Yes, that's my case, I would like to host a website on the NAS. So, I am forwarding Port 80 on the Router.
Which rules should I add to the Firewall and to the Reverse Proxy?
That's it for 80, just keep it as is, with web station/port 80 rule. It's best to configure your site to transfer traffic to https when received. So you leave (80) forwarded, however, if someone types website.com, their traffic will be forced on https and the browser bar will change to https://website.com
I know how to do it with Apache but not nginx.
And for example, if I would like to access via SSH to the NAS, in that case I should forward Port 22 on the Router and create other rules in the Firewall and in the Reverse Proxy? If it is like this, I am not seeing the pros of Reverse Proxy because in any case I am required to open many ports.
The reverse proxy will take care of http/https traffic. Other protocols will need their own ports. If all you're exposing are these services, it might not feel beneficial, however, when you (and I believe you will eventually) start exposing more services, like File Station, a media player (e.g. Plex, Emby), other packages with web interfaces (perhaps Docker containers like I do), it'll become clear how useful it is security wise and organizational too. However, for now your DSM web interface for example is behind a proxy. That by itself, security wise, is much better than a direct access where someone (or some bot) can try to figure out your DSM port and might succeed in getting to your login screen. I'd rather keep them roaming the streets than on my doorstep.
So it’s layered security. Here we have the reverse proxy, the firewall, the account blocking, the certificate that you've created, strong passwords and 2FA perhaps. They'll all come together to mitigate the risks, and we'll have to accept whatever remains for the sake of accomplishing our goals (e.g. website) and convenience (e.g. accessing important documents while outside or on a different continent).
For SSH, I'd rather not forward it on the router (and if you do, it won't go through the RP, remember RP can handle http/https only).
You said you've got the OpenVPN working, so I'd use that to reach the NAS and SSH "locally" for the occasional SSH sessions. SSH is dangerous in the wrong (or malicious) hands and the last thing I want to do is expose it externally. However, if you decide to do it, limit its source with the firewall and use a different port (not 22). The same for your VPN rule, don’t use “All”, limit it. Less is more here.
So far you've forwarded three ports, 443, 80 and the OpenVPN port. You shouldn't need more than that for a long time.
On a side note, take a look at this for more about website security.
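The port 80 to https redirect discussed above, written for nginx as an added example (not from the posts in this thread). It assumes a plain nginx setup where you control the server blocks; the certificate and web root paths are placeholders, and how DSM's Web Station generates or overrides its own nginx configuration is not covered here.

```nginx
# Added example: all paths are placeholders, website.com is the
# hostname used in the thread.

# Catch-all for port 80: requests whose Host header is not ours
# (scanners hitting the bare IP, spoofed Host values) are dropped
# instead of being redirected anywhere.
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;
    return 444;   # nginx-specific: close the connection, send nothing
}

# The real site on port 80 serves no content, it only redirects.
server {
    listen 80;
    listen [::]:80;
    server_name website.com;

    # Fixed hostname in the target rather than $host or $http_host,
    # so the redirect cannot be steered by a client-supplied Host header.
    return 301 https://website.com$request_uri;
}

# Content is served only over TLS.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name website.com;

    ssl_certificate     /path/to/fullchain.pem;   # placeholder
    ssl_certificate_key /path/to/privkey.pem;     # placeholder

    root /path/to/site;                           # placeholder
}
```

Run `nginx -t` to check the syntax before reloading.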