Can't get reverse proxy working again

NAS: DS720+
Operating system: Windows
Mobile operating system: Android
The End Goal
To be able to connect to the services that I have hosted through docker via the domain that I own.

The Problem
Despite continuous checks to make sure everything is in order the connection always times out.
It is also worth noting that I had a fully functional reverse proxy setup about 6 months ago but during that time I didn't access any of the services and with no settings personally changed it stopped resolving.

What I've Done
  • I have a service hosted in docker that is accessible and totally fine using the local address and port
  • I have the DNS records set in my domain
  • I have run an nslookup and everything seems to check out
    Pinging the domain and subdomain also functions as expected
  • I have set up a reverse proxy rule
    The 9090 port is both the container and local port the service is used on so I can't mess it up
  • I have set up and assigned the cert
  • For the purposes of testing I also turned off the Synology firewall to make sure it wasn't conflicting and it wasn't that either
I am not super educated on DNS, but I have run through 4 guides on the matter now and as far as I can tell I have everything set up properly, and I can't for the life of me figure out what is wrong with the setup. Any help would be greatly appreciated.
 
How does this specific app resolve in the browser when you try and access it using its public domain name?
I have tried it in multiple browsers as well to see if that was the problem and in Chrome and Firefox it simply times out and in IE I get 'INET_E_RESOURCE_NOT_FOUND'
 
Sounds like a problem before hitting the reverse proxy.

Are you sure that docker containers have connection to your lan? Also, do services have access to the Internet from within the container? Do services work fine without accessing them via RP?
 
I can access the services totally normally via the local IP and port.
I think the problem might be bigger than Docker because as a test I also tried to host a NextCloud instance using Webstation instead of a container and tried to set up a virtual host to connect via my domain, but that didn't function either, although again it did function under local IP.
Also, a bit earlier, in an attempt to get literally any functionality to the domain name, I set up a DDNS and was able to use my domain name to access the DSM page with a port attached to it, which is only making me more confused why my original docker setup isn't working, since I do have a static IP set as well.
 
So local access works, ddns access works, but reverse access over 443 does not. Looks like an nginx problem if you have it all forwarded correctly.

As a test, try and configure a separate reverse proxy via docker and use it for your services. If it works, then you will know it’s the internal one causing you problems.

There is a thread here about troubleshooting built in nginx that you could try and follow as well.
 
Ok, that was an adventure; you were right about it being the built-in Nginx setup not working. After setting up a docker instance of Nginx I was able to make a connection to the site, but it wouldn't let me in because there was no certificate, and I wasn't allowed to create one via the docker Nginx because it wasn't sitting on port 80 due to the default Synology Nginx running on port 80. But I could create the certs using the built-in Synology cert creator and then download the cert files and upload them to the Docker Nginx. So now everything runs as long as I add a port to my link, and my next step will be to see if I can disable the default Nginx installation to make the Docker Nginx instance run on ports 80 and 443.
Thanks so much for the help, I'll also update with instructions on how I got everything working in case anyone else has this problem as well.
 
Well, the adventure continues it seems, as I managed to swap the default Nginx ports to let me set the Docker Nginx to 80 and 443; however, it went back to the same problem, so I set everything back to normal and tested out the Synology Nginx on a different port and it actually works, so somehow my port 443 isn't allowing traffic through it.
If I check Shodan it shows 443 being open and pointing to the Synology Nginx, and disabling the firewall makes no difference. I am going to try and dig deeper and see if I can find a solution, but I might have to settle with a port at the end of my links, which wouldn't be the end of the world, but now I just want to know what is blocking my 443 traffic.
 
There is no need to mess with DSM 80/443 ports or its nginx. Simply run a custom RP container using custom local port mappings (like 8443:443 and 8086:80), then use those custom ports inside your port forward settings on your router (external 443 to internal 8443, for example). Eventually in the RP you will again have port mappings for a specific container going from 443 to the internal docker container port.

This way you will bypass internal nginx, will not battle with taking control of the default 80/443 ports (bare metal ones), and you will still get the end result of your apps not having a port at the end.
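
The thread narrows the fault by noting which paths work (local IP and port, DDNS with a port) and which time out (443). As an added example, not code from the thread, this Python sketch reports the first stage at which a connection fails, which separates "dropped before the NAS" from "reached a listener with a bad certificate"; the hostname and ports under `__main__` are placeholders.

```python
import socket
import ssl

def probe(host, port, timeout=3.0):
    """Return the first stage at which a TLS connection to host:port fails."""
    try:
        infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror:
        return "dns_failed"        # name does not resolve
    family, socktype, proto, _, addr = infos[0]
    sock = socket.socket(family, socktype, proto)
    sock.settimeout(timeout)
    try:
        sock.connect(addr)
    except socket.timeout:
        sock.close()
        return "tcp_timeout"       # packets dropped before any listener answered
    except ConnectionRefusedError:
        sock.close()
        return "tcp_refused"       # host reached, nothing listening on this port
    except OSError:
        sock.close()
        return "tcp_error"         # e.g. no route to host
    ctx = ssl.create_default_context()   # certificate and hostname checks stay on
    try:
        with ctx.wrap_socket(sock, server_hostname=host):
            return "tls_ok"
    except ssl.SSLCertVerificationError:
        return "tls_cert_invalid"  # listener answered, certificate not trusted
    except (ssl.SSLError, OSError):
        return "tls_failed"        # listener answered but is not speaking TLS


if __name__ == "__main__":
    # Placeholder name and ports (assumptions): substitute your own subdomain,
    # and run once from the LAN and once from an outside network.
    for port in (443, 8443):
        print(port, probe("service.example.com", port))
```

A `tcp_timeout` on 443 alongside `tls_ok` on another port points at the router forward or something upstream of the NAS, matching the browser timeouts described in the thread.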

 