Domain Question?

Hi all,

I'm looking for help with setting up my domain with my NAS. I've purchased a domain through GoDaddy and have a static IP address from my ISP.

I've added my IP address to the A record and can access DSM via www.mydomainname.com. I need to add an SSL certificate so presume Let's Encrypt is as good as any?

Also, eventually I'll want to host a website on the NAS, but until then I'm happy for it to just point to DSM. However, I'd like to use the domain to access services running on the server, e.g. with my reverse proxy... sonarr.mydomain.com

I've tried adding reverse proxy rules but they're not working. Has anyone got any ideas what I've missed?

Should I take this opportunity and install nginx for my reverse proxy needs?

I'm also planning on hosting my own mail server so wondering if that will make any difference to any of this?

Apologies for the split post, I'm in hospital with my daughter today and had to go to theatre in the middle of posting lol.

Thanks for any help or advice (y)
 
If you have ports 80 and 443 forwarded to the NAS then you can just use Control Panel -> Security. Go to the Certificate tab and then Add. Here you can create a Let's Encrypt certificate for your domain.

Doing it this way you can't create a wildcard *.mydomain.com in the Subject Alternative Name (SAN) field, so instead you enter all the FQDNs that you want to use in Login Portal (Application and Reverse Proxy) and Web Station's virtual hosts.

There is a SAN limit of 255 characters. But you can create more certificates for the same domain and add different SAN. Use the description field to give a useful name to each certificate.

1646302404660.png

If you have more than one certificate you can use the Settings button in Certificate to select which certificate will be used for each service.
 
I've tried adding reverse proxy rules but they're not working. Has anyone got any ideas what I've missed?
The idea behind this is solid, and this should work. So, the question now is, how did you set up your apps that you want to access via RP regarding their DNS records, RP host parameters, and what exactly isn't working (also what errors are you getting).

This will require some info feedback from your side in order to start troubleshooting the problem.
 
so instead you enter all the FQDN that you want to use in Login Portal (Application and Reverse Proxy) and Web Station's virtual hosts

Hey @fredbert, thanks for the help. I'm doing something wrong. It worked for "www.mydomain.com" but when I try and add what I think you mean for application/reverse proxy ie. "www.sonarr.mydomain.com" I keep getting a message saying "Invalid domain, please make sure this domain can be resolved into a public IP address". Any ideas to what I'm doing wrong? Thanks.

So, the question now is, how did you setup your apps that you want to access via RP regarding their DNS records, RP host parameters, and what exactly isn't working (also what errors are you getting).
Hey @Rusty, thanks for the help, and apologies for the delay in replying. I thought I had time yesterday, but it turned out to be one of them days lol.

So from your questions I can tell I've missed a big part of the puzzle....

I haven't set up any DNS records for the apps, I'm now thinking this might be why I'm having trouble with the Let's Encrypt certificates (see above). All I've done is put my static IP address in the A record. I was presuming that the reverse proxy would handle the app part of the URL and DNS would translate the domain part, if that makes sense....
Screenshot from 2022-03-04 12-54-03.png



Obviously I got that wrong :rolleyes: I'd appreciate it if you can point me in the right direction.


To answer your second question, I just entered RP rules for the apps like I did with Synology DDNS ie. "sonarr.xxxxx.synology.me" but it just didn't work. Firefox just says "Hmm. We’re having trouble finding that site."

As always, I'm grateful for your help mate (y)
 
You have to have your DNS records set up to resolve a name to an IP address. If you have created a wildcard '*' record then that should direct everything to the IP address that doesn't otherwise have its own record. The client will request resolution of the whole server name (FQDN), not just the domain part. That should get the request to your Internet router which will then NAT/port forward to the NAS. Getting to the NAS, after DNS resolution, is all IP address routing.

When the request arrives at the NAS, the web services, specifically the proxy rules, will see the embedded FQDN in the payload and then direct the request to the configured destination.

You don't have to use www. in front of every web service, you could just use, e.g., sonarr.mydomain.com.
 
I couldn't have said it better than @fredbert.

So in your DNS zone, just make an A record pointing sonarr.domain.com to your static IP address.

In the RP host configuration, use that public name sonarr.domain.com to redirect to your local destination, for example, 192.168.13.33 (your nas IP), on a custom port for that sonarr docker container (if you are running it in docker).

That way, any public request will know to redirect sonarr.domain.com to your public IP address, hit your router, and the router will redirect the request to your NAS reverse proxy. From there, the record will translate from a public name to your LAN resource, and boom!
 
Just curious. Why not CNAME (I'm still learning this stuff).
I'm also curious about this. Before @Rusty replied I'd been watching a YT video that showed adding a CNAME record for this sort of thing?? All I can say is that the CNAME record didn't seem to work, but changing it to an A record does! (Thanks Rusty).
 
Usually a CNAME will work, certainly all mine are CNAME on the Internet DNS service. My domain is maintained as a DDNS and everything that points home is using CNAME. If you have a static IP then A records work because you don't have to allow for changes.
That explains it, thanks (y)
 
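The point made in the last few posts (the client resolves the whole FQDN, a wildcard or CNAME only fills in where no exact record exists, and only after the packet reaches the NAS does the reverse proxy match the full name against its rules) is easy to get wrong, so here is an added example that walks a request through each stage. It is not code from the thread or from Synology; the zone data, the 203.0.113.10 public IP, the 192.168.13.33 NAS address and Sonarr's port 8989 are all constructed or assumed for illustration.

```python
"""Added example: simulate the path a browser request for a name under
mydomain.com takes, from public DNS to the NAS reverse proxy rule.
Zone data, IPs and ports below are constructed, not the poster's."""
from dataclasses import dataclass

PUBLIC_IP = "203.0.113.10"          # assumed static IP in the A record

# Constructed zones: owner name -> (type, target). '*' is a wildcard owner.
ZONE_NO_WILDCARD = {"www.mydomain.com.": ("A", PUBLIC_IP)}
ZONE_WITH_WILDCARD = {"www.mydomain.com.": ("A", PUBLIC_IP),
                      "*.mydomain.com.": ("A", PUBLIC_IP)}
ZONE_CNAME = {"nas.mydomain.com.": ("A", PUBLIC_IP),
              "sonarr.mydomain.com.": ("CNAME", "nas.mydomain.com.")}


class NXDomain(Exception):
    """Name has no record: the browser's 'trouble finding that site'."""


def _exists(zone, name):
    # A name exists if it owns records or any owner sits beneath it.
    return any(o == name or o.endswith("." + name) for o in zone)


def _wildcard_lookup(zone, name):
    # Walk up to the closest existing ancestor; only '*.<that ancestor>'
    # can synthesize an answer (RFC 4592 closest-encloser rule, simplified).
    labels = name.split(".")
    for i in range(1, len(labels) - 1):
        ancestor = ".".join(labels[i:])
        if _exists(zone, ancestor):
            return zone.get("*." + ancestor)
    return None


def resolve(zone, name, max_chain=8):
    """Resolve a whole FQDN to an IPv4 address, following CNAME aliases."""
    for _ in range(max_chain):
        name = name.lower().rstrip(".") + "."
        rr = zone.get(name) or _wildcard_lookup(zone, name)
        if rr is None:
            raise NXDomain(name)
        rtype, target = rr
        if rtype == "A":
            return target
        if rtype != "CNAME":
            raise ValueError(f"unsupported record type {rtype}")
        name = target                  # alias: resolve the target instead
    raise ValueError("CNAME chain too long")


@dataclass(frozen=True)
class ProxyRule:
    source_host: str   # Host header / SNI the browser sends
    dest_host: str     # LAN destination the NAS forwards to
    dest_port: int


# Constructed reverse proxy rules; 8989 is Sonarr's default port (assumed).
RULES = [ProxyRule("sonarr.mydomain.com", "192.168.13.33", 8989),
         ProxyRule("www.mydomain.com", "localhost", 5001)]


def pick_upstream(rules, host_header):
    """The proxy matches the full name the client asked for, not the domain."""
    host = host_header.lower().split(":")[0]   # drop an explicit :port
    for r in rules:
        if r.source_host == host:
            return f"{r.dest_host}:{r.dest_port}"
    return None                                 # DSM's default response


def trace(zone, rules, fqdn):
    """Steps for https://<fqdn>/ ; the last entry says where it ends up."""
    steps = []
    try:
        ip = resolve(zone, fqdn)
    except NXDomain:
        return steps + [f"DNS: NXDOMAIN for {fqdn}"]
    steps.append(f"DNS: {fqdn} -> {ip}")
    if ip != PUBLIC_IP:
        return steps + [f"{ip} is not our router; request never arrives"]
    steps.append("router: 443 -> NAS reverse proxy")
    upstream = pick_upstream(rules, fqdn)
    if upstream is None:
        return steps + [f"proxy: no rule for Host '{fqdn}', default DSM response"]
    return steps + [f"proxy: Host '{fqdn}' -> {upstream}"]


if __name__ == "__main__":
    for zone in (ZONE_NO_WILDCARD, ZONE_WITH_WILDCARD, ZONE_CNAME):
        print(" | ".join(trace(zone, RULES, "sonarr.mydomain.com")))
```

Run it and the three zones show the three situations in the thread: with only www.mydomain.com published, sonarr.mydomain.com stops at NXDOMAIN before any reverse proxy rule is consulted; with a wildcard, even www.sonarr.mydomain.com resolves but only reaches a service if a rule matches that exact host name; with a CNAME to nas.mydomain.com the alias is followed and the result is the same as an A record. Note the closest-encloser rule: a wildcard under mydomain.com does not cover names beneath an existing sub-name such as nas.mydomain.com, which is a common surprise when mixing wildcards and explicit records.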
I have a static IP but my domain points at my provider's IP, rather than my own, which they then fire at me. Same for my email, my mail records for my domain point at my friendly email host's IP address rather than direct to me. Saves any risk of DDOS or any direct attack using your actual IP.

The mail side seems pretty essential to me as hosting your own email can see your outgoing mail dumped by the spam logic of most ISPs. A few years ago hosting your own mail was easy but practically it has become way more difficult if the email is not coming from a 'trusted & known' email provider rather than a random NAS in a cupboard.
 
There is a SAN limit of 255 characters. But you can create more certificates for the same domain and add different SAN. Use the description field to give a useful name to each certificate.
So I'm making progress! I managed to get the certificate working for half my docker apps. I then started to create a 2nd certificate for the rest but it was coming up with "Invalid domain, please make sure this domain can be resolved into a public IP address" again. I figured this was due to the newly created A records not being fully updated yet. I retried a couple of times more, and then got this message....
Screenshot from 2022-03-04 18-41-57.png


Any idea if this is a temporary thing or do I need to delete the certificate and set up a wildcard certificate instead? I have 15 apps/services plus the main domain, adding these manually is a real ball ache lol. If I do need to create a wildcard certificate, do I need to ssh into the NAS and install certbot? Or is there an easier way? I guess I could have reduced the amount of subdomains by going through Heimdall :rolleyes:.

Thanks for the help (y)
 
Thanks for everyone's help with this, everything seems to be working as planned. (y) You are all really kind to give up your time to help others. I really am very grateful!

Cheers.
 
Just curious. Why not CNAME (I'm still learning this stuff).
As @fredbert said. CNAME is an alias that points to an existing FQDN. Considering OP said it runs a static public IP then an A host record is the way. An A record can't point to a name, just an IP.

Essentially answered.

If I do need to create a wildcard certificate, do I need to ssh into the nas and install certbot?
It will depend if your domain is a synology domain or 3rd party.

You can get a wildcard Syno cert for your Syno registered domain but if you are running a 3rd party one I would suggest running a separate docker container that would do generation of a wildcard cert via LE.

Glad you got it all running in the end.
 
... I then started to create a 2nd certificate for the rest but it was coming up with "Invalid domain, please make sure this domain can be resolved into a public IP address" again. I figured this was due to the newly created A records not being fully updated yet. I retried a couple of times more, and then got this message....

Any idea if this is a temporary thing or do I need to delete the certificate and set up a wildcard certificate instead? ...
As has been discussed this is likely due to the new A records not being available to the DNS servers used for resolution, or you had them recently defined to another IP address and the change time hasn't exceeded the TTL (time to live) for requesting a refresh. Usually the time is stated to take up to 3 days for changes to become globally available, which is why DDNS with its short TTL is useful for users with dynamic IP assignments.

When creating LE certificates within DSM Control Panel, for personal domains, it needs to have each FQDN in the SAN resolved to your Internet IP and then onto the NAS web service. If you use an access profile to block Internet access to the reverse proxy / app portal's FQDN then the LE certificate will fail, and keep failing until you allow access during the certification process.
 
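Two earlier posts describe constraints the DSM certificate dialog enforces but does not explain well: the first answer's 255-character SAN limit (split the names across several certificates), and the post just above (every SAN name must already resolve at public resolvers to your Internet IP, and port 80 must be reachable, or the request fails with "Invalid domain"). The added example below, written for this page and not taken from the thread or from Synology, does that pre-flight offline. The DNS snapshot, the 203.0.113.10 address and the blocked-name set are constructed; the ";" separator used to count the SAN length is an assumption about how DSM counts it.

```python
"""Added example: pre-flight before asking DSM for a Let's Encrypt certificate.
Every SAN name must already resolve (at public resolvers) to the NAS's public
IP and be reachable on port 80 from the Internet; the SAN field DSM accepts is
limited to 255 characters, so larger name lists are split across certificates.
All DNS data, names and IPs below are constructed."""

SAN_LIMIT = 255                     # DSM SAN field limit as stated in the thread
SAN_SEPARATOR = ";"                 # assumed separator DSM counts between names
PUBLIC_IP = "203.0.113.10"          # assumed static IP

# Constructed snapshot of what public resolvers answer right now. A missing
# name is NXDOMAIN (record not published, or an old negative answer cached);
# a different address means a stale A record is still within its TTL.
PUBLIC_DNS_VIEW = {
    "www.mydomain.com": "203.0.113.10",
    "sonarr.mydomain.com": "203.0.113.10",
    "radarr.mydomain.com": "198.51.100.7",      # previous address still cached
    # "bitwarden.mydomain.com": created minutes ago, not visible yet
}
# Names whose port 80 a DSM firewall rule / access profile hides from the
# Internet; the HTTP challenge for these fails until the block is lifted.
BLOCKED_FROM_INTERNET = {"sonarr.mydomain.com"}


def preflight(names, dns_view=PUBLIC_DNS_VIEW, public_ip=PUBLIC_IP,
              blocked=BLOCKED_FROM_INTERNET):
    """Split names into those LE can validate now and those that will fail,
    with the reason. dns_view stands in for a live lookup so this runs offline."""
    ready, problems = [], {}
    for raw in names:
        n = raw.lower().rstrip(".")
        ip = dns_view.get(n)
        if ip is None:
            problems[n] = "NXDOMAIN: record not visible yet, wait for the TTL"
        elif ip != public_ip:
            problems[n] = f"resolves to {ip}, not {public_ip}: stale or wrong A record"
        elif n in blocked:
            problems[n] = "port 80 blocked from the Internet: open it during issuance"
        else:
            ready.append(n)
    return ready, problems


def plan_certificates(names, limit=SAN_LIMIT, sep=SAN_SEPARATOR):
    """First-fit packing of names into certificates whose joined SAN list stays
    within `limit` characters. Returns a list of SAN lists, one per certificate."""
    certs, current = [], []
    for n in names:
        if len(n) > limit:
            raise ValueError(f"{n} alone exceeds the SAN limit")
        if current and len(sep.join(current + [n])) > limit:
            certs.append(current)       # this certificate is full, start another
            current = []
        current.append(n)
    if current:
        certs.append(current)
    return certs


if __name__ == "__main__":
    wanted = ["www.mydomain.com", "sonarr.mydomain.com",
              "radarr.mydomain.com", "bitwarden.mydomain.com"]
    ready, problems = preflight(wanted)
    for name, why in problems.items():
        print(f"skip {name}: {why}")
    for i, san in enumerate(plan_certificates(ready), 1):
        print(f"certificate {i}: {SAN_SEPARATOR.join(san)}")
```

To use it against real records, replace PUBLIC_DNS_VIEW with answers from a public resolver (not your LAN DNS, which may already know the new names) and only request the certificate for the names in `ready`; a name in `problems` will make DSM reject the whole request, which is the "Invalid domain" message seen earlier in the thread. With 15 app names of the length used in this thread, the planner lands at two certificates, matching the advice to create more than one certificate for the same domain with different SANs.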
If you are running a 3rd party one I would suggest running a separate docker container that would do generation of a wild card cert via LE.
That sounds great! I've just realized I need to make a couple of changes, so using a wildcard certificate will make things much easier. Can you point me in the right direction please?

Thanks (y)
 
OK so I'm not having much success with this.

First I had a go at installing nginx, got it working but pretty sure it wasn't right and then stuffed the password. I eventually scrapped it and started again following a guide. The guide was quite technical for me, I had to create a macvlan and turn on the NAS firewall. After that I was getting a "Bad Gateway" error when logging into nginx, but somehow, after a few minutes, it just seemed to start working. Hooray!!!

So then I started adding some proxy hosts into nginx. I wanted to get them all in thinking that would be where I'd need to be to set up a wildcard SSL certificate. However, my Bitwarden browser extension stopped working, so I thought I'd get that working first…

I have a proxy host setup for it in nginx and just in case of conflicts, I've deleted the rule in Synology's reverse proxy.

When I request an SSL certificate for it in nginx, I get an "Internal Error" warning.

If I just try to log into Bitwarden through the browser extension I get this error…

Screenshot from 2022-03-06 13-39-40.png


Can anyone help me out please? Thanks.

After turning off the NAS firewall, I can now get a Let's Encrypt certificate. But when I try and access Bitwarden I'm getting a "Bad Gateway" error?
 