External Access > Cloudflare > Nginx Proxy Mgr > DSM > Status 522 No Reason Phrase

NAS: DS720+
Operating system: Linux, Windows
Mobile operating system: Android, iOS
Hello world,

I am having a problem with externally accessing DSM using a subdomain address (dsm.mydomain.lol). I'm hoping someone can help!

I recently configured my own domain to use Cloudflare as the DNS nameserver. I have my router pointing to Nginx Proxy Manager (NPM), which is a Docker container on my Synology NAS. This, in turn, serves all of my other docker containers/web services based on their own subdomain (i.e. vaultwarden.mydomain.lol, freshrss.mydomain.lol, dsm.mydomain.lol, etc...).

On the Cloudflare side, I have an 'A' record that points to my router's public IP. I have a wildcard CNAME record (*.mydomain.lol) and a 'www' CNAME record.

On the NPM side, I have created a Let's Encrypt SSL certificate for "mydomain.lol" and "*.mydomain.lol", utilizing the DNS challenge and Cloudflare API token. With all of my subdomains, I have the following options checked (on) in NPM:
  • Details
    • Block common exploits
  • SSL
    • Force SSL
    • HTTP/2 Support
    • HSTS Enabled
    • HSTS Subdomains
All of my subdomains work perfectly. I can access Vaultwarden (with websockets working!), FreshRSS, and other web pages perfectly fine. It is only with DSM that it takes forever to load, sometimes not loading at all. If or when DSM finally loads, and I sign into DSM using my credentials, the icons and widgets either appear after some time, they don't appear at all, or they appear in a buggy, abnormal way. I am also unable to open up any of the DSM apps, file browser, or settings menu.

Examining the Firefox browser console, I see that I am met with several 522 error codes. For example:

Code:
GEThttps://dsm.mydomain.lol/webman/modules/ResourceMonitor/style.css?v=1648633174
[HTTP/2 522 No Reason Phrase 15443ms]

GEThttps://dsm.mydomain.lol/webman/modules/StorageManager/style.css?v=1648633174
[HTTP/2 522 No Reason Phrase 15440ms]

GEThttps://dsm.mydomain.lol/webman/modules/C3/style.css?v=1648633174
[HTTP/2 522 No Reason Phrase 15675ms]

GEThttps://dsm.mydomain.lol/webman/modules/TaskSchedulerWidget/style.css?v=1648633174
[HTTP/2 522 No Reason Phrase 15404ms]

GEThttps://dsm.mydomain.lol/webman/modules/SystemInfoApp/style.css?v=1648633174
[HTTP/2 522 No Reason Phrase 15700ms]

GEThttps://dsm.mydomain.lol/webman/modules/ActiveInsightUpdateNotify/style.css?v=1648633174
[HTTP/2 522 No Reason Phrase 15405ms]

GEThttps://dsm.mydomain.lol/webman/modules/FileChooser/style.css?v=1648199907
[HTTP/2 522 No Reason Phrase 15484ms]

GEThttps://dsm.mydomain.lol/webman/modules/Widgets/style.css?v=1648633174
[HTTP/2 522 No Reason Phrase 15401ms]

GEThttps://dsm.mydomain.lol/webman/modules/UpdateMaskApp/style.css?v=1648633174
[HTTP/2 522 No Reason Phrase 15417ms]

GEThttps://dsm.mydomain.lol/webman/modules/SharingManager/style.css?v=1648199907
[HTTP/2 522 No Reason Phrase 15667ms]

GEThttps://dsm.mydomain.lol/webman/modules/AdminCenter/style.css?v=1648174904
[HTTP/2 522 No Reason Phrase 15700ms]

This page gives me some clues, but I am still not able to identify what's going on. Again, all my other subdomains load my pages perfectly fine, which makes me suspect there is something particular about DSM that is preventing the page from loading properly. I never had this problem when using Synology's DDNS (mydomain.synology.me).

Any suggestions?
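A small triage helper, added here and not part of the thread or of any Synology/NPM tooling, that parses Firefox console lines of the shape shown above and groups them by status code. Cloudflare's 52x codes are edge-to-origin failures (a 522 means Cloudflare timed out establishing the TCP connection to the origin), so a wall of 522s with ~15 s latencies points at something between Cloudflare and NPM rather than at DSM's own responses. The sample lines are constructed from the post; the parser accepts both "GET https://..." and the run-together "GEThttps://..." form.

```python
import re
import statistics

# Constructed sample in the shape of the Firefox console output quoted in the post:
# request line, then a status line with the elapsed time.
SAMPLE_CONSOLE = """\
GEThttps://dsm.mydomain.lol/webman/modules/ResourceMonitor/style.css?v=1648633174
[HTTP/2 522 No Reason Phrase 15443ms]

GET https://dsm.mydomain.lol/webman/modules/StorageManager/style.css?v=1648633174
[HTTP/2 522 No Reason Phrase 15440ms]

GET https://dsm.mydomain.lol/webman/modules/C3/style.css?v=1648633174
[HTTP/2 522 No Reason Phrase 15675ms]

GET https://dsm.mydomain.lol/webman/3rdparty/FileBrowser/FileSaver.min.js.map
[HTTP/2 404 Not Found 120ms]
"""

# Cloudflare-specific 52x codes: the edge never got a usable answer from the origin,
# so for these requests the browser never reached NPM or DSM at all.
CLOUDFLARE_ORIGIN_ERRORS = {
    520: "origin returned an unknown or empty response",
    521: "origin refused the TCP connection",
    522: "TCP connection to the origin timed out",
    523: "origin unreachable",
    524: "origin accepted the connection but did not answer in time",
}

REQ_RE = re.compile(r"^(GET|POST|HEAD)\s*(\S+)$")          # \s* tolerates "GEThttps://"
STATUS_RE = re.compile(r"^\[HTTP/\S+\s+(\d{3})\s.*?(\d+)ms\]$")

def parse_console(text):
    """Return (method, url, status, latency_ms) tuples from pasted console text."""
    entries, pending = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = REQ_RE.match(line)
        if m:
            pending = (m.group(1), m.group(2))
            continue
        m = STATUS_RE.match(line)
        if m and pending:
            entries.append((pending[0], pending[1], int(m.group(1)), int(m.group(2))))
            pending = None
    return entries

def summarize(entries):
    """Per status code: count, median latency, and what a Cloudflare 52x code means."""
    by_status = {}
    for _, _, status, ms in entries:
        by_status.setdefault(status, []).append(ms)
    return {s: {"count": len(v), "median_ms": statistics.median(v),
                "meaning": CLOUDFLARE_ORIGIN_ERRORS.get(s, "answer came from the origin")}
            for s, v in by_status.items()}
```

Run `summarize(parse_console(SAMPLE_CONSOLE))` on a real paste: if nearly everything is 522 with latencies clustered near Cloudflare's connect timeout, the origin-side path (router, port forward, NPM) is where to look, not DSM's page content.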
 
So you have 2 dns records only correct? Is that record "proxied" by CF (orange cloud)? Try and configure one for dsm that is not proxied and see if that makes a difference.
3 actually, all of which were proxied. 1) ‘A’ record, 2) a wildcard CNAME for *, 3) CNAME for ‘www’.

I have since added a 4th CNAME for ‘dsm’ (dsm.mydomain.lol) and have un-proxified (grey-clouded) it as you suggested. This DOES make a difference! DSM is loading much faster than before and is responding normally, by which I mean all icons, widgets, and apps are appearing and opening as expected. This leads me to believe there is something going on either with Cloudflare’s proxy service itself or my DSM doesn’t respond well to Cloudflare’s IPs? Or rather, is it my NPM instance since technically I have all traffic via port 443 and 80 port forwarded to NPM. Does it make sense to create an Access List of all Cloudflare IP addresses for my DSM Proxy Host (dsm.mydomain.lol)? I had tried yesterday to create an Access List in NPM for the known Cloudflare IP addresses for my DSM Proxy Host (dsm.mydomain.lol), while all my records were proxied, but I was met with a 403 Forbidden message so I removed the Access List. Hmmm..
 
Hmm not sure what to suggest here as I have the same setup as you (proxied host A hitting npm) and it works fine.

I did at some point have some services not play well with CF proxy but can’t recall what those services were. In any case, the DSM login page does work fine. Tested it with one of my boxes and it is indeed working ok.

Could you test that dsm record as an A host proxied parameter instead of a cname?
 
I'm unsure if this is helpful, but this is my npm proxy host entry for my NAS
In npm, I loaded the Cloudflare Origin cert for my domain, that is paired with this entry.
 
I also have Websockets Support enabled and am using the https scheme. 👍

What about the SSL options for the DSM entry? Does it make sense to have all of these enabled? I believe DSM does support all of these, though not sure what HSTS Subdomains is....

I currently use a NPM generated Let's Encrypt cert, which should work as the Origin Server cert, right? Is the cert you use the Origin certificate from the Cloudflare Dashboard > SSL/TLS > Origin Server > Create Certificate? Did you create it to use exclusively for DSM? Or do you have that for all services you expose?

Could you test that dsm record as an A host proxied parameter instead of a cname?
I have now deleted the 'dsm' CNAME record in Cloudflare and have replaced it with an 'A' record, proxied. I am now experiencing the same issue as before. Does it take a while for these DNS record changes to take effect?
 
Does it take a while for these DNS record changes to take effect?
Check here...
What about the SSL options for the DSM entry? Does it make sense to have all of these enabled?
I'm still working through this, however you must enable HSTS on your Cloudflare account if you plan to use that. I don't have those boxes checked presently.
Is the cert you use the Origin certificate from the Cloudflare Dashboard > SSL/TLS > Origin Server > Create Certificate? Did you create to use exclusively for DSM? Or do you have that for all services you expose?
Initially I added the origin cert to the NAS as my "default". Later I added that same cert to npm ("custom"), and use it with my domain/subdomains, so it is on both.
 
I have now deleted the 'dsm' CNAME record in Cloudflare and have replaced it with an 'A' record, proxied. I am now experiencing the same issue as before.
Ok, so the issue is on the CF side (proxied) settings.

What does your CF SSL/TLS configuration look like? Off/Flexible/Full/Full (strict)?
 
Ok, so the issue is on the CF side (proxied) settings.

What does your CF SSL/TLS configuration look like? Off/Flexible/Full/Full (strict)?
My SSL/TLS encryption mode was originally set to 'Full'. I have since created an Origin CA certificate from Cloudflare (following @Telos 's cert configuration), set the Cloudflare CA Root Certificate as the Intermediate Certificate, and now have my SSL/TLS encryption mode set to 'Full (Strict)'.

I have also reverted my DSM subdomain back to a CNAME record from an 'A' record since I prefer to just have one field in Cloudflare for my public IP.

Things are working a little bit better with DSM. DSM sign-in page opens a bit faster. And once logged in, I am able to launch apps that open in a separate tab (i.e. Video Station, Photos), though they still take a while to load. Widgets and apps that open within DSM (i.e. File Station, Control Panel, Docker, etc...) still cannot launch. Instead, they just appear to be thinking about opening.

As before, all other subdomains pointing to my other containers work perfectly fine. It's only DSM that I am having issues with.

In Cloudflare dashboard > SSL/TLS > Edge Certificates, I have the following enabled:
  • Always use HTTPS
  • Minimum TLS version = TLS 1.2
  • Opportunistic Encryption
  • TLS 1.3
  • Automatic HTTPS Rewrites
Do you recommend enabling HSTS? I hesitated because of the cautionary verbiage, so I was hoping I could get DSM to work well before turning this on. I also currently have DNSSEC disabled (I enabled it once before) because I wasn't sure if that would break things if I'm constantly fiddling around with my DNS records and other settings.

🤔
 
I have re-set up my Synology DDNS (mydomain.synology.me) as a Proxy Host inside Nginx Proxy Manager using the original Let's Encrypt SSL cert that Synology generated. When navigating to dsm.mydomain.synology.me, DSM works perfectly. I believe this means nothing is wrong with Nginx Proxy Manager nor with Synology DSM's page.

However, still, when navigating to my custom domain, dsm.mydomain.lol (using Cloudflare's Full-Strict SSL/TLS encryption), I still run into slowness and things not loading properly. Upon navigating to my DSM page, I see this message in the web console in Firefox:

Code:
Content Security Policy: The page’s settings blocked the loading of a resource at inline (“script-src”). dsm.mydomain.lol:134:1
Content Security Policy: The page’s settings blocked the loading of a resource at https://static.cloudflareinsights.com/beacon.min.js/v652[...]194 (“script-src”).

When clicking on File Station, I see this:

Code:
Loading failed for the <script> with source “https://dsm.mydomain.lol/webman/modules/PollingTask/PollingTask.js?v=42661-s4&SynoToken=ijwP0TlyI4ov.”. dsm.mydomain.lol:1:1
Loading failed for the <script> with source “https://dsm.mydomain.lol/webman/3rdparty/FileBrowser/FileBrowserUtil.js?v=1.3.3-1399&SynoToken=ijwP0TlyI4ov.”. dsm.mydomain.lol:1:1
Loading failed for the <script> with source “https://dsm.mydomain.lol/webman/3rdparty/SynologyPhotos/extjs/fileStationExtension.min.js?v=1.3.0-0317&SynoToken=ijwP0TlyI4ov.”. dsm.mydomain.lol:1:1
Loading failed for the <script> with source “https://dsm.mydomain.lol/webman/3rdparty/SynologyDrive/cloudstation_util.js?v=3.1.0-22920&SynoToken=ijwP0TlyI4ov.”. dsm.mydomain.lol:1:1
Loading failed for the <script> with source “https://dsm.mydomain.lol/webman/3rdparty/FileTaskMonitor/UploadUtil.js?v=1.3.3-1399&SynoToken=ijwP0TlyI4ov.”. dsm.mydomain.lol:1:1
Loading failed for the <script> with source “https://dsm.mydomain.lol/webman/modules/BackgroundTaskMonitor/FileTaskUtil.js?v=42661-s4&SynoToken=ijwP0TlyI4ov.”. dsm.mydomain.lol:1:1
Loading failed for the <script> with source “https://dsm.mydomain.lol/webman/3rdparty/NoteStation/notestation_badge.js?v=2.6.1-2450&SynoToken=ijwP0TlyI4ov.”. dsm.mydomain.lol:1:1
Loading failed for the <script> with source “https://dsm.mydomain.lol/webman/modules/ClipBoardJS/syno_clipboard.js?v=42661-s4&SynoToken=ijwP0TlyI4ov.”. dsm.mydomain.lol:1:1
Source map error: Error: request failed with status 404
Resource URL: https://dsm.mydomain.lol/webman/3rdparty/FileBrowser/FileSaver.min.js?v=42661-s4&SynoToken=ijwP0TlyI4ov.
Source Map URL: FileSaver.min.js.map

It appears some scripts are not wanting to load when proxying via Cloudflare. Though I really don't think I need to modify NPM "under the hood," I went ahead and tried adding a custom .conf in location /data/nginx/custom/server_proxy_6.conf within the NPM Docker container with the following:

Code:
add_header Content-Security-Policy "default-src 'self'; script-src 'self' https://static.cloudflareinsights.com/beacon.min.js/v652[...]194";

From what I gathered, I believe this should allow scripts to be read from the given https address. I figured this should address the Content Security Policy error mentioned above. Still, no sign of improvement. Perhaps I have the syntax wrong? Truly at a loss here...any further suggestions? Would clearing the Cloudflare cache help?
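A minimal CSP evaluator, added here and not taken from the thread, NPM or DSM, to check what the custom `add_header` line above would actually permit for the two things the console complained about: an inline script and the Cloudflare Insights beacon (the beacon is injected by Cloudflare's proxy when Web Analytics is enabled). The elided beacon path is replaced by a labelled placeholder, and nonces, hashes and wildcard sources are ignored. Two caveats a browser applies: an inline script needs `'unsafe-inline'` (or a nonce/hash), not a host source, and when a response carries more than one Content-Security-Policy header every policy must allow the resource, so an extra header from NPM can only narrow what DSM's own policy permits.

```python
from urllib.parse import urlsplit

ORIGIN = "https://dsm.mydomain.lol"
# PLACEHOLDER stands in for the version path elided as "v652[...]194" in the post.
BEACON = "https://static.cloudflareinsights.com/beacon.min.js/vPLACEHOLDER"
# The policy from the custom server_proxy_6.conf in the post, with the placeholder path.
OP_POLICY = "default-src 'self'; script-src 'self' " + BEACON

def parse_csp(header):
    """Turn "a-src x y; b-src z" into {"a-src": ["x", "y"], "b-src": ["z"]}."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy

def source_matches(source, url, page_origin):
    """Simplified host-source matching: 'self', scheme, host, optional path (no wildcards)."""
    if source == "'self'":
        return url == page_origin or url.startswith(page_origin + "/")
    if source.startswith("'"):          # other keywords ('unsafe-inline', 'none', ...) never match a URL
        return False
    src = urlsplit(source if "://" in source else "https://" + source)
    u = urlsplit(url)
    if src.scheme != u.scheme or src.hostname != u.hostname:
        return False
    if src.path and src.path != "/":
        # A path ending in "/" is a prefix; any other path must match exactly (query ignored).
        return u.path.startswith(src.path) if src.path.endswith("/") else u.path == src.path
    return True

def script_allowed(header, page_origin, url=None, inline=False):
    """Would a script be allowed? script-src is used if present, else default-src."""
    policy = parse_csp(header)
    sources = policy.get("script-src", policy.get("default-src", []))
    if inline:
        return "'unsafe-inline'" in sources
    return any(source_matches(s, url, page_origin) for s in sources)
```

With OP_POLICY the beacon URL and DSM's own `/webman/...` scripts pass, but the inline script from the first console message is still blocked; the "Loading failed for the <script>" lines are fetch failures, which a CSP header cannot fix.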
 
I finally found a fix, though it is questionable if it is a good fix or not. But hey, it works! :sneaky:

The solution was to simply to disable my Asus router's "DoS Protection" found under Firewall > General > Enable DoS Protection. Not exactly sure why it slowed Cloudflare's proxy when enabled, but based on Asus' website, the DoS Protection is meant to do three things:
  1. SYN-Flooding Protection: Only allow one TCP/SYN packet to pass per second.
  2. Port Scanner Protection: Protect the router from port scanning via an external port scan tool.
  3. Ping of Death: Only allow one ICMP packet (type 8) to pass per second, or drop ICMP packets with a length over 65535.
My guess is that Cloudflare was trying to send TCP requests to my router in too aggressive a way(?). Not sure. I don't see why Cloudflare would need to port scan or Ping my router to death.

My question is: does disabling the DoS protection on my router make my network any more vulnerable, considering all traffic should be going through Cloudflare, who has their own DDoS protection? Not to mention, the Synology NAS itself has DoS protection. I have other mechanisms of protection such as router firewall rules, NAS firewall rules, reverse proxy, and access lists.

Anyhow, I just wanted to share this here in case anyone else in the future encounters this issue. Thanks again all for your help.
 
