Failing in my attempts at reverse proxy

33
3
NAS
Ds920+
Operating system
  1. other
Mobile operating system
  1. Android
Last edited:
Morning people, spent a good few hours yesterday trying to get reverse proxy working but failed miserably, don't know how or why... So gonna start a thread and see if you guys can help me fault find.

So currently, I believe I've forwarded ports 80/443 on OpenWrt to the NAS IP. I've got the NAS firewall off until I've got this working to eliminate another potential failure point.

I've deleted the .synology.me DDNS I had tried before, I've not set up a replacement, do I need to? My IP is static.

I've got a Google domain, but not sure what settings I need to set up in that, it's a minefield of its own, has anyone seen a guide to set it up?

My aim is to have a few subdomains pointing to applications, so I can access them externally, jellyfin, transmission etc.
-- post merged: --

Is there a way to test port 80/443 on the Synology to ensure the port forwarding is correct?
 
So far if I type my domain in it takes me to my 5001 port DSM page with a warning my certificate is invalid.

If I type my subdomain, it does the exact same thing.

How do I get the Synology to know the difference?
 

Rusty

Moderator
NAS Support
3,757
1,083
www.blackvoid.club
NAS
DS718+, DS918+, 2x RS3614RPxs+
Router
  1. RT1900ac
  2. RT2600ac
  3. MR2200ac
Operating system
  1. macOS
Mobile operating system
  1. iOS
My aim is to have a few subdomains pointing to applications, so I can access them externally, jellyfin, transmission etc.
Configure CNAME records in your Google domain for all subdomain names (future apps you want to access) and point the records to your public IP address where your NAS is hosted.

So far if I type my domain in it takes me to my 5001 port DSM page with a warning my certificate is invalid.
Expected if you don't have a valid SSL cert on your NAS and active on the required service (Control Panel > Security > Certificate > Configure button).

How do I get the Synology to know the difference?
Reverse proxy is the one that will tell the difference once you configure reverse host records to redirect incoming public names (your app.googledomain.something) to an internal IP address on your NAS and a custom port that that app is running on.
 
IMG_20210516_120721~2.jpg

The CNAME bit being this section??
 

Rusty

Yes, where the A record dropdown menu is.
 
Hello again, do you know Google domains very well? I'm struggling to get it to work... And can't find any guides online.
 
IMG_20210516_162302~2.jpg


How does that look? The Google documentation is mighty vague, it clearly expects you to know what to do... Clearly I don't lol.
-- post merged: --

IMG_20210516_162835.jpg


This is what I have in my reverse proxy set up...
-- post merged: --

Failing that, does anyone know where you can pay to get this kind of stuff set up? I don't think Curry's knowhow team are up to the job??
 

Rusty

How does that look? The Google documentation is mighty vague, it clearly expects you to know what to do... Clearly I don't lol.
CNAME is correct but for the "data" column just enter your public IP address, not the root domain name. The CNAME value that you have entered will automatically append the root domain name so that means that the data value needs to be your "target" destination value, and that is your public IP address (where the NAS is located).

The reverse proxy side of things looks correct. So just edit the CNAME data value and make sure the 443 port is open on your router and pointing to your NAS IP (internal LAN IP, 192.168.1.20) and you will be off to the races.
 
Done all that, it's not working at the minute, but I believe the Google Domains changes can take a while to get going.

If this doesn't work I'll try to find some online TeamViewer assistance as it's beyond my muddling through.
 
I didn't follow the thread completely, though, if you have a static IP, then you will want to use an "A" record and assign your static IP as data to it.

One or more subdomains (called Name in your UI) can point to the same IP. In a scenario where multiple subdomains point to the same IP, people typically create one "A" record and assign the IP to it, then create CNAME records for each additional subdomain and point to the fully qualified domain name of the "A" record entry. In case your static IP changes, you would only need to change the A record, as every other subdomain would point to the A record and implicitly use the changed IP address.

Hope it makes sense.
 
Hello, some of it makes sense, the logic.... but putting that logic into practice is making me pull my hair out at the minute.

Currently, if I put https://www.thebroughfamily.com into a window, it takes me to my DSM login page.... but if I put https://www.jellyfin.thebroughfamily.com into a window, it also takes me to my DSM login page? Shouldn't the above reverse proxy shenanigans have redirected it??
-- post merged: --

I need to stick to being a mechanic, this is above my paygrade, lol.
 

Rusty

My mistake on this one. @one-eyed-king was correct. A host record with your public IP address, not the CNAME. My mistake mixing it with your previous screen thinking about a DDNS domain and thinking about a CNAME (alias) instead.

Done all that, it's not working at the minute, but I believe the Google Domains changes can take a while to get going.
Yes, DNS replication can take some time.
 
Well, all I can do is wait and see then... the main address works, just the CNAME subdomains that don't. If you think the reverse proxy looks right, it's either I've mucked up the DNS bit on Google Domains, or it needs time to work its magic.
 
Usually ISP-provided DNS servers require some time to catch up with the changes that happen in the world. Using Cloudflare's or Google's DNS servers usually speeds up things a lot :)
 
Google Domains webchat says the DNS settings are right, so I guess they know; she says it can take a few minutes up to 48 hours to work.

So it's just now wait and see if the reverse proxy bit works, just hope I've not messed things up in DSM trying to figure it all out. I've re-enabled the DSM firewall and allowed port 80 and 443 to the Docker apps.
 
HSTS will require you to have an existing and valid certificate in place and assigned to the domain.

You could use nslookup to check if the expected IP is returned for a particular fully qualified domain name:

C:\Users\me>nslookup www.thebroughfamily.com
Server: homelan.box
Address: fd00::xxxx:xxxx:xxxx:xxxx

Not authorized response:
DNS request timed out.
timeout was 2 seconds.
Name: www.thebroughfamily.com
Address: 212.69.58.88
While this entry exists, this one is not available yet:
C:\Users\me>nslookup jellyfin.thebroughfamily.com

Server: homelan.box
Address: fd00::xxxx:xxxx:xxxx:xxxx

Not authorized response:
Name: jellyfin.thebroughfamily.com

Can you share your current dns configuration?
 
The Google DNS ??
-- post merged: --

Do I need HSTS? I only ticked it as I followed a guide and he said to... I've no understanding what it's for.
 
aye, an updated photo of your custom resource records.
-- post merged: --

Once everything works well, you will want to have it enabled :)
Though, typically browsers won't allow you to access the page in case of any certificate issues. While without HSTS some browsers indicate the problem and still allow you to access the page.
 
That's as they stand now, I tried to change the CNAME ones earlier so they had my IP address not the domain, but it wouldn't let me, it said it would only accept a domain name in that configuration.

So I sent the online message desk a help ticket, and they got back saying the current configuration I have is correct, an IP address wouldn't be accepted in that situation and everything looked fine, I just needed to wait a bit of time.
-- post merged: --

Like I said this is way beyond my understanding. I'm much happier rebuilding a diesel engine or fixing a broken ATV.
-- post merged: --

aye, an updated photo of your custom resource records.
-- post merged: --

Once everything works well, you will want to have it enabled :)
Though, typically browsers won't allow you to access the page in case of any certificate issues. While without HSTS some browsers indicate the problem and still allow you to access the page.
So should I turn it off for now?
 

Attachments

  • Screenshot_20210516-211840~2.png
  • Screenshot_20210516-211911~2.png
Okay. It seems like you missed out that you actually need to use the type "A" for your jellyfin and transmission subdomains and use your static IP address in the data field.
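
Added example (not part of the thread and not any poster's code): the record layouts discussed above, one "A" record holding the static IP plus either further "A" records or CNAMEs that point at a host name, checked offline against a constructed zone. The example.test names, the documentation address 203.0.113.10 and the helper functions are assumptions made for illustration.

```python
import ipaddress

# Constructed sample zone as (name, type, data); not the poster's real records.
ZONE = [
    ("example.test", "A", "203.0.113.10"),
    ("www.example.test", "CNAME", "example.test"),       # alias to the A record
    ("jellyfin.example.test", "CNAME", "203.0.113.10"),  # IP in CNAME data: invalid
    ("transmission.example.test", "A", "203.0.113.10"),  # plain A record: valid
]

def is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def norm(name):
    return name.rstrip(".").lower()

def check_zone(records):
    """Return (name, problem) for every record whose data has the wrong kind."""
    problems = []
    for name, rtype, data in records:
        if rtype == "A" and not is_ip(data):
            problems.append((name, "A record data must be an IP address"))
        elif rtype == "CNAME" and is_ip(data):
            problems.append((name, "CNAME data must be a host name, not an IP"))
    return problems

def resolve(records, name, max_hops=8):
    """Follow CNAMEs to an A record; return the IP, or None if the chain breaks."""
    table = {norm(n): (t, d) for n, t, d in records}
    current = norm(name)
    for _ in range(max_hops):              # hop limit guards against CNAME loops
        if current not in table:
            return None                    # name missing or alias leaves the zone
        rtype, data = table[current]
        if rtype == "A":
            return data if is_ip(data) else None
        if rtype != "CNAME" or is_ip(data):
            return None
        current = norm(data)
    return None

def unreachable(records, expected_ip):
    """Names in the zone that do not end up at the expected public IP."""
    return sorted(norm(n) for n, _, _ in records
                  if resolve(records, n) != expected_ip)
```

Running unreachable(ZONE, "203.0.113.10") lists only the subdomain whose CNAME carries an IP; changing that record to type "A", or pointing the CNAME at example.test, clears it.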
 
