Failing in my attempts at reverse proxy

Currently reading
Failing in my attempts at reverse proxy

Last edited:
@akahan: should work for both type of records.

The http01-challenge is quite simple. It creates a token and serves it from the local webserver, and tries to access this token using the full qualified domain naim to access the token. In order to for this to work, a) the full qualified domain name must resolve the correct ip, b) port 80 must be forwarded from that ip to the server that serves the token and must be allowed by the syno firewall. c) the client does not hit the letsencrypt request treshhold for this domain (which happes after too many failed tries).

I would put my money on b)

Haven't seen akahan's follow up on this. Seems the problem is sorted out, as the certificate now covers all subdomains as subject alternative names.
 
Well it might be all messed up now, as nina@googledomains has asked for it to be changed as they said it was wrong...

So it's now like this...

thebroughfamily.com - A - 212.69.58.88

thebroughfamily.com - AAAA -fe80::ccdf:b529:3cf0:892

www.thebroughfamily.com - CNAME - thebroughfamily.com

jellyfin.thebroughfamily.com - CNAME - thebroughfamily.com

transmission.thebroughfamily.com - CNAME - thebroughfamily.com

So I guess my certificate is now wrong too... And I've not even seen if the reverse proxy worked. It might be easier to skip it altogether and just open the 2 ports I need lol
 
Nope it's not wrong. It was not the most optimal solution :) Your old and new settings provide the same result. Actualy the new ones are cleaner and easier to maintain, as this will allow ipv4 and ipv6 name resolution for all the domains.

For the sake of simplicity I went in recommending to set A records for all subdomains, even though I stated earlier that one a record and cname's point to a record would be the prefered approach. Actualy that's what akahan recommende as well.

Amazing that the google service actualy recommended to optimize the setting.
 
The root url, returns to the default port 5001. Would recommend changing that or simply push DSM main login page behind the reverse proxy as well and access it over 443 while closing down 5001 on the router.

You are asking for trouble with those default numbers.
 
Rusty said:
The root url, returns to the default port 5001. Would recommend changing that or simply push DSM main login page behind the reverse proxy as well and access it over 443 while closing down 5001 on the router.

You are asking for trouble with those default numbers.
Click to expand...
And I also noticed that typing in your IP:port will lead us to DSM login page ... which is not very secure IMO; in the RP you can make it so it lands on a 404 page if the fqdn is not the target
 
Shoop said:
And I also noticed that typing in your IP:port will lead us to DSM login page ... which is not very secure IMO; in the RP you can make it so it lands on a 404 page if the fqdn is not the target
Click to expand...
Another reason to close down that port and push over RP
 
Last edited:
Rusty said:
The root url, returns to the default port 5001. Would recommend changing that or simply push DSM main login page behind the reverse proxy as well and access it over 443 while closing down 5001 on the router.

You are asking for trouble with those default numbers.
Click to expand...
How do I do that???
-- post merged: --

Shoop said:
And I also noticed that typing in your IP:port will lead us to DSM login page ... which is not very secure IMO; in the RP you can make it so it lands on a 404 page if the fqdn is not the target
Click to expand...
What do you guys recommend as I really don't understand any of this.
-- post merged: --

Right ive got jellyfin and transmission using 443 now, not sure how it got changed, but Ive been lost and pressing buttons haha.

How do I hide the main DSM page so it's less open and more secure?
 
Obfuscating (changing default) port numbers isn't really good security practice. I do understand however you would like to use your custom DNS entries over SSL.

I use the same method for my internal sites, however I lock everything down using both the built in firewall on the network interface and reverse proxy ACL -- found in the Access Control Profile tab on the Application portal page -- again only allowing access from my local subnet, eg. 192.168.1.0/24 (only in two instances I allow ingres traffic from a specific public IP address) and a DENY ALL als the last rule.

Then you can either use the OpenVPN server on your Synology (or if your router supports OpenVPN you could alternatively use that) to dial into your local network from devices that aren't part of your local network (eg. tablets, smartphones and laptops on the go).

If you don't want to go through all that I would strongly suggest at the very least indeed switch to an abitrary TCP port somewhere in the 40,000-50,000 range, adjust your forwarding rule on your router accordingly and enable the firewall on your interface to allow only traffic from from your country. Hackers and script kiddies port scanning your machine will be bad enough from just your own country.

Ps. If you want to make your DSM accessible from the Internet do enforce two-factor authentication for every single account that has DSM access.

Ps2. Do yourself a favor and clean up any personal identifiable information (eg. custom DNS records and or your public IP address) from your posts. You are basically inviting people with nefarious intent.
 

Create an account or login to comment

You must be a member in order to leave a comment

Create account

Create an account on our community. It's easy!

Register

Log in

Already have an account? Log in here.

Similar threads

M
Can the Synology router detect intrusion attempts?
No. Just stay on top of things (updates, warnings, patching, etc), and it will be fine.
Replies
1
Views
971
Rusty
Rusty
B
  • Solved
Access Control Profile still allowing remote login attempts
Thank you, @Rusty! It works!) @Telos, I understand that FW and Port Forwarding are different things, The...
2
Replies
21
Views
5,062
yodasad
yodasad
D
  • Question
Web app links behind reverse proxy
Does this only happen when you try to access packages via the 'office' links in Drive's menu? And have you...
Replies
1
Views
962
fredbert
fredbert
K
  • Question
Subdomains (and also with reverse proxy) always display the DSM login page on DSM 7.2.1
Ofc you can make a single compose for this no problem. Personally I like to separate front end apps from...
Replies
10
Views
1,462
Rusty
Rusty
A
  • Solved
Reverse proxy, Forbidden 403 error
I think it was point 1 that was messing me up. And it was a simple fix, honestly. We'll have to see if I...
Replies
3
Views
1,728
arcylix
A
C
SSTP and WEB with Synology Reverse Proxy
I accessed to log and when I trying connect I have message: "SSTP_DUPLEX_POST...
Replies
9
Views
1,813
CzarnyLewis
C
B
  • Solved
Please Help me with Troubleshooting Reverse Proxy
Glad it’s working. Now you can help the next person! No reward necessary 😎
Replies
14
Views
2,357
fredbert
fredbert

Welcome to SynoForum.com!

SynoForum.com is an unofficial Synology forum for NAS owners and enthusiasts.

Registration is free, easy and fast!

Register

Trending threads

Back
Top