Failing in my attempts at reverse proxy

@akahan: should work for both types of records.

The HTTP-01 challenge is quite simple. It creates a token and serves it from the local webserver, and then tries to access this token using the fully qualified domain name. In order for this to work, a) the fully qualified domain name must resolve to the correct IP, b) port 80 must be forwarded from that IP to the server that serves the token and must be allowed by the Syno firewall, and c) the client must not have hit the Let's Encrypt request threshold for this domain (which happens after too many failed tries).

I would put my money on b)
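A pre-flight check for the conditions listed above, as an added example that is not part of the original post (the hostname, public IP and token are placeholders; the CA's own validator is not involved). It tests condition (a) by resolving the name and comparing it with the expected public IPv4 address, and condition (b) by fetching the token over plain HTTP the way the CA does, distinguishing "port 80 not reachable" (forwarding or firewall) from "a web server answered but is not the one holding the token". Condition (c) cannot be tested locally, which is the reason to run a check like this before retrying: only failed validations burn that quota.

```python
"""Pre-flight check for an ACME HTTP-01 challenge (added example, not from the thread).

Hostname, IP and token below are placeholders. Checks conditions (a) and (b) from the
post; (c), the Let's Encrypt failed-validation rate limit, cannot be checked locally.
"""
import socket
import urllib.error
import urllib.request
from typing import Callable, List

ACME_PATH = "/.well-known/acme-challenge/"


def resolve_a(fqdn: str) -> List[str]:
    """IPv4 addresses the local resolver returns for fqdn (AAAA is ignored here)."""
    infos = socket.getaddrinfo(fqdn, 80, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def fetch_http(url: str, timeout: float = 5.0) -> str:
    """GET url over plain HTTP (no TLS, as the CA does) and return the body."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("ascii", "replace")


def check_http01(
    fqdn: str,
    expected_ip: str,
    token: str,
    resolve: Callable[[str], List[str]] = resolve_a,
    fetch: Callable[[str], str] = fetch_http,
) -> List[str]:
    """Return findings as strings; an empty list means the challenge should pass.

    resolve/fetch are injectable so the logic can be exercised without network access.
    """
    findings: List[str] = []

    # (a) DNS: the name must point at the public address the port forward sits on.
    try:
        addrs = resolve(fqdn)
    except OSError as exc:
        return [f"(a) {fqdn} does not resolve: {exc}"]
    if expected_ip not in addrs:
        findings.append(f"(a) {fqdn} resolves to {addrs}, expected {expected_ip}")

    # (b) Port 80 reachability and content. The CA fetches the token over HTTP and
    # expects the key authorization "<token>.<account key thumbprint>" (RFC 8555, 8.1),
    # so the body must begin with the token.
    url = f"http://{fqdn}{ACME_PATH}{token}"
    try:
        body = fetch(url)
    except urllib.error.HTTPError as exc:
        findings.append(f"(b) port 80 is open but {url} returned HTTP {exc.code}: "
                        "the request reaches a web server that is not serving the token")
        return findings
    except OSError as exc:
        findings.append(f"(b) port 80 via {fqdn} is not reachable (forwarding or firewall): {exc}")
        return findings
    if body.strip().split(".", 1)[0] != token:
        findings.append(f"(b) {url} answered but the body does not begin with the token")
    return findings


if __name__ == "__main__":
    # Placeholder values; use the real name, public IP and a token issued by the ACME client.
    for line in check_http01("nas.example.com", "203.0.113.10", "placeholder-token") or ["OK"]:
        print(line)
```

Run it from a machine outside your LAN (or a phone on mobile data), not from the NAS itself: from inside the network, NAT hairpinning and the local resolver can make (a) and (b) look fine while the CA, coming in from the Internet, still cannot reach port 80.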


Haven't seen akahan's follow up on this. Seems the problem is sorted out, as the certificate now covers all subdomains as subject alternative names.
 
Well, it might be all messed up now, as nina@googledomains has asked for it to be changed, as they said it was wrong...

So it's now like this...

thebroughfamily.com - A - 212.69.58.88

thebroughfamily.com - AAAA - fe80::ccdf:b529:3cf0:892

www.thebroughfamily.com - CNAME - thebroughfamily.com

jellyfin.thebroughfamily.com - CNAME - thebroughfamily.com

transmission.thebroughfamily.com - CNAME - thebroughfamily.com

So I guess my certificate is now wrong too... And I've not even seen if the reverse proxy worked. It might be easier to skip it altogether and just open the 2 ports I need lol
 
Nope, it's not wrong. It was not the most optimal solution :) Your old and new settings provide the same result. Actually the new ones are cleaner and easier to maintain, as this will allow IPv4 and IPv6 name resolution for all the domains.

For the sake of simplicity I went in recommending to set A records for all subdomains, even though I stated earlier that one A record and CNAMEs pointing to that A record would be the preferred approach. Actually that's what akahan recommended as well.

Amazing that the Google service actually recommended optimizing the setting.
 
The root URL returns to the default port 5001. Would recommend changing that, or simply pushing the DSM main login page behind the reverse proxy as well and accessing it over 443 while closing down 5001 on the router.

You are asking for trouble with those default numbers.
 
And I also noticed that typing in your IP:port leads straight to the DSM login page... which is not very secure IMO; in the RP you can make it so it lands on a 404 page if the FQDN is not the target.
 
Another reason to close down that port and push it over the RP.
 
The root URL returns to the default port 5001. Would recommend changing that, or simply pushing the DSM main login page behind the reverse proxy as well and accessing it over 443 while closing down 5001 on the router.

You are asking for trouble with those default numbers.
How do I do that???

And I also noticed that typing in your IP:port leads straight to the DSM login page... which is not very secure IMO; in the RP you can make it so it lands on a 404 page if the FQDN is not the target.
What do you guys recommend as I really don't understand any of this.

Right, I've got Jellyfin and Transmission using 443 now; not sure how it got changed, but I've been lost and pressing buttons haha.

How do I hide the main DSM page so it's less open and more secure?
 
Obfuscating (changing default) port numbers isn't really good security practice. I do understand, however, that you would like to use your custom DNS entries over SSL.

I use the same method for my internal sites; however, I lock everything down using both the built-in firewall on the network interface and the reverse proxy ACL -- found in the Access Control Profile tab on the Application Portal page -- again only allowing access from my local subnet, e.g. 192.168.1.0/24 (only in two instances do I allow ingress traffic from a specific public IP address), with a DENY ALL as the last rule.

Then you can use either the OpenVPN server on your Synology (or, if your router supports OpenVPN, you could alternatively use that) to dial into your local network from devices that aren't part of it (e.g. tablets, smartphones and laptops on the go).

If you don't want to go through all that, I would strongly suggest at the very least switching to an arbitrary TCP port somewhere in the 40,000-50,000 range, adjusting the forwarding rule on your router accordingly and enabling the firewall on your interface to allow only traffic from your country. Hackers and script kiddies port scanning your machine will be bad enough from just your own country.

Ps. If you want to make your DSM accessible from the Internet, do enforce two-factor authentication for every single account that has DSM access.

Ps2. Do yourself a favour and clean up any personally identifiable information (e.g. custom DNS records and/or your public IP address) from your posts. You are basically inviting people with nefarious intent.
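The two pieces of advice above (send anything that is not addressed to a published hostname to a 404 instead of the DSM login, and put DSM itself behind the proxy with a LAN-only ACL so port 5001 can be closed on the router) written out as a plain nginx configuration. This is an added example, not the thread's or Synology's own config: DSM generates its reverse-proxy nginx config from the Application Portal UI and that file should not be hand-edited, so the block shows the equivalent for a stand-alone nginx. Hostnames, certificate paths, backend ports and the 192.168.1.0/24 subnet are placeholders.

```nginx
# Added example: reverse-proxy layout matching the advice in the thread.
# Hostnames, paths and the LAN subnet are placeholders.

# 1. Catch-all vhost. A request that arrives by bare IP:port, or with a Host
#    header that matches no server_name below, lands here and gets a 404.
#    Without a default_server nginx picks the first vhost, which is how an
#    IP:port request ends up on the DSM login page.
server {
    listen 443 ssl default_server;
    server_name _;
    ssl_certificate     /etc/nginx/certs/fullchain.pem;
    ssl_certificate_key /etc/nginx/certs/privkey.pem;
    return 404;
}

# 2. A service published to the Internet by hostname only.
server {
    listen 443 ssl;
    server_name jellyfin.example.com;
    ssl_certificate     /etc/nginx/certs/fullchain.pem;
    ssl_certificate_key /etc/nginx/certs/privkey.pem;

    location / {
        proxy_pass http://127.0.0.1:8096;        # Jellyfin default port (placeholder backend)
        proxy_set_header Host            $host;
        proxy_set_header X-Real-IP       $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

# 3. DSM itself behind the proxy, reachable only from the LAN (or over the VPN
#    that terminates on it). With this in place the router forward for 5001
#    can be removed; the proxy talks to 5001 on loopback only.
server {
    listen 443 ssl;
    server_name dsm.example.com;
    ssl_certificate     /etc/nginx/certs/fullchain.pem;
    ssl_certificate_key /etc/nginx/certs/privkey.pem;

    allow 192.168.1.0/24;                        # local subnet (placeholder)
    deny  all;                                   # DENY ALL as the last rule

    location / {
        proxy_pass https://127.0.0.1:5001;
        proxy_set_header Host            $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # DSM's UI uses WebSockets, so pass the upgrade headers through.
        proxy_http_version 1.1;
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
```

The `allow`/`deny` pair is the nginx equivalent of the Access Control Profile on the Application Portal page; it is evaluated per request before the location is served. Note that the catch-all still presents a certificate (the TLS handshake completes before the Host header is known), so a scanner hitting the IP will see the certificate's names, which is one more reason not to put hostnames you do not want advertised on it.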
 