Failing in my attempts at reverse proxy

Morning people, spent a good few hours yesterday trying to get reverse proxy working but failed miserably, don't know how or why... So gonna start a thread and see if you guys can help me fault find.

So currently, I believe I've forwarded ports 80/443 on OpenWrt to the NAS IP. I've got the NAS firewall off until I've got this working to eliminate another potential failure point.

I've deleted the .synology.me ddns I had tried before, I've not set up a replacement, do I need to? My IP is static.

I've got a Google domain, but not sure what settings I need to set up in that, it's a minefield of its own, has anyone seen a guide to set it up?

My aim is to have a few subdomains pointing to applications, so I can access them externally, jellyfin, transmission etc.
-- post merged: --

Is there a way to test port 80/443 on the Synology to ensure the port forwarding is correct?
 
So far if I type my domain in it takes me to my 5001 port DSM page with a warning my certificate is invalid.

If I type my sub domain, it does the exact same thing.

How do I get the Synology to know the difference?
 
My aim is to have a few subdomains pointing to applications, so I can access them externally, jellyfin, transmission etc.
Configure CNAME records in your Google domain for all subdomain names (future apps you want to access) and point the records to your public IP address where your NAS is hosted.

So far if I type my domain in it takes me to my 5001 port DSM page with a warning my certificate is invalid.
Expected if you don't have a valid SSL cert on your NAS and active on the required service (Control Panel > Security > Certificate > Configure button).

How do I get the Synology to know the difference?
Reverse proxy is the one that will tell the difference once you configure reverse host records to redirect incoming public names (your app.googledomain.something) to an internal IP address on your NAS and a custom port that that app is running on.
 
IMG_20210516_120721~2.jpg

The CNAME bit being this section?
 
IMG_20210516_162302~2.jpg


How does that look? The Google documentation is mighty vague, it clearly expects you to know what to do... Clearly I don't lol.
-- post merged: --

IMG_20210516_162835.jpg


This is what I have in my reverse proxy set up...
-- post merged: --

Failing that, does anyone know where you can pay to get this kind of stuff set up? I don't think Curry's Knowhow team are up to the job??
 
How does that look? The Google documentation is mighty vague, it clearly expects you to know what to do... Clearly I don't lol.
CNAME is correct, but for the "data" column just enter your public IP address, not the root domain name. The CNAME value that you have entered will automatically append the root domain name, so that means the data value needs to be your "target" destination value, and that is your public IP address (where the NAS is located).

The reverse proxy side of things looks correct. So just edit the CNAME data value and make sure the 443 port is open on your router and pointing to your NAS IP (internal LAN IP, 192.168.1.20) and you will be off to the races.
 
Done all that, it's not working at the minute, but I believe the Google Domains changes can take a while to get going.

If this doesn't work I'll try to find some online TeamViewer assistance as it's beyond my muddling through.
 
I didn't follow the thread completely, though if you have a static IP, then you will want to use an "A" record and assign your static IP as data to it.

One or more subdomains (called Name in your UI) can point to the same IP. In a scenario where multiple subdomains point to the same IP, people typically create one "A" record and assign the IP to it, then create CNAME records for each additional subdomain and point them to the fully qualified domain name of the "A" record entry. In case your static IP changes, you would only need to change the A record, as every other subdomain would point to the A record and implicitly use the changed IP address.

Hope it makes sense.
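As an added illustration (not code from the thread or from Synology), the block below models the two things the replies above describe: the DNS layout with one A record and a CNAME per app name, and the Host-header routing the reverse proxy does in front of DSM. The domain example.com, the public IP 203.0.113.10 and the app ports are constructed for the example; 192.168.1.20 and 5001 are the LAN IP and DSM port from the thread.

```python
# Added example, not code from the thread: a toy model of the DNS layout described
# above (one A record, CNAMEs for every app name) and of the Host-header routing a
# reverse proxy performs. Domain, public IP and app ports are constructed.
ZONE = {
    "example.com.":              ("A", "203.0.113.10"),   # the one record holding the IP
    "www.example.com.":          ("CNAME", "example.com."),
    "jellyfin.example.com.":     ("CNAME", "example.com."),
    "transmission.example.com.": ("CNAME", "example.com."),
}

def resolve(name, zone=ZONE, max_hops=8):
    """Follow CNAMEs until an A record is reached; None when the name has no record."""
    name = name.lower().rstrip(".") + "."
    for _ in range(max_hops):
        rec = zone.get(name)
        if rec is None:
            return None            # NXDOMAIN: nothing published (or not propagated yet)
        rtype, value = rec
        if rtype == "A":
            return value
        name = value               # CNAME: restart the lookup at its target
    raise RuntimeError("CNAME chain too long or looping")

# Reverse-proxy host records: public name -> (internal LAN IP, app port).
# Ports are assumed defaults for the apps named in the thread.
PROXY_RULES = {
    "jellyfin.example.com":     ("192.168.1.20", 8096),
    "transmission.example.com": ("192.168.1.20", 9091),
}
DSM_DEFAULT = ("192.168.1.20", 5001)  # anything without a matching rule lands on DSM

def route(host_header):
    """Choose the backend from the Host header, as the reverse proxy does."""
    host = host_header.lower().split(":")[0]   # drop an explicit :port
    return PROXY_RULES.get(host, DSM_DEFAULT)

def simulate(url_host, zone=ZONE):
    """Where a browser request for https://<url_host>/ ends up."""
    public_ip = resolve(url_host, zone)
    if public_ip is None:
        return "DNS: no record for " + url_host
    backend_ip, port = route(url_host)
    return f"{public_ip}:443 -> {backend_ip}:{port}"

if __name__ == "__main__":
    for h in ("www.example.com", "jellyfin.example.com", "www.jellyfin.example.com"):
        print(h, "=>", simulate(h))
    # Change only the A record: every CNAME follows the new address.
    moved = {**ZONE, "example.com.": ("A", "198.51.100.7")}
    print("after IP change:", simulate("jellyfin.example.com", moved))
```

A name with no record at all (the third one in the loop) never reaches the NAS, while a name that resolves but has no reverse-proxy rule falls through to DSM on 5001.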
 
Hello, some of it makes sense, the logic.... but putting that logic into practice is making me pull my hair out at the minute.

Currently, if I put https://www.thebroughfamily.com into a window, it takes me to my DSM log in page.... but if I put https://www.jellyfin.thebroughfamily.com into a window, it also takes me to my DSM log in page? Shouldn't the above reverse proxy shenanigans have redirected it??
-- post merged: --

I need to stick to being a mechanic, this is above my paygrade, lol.
 
My mistake on this one. @one-eyed-king was correct. A host record with your public IP address, not the CNAME. My mistake mixing it with your previous screen, thinking about a DDNS domain and thinking about a CNAME (alias) instead.

but I believe the Google Domains changes can take a while to get going.
Yes, DNS replication can take some time.
 
Well all I can do is wait and see then... the main address works, just the CNAME subdomains that don't. If you think the reverse proxy looks right, it's either I've mucked up the DNS bit on Google Domains, or it needs time to work its magic.
 
Google Domains webchat says the DNS settings are right, so I guess they know; she says it can take a few minutes up to 48 hours to work.

So it's just now wait and see if the reverse proxy bit works, just hope I've not messed things up in DSM trying to figure it all out. I've re-enabled the DSM firewall and allowed port 80 and 443 to the Docker apps.
 
HSTS will require you to have an existing and valid certificate in place and assigned to the domain.

You could use nslookup to check if the expected IP is returned for a particular fully qualified domain name:

C:\Users\me>nslookup www.thebroughfamily.com
Server: homelan.box
Address: fd00::xxxx:xxxx:xxxx:xxxx

Not authorized response:
DNS request timed out.
timeout was 2 seconds.
Name: www.thebroughfamily.com
Address: 212.69.58.88
while this entry exists, this one is not available yet:
C:\Users\me>nslookup jellyfin.thebroughfamily.com

Server: homelan.box
Address: fd00::xxxx:xxxx:xxxx:xxxx

Not authorized response:
Name: jellyfin.thebroughfamily.com

Can you share your current DNS configuration?
 
The Google DNS ??
-- post merged: --

Do I need HSTS? I only ticked it as I followed a guide and he said too... I've no understanding what it's for.
 
aye, an updated photo of your custom resource records.
-- post merged: --

Once everything works well, you will want to have it enabled :)
Though typically browsers won't allow you to access the page in case of any certificate issues, while without HSTS some browsers indicate the problem and still allow you to access the page.
 
That's as they stand now. I tried to change the CNAME ones earlier so they had my IP address not the domain, but it wouldn't let me; it said it would only accept a domain name in that configuration.

So I sent the online message desk a help ticket, and they got back saying the current configuration I have is correct, an IP address wouldn't be accepted in that situation and everything looked fine, I just needed to wait a bit of time.
-- post merged: --

Like I said this is way beyond my understanding. I'm much happier rebuilding a diesel engine or fixing a broken ATV.
-- post merged: --

aye, an updated photo of your custom resource records.
-- post merged: --

Once everything works well, you will want to have it enabled :)
Though typically browsers won't allow you to access the page in case of any certificate issues, while without HSTS some browsers indicate the problem and still allow you to access the page.
So should I turn it off for now?
 