How can I share a Moments Album via Reverse Proxy?

[NAS Newbie]

I want to set up an album of photos for my grandma to view. I know that it is frowned upon, but I want to use just the public link option instead of creating a password/username for her so she doesn't have to remember login info. I'd kill the link after a couple of days once she's viewed/downloaded whatever she wants in the album. I have all my access to the NAS set up via Reverse Proxy thru port 443. I do not yet have any reverse proxy set up for Moments. When I create a public share link for the album, it gives me a link similar to: https://mynas.synology.me:33333, where 33333 is the custom default port I'm using for DSM. This link works so long as I have 33333 port-forwarded, but I don't want to leave that port open on my router. How can I get Moments to spit out a reverse-proxy URL instead of a port-forwarded one?

 

[WST16]

If you don’t mind sharing a folder, it works using the File reverse proxy. Just add the subdomain to the generated URL.
Login using the File portal.
I didn’t play with Moments, don’t know what’s possible.

 

[NAS Newbie]

So your comment about adding the subdomain to the generated URL got me thinking. The actual URL that was generated was more like: https://mynas.synology.me:33333/mo/sharing/sflksjdfoi3398.

I added my dsm subdomain to the URL and eliminated the port number and it appears to have routed through my DSM RP. I was able to access the shared album on my phone when not connected to my LAN, so it appears to be working. It isn't an auto-generated link, but it will work. Thanks for the idea. The resulting URL was similar to https://dsm.mynas.synology.me/mo/sharing/sflksjdfoi3398.

 

[WST16]

I added my dsm subdomain to the URL and eliminated the port number

Either that or login using the File portal (you end up with the login screen with the folder). When I generate a share, it doesn’t have any ports included, however, for some reason it doesn’t include the subdomain (as you said) and I just add it.

You can have a password and set expiry dates on that too.

Edit: You can zip the folder (without compression because it’s useless if your photos are mostly JPG) and share a single file to dload.

 

[Gerard]

for me there were two places to put in my reverse proxy domain name and port 443 when setting everything up. First was external access then advanced. I put my rp dsm name and https port 443.
I’m using photo station and I’m the settings of photo station there’s an area to do the same I put my rp name for photo station and https port 443. Anytime a share link was generated it was generated with this setting of rp photo port 443, and it was auto I did not have to manually tweak the urls.

in external access advanced that area is more for the certain dsm reports that are emailed. In the email it’s a one click shop to view to reports using the rp name (both locally & remotely).

in settings and then notifications there’s one more area there called the http_url (I think) where I set the dsm rp url and port 443. This is for any notifications that are sent (such as storage analyzer reports ..I think) that are sent out and I can click the link in email to view.

I haven’t used moments but I’m sure there’s a way to do the same without having to manually adjust the url.
This is where the photo station option is, I put my rp name and then https 443

 

[fredbert]

Resurrecting this question.

Moments doesn't have the same admin/advanced options (as far as I can see) for defining the domain for sharing links. Within Drive Admin Console this is possible, and seems so for Photo Station, but Moments picks up the domain set globally in Control Panel / External Access / Advanced. Leave that blank and my Syno DDNS is used with Application Portal alias appended.

If you've accessed Moments using a unique domain defined in Application Portal then this is replaced in sharing links using the External Access domain. But this fails as that 'domain/mo/sharing/<code>' isn't handled correctly. Well not for me as it doesn't append the alias.

The admin control in Moments is pretty lacking.

 

[fredbert]

Synology Photos in DSM 7 doesn't look to be any better, though testing is rather slow as I now remember the reason for moving from the DS215j.

OK, so I see how the reverse proxy works. Not exactly ideal if wanting to limit access to applications to just using a direct service domain name. Basically you have to allow Internet access to the full DSM portal, whether you allow direct to the DSM '5001' HTTPS or use a reverse proxy rule to direct a 443 request to DSM.

 

[Rusty]

Basically you have to allow Internet access to the full DSM portal

Hmm, I have had 0 problems with limiting only access to the Photos app on DSM7.

Just placed the Photos app on a custom port using the Application portal for that app, and then used that port to redirect my custom domain name via reverse proxy to that port, like with any other Docker app for example.

Does that not work for you?

 

[fredbert]

It's when creating/enabling sharing links that I find I'm having a problem. Working this out with Moments as DM 7 Photos is too slow really to test on the DS215j. For example:

Direct name: moments.mydomain.com​

Alias access: www.mydomain.com/moments​

​

External Acces name: www.mydomain.com​

HTTPS: 443​

I access Moments using https://moments.mydomain.com and try to create a sharing link. The link is created as https://www.mydomain.com/mo/sharing/<code> . This doesn't work to get to the shared content but if the link had been aware of the URL I had browsed with as the App Portal direct domain then it could should have offered these working links:

https://moments.mydomain.com/mo/sharing/<code>​

https://www.mydomain.com/moments/mo/sharing/<code>​

If I access Moments using the alias https://www.mydomain.com/moments then the second link type is created. But this somewhat removes the usefulness of using the direct name.

I don't want to have direct HTTPS 5001 [default 5001 is not what I really use] to the full DSM portal. The way to 'fix' this is to do this:

External Acces name: www-links.mydomain.com​

HTTPS: 443​

​

Reverse Proxy: HTTPS www-links.mydomain.com:443 >> HTTPS localhost:5001​

​

Plus a certificate that covers www-links.mydomain.com​

So now I have a reverse proxy that allows full DSM portal access


I don't think this has changed in Photos. If they used the Drive Admin Console method to allow you to set the sharing domain then this would not be an issue... that was fixed by Synology after much complaining.


Edit:

The reason why custom ports are not much use is that most corporate firewalls will restrict which destination ports are allowed from internal users. Hence overloading TCP 443 with reverse proxy rules.

This may lessen as the use of application aware firewalls are more prevalent but I doubt it.

 

[Rusty]

Working this out with Moments as DM 7 Photos is too slow really to test on the DS215j

I see. Can't comment on Moments as I haven't used it or tried it but I noticed that it had this problem that you are describing. The reason why I tested Photos to see if there is an option to get to it using a reverse way.

 

[fredbert]

I'm mostly not wanting DSM access from the Internet for admin users. So I guess I can set a 'By IP' restriction to DSM, limiting to LAN / VPN subnets... test on a standard account first before applying to admins!!