Solved [NGINX] Custom Reverse-Proxy configuration issue

Hi all,
First of all, happy holidays to everyone.

Since I have installed BitwardenRS and configured the NGINX-RP to access it, I was wondering if I could also use NGINX to redirect all the other applications of the NAS.
I was able to test various things but it still does not meet my expectations.

tl;dr: tried to set up a reverse proxy on nginx for all my DSM apps and Docker app, failed at almost the 1st step, rolled back, need advice/guidance...

Currently I can (from LAN and WAN) :
Code:
access DSM with https://my_ddns:dsmapps_custom_port/
access DS Drive with https://my_ddns:dsmapps_custom_port/<the alias to DSDrive configured in apps portal>
access DS Moments with https://my_ddns:dsmapps_custom_port/<the alias to DSMoments configured in apps portal>
access BitwardenRS with https://my_ddns:bitwarden_custom_public_port/ redirecting to https://127.0.0.1:bitwarden_custom_local_port/

... etc

Here is what I want to achieve (from LAN and WAN) :
Code:
access DSM with https://my_ddns/<an alias to DSM> redirecting to https://127.0.0.1:my_dsmapps_custom_port/
access DS Drive with https://my_ddns/<an alias to DSDrive> redirecting to https://127.0.0.1:my_dsmapps_custom_port/<the alias to DSDrive configured in apps portal>
access DS Moments with https://my_ddns/<an alias to DSMoments> redirecting to https://127.0.0.1:my_dsmapps_custom_port/<the alias to DSMoments configured in apps portal>
access BitwardenRS with https://my_ddns/<an alias to Bitwarden RS> redirecting to https://127.0.0.1:bitwarden_custom_local_port/
... etc

Below is the working configuration for NGINX RP for Bitwarden :
Code:
server {
    listen <custom_bitwarden_public_port> ssl;
    listen [::]:<custom_bitwarden_public_port> ssl;

    server_name <my_ddns>;

    ssl_certificate /PATH/TO/fullchain.pem;
    ssl_certificate_key /PATH/TO/privkey.pem;

    location / {
        proxy_connect_timeout 60;
        proxy_read_timeout 60;
        proxy_send_timeout 60;
        proxy_intercept_errors off;
        proxy_http_version 1.1;
        proxy_set_header        Host            $http_host;
        proxy_set_header        X-Real-IP            $remote_addr;
        proxy_set_header        X-Forwarded-For            $proxy_add_x_forwarded_for;
        proxy_set_header        X-Forwarded-Proto            $scheme;
        proxy_pass http://127.0.0.1:<custom_bitwarden_local_port>;
    }

    location /notifications/hub {
        proxy_pass http://127.0.0.1:<another_custom_bitwarden_local_port>;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }

    location /notifications/hub/negotiate {
        proxy_pass http://127.0.0.1:<custom_bitwarden_local_port>;
    }

    error_page 403 404 500 502 503 504 @error_page;

    location @error_page {
        root /usr/syno/share/nginx;
        rewrite (.*) /error.html break;
        allow all;
    }
}

I wanted to test it step by step, so first I tried to replace the "location /" section with location /bitwarden as below, but it is not working; even worse, it broke my access to DSM with https://my_ddns:dsmapps_custom_port/:
Code:
    location /bitwarden {
        proxy_connect_timeout 60;
        proxy_read_timeout 60;
        proxy_send_timeout 60;
        proxy_intercept_errors off;
        proxy_http_version 1.1;
        proxy_set_header        Host            $http_host;
        proxy_set_header        X-Real-IP            $remote_addr;
        proxy_set_header        X-Forwarded-For            $proxy_add_x_forwarded_for;
        proxy_set_header        X-Forwarded-Proto            $scheme;
        proxy_pass http://127.0.0.1:<custom_bitwarden_local_port>/;
    }

Has anyone already tried to do what I want to do?

Sorry for the long post
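
An added example, not part of the original post: a small Python model of how nginx maps request URIs for the `location /bitwarden` block above, next to two common variants. It models one prefix location only (no regex locations, no longest-prefix selection, no 301 for a missing trailing slash), and the sample request paths are constructed.

```python
from typing import Optional

def upstream_uri(location: str, pass_uri: Optional[str], request_uri: str) -> Optional[str]:
    """URI nginx sends upstream for one prefix location, or None if no match.

    pass_uri is the path part of proxy_pass after host:port:
    "/" for http://127.0.0.1:PORT/ and None for http://127.0.0.1:PORT.
    """
    path, sep, query = request_uri.partition("?")
    if not path.startswith(location):      # prefix match is a plain string compare
        return None
    if pass_uri is None:                   # no URI part: path forwarded unchanged
        return path + sep + query
    # URI part present: the matched prefix is replaced by pass_uri
    return pass_uri + path[len(location):] + sep + query

# (location, URI part of proxy_pass); "post" is the block from the post above
CONFIGS = {
    "post": ("/bitwarden", "/"),
    "slash_both": ("/bitwarden/", "/"),
    "no_uri": ("/bitwarden/", None),
}

# Constructed sample requests, not taken from real traffic
SAMPLE_REQUESTS = [
    "/bitwarden/",
    "/bitwarden/app/main.js?v=1",
    "/bitwarden-old/x",        # different path that shares the string prefix
    "/notifications/hub",      # absolute path requested by the web client
]

def routing_table() -> dict:
    """Map each config name to {request: upstream URI or None}."""
    return {
        name: {req: upstream_uri(loc, uri, req) for req in SAMPLE_REQUESTS}
        for name, (loc, uri) in CONFIGS.items()
    }

if __name__ == "__main__":
    for name, routes in routing_table().items():
        print(name)
        for req, up in routes.items():
            print(f"  {req:30} -> {up if up is not None else '(location not matched)'}")
```

With the block from the post, the upstream receives a doubled leading slash and `/bitwarden-old/x` is also proxied; in every variant, absolute paths such as `/notifications/hub` fall outside the `/bitwarden` location and are handled by whatever else the server block defines.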
 
You should be able to do this using the Application portal alone (or Reverse proxy tab under it).

For all Synology apps just use the 1st section of the Application portal and configure the alias option there. Your url should look like the one that you want. DSM will handle the rest (no need to manually configure nginx file).

Regarding accessing BW via a subfolder (alias name) instead of a subdomain name you will probably need to customize nginx file, but off the top of my head, I have no idea on it considering I use subdomains and not folders/aliases.

One question, why are you preferring /alias and not subdomain.domain.something?
 
One question, why are you preferring /alias and not subdomain.domain.something

Because I have No-Ip free plan and I cannot use subdomains ... hence trying to stay with my current ddns and adding a folder after it to access my apps. But I also can create up to 3 hosts (even if these are pointing to the same IP)
I also wanted to do this so I would not have to expose the auth page directly on https://mydomain:<port>/ even for DSM. I read a while ago that there has been one vulnerability on the auth page allowing malicious ppl to gain access to the NAS without credentials so if it's not exposed directly but only available in a case-sensitive folder ... that's one more step to secure the access from the outside.

Well that being said, I have created a second and third host in my ddns and also got a let's enc cert for them (one cert with 2 objects names).
I had my BWRS pointing to one of these, the NGINX RP configured to listen on port 80 and port 443 for the new ddns then redirect to the internal app https port perfectly. Of course I had to forward ports 80 and 443 from router to my NAS.
My BWRS instance is now only accessible with this DDNS and this DDNS only allows to reach my BWRS instance.

Also as I set in portal apps the names already, with ports 80 and 443 open and forwarded, I'm able to reach each app with https://myddns/alias but when I go to https://myddns/ it redirects me to https://myddns:custom_port/ exposing the port and also the DSM login page... which is what I wanted to avoid.

I am also able to reach my apps with the third DDNS I created (which at some point would replace my current one) and it behaves exactly the same as my current DDNS (described just right above). And ... for this DDNS, the certificate won't work. No matter what it still picks the one created for my 1st DDNS though I have set the multiple objects cert as default cert and as cert for all available components in DSM ....

I also did not find a way to tell my NAS that its public name was now the 3rd DDNS I created and that it had to now use the attached cert ...
 
Domains are not that expensive, and depending on the provider more or less easy to maintain. Best case the provider of choice offers an api to update dns entries and is natively supported by letsencrypt's certbot.

I have my domains at netcup. A *.domain is forwarded to my router's wan-interface. On each re-connect the router updates the entry for the *.domain using a self-hosted dyndns service, which uses the dns api to keep the entry updated to my ip change.

Letsencrypt supports dns challenge for my provider and I created a wildcard certificate that is used everywhere.

The *.domain is the only domain I maintain, I do configure everything else in my reverse proxy (though, I am using traefik instead of the syno-reverse proxy).
 
Since it *kinda* works as it is, I will not mess with it for the moment :)
Thanks anyway
 
For all Synology apps just use the 1st section of the Application portal and configure the alias option there. Your url should look like the one that you want. DSM will handle the rest (no need to manually configure nginx file).

Along these lines, I have a question:

I would like https://mail.mydomain.com to be equivalent to https://mydomain.com/mail

(In other words, I want https://mail.mydomain.com to direct to Mail Station.)

But I can't see how to do this using the GUI in DSM's Reverse Proxy setup...even though Mail Station is a Synology app. It's not one of the apps listed in the Application Portal (even though mydomain.com/mail directs to it).

I have reverse proxy working for each of my Diskstations (i.e., Diskstationname.mydomain.com will point to the UI of the selected diskstation), and I have reverse proxy working for various apps running under Docker (tautulli, bitwarden, etc.) But can't figure out how to get it working for Mail Station. Any ideas?
 
What I have done to achieve this is create a Web Station virtual host for the desired subdomain URL, e.g. https://webmail.mydomain.com/. Within its doc root folder the index.html file is minimal:

HTML:
<html>
    <head>
        <meta http-equiv="refresh" content="0; url=https://www.mydomain.com/mail">
    </head>
    <body>
    </body>
</html>
 
You should be able to do this using the Application portal alone (or Reverse proxy tab under it).

For all Synology apps just use the 1st section of the Application portal and configure the alias option there. Your url should look like the one that you want. DSM will handle the rest (no need to manually configure nginx file).

Regarding accessing BW via a subfolder (alias name) instead of a subdomain name you will probably need to customize nginx file, but off the top of my head, I have no idea on it considering I use subdomains and not folders/aliases.

One question, why are you preferring /alias and not subdomain.domain.something?
Hi expert!
I've configured Nginx Proxy Manager Docker successfully, but how can I use the 1st section of application portal on Synology DSM if I've "redirected all 80/443" from my router to my NAS/NginxDocker internal ports?

Thanks in advance, and excuse me if I'm telling something wrong.

Note: Before Nginx proxy docker, I've been using this 1st section and reverse proxy (native on Synology).

Thanks sir
 
Hi expert!
I've configured Nginx Proxy Manager Docker successfully, but how can I use the 1st section of application portal on Synology DSM if I've "redirected all 80/443" from my router to my NAS/NginxDocker internal ports?

Thanks in advance, and excuse me if I'm telling something wrong.

Note: Before Nginx proxy docker, I've been using this 1st section and reverse proxy (native on Synology).

Thanks sir
You are referring to the built in the application list? If so, just configure those apps to use a custom port of your choosing, like this:


So check the Enable customized port (http or https) up to you. That will broadcast that app on your NAS IP using that custom port.

Then just use that information in your Nginx custom deploy to reverse it by using your NAS IP address and this custom port as the source parameter.
 