NPM and Synology

Hi everyone !

I have an issue with NPM and Synology NAS. Every request I make for every domain redirects to the DSM page.

I will explain more:

What worked: NPM on a Raspberry Pi handling the proxy part. It worked fine. But the downside of this setup is that every port of every service is published and not secured on my Synology server.

What is set up now:

  • NPM docker on the Synology with ports 8907:443, 8765:80 and 81
  • Port forwarding on my router to my NAS and the ports specified above
  • NPM network is bridged
  • My local DNS rewrites to my Synology NAS

But every time I try to access a container with sub.domain.tld, the Synology redirects to port 5001 and DSM shows up.

The issue seems to be with Synology and the way it handles the network, but I don't understand how...

Thanks a lot!
 
Exactly what do you mean by this? Only one of my ports is open. RPi npm works fine.

To proxy requests, the port on the Synology must be open.

For example: I have radarr on port 7878. I need to expose this port on the Synology NAS to be able to proxy it with the Raspberry.

If I do an nmap scan on my network, all my services are exposed and you can access them at IP address:port and bypass the proxy.

I want my reverse proxy to catch every request and not expose every service with its associated port.
-- post merged: --

Just to be sure, port forward is 443 > 8907?

Yup!

[screenshot of the router port forwarding attached]
Can you test redirecting an RP host to some other device on the network, not toward a service on the NAS? Does that work?

That was my setup before I migrated NPM into the NAS and it worked fine (+ I didn't need any port forwarding on my router because ports 80 and 443 were available).

Anyway, I have tested NPM on the Raspberry Pi to my router web interface and it worked. And all the services on the Synology worked too.
I have radarr on port 7878. I need to expose this port on the Synology NAS to be able to proxy it with the Raspberry.
Not at all. Open only port 443 to the NAS. Access radarr using subdomain
https://radarr.domain.com

RP then is set to move incoming requests from radarr.domain.com:443 to https://NAS_IP:8787 or https://RPi_IP:8787, or wherever you have radarr running.

This is the point of npm... that you don't open every port.
Not at all. Open only port 443 to the NAS. Access radarr using subdomain
https://radarr.domain.com

RP then is set to move incoming requests from radarr.domain.com:443 to https://NAS_IP:8787 or https://RPi_IP:8787, or wherever you have radarr running.

This is the point of npm... that you don't open every port.

Your port needs to be open to reach it on the server.

You can achieve that with this: Nginx Proxy Manager, but you must link your npm container with the other containers on the same network.

If you can access the website via NPM on your Raspberry, you can access it with IP_ADDRESS:PORT and bypass your reverse proxy.

My goal is to isolate my LAN network so that only NPM reaches the local ports of the services! I can't do this with NPM on another device (as far as I know, maybe there is a solution), so I need to figure out how to use NPM on Synology, but that brings me the issue I encountered in my first post.
But every time I try to access a container with sub.domain.tld, the Synology redirects to port 5001 and DSM shows up.
The only thing that comes to mind is that you have your domain configured in the advanced settings of DSM. But that would mean that port forward is not targeting your NPM but the default Nginx on the DSM and getting redirected to 5001.

Considering that the port forward you have in the image above shows differently, I guess that is not the case.

Do you have WebStation installed by any chance and any configured virtual hosts?
The only thing that comes to mind is that you have your domain configured in the advanced settings of DSM. But that would mean that port forward is not targeting your NPM but the default Nginx on the DSM and getting redirected to 5001.

Considering that the port forward you have in the image above shows differently, I guess that is not the case.

Do you have WebStation installed by any chance and any configured virtual hosts?

The domains used by NPM are not associated with the Synology and no WebStation is installed.

I will reconfigure everything and try again to find the root cause of this.
Okay so I found the root cause: my router does not port forward from LAN, only from WAN, so when I ask for sub.domain.tld, my AdGuard forwards to NASIP:443 and the NAS just proxies to the 5001 DSM interface.

So I have 2 solutions:

  • Use macvlan on docker to have an IP in my LAN and forward everything to the NPM
  • Change the ports used by the Synology to have 443 and 80 free.

I don't really want to use a script to free up the ports, so I tried the first one, but my docker knowledge is a little bit limited and I don't know how to set up the macvlan on docker.

Docker compose worked, I have my NPM running with the IP address set up. But I cannot access the docker container.
my router does not port forward from LAN, only from WAN
Aha, so no NAT loopback option.

But I cannot access the docker container.
macvlan by default behaves such that any container running on your host in macvlan will not have communication with the host or any other container on that host that is not also configured as macvlan.

Other devices on the network will be able to talk to that container, but host communication will not work, this is by design.
this is by design.
Note: Actually, this is caused by a security mechanism in the Linux kernel that prevents macvlan parent interfaces from directly communicating with macvlan child interfaces. Containers attached to a macvlan network use a macvlan child interface.

Most people just add a macvlan child interface to the host to bypass that restriction.

My local DNS rewrites to my Synology NAS
By "rewrite" you mean you override the DNS entries, so they resolve to the IP of your NAS? If this is the case, your reverse proxy should pick up the "host: ${domain}" HTTP header and apply the rule for that domain and port.

Are you sure your domain overrides and your reverse proxy rules are correct? There must be a reason why you get redirected to the DSM management console.

Does it work for other people that access your NPM from WAN?
  • if not: your reverse proxy rules are highly likely the issue, as your domain override shouldn't be involved in this scenario.
  • if yes: then it's only a local problem and your domain overrides are a good candidate for causing the problems.
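For the two solutions listed above (macvlan address for NPM, or freeing 80/443 on DSM) and the shim workaround just described, here is an added example that is not from the thread: a compose file that puts NPM on a macvlan network with its own LAN address, and the host-side macvlan child interface that lets the NAS itself reach the container. The parent interface name, subnet, gateway and the .249/.250 addresses are assumptions (the thread only shows the NAS at 172.21.16.254).

```shell
#!/bin/sh
# Added example, not from the thread: NPM on a docker macvlan network plus the host-side
# macvlan "shim" child interface that lets the NAS itself reach the container.
# Assumed values (not on the page): parent interface eth0, LAN 172.21.16.0/24 with
# gateway .1, container IP .250, shim IP .249 reserved for the host.
PARENT=${PARENT:-eth0}
SUBNET=${SUBNET:-172.21.16.0/24}
GATEWAY=${GATEWAY:-172.21.16.1}
NPM_IP=${NPM_IP:-172.21.16.250}
SHIM_IP=${SHIM_IP:-172.21.16.249}

# write_compose FILE: compose file giving NPM its own LAN address, so :80/:443 on that
# address no longer collide with DSM's nginx on the NAS address and no port mapping is needed.
write_compose() {
  cat > "$1" <<EOF
services:
  npm:
    image: jc21/nginx-proxy-manager:latest
    restart: unless-stopped
    networks:
      lan:
        ipv4_address: $NPM_IP
    volumes:
      - ./data:/data
      - ./letsencrypt:/etc/letsencrypt
networks:
  lan:
    driver: macvlan
    driver_opts:
      parent: $PARENT
    ipam:
      config:
        - subnet: $SUBNET
          gateway: $GATEWAY
EOF
}

# setup_shim: the kernel drops traffic between a macvlan parent and its children, so the
# host gets its own child interface with a /32 route to the container. DRY_RUN=1 echoes
# the commands instead of running them (they need root on the NAS).
setup_shim() {
  run=${DRY_RUN:+echo}
  $run ip link add macvlan-shim link "$PARENT" type macvlan mode bridge &&
  $run ip addr add "$SHIM_IP/32" dev macvlan-shim &&
  $run ip link set macvlan-shim up &&
  $run ip route add "$NPM_IP/32" dev macvlan-shim
}
# Usage: write_compose docker-compose.yml && docker compose up -d && setup_shim
```

The shim interface does not survive a reboot, so on DSM it has to be re-created by a boot-time task.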
By "rewrite" you mean you override the DNS entries, so they resolve to the IP of your NAS? If this is the case, your reverse proxy should pick up the "host: ${domain}" HTTP header and apply the rule for that domain and port.

Are you sure your domain overrides and your reverse proxy rules are correct? There must be a reason why you get redirected to the DSM management console.

My guess is: I go to https://sub.domain.tld -> my AdGuard rewrites my request to IP_ADDRESS:443. The IP address of the Nginx Proxy Manager is the same as the NAS. So the request is: https://172.21.16.254:443. The NAS redirects to DSM on port 5001.

I have modified something and now I cannot reproduce it anyway.

Does it work for other people that access your NPM from WAN?
  • if not: your reverse proxy rules are highly likely the issue, as your domain override shouldn't be involved in this scenario.
  • if yes: then it's only a local problem and your domain overrides are a good candidate for causing the problems.

I don't need to check on WAN because my services don't need to be exposed. I only want to do this on my LAN.

My guess is: I go to https://sub.domain.tld -> my AdGuard rewrites my request to IP_ADDRESS:443. The IP address of the Nginx Proxy Manager is the same as the NAS. So the request is: https://172.21.16.254:443. The NAS redirects to DSM on port 5001.
If you call the URL https://sub.domain.tld in your browser, does it change the URL to https://ip:443 in your browser?! (= URL rewrite on HTTP protocol level) Or does it still keep the same domain but resolve to the NAS IP? (= DNS override for a domain to resolve to a different IP).

Only the 2nd case is the right approach. The 1st approach removes information relevant for what you are trying to achieve.
-- post merged: --

I don't need to check on WAN because my services don't need to be exposed. I only want to do this on my LAN.
I am not sure how this response helps with troubleshooting the root cause. But okay, if not needing it is more relevant than identifying the root cause of your problem, then so be it.

If you call the URL https://sub.domain.tld in your browser, does it change the URL to https://ip:443 in your browser?! (= URL rewrite on HTTP protocol level) Or does it still keep the same domain but resolve to the NAS IP? (= DNS override for a domain to resolve to a different IP).

Only the 2nd case is the right approach. The 1st approach removes information relevant for what you are trying to achieve.
-- post merged: --

I am not sure how this response helps with troubleshooting the root cause. But okay, if not needing it is more relevant than identifying the root cause of your problem, then so be it.

It's a DNS override, yes. The URL doesn't change during the request.

It's not that I don't want to test, but I can't: I expose nothing on the WAN, and configuring DDNS and stuff seems too heavy just to verify one thing. The root cause seems to be my router and NAT loopback that doesn't work properly.

I appreciate the help and information you provided; sorry if my message was rude, I didn't mean it.
With DNS override the router is not involved.

You could try curl -iv https://sub.domain.tld (from any Linux(!) shell) and share the resulting output, so we can see what happens during the communication.

Also: please share screenshots of how you publish your ports.
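To make the suggested curl check answer the question "who is listening on NAS_IP:443, DSM's nginx or NPM?", here is an added example that is not from the thread: curl --resolve pins the hostname to a chosen IP so the probe works with or without the AdGuard DNS override, and a redirect whose Location points at port 5001 identifies DSM as the responder. sub.domain.tld, the NAS address 172.21.16.254 and the macvlan address .250 in the usage comment are placeholders and assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. curl --resolve keeps the Host header and SNI as the
# real hostname while forcing the TCP connection to a given IP, so the result tells you
# which listener answered on that IP:port regardless of local DNS overrides.
# -k skips certificate verification (the thread's curl failed on the chain); acceptable
# here because we only inspect the redirect target, not trust the content.

# classify STATUS REDIRECT_URL -> "dsm" | "not-dsm" | "unreachable"
# A 3xx whose Location points at port 5001 is DSM's own nginx, not NPM.
classify() {
  status=$1; location=$2
  case "$status" in
    ""|000) echo unreachable ;;
    30[1278])
      case "$location" in
        *:5001/*|*:5001) echo dsm ;;
        *) echo not-dsm ;;
      esac ;;
    *) echo not-dsm ;;
  esac
}

# probe HOST IP [PORT]: one HTTPS request to IP:PORT with HOST as name, prints a verdict.
probe() {
  host=$1; ip=$2; port=${3:-443}
  out=$(curl -sk -o /dev/null --max-time 5 \
        --resolve "$host:$port:$ip" \
        -w '%{http_code} %{redirect_url}' "https://$host:$port/")
  set -- $out
  echo "$host via $ip:$port -> status=${1:-000} location=${2:-none} verdict=$(classify "${1:-}" "${2:-}")"
}

# Usage (assumed values):
#   probe sub.domain.tld 172.21.16.254        # NAS address, :443 owned by DSM -> "dsm"
#   probe sub.domain.tld 172.21.16.254 8907   # NPM's published port -> "not-dsm"
#   probe sub.domain.tld 172.21.16.250        # NPM on its own macvlan address -> "not-dsm"
```

Comparing the first two probes separates "DNS override sends me to the wrong IP" from "the right IP, but DSM owns port 443", which is the distinction the thread ends up on.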

I know about the DNS and the router. What I want to say is that the issue I have is my router, which doesn't change the port on the request. The curl shows this:

Bash:
.\curl.exe -iv https://npm.redacted.xyz
*   Trying 172.21.16.254:443...
* Connected to npm.redacted.xyz (172.21.16.254) port 443 (#0)
* ALPN: offers h2
* ALPN: offers http/1.1
*  CAfile: C:\Users\Admin\Desktop\curl-7.87.0_2-win64-mingw\curl-7.87.0_2-win64-mingw\bin\curl-ca-bundle.crt
*  CApath: none
* [CONN-0-0][CF-SSL] TLSv1.0 (OUT), TLS header, Certificate Status (22):
* [CONN-0-0][CF-SSL] TLSv1.3 (OUT), TLS handshake, Client hello (1):
* [CONN-0-0][CF-SSL] TLSv1.2 (IN), TLS header, Certificate Status (22):
* [CONN-0-0][CF-SSL] TLSv1.3 (IN), TLS handshake, Server hello (2):
* [CONN-0-0][CF-SSL] TLSv1.2 (IN), TLS header, Finished (20):
* [CONN-0-0][CF-SSL] TLSv1.2 (IN), TLS header, Supplemental data (23):
* [CONN-0-0][CF-SSL] TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* [CONN-0-0][CF-SSL] TLSv1.2 (IN), TLS header, Supplemental data (23):
* [CONN-0-0][CF-SSL] TLSv1.3 (IN), TLS handshake, Certificate (11):
* [CONN-0-0][CF-SSL] TLSv1.2 (OUT), TLS header, Unknown (21):
* [CONN-0-0][CF-SSL] TLSv1.3 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

The request goes to my NAS IP:443. On that port, the proxy from Synology answers and redirects to port 5001 with DSM. The DNS part works as expected but the port forwarding does not.

Here is my Portainer UI with the NPM container in the screenshot. Nothing special in the configuration.

[screenshot of the Portainer container view attached]
I ended up pushing a script to free up ports 80 and 443 on the NAS. Everything works fine now, though I don't really like this kind of solution.

I'll check if I can find another solution, but for now I'll leave the configuration like that!

Thank you for your help :)