OTP/2FA not working with Reverse Proxy

NAS: DS920+, DS416slim
Operating system: Windows
Mobile operating system: Android
I have managed to set up a reverse proxy, which I am loving. However, I can't log into the DS Video / Files / Finder apps (on Android) using accounts that have OTP generated by an authenticator app (I use Authy, but I presume this is irrelevant).

I have tested this by disabling 2FA on a certain account and it will let me log in, but as soon as I turn on 2FA it just keeps asking for codes as if I've entered it incorrectly.

In browsers, the login works properly.

I have tried resetting the OTP mechanism for the accounts by disabling and re-enabling but it doesn't fix anything.

Any ideas please? I'm a big fan of 2FA and don't want to have to turn it off, especially for admin accounts.

Many thanks...
 
Strangely I have found that if I use the address with the final DSM port in the reverse proxy address, it works - I thought the whole point of reverse proxy was that the subdomain was associated with a port DSM side?

So with 2FA, rev.mydomain.com:5001 works whereas rev.mydomain.com does not work. Either works without 2FA.

Am I doing something incorrectly? Family members use DS Video and some use 2FA, and it's so much cleaner (and satisfying) to just give them a simple address rather than one with a port after it...
Mobile apps need to have ports added even if it's the default port for that protocol (like 443 for https). Syno design.
Don't the older DS apps assume the default ports 5000 and 5001 if a port number is omitted?

It's just easier to always add the port number in these apps.
Thanks for the responses, guys. However, I can't entirely agree, for two reasons - I am probably misunderstanding though!!

Again this is all when using a reverse proxy.

1. The port is only required when using 2FA
2. Isn't the whole point of a reverse proxy that the app doesn't define the port, the reverse proxy does?
When you use rev.mydomain.com:5001 you are actually bypassing the reverse proxy and going straight to the DSM web portal (on port 5001, if that's what you use) and the API it uses to access the required package.

But using rev.mydomain.com:443 will use the reverse proxy (well Application Portal), because it is listening to port 443.

I just tested and rev.mydomain.com failed while rev.mydomain.com:443 worked, and rev.mydomain.com:DSM_HTTPS_PORT threw a certificate mismatch (I use different certificates for different services).

I can't recall if the newer mobile apps don't require the port number, but the older apps* are very finicky about it. Just add ':443' to the server name, if that's the port you use.

*the apps you listed are in the older category.
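An added diagnostic (not from this thread or from Synology) that does what the reply above describes by hand: it connects to each form of the address (bare host, host:443, host:DSM port) with SNI and reports which certificate that listener serves and whether its names cover the hostname, so a bare host that lands on DSM rather than the Application Portal shows up as a name mismatch or an untrusted certificate. The hostnames and ports are placeholders taken from the thread; the DSM port and the self-signed default certificate are assumptions about a typical setup.

```python
"""Added diagnostic (not from the thread or Synology): report which TLS
certificate each form of a server address reaches, so you can see whether
host, host:443 and host:DSM_PORT land on the reverse proxy or on DSM itself."""
import socket
import ssl
import sys
from urllib.parse import urlsplit

def split_address(address, default_port=443):
    """Parse 'host', 'host:port' or 'https://host:port/' into (host, port)."""
    if "://" not in address:
        address = "https://" + address
    parts = urlsplit(address)
    if not parts.hostname:
        raise ValueError("no hostname in %r" % address)
    return parts.hostname, parts.port or default_port

def san_covers_host(san_names, host):
    """True if a DNS SAN (exact or single-label wildcard) matches host."""
    host = host.lower().rstrip(".")
    for name in san_names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*.") and name.count(".") == host.count(".") \
                and host.endswith(name[1:]):
            return True
    return False

def probe(address, timeout=5.0):
    """Connect with SNI and describe the certificate the listener serves."""
    host, port = split_address(address)
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # report a name mismatch rather than raising on it
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()  # dict only when the chain verified
    except ssl.SSLCertVerificationError as exc:  # e.g. a self-signed DSM cert
        return {"host": host, "port": port, "trusted": False, "error": str(exc)}
    except OSError as exc:  # DNS failure, nothing listening, timeout
        return {"host": host, "port": port, "trusted": None, "error": str(exc)}
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    return {"host": host, "port": port, "trusted": True, "sans": sans,
            "name_matches": san_covers_host(sans, host)}

if __name__ == "__main__":
    # usage: python probe.py rev.mydomain.com rev.mydomain.com:443 rev.mydomain.com:5001
    for addr in sys.argv[1:]:
        print(addr, "->", probe(addr))
```

Run it against the same three address forms the reply compares; a bare host that reaches the proxy reports `trusted: True, name_matches: True`, while the DSM port typically reports either a name mismatch or an untrusted certificate.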
I have tried hard in setting up the reverse proxy, to no avail. How did you manage to set up a reverse proxy, mate? Step by step instructions will be very much appreciated ([email protected])
I just tested and rev.mydomain.com failed while rev.mydomain.com:443 worked, and rev.mydomain.com:DSM_HTTPS_PORT threw a certificate mismatch (I use different certificates for different services).
Alternately, you can forward 443 to the NAS, and the domain works w/o adding the port.

You are right - using :443 worked, and with 2FA, which was my initial issue. Thanks!

Alternately, you can forward 443 to the NAS, and the domain works w/o adding the port.

This doesn't work for me - with 2FA anyway. Simply says it cannot connect.

I have tried hard in setting up the reverse proxy, to no avail. How did you manage to set up a reverse proxy, mate? Step by step instructions will be very much appreciated ([email protected])

My own notes are as follows.
I have a feeling that the destination should be http rather than https - but on my side I have DSM http forwarding to https anyway, so I'm not sure it makes a difference.

SSL / HTTPS cert always needs a domain name, either bought or DDNS
A numerical IP doesn't work

DDNS: No-IP

TO GET HTTPS / SSL CERT WITH REVERSE PROXY
  1. Ensure there is an "A" record on the website pointing the subdomain (e.g. "vpn" for vpn.xxx.uk) to the NAS external IP (88.xxxx). Each subdomain requires a new certificate.
  2. DSM-Control Panel-Login-Advanced-Reverse Proxy:
     Source: HTTPS / vpn.xxx.uk / 443 (should always be 443 for an HTTPS reverse proxy)
     Destination: HTTPS / 192.168.1.174 / appropriate service port
  3. On the router, forward port 80 to port 80 on DSM.
  4. On DSM, open port 80.
  5. DSM-Control Panel-Security-Certificate-Add.
  6. Close the ports on the router and DSM.
SynoForum.com is an unofficial Synology forum for NAS owners and enthusiasts.