Remote file sharing from NAS configured as reverse proxy - how best to ensure security?

Hi all,

I'm configuring a NAS for a small business, to allow secure transfer of files to clients directly from the Synology NAS.
So far, I have configured the NAS as a reverse proxy server and opened port xyz (ports 80 and 443 are already forwarded to other services, so this is some other port).

I set up a reverse proxy from the NAS to itself, meaning that I can generate file sharing links like https://nas1.mydomain.com:xyz/sharing/randomcode.
This works perfectly for my needs, but it leaves the NAS login page open to the internet at https://nas1.mydomain.com:xyz. I feel this is insecure and I'd like to set up a system where these file sharing links can be provided without the login page available.

Is there a better way to configure a reverse proxy to bypass this issue? Should I resign myself to port forwarding instead?
 
Hi,

It's going to be convenience vs. security (as is mostly the case when it comes to computers).

If they don't share a lot of files then a Docker container will be more secure (isolated). The downside is that they'll need to upload the files to the container instead of clicking share on –what I would presume– a file that's already on the NAS.

I use pwndrop (there might be others). I like it very much, but I don't share a lot of files.

Another option is to create a vDSM and dedicate it to sharing files only. If it's compromised, it'll be isolated from the main (DSM) instance.

Of course, whichever way you go, use a firewall (enable the DSM firewall at least, if a dedicated one is not available), to limit geographical access to the NAS.
 
You could use the Synology Drive platform via RP as well. This will open up your Drive service to the internet (on a custom port or 443, depending on how you want it), but it doesn't mean it will land on your main DSM page. If DSM runs on another custom http/https port that you do not have forwarded or configured via RP, nobody can land on it.

Also, as @WST16 suggested, use FW to even further close down access.
 
Hi,

Thanks for your reply! I just checked out the Drive platform and it seems like it could work. If I configure Synology Drive correctly, will I be able to provide clients file sharing links without having access to my entire Drive internet-facing? You said "this will open up your Drive service to the internet", but of course I do not want clients to have access to all the files on my NAS, only those which I wish to share.

Thank you!
-- post merged: --

Thanks for your reply! Unfortunately my client wants to share a lot of files with relative ease, so I'd prefer that they don't have to transfer to Docker or other like services. I'll check out the firewall configuration for sure.
 
Has Synology fixed it when accessing links from mobile devices? From the mobile web browser it used to [still does?] respond by saying to use their Drive app.

I just tested with an HTML file and then a folder, using Drive's public sharing links. The HTML file could be downloaded on both mobile and desktop browsers, but the folder was only browser-accessible from desktop... the mobile browser gives a button 'Open in Synology Drive'.

Worth testing to see if any limitations are deal-breakers.
 
Drive in the current beta version has modified mobile browser behavior. It shouldn't force you to a dedicated app anymore.
 
Hi,

I'm trying to configure this now and I have another question:

Right now I have the RP configured from an external link to the local IP of my NAS (and the port it runs on, i.e. http://nasip:nasport). If I want to open the Drive service to the internet instead of opening DSM, do I use port 6690 (the port used for file syncing by Synology Drive)? Connecting to http://nasip:6690 doesn't actually give me a valid site, so I'm a little confused as to how to connect to Drive with RP.

Thanks so much! :)
 
The Drive web site can be configured via RP; 6690 is only needed if you need Drive desktop client syncing. Yes, if you just want web access then you can leave 6690 alone.
 