REVERSE PROXY - QUESTIONS

I have multiple NAS devices on my LAN. Having read several posts on this forum, it would appear that setting up 'reverse proxy' would resolve the issue of connecting someone outside of my LAN to the correct NAS & folder on that NAS. I presently have a static IP address provided by my ISP.
The posters all indicate I will need an SSL certificate (Let's Encrypt is suggested) as well as a registered domain. I am relatively new to this so humor me please.
I know how to obtain the domain. Is it correct to assume any SSL certificate I presently have from Synology will not work with reverse proxy?
 
Can you just explain first what the end game is here? You don't necessarily need a reverse proxy if you just need access to your folders.

It can be used in that manner but only in case you are running a custom domain and maybe want to manipulate some ports.

So best to start with your wishes in plain words and people here will help out with suggestions depending on your needs.
 
Upvote 0
A Synology DDNS domain and SSL certificate will work, you just have the luxury of having the IP never change. Normally people use DDNS because their ISP IP address changes regularly, or at least unpredictably. But the DDNS mechanism is just an agent on a LAN device going out to the DDNS servers and saying "this is my current Internet IP, please use this", there's no more magic to it.

In the reverse proxy setup in Control Panel you assign a FQDN such as myothernas.domain.com, or myothername.mynas.synology.me. And then set the destination as the LAN IP of the other NAS. You just need to have the SSL certificate you assign to this reverse proxy rule (Control Panel -> Security -> Certificates) be created such that the list of alternative names includes the server name you used.
 
Upvote 0
Rusty,
End game........ I have multiple NAS devices on the LAN which serves a home/office. A tutorial on this forum suggested this was the way (reverse proxy) so that both NAS devices could be accessed from outside the LAN. If there is a better way, I am receptive to trying it.
NAS # 1 will serve the home on a VLAN segregated from the office portion of the LAN. Photos, media, etc will need to be accessed from outside the LAN.
NAS # 2 will serve the office on a VLAN segregated from the home portion of the LAN. This NAS will be accessed by multiple clients using a variety of Synology applications.
I also want to minimize the number of ports that I have opened to the internet.
 
Upvote 0
Well in that case, reverse is the way.
"Is it correct to assume any SSL certificate I presently have from Synology will not work with reverse proxy?"
@fredbert already answered this. The point is you just need to have a matching cert for your domain/services.
 
Upvote 0
Have performed more reading on the subject of reverse proxy. Of course this leads to more questions.
I have a static ip address from my ISP, for the purpose of this question I will say it's 70.63.111.222.
I have a registered domain name through GoDaddy; let's assume it's mynas.com.
I have an existing LAN setup with multiple VLANs to segregate the office (a business) from the home users.
I presently have a DS1621xs+ which will be the NAS for business, its internal address will be 192.168.1.10 (VLAN1).
I also have a DS918+ which will be the NAS for the home (photos, media, etc), its internal address will be 192.168.2.11 (VLAN2).
Both NAS devices will need to be accessed from outside the LAN.
The NAS for business will have discrete folders (read access, possibly write access) for clients. This NAS will also have discrete folders for employees (read/write) access.
Presently, if I key in 70.63.111.222 (actually I key in the real static ip address), it goes to the NAS device at 192.168.1.10 on port 5001. This was expected.
What I want to accomplish is to achieve something like clientname.client.mynas.com. Where clientname is a subfolder of the client directory on the NAS on VLAN1 192.168.1.10. On the other hand, if I want to get to Plex it would be something like Plex.mynas.com & it would go to the NAS on VLAN2 @ 192.168.2.11.
I did not see, or did not understand, from the reverse proxy tutorial how one might accomplish arriving at a subfolder within a specific directory. Is there a better way to achieve what I am trying to accomplish?
Please minimize the list of acronyms. I readily admit I am also struggling with what this actually means in real world syntax: "You just need to have the SSL certificate you assign to this reverse proxy rule (Control Panel -> Security -> Certificates) be created such that the list of alternative names includes the server name you used."
Thanks in advance for any suggestions/advice.
 
Upvote 0
Reverse proxy is not used to get you to subfolders. It is used to get you from the internet to individual servers or services.
You have two NAS's. For example purposes, let's call them home and business. On your LAN, let's say home is at 192.168.1.20, and business is at 192.168.1.30
You could set reverse proxy so that home.mynas.com is forwarded to 192.168.1.20:5000, and https://home.mynas.com is forwarded to 192.168.1.20:5001. And, business.mynas.com is forwarded to 192.168.1.30:5000 and https://business.mynas.com is forwarded to 192.168.1.30:5001. (Of course you can reset those ports to whatever you want, so long as you set the reverse proxy to match.)
Suppose on the home NAS, you have Plex listening at port 32400. You could forward https://plex.mynas.com to 192.168.1.20:32400.
Note that this means you no longer have to port forward on your router - the port forwarding is handled by the reverse proxy. In the router, the only forwarding you'd have to do is forwarding ports 80 and 443 to whichever machine the reverse proxy is running on.
When you create an SSL certificate, you can create it for www.mynas.com, and also for plex.mynas.com and home.mynas.com and business.mynas.com. In the "alternate names" field when you set up the certificate with Let's Encrypt (or whoever), you would just list all the subdomains you plan to use. And, you'll need to go into the DNS setup for your domain at your domain provider (which might or might not be the same as your ISP) and make sure you have a hostname set up for each of the host names you want to use (business, home, plex, etc.).
 
Upvote 0
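The alternative-names requirement from the post above, as an added example that is not part of the original thread: a Python check that every hostname used in a reverse proxy rule is covered by the certificate's alternative names. The rule table reuses the post's example hostnames and addresses; the three name lists are constructed, and the wildcard behaviour assumed is the usual one where `*` stands for exactly one leftmost label.

```python
# Added example. RULES mirrors the post's sample hosts; the SAN lists are constructed.

def san_matches(hostname: str, san: str) -> bool:
    """True if one DNS alternative name on the certificate covers hostname.

    A wildcard is honoured only as the whole leftmost label and stands
    for exactly one label, so *.mynas.com does not cover a.b.mynas.com.
    """
    host = hostname.lower().rstrip(".").split(".")
    name = san.lower().rstrip(".").split(".")
    if len(host) != len(name):
        return False
    if name[0] == "*":
        # Ignore over-broad wildcards such as "*.com".
        return len(name) > 2 and host[1:] == name[1:]
    return host == name


def uncovered_hosts(rules: dict, sans: list) -> list:
    """Hostnames in the reverse proxy rules that no alternative name covers."""
    return sorted(h for h in rules if not any(san_matches(h, s) for s in sans))


# Reverse proxy rules: public hostname -> LAN destination (values from the post).
RULES = {
    "home.mynas.com": "192.168.1.20:5001",
    "business.mynas.com": "192.168.1.30:5001",
    "plex.mynas.com": "192.168.1.20:32400",
}

# Constructed alternative-name lists for three possible certificates.
SANS_INCOMPLETE = ["www.mynas.com", "home.mynas.com", "business.mynas.com"]
SANS_EXPLICIT = SANS_INCOMPLETE + ["plex.mynas.com"]
SANS_WILDCARD = ["mynas.com", "*.mynas.com"]

if __name__ == "__main__":
    for label, sans in [("incomplete", SANS_INCOMPLETE),
                        ("explicit", SANS_EXPLICIT),
                        ("wildcard", SANS_WILDCARD)]:
        missing = uncovered_hosts(RULES, sans)
        print(f"{label}: {'all rules covered' if not missing else missing}")
    # A name two levels below the domain is not covered by *.mynas.com.
    print(san_matches("clientname.client.mynas.com", "*.mynas.com"))
```

A hostname reported as uncovered is one where browsers will show a certificate name mismatch until that name is added to the certificate assigned to the rule.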
ICBW, but the pure nginx package (non-Synology) permits one to land directly on a specific folder, through its advanced settings. Docker may be a solution here.
Understood, but, without meaning to be in any way insulting, for this particular poster who is declaring himself to be a noob, I think one step at a time is best - get reverse proxy understood/working, then docker, then nginx. He'll be a nerd like us in just a few more weeks.
 
Upvote 0
Thanks for the help.... I'm trying, please bear with me.
I realize once I get it set up, further changes will most likely be required. To the extent possible, I want to minimize these changes by trying to implement a 'good design' to begin with.
So much of what experienced users take for granted, I realize I don't even know that I don't know it.
Questions continue:
1. Is it logical to use the more powerful business NAS for the reverse proxy? I assume it (reverse proxy) is not installed on both NAS devices.
2. As indicated in my post........... each NAS is on a different VLAN. Using the information I provided it would look something like this
business.mynas.com is forwarded to 192.168.1.10:5000 and https://business.mynas.com is forwarded to 192.168.1.10:5001
home.mynas.com is forwarded to 192.168.2.11:5000 and https://home.mynas.com is forwarded to 192.168.2.11:5001
Please note the ip addresses above are the same as how the NAS devices are set up on the existing LAN
3. Assuming I have set up the reverse proxy correctly, the results of one specifying https://business.mynas.com should take them to the sign on screen of the business NAS. Is that a good assumption?
4. Would it then be correct to assume a user would only be able to see the folder one has permission to see based upon the criteria established for that user within the control panel? If that is true, they already only have permission to read/write on a shared folder on the NAS
Again, your help and patience is appreciated.
 
Upvote 0
Reverse proxy is installed on one device. Doesn't matter whether it's the more powerful, as reverse proxy is not very demanding. But it should be the one that's most reliably "up and running," since connecting to everything else from the outside world will depend on it.
Your assumption is good, provided that the NAS on VLAN#1 can find the NAS on VLAN#2.
Reverse proxy won't affect permissions a whit. So if a user has permission to see a folder when logging into the NAS without reverse proxy, they'll have the same permission when logging in with reverse proxy.
 
Upvote 0