Reverse proxy setup for intranet

[SynFan]

Hi,

I have Synology Router and NAS setup on the same VLAN. I am self-hosting bunch of containers (around 16) on NAS and would like to setup reverse-proxy so that I can access intranet website without the http://local-id:port.

I have purchased a gTLD on Cloudfare and tried to follow the steps mentioned here

However, I am stuck at setting up webroot and the next steps seem vague for my skill level. I can build/run docker containers but my knowledge in networking concepts is not great. Can any kind soul translate these instructions so that I can set up the reverse proxy

I have found another blog that tries to setup reverse-proxy (with internet access which I am not looking for) using Traefik. The guide is available here

PS: If you have any other material that I can follow through, that will be helpful as well

Thanks

 

[Telos]

For intra-LAN connectivity, why not just use NAS_IP:Container_Port?

I access 90% of my containers like that (others are accessed via internet).

 

[SynFan]

Right now, I use NAS_IP:Container_Port and it works. I am looking to setup reverse-proxy to make it easy to type in the address rather than having to remember the port. It is more of a convenience

 

[Telos]

to make it easy to type in the address rather than having to remember the por

Yea... I get that. So I made browser shortcuts for my containers... No more typing

 

[Rusty]

Right now, I use NAS_IP:Container_Port and it works. I am looking to setup reverse-proxy to make it easy to type in the address rather than having to remember the port. It is more of a convenience

Why not then setup a local DNS server and zone for your "internal" domain name and be done with it? Set up upstream servers for any requests going towards the internet, and all the local hosts for all your internal containers, no reverse needed.

The official KB article on DNS can explain how to do it, and there are already several DNS threads on the forum explaining this. Most are from @fredbert.

 

[fredbert]

One such post...

https://www.synoforum.com/threads/remote-connection-over-vpn-does-not-work.6406/post-30920

One change since then:

After Zones you'll want to setup Resolution. I use Forward First and have OpenDNS as primary and Cloudflare as secondary.

I now use Forward Only and Cloudflare's 1.1.1.1 and 1.0.0.1 as primary and secondary.

 

[SynFan]

Hi. I will definitely look into this. Can this work with DoH setup like Adguard or NextDNS. I have currently enabled DoH on the Synology router.

Thanks @fredbert for your article. I am reading through it and will try to setup following your instructions. Once again, thanks for the sharing your knowledge and pointing me an easy solution

 

[fredbert]

Not quite sure what you mean about working with DOH. There is Safe Access and in SRM 1.3 there is somewhere a setting to stop LAN requests to DOH servers, while SRM itself can use DOH servers. Have a look at SRM’s built in help.

I don’t want LAN devices to use DOH and bypass Safe Access, so this works well for me.

 

[SynFan]

I am inclined to use Dns-Over-Https (DOH) to block ads on my devices. I looked into the tutorial and it seems like I have have to type in the port number while setting it up? Is that correct ?

 

[fredbert]

Not sure how DOH in and of itself stops adverts, it’s a transport to a server that’s still doing resolution for the requests it receives. It’s the decision process that the server employs by way of filters and intelligence that could result in some requests not resolving to the actual destination: this can be used to apply control to accessing certain destinations, such as categorisation of some destinations being undesirable, or thought to be compromised or malicious.

DOH uses HTTPS to hide the requests from being readable by the network infrastructure that lies between the client and DNS server. It used to be easy to force users to use approved DNS servers (usually done in business environments) by implementing firewall rules that restricted access to TCP and UDP ports 53. By using DOH this is harder as the client is using the HTTPS port 443, this then allows users to bypass access controls that block access to undesirable content but more importantly protect form accessing malicious content.