Question Reverse Proxy to TCP/UDP over 443?


Hello everyone,

I'm using the built-in Synology Reverse Proxy quite frequently and it works without an issue for my subdomains.
Besides ports 80/443, I have two more ports open on my router for forwarding: one TCP for the Synology Drive syncing thingy, and one UDP for VPN.

Is it possible to reverse proxy TCP/UDP ports over 443 and a subdomain to these applications? The built-in Reverse Proxy only offers HTTP/HTTPS connections, so is there a Docker container or a package that I can use for that?
 

Rusty

Moderator
Is it possible to reverse proxy TCP/UDP ports over 443 and a subdomain to these applications?
If by this you mean to get something like https://subdomain.mydomain.net then yes, it works just fine.

Also, you can run a dedicated RP solution using the linuxserver/swag image or the official traefik image, for example.
 
Yeah, exactly this. It would be useful to only port forward ports 80/443 and nothing more. With Synology tools it's not possible, I think?

Then I will have a look at swag and Traefik for Docker!
 

Shadow

The built-in Reverse Proxy only offers HTTP/HTTPS connections, so is there a Docker container or a package that I can use for that?

What exactly are you trying to achieve?

A reverse proxy works on layer 7 of the OSI model, so that's why you only have HTTP/HTTPS connections. It sounds like you want to forward a lower-level protocol to another device/service? You can't use a reverse proxy server for that.
 
That was my question, yes.

I have, e.g., port 9999 (UDP) for my VPN server on the NAS. So I port forward port 9999 (UDP) from my router to the NAS, so that I can connect with domain.myds.me:9999.

The question is whether it's possible to go over 443 and reverse proxy it to UDP port 9999, so that I can connect with: vpn.domain.myds.me.
 

Rusty

Moderator
That was my question, yes.

I have, e.g., port 9999 (UDP) for my VPN server on the NAS. So I port forward port 9999 (UDP) from my router to the NAS, so that I can connect with domain.myds.me:9999.

The question is whether it's possible to go over 443 and reverse proxy it to UDP port 9999, so that I can connect with: vpn.domain.myds.me.
In that case, no you can't
 

Shadow

That was my question, yes.

I have, e.g., port 9999 (UDP) for my VPN server on the NAS. So I port forward port 9999 (UDP) from my router to the NAS, so that I can connect with domain.myds.me:9999.

The question is whether it's possible to go over 443 and reverse proxy it to UDP port 9999, so that I can connect with: vpn.domain.myds.me.

No. VPN works from layer 4 and is not HTTP/HTTPS traffic (as I explained earlier). If by coincidence you use OpenVPN, you could try some SSLH trickery (there are Docker images as well for this).
 
Okay, thanks for help!

Maybe there was a solution to not having to port forward any other ports than 80/443 anymore. :D
 
Actually this limitation has its origin in the Synology UI; nginx itself is perfectly capable of acting on layer 4.
While Traefik v1.x only supported layer 7 forwarding, v2.x additionally added TCP on layer 4 to the mix. Though, I recall that they had not implemented UDP support yet; maybe they did in the meantime.

Back to nginx. It can be configured to listen and forward/balance traffic on layer 4. For TLS-encapsulated traffic, SNI can be leveraged to fetch the target domain from the TLS handshake, which can be used to identify which packets need to be forwarded to which target host_or_ip:port (see: Nginx TCP forwarding based on hostname). For non-TLS-encapsulated traffic, this solution does NOT work. So TCP without SNI and UDP are limited to binding an incoming port and defining a target host_or_ip:port to forward to.

Someone else needs to pitch in regarding which file to add these changes to... I can only say it must be a config in /etc/nginx... I have no idea which files are generated by Syno's reverse proxy UI.

Update: seems like it's safe to create your own config in /etc/nginx/conf.d/http.*.conf or /etc/nginx/app.d/server.*.conf. Both are included at the bottom of /etc/nginx/nginx.conf and are outside of a configuration block. Looks like you can add your config (following the naming schema!) in either one of those folders.
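As an added example, not part of the thread and not Synology's own configuration, here is what the layer-4 setup described in the post above looks like as an nginx stream block. It demonstrates both halves of the post's point: SNI-based routing for traffic that starts with a TLS ClientHello, and a plain port-to-port relay for everything else (non-TLS TCP, and UDP). The hostnames, the loopback ports 8443, 6690 and 1194, and the claim that the Synology Drive client speaks standard TLS with SNI are assumptions for illustration; the thread does not establish any of them. Two caveats a practitioner will hit: a stream block must sit at the top level of nginx.conf, never inside http { }, so whichever of the two include directories the post names is used, check with nginx -t that the file is not pulled into the http block; and only one listener can own TCP 443 on the host, so DSM's existing HTTPS server would have to be re-bound to another port first (here assumed to be 127.0.0.1:8443).

```nginx
# Added example (not from the thread or from Synology). Top-level nginx
# stream block: TCP/UDP 443 becomes a layer-4 front door.
#
# Assumptions (placeholders, not verified on DSM):
#   - DSM's HTTPS reverse proxy has been re-bound to 127.0.0.1:8443,
#     because only one server can bind TCP 443 on the host;
#   - a TLS-speaking client (Synology Drive, assumed to send SNI) should
#     reach 127.0.0.1:6690;
#   - an OpenVPN server in TCP mode listens on 127.0.0.1:1194;
#   - the UDP VPN server from the thread stays on UDP 9999.
stream {
    # Log the routing decision, so a mis-routed client is visible.
    log_format l4 '$remote_addr [$time_local] $protocol '
                  'sni="$ssl_preread_server_name" tls="$ssl_preread_protocol" '
                  '-> $upstream_addr';
    access_log /var/log/nginx/stream.log l4;

    # Step 1: did the client open with a TLS ClientHello at all?
    # ssl_preread parses only that first, unencrypted record; nginx never
    # terminates TLS here, so it cannot see anything inside the session.
    # OpenVPN's TCP mode prefixes every packet with a 2-byte length, so it
    # does not look like TLS and lands in the "" branch. This is the
    # "VPN over TLS vs. TLS over VPN" distinction raised in the thread.
    map $ssl_preread_protocol $by_protocol {
        ""       127.0.0.1:1194;   # no ClientHello: treat as OpenVPN/TCP
        default  $by_sni;          # TLS: route on the SNI hostname
    }

    # Step 2: for TLS, pick the backend from the SNI hostname.
    # Hostnames and ports are placeholders.
    map $ssl_preread_server_name $by_sni {
        hostnames;
        drive.domain.myds.me   127.0.0.1:6690;   # assumed TLS+SNI client
        default                127.0.0.1:8443;   # everything else: HTTPS RP
    }

    server {
        listen 443;
        ssl_preread on;
        # A server-speaks-first protocol would sit here until the preread
        # timeout; keep it short so a mismatch fails fast and visibly.
        preread_timeout 5s;
        proxy_pass $by_protocol;
    }

    # UDP has no TLS handshake to read a hostname from, so the only option
    # nginx offers is a fixed port-to-port relay. Forwarding UDP 443 on the
    # router lets the client use domain.myds.me:443 instead of :9999; no
    # other process may bind UDP 443 on the NAS for this to work.
    server {
        listen 443 udp;
        proxy_pass 127.0.0.1:9999;
    }
}
```

To see exactly what ssl_preread sees, connect with openssl s_client -servername drive.domain.myds.me -connect nas:443 and again without -servername: the stream.log line shows the parsed SNI (or an empty one) and the backend nginx chose. A VPN client that does not produce a standard ClientHello as its first bytes will always show tls="" and take the non-TLS branch, which is the check Shadow suggests below before relying on SNI for a VPN.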
 

Shadow

@one-eyed-king's post is a 'holy s....' moment for me. I have 0 experience with nginx, but looks like I should try to find a nginx Docker image and play around with that. Cuz I wouldn't mind getting my NAS and my Synology VPN (runs on RT2600AC) both working on port 443.
 
VPN is a special case and you might want to start your exploration by checking if the VPN client actually supports SNI and if the server sends all packets through TLS and not just the control messages. And then there is the risk that the implementation does TLS over VPN and not the required VPN over TLS :oops:
 

fredbert

Moderator
Is it possible to reverse proxy TCP/UDP ports over 443 and a subdomain to these applications? The built-in Reverse-Proxy only offers HTTP/HTTPS-Connections, so is there a Docker Container or a Package that i can use for that?
Why? What is the problem you are trying to solve here. I can see a couple of reasons:
  1. that some client connections are being attempted from a location that restricts the permitted destination ports.
  2. the ISP restricts the ports that are open to the Internet.
In prior times it would be a basic port filter that would restrict access to services to destinations such as TCP on 80, 443, 8080 and 21, and UDP on 53 [maybe]. That's for reason 1, but reason 2 may be more open and allow mail services inbound. Often ISPs are a lot more open for their customers.

Now there may be further controls that add application awareness so that, for example, hijacking TCP 21 for an HTTPS server will no longer work from a corporate LAN to get back home.
 

Shadow

Why? What is the problem you are trying to solve here.

I have, e.g., port 9999 (UDP) for my VPN server on the NAS. So I port forward port 9999 (UDP) from my router to the NAS, so that I can connect with domain.myds.me:9999.

The question is whether it's possible to go over 443 and reverse proxy it to UDP port 9999, so that I can connect with: vpn.domain.myds.me.
...
 

fredbert

Moderator
That's not exactly what I meant by asking 'why?'. It says what the technical objective is but not what the problem is that this is the solution to. Maybe it's better to ask if it's the right solution to the unspecified problem ... maybe say what the original problem is and a better solution could be found?
 
