Question Reverse Proxy to TCP/UDP over 443?

Hello everyone,

I'm using the built-in Synology Reverse Proxy quite frequently and it works without an issue for my subdomains.
Besides ports 80/443, I have two more ports open on my router for forwarding: one TCP for the Synology Drive syncing-thingy, and one UDP for VPN.

Is it possible to reverse proxy TCP/UDP ports over 443 and a subdomain to these applications? The built-in Reverse-Proxy only offers HTTP/HTTPS-Connections, so is there a Docker Container or a Package that I can use for that?
 
Is it possible to reverse proxy TCP/UDP ports over 443 and a subdomain to these applications?
If by this you mean to get something like https://subdomain.mydomain.net then yes, it works just fine.

Also, you can run a dedicated RP solution using the linuxserver/swag image or the official traefik image, for example.
 
Yeah, right, this. It would be useful to only port-forward ports 80/443 and nothing more. With Synology tools it's not possible, I think?

Then I will have a look at swag and traefik for Docker!
 
The built-in Reverse-Proxy only offers HTTP/HTTPS-Connections, so is there a Docker Container or a Package that I can use for that?

What exactly are you trying to achieve?

Reverse Proxy works on level 7 of the OSI layer, so that's why you only have HTTP/HTTPS connections. It sounds like you want to forward a protocol on a lower level to another device/service? You can't use a reverse proxy server for that.
 
That was my question, yes.

I have, e.g., port 9999 (UDP) for my VPN server on the NAS. So I port-forward port 9999 (UDP) from my router to the NAS, so that I can connect with domain.myds.me:9999

The question is, if it's possible, to go over 443 and reverse proxy it to the UDP Port 9999. So that i can connect with: vpn.domain.myds.me.
 
That was my question, yes.

I have, e.g., port 9999 (UDP) for my VPN server on the NAS. So I port-forward port 9999 (UDP) from my router to the NAS, so that I can connect with domain.myds.me:9999

The question is, if it's possible, to go over 443 and reverse proxy it to the UDP Port 9999. So that i can connect with: vpn.domain.myds.me.
In that case, no, you can't.
 
That was my question, yes.

I have, e.g., port 9999 (UDP) for my VPN server on the NAS. So I port-forward port 9999 (UDP) from my router to the NAS, so that I can connect with domain.myds.me:9999

The question is, if it's possible, to go over 443 and reverse proxy it to the UDP Port 9999. So that i can connect with: vpn.domain.myds.me.

No. VPN works from layer 4 and is not HTTP/HTTPS traffic (as I explained earlier). If by coincidence you use OpenVPN, you could try some SSLH trickery (there are Docker images as well for this).
 
Okay, thanks for the help!

Maybe there was a solution to not having to port-forward any other ports than 80/443 anymore. :D
 
Actually, this limitation has its origin in the Synology UI - nginx itself is perfectly capable of acting on layer 4.
While Traefik v1.x only supported layer 7 forwarding, v2.x additionally added TCP on layer 4 to the mix. Though, I recall that they did not implement UDP support yet - maybe they did in the meantime.

Back to nginx. It can be configured to listen and forward/balance traffic on layer 4. For TLS-encapsulated traffic, SNI can be leveraged to fetch the target domain from the TLS handshake, which can be used to identify which packets need to be forwarded to which target host_or_ip:port (see: Nginx TCP forwarding based on hostname). For non-TLS-encapsulated traffic, this solution does NOT work. So TCP without SNI and UDP are limited to binding an incoming port and defining a target host_or_ip:port to forward to.

Someone else needs to pitch in regarding which file to add these changes to... I can only say it must be a config in etc/nginx... I have no idea which files are generated by Syno's reverse proxy UI.

Update: seems like it's safe to create your own config in /etc/nginx/conf.d/http.*.conf or /etc/nginx/app.d/server.*.conf. Both are included at the bottom of /etc/nginx/nginx.conf and are outside of a configuration block. Looks like you can add your config (following the naming schema!) in either one of those folders.
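
The layer 4 forwarding described in the post above, sketched as an nginx `stream` configuration. This is an added example, not part of the original thread and not Synology's generated configuration; the hostname, backend addresses and port 8443 are constructed placeholders, and only UDP port 9999 comes from the thread.

```nginx
# Added example; hostnames, addresses and ports other than UDP 9999 are
# constructed placeholders. Requires nginx built with the stream and
# stream_ssl_preread modules. The stream block belongs in the main context,
# next to http {}, never inside it.
stream {
    # Choose a backend from the SNI name in the TLS ClientHello.
    # nginx only peeks at the handshake here; it does not terminate TLS,
    # so the backend still presents its own certificate.
    map $ssl_preread_server_name $tls_backend {
        tcpapp.example.net  192.0.2.10:6000;   # hypothetical TLS-wrapped TCP service
        default             127.0.0.1:8443;    # HTTPS reverse proxy, moved off 443
    }

    server {
        listen 443;               # one listener owns 443; http {} vhosts move to 8443
        ssl_preread on;           # populate $ssl_preread_server_name
        proxy_pass $tls_backend;
        proxy_connect_timeout 5s;
    }

    # UDP (and TCP without SNI) carries no hostname to route on:
    # one listening port maps to exactly one fixed target, so this
    # port still has to be forwarded on the router.
    server {
        listen 9999 udp;
        proxy_pass 192.0.2.10:9999;
    }
}
```

Connections that send no SNI, or a name missing from the map, fall through to `default`. Backends see the proxy's address as the connection source unless PROXY protocol or transparent proxying is configured, which affects IP-based blocking and log analysis.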
 
VPN is a special case and you might want to start your exploration by checking if the VPN client actually supports SNI and if the server sends all packages through TLS and not just the controlling messages. And then there is the risk that the implementation does TLS over VPN and not the required VPN over TLS :oops:
 
Is it possible to reverse proxy TCP/UDP ports over 443 and a subdomain to these applications? The built-in Reverse-Proxy only offers HTTP/HTTPS-Connections, so is there a Docker Container or a Package that I can use for that?
Why? What is the problem you are trying to solve here? I can see a couple of reasons:
  1. that some client connections are being attempted from a location that restricts the permitted destination ports.
  2. the ISP restricts the ports that are open to the Internet.
In prior times it would be a basic port filter that would restrict access to services to destinations such as TCP on 80,443, 8080, and 21 and UDP on 53 [maybe]. That's for reason 1 but reason 2 may be more open and allow mail services inbound. Often ISPs are a lot more open for their customers.

Now there may be further controls that add application awareness so that, for example, hijacking TCP 21 for an HTTPS server will no longer work from a corporate LAN to get back home.
 
Why? What is the problem you are trying to solve here.

I have, e.g., port 9999 (UDP) for my VPN server on the NAS. So I port-forward port 9999 (UDP) from my router to the NAS, so that I can connect with domain.myds.me:9999

The question is, if it's possible, to go over 443 and reverse proxy it to the UDP Port 9999. So that i can connect with: vpn.domain.myds.me.
...
 
That's not exactly what I meant by asking 'why?'. It says what the technical objective is but not whatever the problem is where this is the solution. Maybe it's better to ask if it's the right solution to the unspecified problem ... maybe say what the original problem is and a better solution could be found?
 
