Synology NAS behind HAProxy

I have an OPNsense instance as my network router/firewall. For more security, on top of this, I have installed the HAProxy plugin to abstract web traffic for all of my backend web-instances.
One of those backend web-instances is my Synology NAS, serving a couple of webservices reachable from the internet (e.g. Synology Drive, Synology Photos, etc.).
Now with HAProxy running as the frontend, the Synology NAS can only "see" the HAProxy IP address which makes the Synology Geo-IP/Autoblocking function useless as it would never be able to block public IP addresses.
To solve this problem I have read about the HAProxy X-Forwarded-For header setting which forwards the original IP address trying to establish a connection. I have configured it like this in my HAProxy frontend:
Code:
# add X-FORWARDED-FOR
option forwardfor
# add X-CLIENT-IP
http-request add-header X-CLIENT-IP %[src]
HAProxy indeed accepts the syntax but still the Synology NAS only sees the IP address of the HAProxy instead of public IP addresses trying to connect to the NAS.
FYI: According to the official HAProxy documentation it should not matter if those forwarders are configured on the HAProxy's frontend or backend side.

Is anyone here with the same setup or with according knowledge who can help me out with this?
 
The common approach would be to check what the target application requires to be accessed through a reverse proxy. The documentation should indicate if it handles additional headers set by the reverse proxy, e.g. like X-Forwarded-For, X-Client-IP, X-Real-IP. Without documentation, you can merely guess which headers the target service supports and considers during processing of a request.
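Added example, not part of the original thread and not Synology's or HAProxy's code: a sketch of how a backend that does support X-Forwarded-For can safely derive the client address for block-list decisions when it sits behind a proxy using `option forwardfor`. The proxy address, `TRUSTED_PROXIES` and `client_ip` are assumptions made for illustration; it does not describe how DSM behaves.

```python
import ipaddress

# Assumption: LAN address of the HAProxy instance (constructed value).
TRUSTED_PROXIES = [ipaddress.ip_network("192.168.1.1/32")]


def _is_trusted(addr):
    # Membership test is False when IP versions differ, so mixed v4/v6 is safe.
    return any(addr in net for net in TRUSTED_PROXIES)


def client_ip(peer_ip, headers):
    """Return the address to use for auto-block / geo-IP decisions.

    peer_ip -- source address of the TCP connection as seen by the backend
    headers -- dict of header name -> list of values, in received order
               (names assumed already normalised to this spelling)
    """
    peer = ipaddress.ip_address(peer_ip)
    # Connection did not come through the proxy: the header is fully
    # client-controlled, so ignore it and use the socket address.
    if not _is_trusted(peer):
        return str(peer)

    # "option forwardfor" appends the connecting address as the last
    # X-Forwarded-For value. Anything before it was sent by the client
    # and may be forged, so walk the chain from right to left.
    hops = []
    for value in headers.get("X-Forwarded-For", []):
        hops.extend(part.strip() for part in value.split(","))

    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: stop trusting the rest of the chain
        if not _is_trusted(addr):
            return str(addr)  # first address not belonging to our proxy

    # No usable header: fall back to the proxy's own address.
    return str(peer)


if __name__ == "__main__":
    # Constructed request: client forged "10.0.0.5", HAProxy appended the real source.
    print(client_ip("192.168.1.1", {"X-Forwarded-For": ["10.0.0.5", "198.51.100.7"]}))
```
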
 
The XFF would normally be used by a web service to serve suitable geo-located content. Though it can be used to deny access to content.

I'm not looking at a NAS at the moment, which geo-IP feature are you referring to? There is the feature in the DSM firewall but this firewall works on packet source/destination IPs and not HTTP headers in packet payloads.
 
Is that OPNsense an appliance or a docker/vm implementation?
It's a VM running on ESXi.
-- post merged: --

The XFF would normally be used by a web service to serve suitable geo-located content. Though it can be used to deny access to content.

I'm not looking at a NAS at the moment, which geo-IP feature are you referring to? There is the feature in the DSM firewall but this firewall works on packet source/destination IPs and not HTTP headers in packet payloads.
Good point. I could indeed use the Geo-IP settings on the OPNsense layer. What I'm more interested in is Synology's automatic IP-blocking feature when the NAS registers a number of unsuccessful logins. Not sure if in the background it does just block it by creating an invisible firewall rule for blocked IPs. Does anyone know about that?
 
