Tutorial Synology Reverse Proxy under the hood

[robotnik]

seems to be - your nginx is broken more than I can expect

create the link again
and restart the nginx

Since the nginx -t fails, can I just restart my nginx, wouldn't it fail?

 

[Rusty]

Still, I am mostly wondering what would happen, if I just reboot the NAS .... would it recreate the conf.d directory?
And how could it disappear in the first place?

Using custom reverse host settings you should be using this location

usr/local/etc/nginx/sites-enabled

it will survive reboot and nginx resets. Still I think it will not work under dsm7 (haven’t tested) so give it a go.

Also, any custom-defined hosts inside files in that location will not be visible via RP Ui

 

[one-eyed-king]

UT: DSM shot me a message saying that it cannot start, but works (of course, as long as nginx is running). I checked with sudo nginx -t and this it what I get:

nginx: [emerg] open() "/etc/nginx/conf.d/main.conf" failed (2: No such file or directory) in /etc/nginx/nginx.conf:7
nginx: configuration file /etc/nginx/nginx.conf test failed

Oh damn....Well, try not restarting my server I guess!

Since I have no proxy rules in the UI, I don't have an example for the structure of /etc/nginx/app.d/server.ReverseProxy.conf. I am unclear wether it only contains a server block and its child elements or contains different blocks. The directives server_name and listen_port must be unique accross all the server blocks.

Though, the more important concern is what made the symlink "/etc/nginx/conf.d -> /usr/local/etc/nginx/conf.d" disappear?! The reverse proxy in the UI should not interfere with content in this folder.

nginx: [emerg] cannot load certificate "/usr/syno/etc/certificate/ReverseProxy/3396f71a-c599-4f14-a1e5-f27ba0f76b88/fullchain.pem": BIO_new_file() failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/usr/syno/etc/certificate/ReverseProxy/3396f71a-c599-4f14-a1e5-f27ba0f76b88/fullchain.pem','r') error:2006D080:BIO routines:BIO_new_file:no such file) nginx: configuration file /etc/nginx/nginx.conf test failed

This error message indicates that you did remove the reverse proxy configuration for the block you copied over to the /etc/nginx/conf.d folder. Since the path is specific for a reverse proy configuration done by the ui, it will be removed with the rp-entry the ui.

The certificates are stored underneath the folder /usr/syno/etc/certificate/_archive.
A command like this should help to find in which path the correct certificate is:

find /usr/syno/etc/certificate/_archive/ -type f -exec bash -c 'openssl x509 -in {} -text -noout 2>/dev/null | grep -E "DNS:.*" && echo {}  ' \;

Of course you will need to replace the certificate path with the paths in whatever subfoler of /usr/syno/etc/certificate/_archive/ the files for the certifcaete of the domain are stored.

 

[robotnik]

Since I have no proxy rules in the UI, I don't have an example for the structure of /etc/nginx/app.d/server.ReverseProxy.conf. I am unclear wether it only contains a server block and its child elements or contains different blocks. The directives server_name and listen_port must be unique accross all the server blocks.

Though, the more important concern is what made the symlink "/etc/nginx/conf.d -> /usr/local/etc/nginx/conf.d" disappear?! The reverse proxy in the UI should not interfere with content in this folder.

This error message indicates that you did remove the reverse proxy configuration for the block you copied over to the /etc/nginx/conf.d folder. Since the path is specific for a reverse proy configuration done by the ui, it will be removed with the rp-entry the ui.

The certificates are stored underneath the folder /usr/syno/etc/certificate/_archive.
A command like this should help to find in which path the correct certificate is:

find /usr/syno/etc/certificate/_archive/ -type f -exec bash -c 'openssl x509 -in {} -text -noout 2>/dev/null | grep -E "DNS:.*" && echo {}  ' \;

Of course you will need to replace the certificate path with the paths in whatever subfoler of /usr/syno/etc/certificate/_archive/ the files for the certifcaete of the domain are stored.

Wow, thanks to all of you, especially @one-eyed-king I solved the problem.
Like you said, it was pretty basic, I just didn't know about the workings of Synologys RP Certificates!
As soon as I found the certs with the help of your command @one-eyed-king I could retest nginx config without problems and restart the services (yesterday evening, all of our small-company services went offline, including websites and so on...probably because at some point, the nginx tried to reload the certs...). Just updated the correct paths in http.*.conf with the _archive paths and reloaded, now all is good!

Still, I am really wondering what would happen if I reenter the UI RP Config and change something there, if the symlink of conf.d will be gone again....

Anyways, I guess I will be configuring all my RPs with @Rusty s NGINX RP config container, once I get the hang of it! I guess I could use it for all the DSM services that I have running on seperate ports as well, just need to pass all these ports to the docker container, right? Would it be possible to use it in docker with "host" Network instead of bridge as well?

EDIT: So I found out, that somehow the reason for the symlink to disappear was, that I put the wrong certificate paths into the http.*.conf --> as soon as I changed it to the right ones (in _archive) and did another RP config, all went well from start to end; symlink to conf.d stayed.
Thanks again @one-eyed-king and @jeyare ... I learned a lot!!

 

[one-eyed-king]

Welcome!

I am glad the conf.d removal mystery is solved. That one was indeed very odd

Appart of that, on long term everyone that requires more advanced configurations should favor the nginx proxy manager, as it provides a clean and isolated ruleset swithout affecting the syno-rp at all.

 

[jeyare]

Appart of that, on long term everyone that requires more advanced configurations should favor the nginx proxy manager, as it provides a clean and isolated ruleset swithout affecting the syno-rp at all.

and you will get independence from Syno support

 

[Telos]

and you will get independence from Syno support

I can do that with an HDD...

Me: My NAS' LAN bandwidth seems quite low.
Synology Support: You have unverified HDD. Goodbye.

 

[robotnik]

Hey friends, I have another question.
The whole http.conf works perfectly and runs, since I will do High Availability with another 918+ soon, but that one is upgraded to DSM 7.0, I will need to update my main machine as well.
So, before starting another big problem, I am wondering if it usually works fine to upgrade with custom http.DOMAIN.conf files in the conf.d folder. Did anyone try?

 

[oliroe]

Hi

I wondered if anyone could help me. My site has been flagged as deceptive by google and I think it could be related to missing headers. I'm using the built in reverse proxy and have followed this post Synology Community

but the test still fails. Don't suppose anyone can tell me where I'm going wrong?

 

[one-eyed-king]

Thank you for providing a pointer to Analyse your HTTP response headers. I was not aware of this site. According SSL Server Test (Powered by Qualys SSL Labs) your setup already has an A+ ranking.

It appears to me that the post from the syno community wants you to edit files maintained (created/modified) by the reverse proxy configuration. As any change to this file would be lost when the rule is update from the ui, I strongly recommend using the "customer header" function (accessed from where the reverse proxy rule is configured) to add the headers permanently instead.

You can add all headers as written in the post, except Expect-CT, Feature-Policy and Content-Security-Policy, which require individual values per target application! There is no safe default that is guaranteed to work with every target application.

Make sure to only set the header name, and it's value. e.g. add_header X-Frame-Options DENY; becomes Header Name: X-Framge-Options and it's Value: DENY.

Note: each time you click "create" in the "custom header" dialog, a new line will be added, but you have to click manually into the fields. I feel this is not quite obvious.

Update:
Feature-Policy is outdated and replaced by Permissions-Policy.

Here are good default values for Permissions-Policy and Expect-CT:

Permissions-Policy: geolocation=(), microphone=(), camera=(), usb=(), vr=()
Expect-CT: enforce, max-age=21600

This will disallow the listed items in Permissions-Policy and set the Expect-CT header to 6hrs.

The Content-Security-Policy remains highly application specific. You can start off with a setting like this:

default-src 'none'; base-uri 'self'; manifest-src 'self' data:; img-src 'self' data:; font-src 'self' data:; style-src 'self'; script-src 'self'; connect-src 'self'; form-action 'self'

And check your browser's development tools for errors in the console. The errors should also indicate what needs to be added to which item to prevent the error, but it might have a negative impact on the score.

 

[oliroe]

Really appreciate you taking the time to respond to my question

I'll try it with a couple of them, think I'll probably have to reboot nginx or the NAS as a whole. I'll let you know how I get on

 

[one-eyed-king]

There is no need to reboot the NAS. Make sure there are no typos in the header names, for instance X-Framge-Options doesn't look right.

 

[jeyare]

@oliroe
please edit your screenshot "Scan your site now" and try to hide your IP address. It will be better for the quality of your sleep.
enjoy time here

 

[oliroe]

@oliroe
please edit your screenshot "Scan your site now" and try to hide your IP address. It will be better for the quality of your sleep.
enjoy time here

Fair point, replaced the image

Sadly this didn't work, i still get the same output from the site.
I was going to try NPM but it looks too painful to force the Synology to stop using 80/443

 

[Telos]

it looks too painful to force the Synology to stop using 80/443

I don't force anything. I forwarded those ports to my NAS without complaint.

 

[oliroe]

Hmmm, I've scoured hundreds of pages and I can't find a single post that relates to custom headers for anything other than websocket. Does anyone know whether it actually works?

 

[one-eyed-king]

Get in the terminal and see for yourself. On DSM7, open a terminal, become root and execute cat /etc/nginx/sites-enabled/server.ReverseProxy.conf.

Apparently the custom headers configured in the UI are proxy_set_header, which should be the correct way of setting headers For reverse proxy connections. Adding Permissions-Policy: geolocation=(), microphone=(), camera=(), usb=(), vr=() as a custom header results in this setting inside the location block:

        proxy_set_header        Permissions-Policy            geolocation=(),\ microphone=(),\ camera=(),\ usb=(),\ vr=();

You can use your browser developer tools to check the request and response header.

Update: appearently this sets only request headers for the forwarded request, but does not set them to the reponse. But you want them in the response, as the browser is the actor that should deny action based on it (see: The difference between add_header and proxy_set_header in Nginx - Krybot)

So my idea with custom headers was a red herring. Sorry for that.

Thus, I would recommend to either follow the suggestion of the tutorial and add your own custom server block with all bells and whistles, or migrate to nginx proxy manager. I would not recommend to tinker with the auto generated files, as your change will eventually be overwritten.

 

[Zloi78]

one-eyed-king submitted a new resource:

Synology Reverse Proxy under the hood - Fed up with the limitation of the Synology reverse proxy?



Read more about this resource...

Good day.

Thanks for the detailed instructions.

I created a new "headscale" reverse-proxy rule for the headscale and headscale-ui containers. For normal operation of headscale-ui, need to add the following lines:

location /web/ {
proxy_pass https://xxx.xxx.xxx.xxx:xxx/web/;
}

I'm trying to create a main.headscale.conf or http.headscale.conf file with the given content, but when I run the command (nginx -t), I get an error:

nginx: [emerg] "location" directive is not allowed here in /etc/nginx/conf.d/main.headscale.conf:1
nginx: configuration file /etc/nginx/nginx.conf test failed

What am I doing wrong?

 

[Micky]

Sorry for my ignorance, simple question, though: does setting up a reverse proxy in DSM mean, I can use hostnames to access e.g. docker containers in LAN without using IP addresses and ports?

Or is this solely for external access to LAN?

 

[Rusty]

Sorry for my ignorance, simple question, though: does setting up a reverse proxy in DSM mean, I can use hostnames to access e.g. docker containers in LAN without using IP addresses and ports?

Or is this solely for external access to LAN?

If the router supports NAT loopback, it will work.