Tutorial Synology Reverse Proxy under the hood

Code:
location /web/ {
proxy_pass https://xxx.xxx.xxx.xxx:xxx/web/;
}

I'm trying to create a main.headscale.conf or http.headscale.conf file with the given content, but when I run the command (nginx -t), I get an error:
Seems you missed out on this part:

  • /etc/nginx/conf.d/main.*.conf: can be used to configure high level blocks like http (=layer7 http/https based reverse proxy), stream (=layer4 TCP/UDP Port based reverse proxy) or mail. Create a new file matching the naming convention.
  • /etc/nginx/conf.d/http.*.conf: can be used to configure one or more server block(s) (which are implicitly included in a http block) to create configurations, which allow custom location and directives! Create a new file matching the naming convention.
I suggest using http.headscale.conf. Though you cannot just use a location block: you need to define a complete server block (like the one shown in the tutorial) and declare the location block inside it.
 
Seems you missed out on this part:

I suggest using http.headscale.conf. Though you cannot just use a location block: you need to define a complete server block (like the one shown in the tutorial) and declare the location block inside it.
Thanks for the advice. I did so. And now got the following error:

nginx: [warn] conflicting server name "headscale.xxx.xxx" on 0.0.0.0:443, ignored
nginx: [warn] conflicting server name "headscale.xxx.xxx" on [::]:443, ignored
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok

But now it works!

And about the parameters

include /usr/syno/etc/www/certificate/ReverseProxy_22c6813f-7583-xxxxxxxxxx/cert.conf*;

include /usr/syno/etc/security-profile/tls-profile/config/ReverseProxy_22c6813f-7583-xxxxxxxxxx.conf*;

Will they change after the certificate is reissued?

Although I tried Nginx Proxy Manager for verification and everything works fine there, I want to get it working correctly in the built-in reverse proxy. :)
 
Will they change after the certificate is reissued?
That's for you to find out :)

I used to know how the Syno handles Let's Encrypt certificate updates in general, but I honestly don't recall...

Generally, I would recommend using the Nginx Proxy Manager or Traefik instead of tinkering with the built-in reverse proxy. If done right, it should work just fine. Personally I use Traefik.
 
I have a problem with an iframe. I turned off these two options:
[attached screenshot]

and on my website I can open Synology Drive (later I just add my site to the allowed list), but when I try logging in I get two errors:
Code:
dsm.login-standalone.bundle.js?v=1683699872:2 
Blocked autofocusing on a <input> element in a cross-origin subframe.
and
Code:
Uncaught (in promise)

I'm trying to add a header to server.syno-app-portal.SynologyDrive.conf:
Code:
add_header Access-Control-Allow-Origin "https://example.com";

but it's not working. What am I doing wrong?
 
add_header Access-Control-Allow-Origin "https://example.com";
This is the header for the server response, if the expected origin is https://example.com.

What you need to set is the request header Origin with the value https://example.com

Though, I have no idea whether it's the solution to your problem. If not, someone else will need to pitch in. The tutorial is about the mechanics of how to add custom rules, but not about what rules need to look like, as that is highly application specific.
 
Hello! Thanks for the write-up. I would like to ask for assistance on how to modify the configuration.

I'm a n00b user and I try to stick to vanilla Synology solutions as much as I can, but I've run into a problem that requires me to modify
Code:
/etc/nginx/sites-enabled/server.ReverseProxy.conf
or migrate to NGINX Proxy Manager.

The problem: I need to expose calibre-web to sync with my KOBO ebook reader, and for it to work I am required to increase the proxy buffer size, which cannot be done from DSM, specifically this is what I need to include

Code:
proxy_busy_buffers_size   1024k;
proxy_buffers   4 512k;
proxy_buffer_size   1024k;

Option A. Include these settings in the ReverseProxy.conf. Is there a way to do this from the GUI...? I'm not comfortable with the CLI :-/ I tried using WinSCP and I found the file, but I was not able to modify it.

Option B. Move to NGINX Proxy Manager: I'm not confident enough to do so. I haven't seen an up-to-date guide on how to do it with docker-compose and I fear it will be a mess to map all of Synology's own services with NPM. Plus I see that it doesn't auto-renew certificates and that there is another tool for that, which is another layer of complexity for me.
 
Like the introduction text says: you need to be comfortable using the shell; if you aren't, I would not recommend following this approach.

If you want a UI to configure your reverse proxy rules, then option B is the way to go. The Syno UI just allows configuring a small subset of the nginx instructions, while Nginx Proxy Manager should support a wider range (probably all) of the instructions.

@Rusty made an excellent blog post about how to setup the Nginx Proxy Manager: NGINX proxy manager
 
Like the introduction text says: you need to be comfortable using the shell; if you aren't, I would not recommend following this approach.

If you want a UI to configure your reverse proxy rules, then option B is the way to go. The Syno UI just allows configuring a small subset of the nginx instructions, while Nginx Proxy Manager should support a wider range (probably all) of the instructions.

@Rusty made an excellent blog post about how to setup the Nginx Proxy Manager: NGINX proxy manager
Thank you for your feedback!

Is there a way to "migrate" my current config to the new system? or a "cheat sheet"/ template to map synology's default services to NPN?
 
Is there a way to "migrate" my current config to the new system?
NPM for example has no import option. On top of that, it uses a DB in the background, so no on-the-fly copy/paste would help. Also it names its reverse host configuration files in a specific order to match them with the DB entries. So if NPM is your end goal, I don't see any way to migrate other than to manually recreate them.
 
Hey!

Thanks a lot for the manual. I just wanted to make sure I'm doing this in a good way:

I'm using a reverse proxy to redirect a subdomain to my Nextcloud running in Docker. I wanted to make sure the .well-known redirects work fine, so I copied the entry from the conf file which my DSM created for my Nextcloud and then added these lines to it:
Code:
location ^~ /.well-known {
        # The rules in this block are an adaptation of the rules
        # in `.htaccess` that concern `/.well-known`.

        location = /.well-known/carddav { return 301 /remote.php/dav/; }
        location = /.well-known/caldav  { return 301 /remote.php/dav/; }

        location /.well-known/acme-challenge    { try_files $uri $uri/ =404; }
        location /.well-known/pki-validation    { try_files $uri $uri/ =404; }

        # Let Nextcloud's API for `/.well-known` URIs handle all other
        # requests by passing them to the front-end controller.
        return 301 /index.php$request_uri;
    }

Then I saved it as
Code:
/etc/nginx/sites-enabled/nextcloud.WellKnown.conf

When I reload nginx, it tells me:

Code:
nginx: [warn] conflicting server name "sub.domain.net" on 0.0.0.0:443, ignored
nginx: [warn] conflicting server name "sub.domain.net" on [::]:443, ignored
I think that's because I now have two "server" brackets with the same "server_name sub.domain.net", one in the original file created by DSM and one in the copied and expanded custom .conf file.

Is this the correct way to do it? Or how do I just append the ^~ /.well-known to my custom conf while still pointing it to server_name sub.domain.net?
 
I think that's because I now have two "server" brackets with the same "server_name sub.domain.net", one in the original file created by DSM and one in the copied and expanded custom .conf file.
This can't be right. Either you let the Syno create it and live with the restricted configuration, or you create the whole server block including your modifications manually.
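Added example (shell), not code from the tutorial, Synology or nginx: it serves both the earlier advice that a custom http.*.conf must contain a complete server block (listen, server_name, the certificate and TLS-profile includes, and the location blocks nested inside it) and this exchange about the "conflicting server name ... ignored" warnings. It writes two constructed config files into a scratch directory, a stand-in for the block DSM generates and a complete custom server block for the same name, then scans them for an (address, server_name) pair declared by more than one server block, which is the condition nginx -t warns about. The domain, the backend 127.0.0.1:8443, the proxy_set_header line and the ReverseProxy_PLACEHOLDER ids are assumptions (copy the real include lines from the DSM-generated block), and the brace-counting awk parser handles straightforward configs like these, not every nginx syntax.

```shell
#!/bin/sh
# Added example, not from the tutorial, Synology or nginx: two constructed
# config files plus a check for server blocks that claim the same listen
# address and server_name (what nginx -t reports as
# "conflicting server name ... ignored").

# A complete custom server block in an http.*.conf file: listen, server_name,
# the certificate/TLS includes, and the location blocks nested inside it.
# Assumptions: the domain, the backend 127.0.0.1:8443 and the
# ReverseProxy_PLACEHOLDER ids (use the real include lines from the
# DSM-generated block instead).
write_custom_conf() {
    cat > "$1/http.nextcloud.conf" <<'EOF'
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name sub.domain.net;

    include /usr/syno/etc/www/certificate/ReverseProxy_PLACEHOLDER/cert.conf*;
    include /usr/syno/etc/security-profile/tls-profile/config/ReverseProxy_PLACEHOLDER.conf*;

    location ^~ /.well-known {
        location = /.well-known/carddav { return 301 /remote.php/dav/; }
        location = /.well-known/caldav  { return 301 /remote.php/dav/; }
        return 301 /index.php$request_uri;
    }

    location / {
        proxy_pass https://127.0.0.1:8443/;
        proxy_set_header Host $host;
    }
}
EOF
}

# Constructed stand-in for the block DSM writes into server.ReverseProxy.conf
# for the same rule (same address and name, no custom locations).
write_dsm_conf() {
    cat > "$1/server.ReverseProxy.conf" <<'EOF'
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name sub.domain.net;
    location / { proxy_pass https://127.0.0.1:8443/; }
}
EOF
}

# Scan every *.conf in a directory; print each (address, server_name) pair
# declared by more than one server block and exit 1 if any was found.
# Braces are counted per line, so listen/server_name are only read at
# depth 1 (directly inside "server { }"), never inside nested locations.
find_conflicts() {
    awk '
    inside == 0 && /^[ \t]*server[ \t]*[{]/ { inside = 1; depth = 0; nl = 0; nn = 0 }
    inside == 1 && depth == 1 && /^[ \t]*listen[ \t]/ {
        v = $2; sub(/;$/, "", v)
        if (v !~ /:/) v = "0.0.0.0:" v          # nginx reports a bare port as 0.0.0.0:port
        listens[nl++] = v
    }
    inside == 1 && depth == 1 && /^[ \t]*server_name[ \t]/ {
        for (i = 2; i <= NF; i++) { v = $i; sub(/;$/, "", v); if (v != "") names[nn++] = v }
    }
    inside == 1 {
        depth += gsub(/[{]/, "{"); depth -= gsub(/[}]/, "}")
        if (depth == 0) {                       # block closed: remember its pairs
            for (l = 0; l < nl; l++)
                for (n = 0; n < nn; n++) {
                    key = listens[l] SUBSEP names[n]
                    seen[key]++; where[key] = where[key] " " FILENAME
                }
            inside = 0
        }
    }
    END {
        bad = 0
        for (key in seen) if (seen[key] > 1) {
            split(key, p, SUBSEP)
            printf "conflicting server name \"%s\" on %s in:%s\n", p[2], p[1], where[key]
            bad = 1
        }
        exit bad
    }' "$1"/*.conf
}

# Demonstration: with both files present the check reports the conflict.
demo_dir=$(mktemp -d)
write_dsm_conf "$demo_dir"
write_custom_conf "$demo_dir"
find_conflicts "$demo_dir" || echo "nginx would keep the first block and silently ignore the other"
rm -rf "$demo_dir"
```

The point of the check is the word "ignored" in the warning: nginx keeps whichever block it reads first and drops the later one, so a custom block that duplicates a DSM-generated one may contribute none of its .well-known rules, headers or TLS includes even though the site keeps answering. Running the scan against /etc/nginx/sites-enabled and /etc/nginx/conf.d (as root, since the certificate includes are not world-readable) before a reload tells you which file actually wins; the clean way out is the one given in the reply above, one server block per name, either DSM's or your own.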
 
This can't be right. Either you let the Syno create it and live with the restricted configuration, or you create the whole server block including your modifications manually.
I'm not sure if I misunderstand you or you me. Currently I have two files: the server.ReverseProxy.conf with a server bracket containing the default reverse proxy created from the DSM GUI, and a custom-created nextcloud.WellKnown.conf, which contains the same server bracket part from server.ReverseProxy.conf that is responsible for my Nextcloud, but with added lines for the .well-known part.

Is that right? Or is it better to remove the server bracket part from the server.ReverseProxy.conf which is for Nextcloud? Right now everything works, I just get the two warnings about the conflicting server name.
 
When I use the DSM to remove the rule, the associated SSL certificate also gets removed from the Security settings. I have now reverted it to having the server bracket twice; it doesn't seem to cause any conflict.
 
Interesting, the certificates are not created by the reverse proxy, they are just assigned to the server blocks in the server.ReverseProxy.conf. The certificates should exist independently of the reverse proxy rule. Of course, you would need to configure it in your custom config as well.
 
That's the strange thing: my custom conf did have the same path to the certificates as the server block in server.ReverseProxy.conf.

After deleting the ReverseProxy entry in the DSM, the paths were not correct anymore and the certificate was invalid.

I assume it has something to do with the correct assignment of the certificate to the service in the Security -> Certificate tab, where you can choose which certificate belongs to which service/application.

After deleting the ReverseProxy entry, the service/subdomain wasn't listed there anymore, so I think some other files are being edited by the GUI?
 
Ah right, they copy the certificate into the folder.

You should be able to identify the certificate using this script:
Code:
#!/bin/bash

# domain certificate is valid for
domain=subdomain.domain.com

# synology certificates folder
synology_certs=/usr/syno/etc/certificate/_archive

# certificate file names
privatekey=privkey.pem
cert=cert.pem
fullchain=fullchain.pem

for current_domain_cert in ${synology_certs}/*; do
    if [ -d ${current_domain_cert} ] && [ -f ${current_domain_cert}/${cert} ];then
        openssl x509 -in ${current_domain_cert}/${cert} -text | grep DNS:${domain} > /dev/null 2>&1
        domain_found=$?
        if [ "${domain_found}" = "0" ]; then
            echo "certificate paths:"
            echo "  privatekey: ${current_domain_cert}/${privatekey}"
            echo "  cert:       ${current_domain_cert}/${cert}"
            echo "  fullchain:  ${current_domain_cert}/${fullchain}"
            break
        fi
    fi
done
You need to replace the value of domain= with the domain you need the certificate for.

The path in synology_certs= might be wrong, and it might be one of its sibling folders. I can't test it, since it has been years since I exposed any web applications on the Syno and required certificates on it.

Furthermore, the script might require root privileges due to folder permissions.
 
