Synology Reverse Proxy

Tutorial Synology Reverse Proxy


NAS Newbie

Subscriber
446
91
NAS
DS220+, DS918+, RS1219+
Operating system
  1. Windows
Mobile operating system
  1. Android
So I went through and created the reverse proxy using bitwarden.myname.synology.me as best as I understood it, and then tried to go and get an LE cert for it and got this error. What did I do wrong? Do I have to register the bitwarden.myname.synology.me domain somewhere, or is loading into the reverse proxy what does the registering?

[Attachment 158]

Also, see the 2nd screenshot for how I have my reverse proxy set up. Please confirm that I am using the ports and hostname of the Source & Destination correctly. In @Rusty's bitwarden tutorial, he mentioned setting up two of the ports as 1024 & 1025. In the interest of continuity with his tutorial, let's assume I'm using the same ports. Am I supposed to use 1025 as the Destination port?

[Attachment 159]
 

Rusty

Moderator
NAS Support
3,416
1,014
www.blackvoid.club
NAS
DS718+, DS918+, 2x RS3614RPxs+
Router
  1. RT1900ac
  2. RT2600ac
  3. MR2200ac
Operating system
  1. macOS
Mobile operating system
  1. iOS
Second screenshot looks good but there will be no way you can get a cert like that via the built-in LE wizard.

As I said, you will have to get a new cert via LE that you already have but with the SAN field populated with the alternate domain and subdomains that you want. Getting a new cert just for one app in this domain name format is not worth it and on top of that it will not work (wizard won’t let you issue one).
 

NAS Newbie

Ah. I misunderstood you before. I think I understand now, but it still isn't working. I fill out the LE template as shown below and it still tells me that it cannot connect. I don't understand why it thinks my domain name is invalid as it worked for the original LE cert. I even tried going back and replacing the original LE cert (instead of just adding a new one) and it wouldn't work that way either. Is it because I'm using the same email for both certs? I feel like maybe I'm still not understanding what you were getting at.

[Attachment 160]
 

Rusty

That format is correct but if your cert is currently active then you will not be able to renew it/issue a new one. If that is not the case then be sure that port 80 is open on your router to allow LE to do its thing.

To get more details on the error, check the /var/log/messages file via SSH on your NAS.
 

NAS Newbie

I'm not familiar with ssh.

I tried renewing the existing cert, and it popped up a window reminding me to make sure port 80 was enabled, and then when I hit continue, it proceeded to update the cert without issue, so I believe the port is open. I also scanned port 80 using whatmyip.org and it says it is open.

It will not let me delete the existing cert, even though I have configured all processes to be using the synology.com self-signed cert instead for the time being. The existing cert is also the default cert, and I cannot find any menu that lets me remove that default, and the "delete" option is greyed out and not available for the existing cert. How can I add a new cert if it won't let me remove the old one? Also, in the "create certificate" template, it allows you to choose to replace an existing cert, which is what I've tried doing. Why doesn't this work?

[Attachment 162]
 

Rusty

1st off, be sure that the cert you are removing is not being used by any app/service. If port 80 is open then the problem is not with that, but that only means that you can't get a "new" cert for your same domain if LE has your current one registered as issued and valid. You will have to either get a new cert for a new name or wait until the one you have is no longer valid and then reissue a new one under the same name (with SAN values).

> I'm not familiar with ssh.

Might be useful to start getting familiar if you want to troubleshoot on your own or get help from others. There will be situations where pop-up messages will not be enough.
 

NAS Newbie

So I was looking to see if there was anything on LE support about how to cancel an LE cert to obtain a new one and came across this: Wildcard Certificates Coming January 2018 - Let's Encrypt - Free SSL/TLS Certificates. I know you've said before that wildcard certs wouldn't work with a synology.me domain. Is this because the synology domain doesn't support them or because there is some issue with the LE wildcard? Meaning, is it synology's fault or LE's fault that wildcard certs don't work on an LE domain?
 

Rusty

Synology still hasn’t updated their end to issue wild card LE certs. On the other hand you can’t yet use a 3rd party LE method to get a valid synology.me wild card cert.

Atm your options are:
a) synology non wild card cert with SAN values
b) custom domain name with a functional LE wild card cert
 

jeyare

Subscriber
1,876
623
@Rusty:
1. I deleted one of the reverse proxy rules, prepared for host name: sub.domain.com
2. Then I created a new rule with the same hostname: sub.domain.com ... but with a different setup of the rest of the parameters
Result:
DSM is not able to create the new rule and notified me:
"The domain name is already used. Please use another name."

Checkpoint:
There isn't a rule in the rule list with this domain name. 100% sure

Result no. 2:
Do I need more coffee or does the DSM need a hammer? :)
Thx for the help
 

Rusty

Should work without any problem. So you needed to edit the existing setting and instead you deleted it and created a new one with different source parameters.

My guess is that nginx just needs a quick reset and you will be back in business. Look for an ssh command line and reset it that way unless you wanna reset the entire box.
 

jeyare

Strange:
In /etc/nginx/app.d, with sudo vi server.ReverseProxy.conf, I can see my reverse proxies listed correctly, as in the GUI,
then the "deleted" entry with the "already used domain name" is hooked somewhere.

sudo synoservicecfg --restart nginx
doesn't work.
Any idea?
 

Rusty

> done, entire box restarted, now the new rule is accepted :cool:

Hmm, nginx reset should’ve sorted it... never had a problem before in the same situation.
 

fredbert

Moderator
NAS Support
Subscriber
2,158
871
NAS
DS1520+, DS218+, DS215j
Router
  1. RT2600ac
  2. MR2200ac
Operating system
  1. macOS
Mobile operating system
  1. iOS
Not logged in to DSM at the moment so can't check this ... does RP use a Save/Apply for all rules to make any changes active? Or are updates activated as soon as the edit/create window is closed?

If it's the latter then you may have to apply the changes that deleted the old RP rule before then creating the new RP rule that re-used some of the settings.
 

Telos

Subscriber
1,432
491
NAS
DS418play, DS213j, DS3622+, DSM 7.1.4-11091
So a really ignorant question here... Let's say my DDNS is hope.synology.me for which I have an LE cert. Presently I have an RP set up for BitWarden and it works fine. I digress now...

I've noticed that I can access my web login page using "beer.hope.synology.me". Does that mean I could create an RP for "beer.hope.synology.me" for a specific app/package or port?

And can I create a wildcard LE cert for "*.hope.synology.me"?
 

Rusty

> Does that mean I could create an RP for "beer.hope.synology.me" for a specific app/package or port?

It does but it has to be covered by your cert.

> And can I create a wildcard LE cert for "*.hope.synology.me"?

No, you can't, because Syno does not support it and using their domain to create a wild card cert for a subdomain you have (hope.synology.me) is not possible.

> I've noticed that I can access my web login page using "beer.hope.synology.me"

Saying all that above, I'm still interested in how this is working for you. Have you entered beer as an alias somewhere?
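
An added example, not part of the original posts: a small Python check of which reverse proxy hostnames a certificate's SAN entries cover, using the single-label wildcard matching that TLS clients apply. The SAN lists and the bitwarden.hope.synology.me name are constructed from the names used in this thread.

```python
# Added example: which reverse-proxy hostnames does a certificate cover?
# All SAN lists and hostnames below are constructed sample data.

def name_matches(pattern: str, hostname: str) -> bool:
    """Return True if one certificate DNS name covers `hostname`."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False  # a wildcard stands for exactly one label, never several
    if p_labels[0] == "*":
        # Wildcard accepted only as the complete left-most label.
        return (len(p_labels) > 2 and h_labels[0] != ""
                and p_labels[1:] == h_labels[1:])
    if "*" in pattern:
        return False  # partial or non-left-most wildcards are rejected
    return p_labels == h_labels

def covered_by(san_dns_names, hostname):
    """Return the SAN entries that cover `hostname` (empty list = cert warning)."""
    return [n for n in san_dns_names if name_matches(n, hostname)]

def audit(san_dns_names, proxy_hostnames):
    """Map each reverse-proxy source hostname to True/False coverage."""
    return {h: bool(covered_by(san_dns_names, h)) for h in proxy_hostnames}

# The three certificate shapes discussed in the thread (constructed values).
SINGLE_NAME = ["hope.synology.me"]                            # plain DDNS cert
WITH_SAN = ["hope.synology.me", "bitwarden.hope.synology.me"]  # cert with SAN values
WILDCARD = ["hope.synology.me", "*.hope.synology.me"]          # wildcard cert

# Hypothetical reverse-proxy source hostnames to audit.
PROXY_HOSTS = [
    "hope.synology.me",
    "bitwarden.hope.synology.me",
    "beer.hope.synology.me",
    "a.beer.hope.synology.me",
]

if __name__ == "__main__":
    for label, sans in (("single", SINGLE_NAME), ("san", WITH_SAN),
                        ("wildcard", WILDCARD)):
        print(label, audit(sans, PROXY_HOSTS))
```

For a live check, the DNS entries can be taken from the 'subjectAltName' field returned by ssl.SSLSocket.getpeercert() instead of the constructed lists.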
 

Telos

> Saying all that above, still I'm interested how this is working for you. Have you entered beer as an alias somewhere?

No beer alias, etc. I can plug in anything in place of "beer" and get to my DSM web login. Logging in works and the URL shown after login still displays the prefix "beer." If I delete the "beer." from the URL and refresh the browser, I'm sent to a login page. If I add back "beer." to the browser URL and refresh the browser again, I'm returned to the active DSM session.

I was surprised this worked and figured there must be some way to take advantage of this. Maybe I should create a wildcard LE via Docker?

FWIW I'm on my LAN but using DDNS to access the DSM web login page.
 

Rusty

Hmm, interesting that this works. I would understand that you get to the web station front page but to the login page makes no sense to me.

> Maybe I should create a wildcard LE via Docker?

Well, I have it like that and have 0 problems with it. Plus it gives me a lot of room for on-the-fly subdomain names if I need them.
 
1,817
758
NAS
DS220+ : DS1019+ : DS216+II : DS118 : DS120j : APC Back UPS ES 700 — Mac/iOS user
I send a lot of share links with expiry dates. If I create a RP to FileStation (that’s where the shares are coming from, right?) and try to create a share, will it create it with the RP in mind or is it going to have the port in the generated link as if I didn’t enable RP?

(sorry if this was mentioned anywhere and I missed it)
 
