Tutorial Synology Reverse Proxy

[one-eyed-king]

Since when is a reverse proxying related to routing?! An http reverse proxy acts on osi layer7, which already is the applicatin layer. How is that related to a device that usualy works on osi layer 1-4?!

 

[Rusty]

This is accurate,
I just want to consolidate all the routing to my rt2600ac router... Let the router dou the routing and the Nas the file stuff!

understand that you wanna consolidate everything but reverse proxy is actually a server role and not so much a router role. Again saying that I do agree it would be an easy implementation in SRM as well but not sure we will see it anytime soon

 

[fredbert]

I can see both sides to this and maybe 'routing' is the wrong word but the sentiment is clear.

From a home user view with one Internet IP then therefore one TCP port 80/443/etc then there is at least one good reason to do reverse proxy on the SRM router: VPN Plus' SSL-VPN can't be reverse proxied via the standard DSM method (not tried anything else, as the clients complain that the server they are connecting to aren't VPN Plus.

...OK second reason: you don't have anything else that can do reverse proxy, at at least nothing that has a GUI/portal to make it easier.

The rest of DSM (and other) web packages that use Application Portal ... do they health check the web server is the right 'fingerprint' too? I don't know but if they work the same as VPN Plus clients then these will reject an SRM proxied TCP 443 ... and there's a lot more of them to break.

A limiting factor regarding SRM as reverse proxy is that the router support one certificate. Unless you've got a wildcard certificate then you'll soon run out of Subject Alternative Name characters (due to the 250-ish limit set by Synology) for all the proxies applications of Application Portal and Web Station.

Depending on what a reverse proxy is doing then these used to be very expensive bits of kit where the same Internet access would have a much larger reverse proxy appliance to the one that handled forward proxy. I'm not sure that the current SRM routers would have enough oomph to run anything but a very light r-proxy and, except the absolute lowest spec, the DSM NAS range has more RAM and CPU (and SATA disks).

To add reverse proxy to SRM isn't just a matter of adding that feature there're a raft of other changes that are needed to make it a suitable alternative to the DSM offer. But there will be some use cases for SRM

 

[Rusty]

Well put @fredbert. To me, this looks like spending for an average car and wanting to perform like a Mercedes or more. Bundling more and more features needs to be balanced as well, in this case with horsepower and sw solution that will be able to deliver the expected result.

Maybe running an RP on an RPi device would be more of a solution here then pushing it in a device that has nothing to do with that feature in the 1st place.

 

[vtsakiris]

From a home user view with one Internet IP then therefore one TCP port 80/443/etc then there is at least one good reason to do reverse proxy on the SRM router: VPN Plus' SSL-VPN can't be reverse proxied via the standard DSM method (not tried anything else, as the clients complain that the server they are connecting to aren't VPN Plus.

This is my #1 issue...

 

[fredbert]

Maybe running an RP on an RPi device would be more of a solution here then pushing it in a device that has nothing to do with that feature in the 1st place.

Now has more RAM but ethernet port, last I looked, is still limited to 100Mbps ... USB3/ethernet dongle may get better 300Mbps (?) but really it would be WiFi on 802.11ac.

This is my #1 issue...

I'm psychic and have tried it to see if it works! It doesn't.


I much prefer having Threat Prevention over r-proxy on RT2600ac: for the price of the device it works remarkably well vs the cost (and subscriptions) of the SOHO business level devices I've seen.

 

[Rusty]

Now has more RAM but ethernet port, last I looked, is still limited to 100Mbps ... USB3/ethernet dongle may get better 300Mbps (?) but really it would be WiFi on 802.11ac.

You are not up to date with the HW specs on the RPi are you ?

 

[fredbert]

You are not up to date with the HW specs on the RPi are you ?

Raspberry Pi 4 Model B specifications – Raspberry Pi

Your tiny, dual-display, desktop computer …and robot brains, smart home hub, media centre, networked AI core, factory controller, and much more.

www.raspberrypi.org

Seems not! Last I looked it was the 3 Model B+. Knew the 300Mbps number but see it was for Gig ethernet port linked to USB2.

 

[akahan]

A limiting factor regarding SRM as reverse proxy is that the router support one certificate. Unless you've got a wildcard certificate then you'll soon run out of Subject Alternative Name characters (due to the 250-ish limit set by Synology) for all the proxies applications of Application Portal and Web Station.

This is an intriguing statement. Are you saying that you can, on the NAS (but not the router) utilize multiple certificates to beat the character limit in Subject Alternative Names? How is this done, given that you can only make one of them the "default" certificate?


That is: if I have two LE encrypt certs for the same domain, but one of them lists some of my subdomains, and the other lists the remaining subdomains, how do I get the second (non-default) one to "answer the phone" when needed?

 

[fredbert]

@akahan Yes this is exactly what I do.

Short answer: just realised this is another long answer so look for the underline and bold bit

I've four LE certificates that are all for my personal domain but have a different comment name (so I can see which is which) and string of alternative names:

1. Default certificate: most of the DSM server stuff inc. Drive server, CardDAV, WebDAV, Mail services, etc.
2. Application Portal customised domains
3. Reverse Proxy domain names
4. Virtual Hosts in Web Station

Create the certificate with the bunch on alternative names then assign them to the various services using the 'Configure' button in the Certificates tab of Control Panel. The default cert, well obvs., gets assigned until you change it to another certificate. All my certificates are for my domain so get listed as 'mydomain.com' so this is where using an obvious description helps as that is the 2nd line on each list entry.

The other tip is this: keep a text file that records this for each certificate because you'll want it if you add another alt. name

Descriptive name​

Domain​

Email address​

Alternative names​

You can add alt. names that are in other certificates and also for other domains, e.g.: so you can include your synology.me DDNS and subdomains plus an in-case-of-usual-cert-issue www.mydomain.com and you need to assign it quickly.

 

[akahan]

Thanks, Fredbert - this will come in handy if I someday lose the ability to generate free wildcard certificates!

 

[Telos]

I've four LE certificates that are all for my personal domain but have a different comment name (so I can see which is which) and string of alternative names:

1. Default certificate: most of the DSM server stuff inc. Drive server, CardDAV, WebDAV, Mail services, etc.
2. Application Portal customised domains
3. Reverse Proxy domain names
4. Virtual Hosts in Web Station

Is there an advantage to separate certs, apart from the 155-character limit on the SAN entry?

Should I have separate certs for aaa.synology.me and bbb.ddns.net? Would that have some added flexibility?

 

[fredbert]

Is there an advantage to separate certs, apart from the 155-character limit on the SAN entry?

Should I have separate certs for aaa.synology.me and bbb.ddns.net? Would that have some added flexibility?

It’s the SAN character limit. Once I’d exceeded on my default cert I decided to use a cert per functional area: providing growth plus easier to manage.

This is just for personal domains where you haven’t got a process for maintaining a wildcard LE cert. (e.g. Rusty’s docker method). And DSM 6.2.3 (fabled release but unknown to my Package Center) can do wildcard LE certs for .synology.me DDNS.

 

[Telos]

Thanks for all the feedback... I've got this working only after 8 hours of stumbling around before I managed to get partial success.

My Booksonic phone app can reach the server using

https://booksonic.secret.synology.me

BUT... if I use that link on my browser, there is no connection. Why is this?

I forwarded 443 to the NAS, and it must be working since my phone app's connection test passes. But entering that link as a browser URL (which should take me to the server login page) quits after a while and appends my NAD HTTP port in the URL, for example...

https://booksonic.secret.synology.me:15001

What am I missing?

 

[Rusty]

f I use that link on my browser

What does that mean exactly? Internally? While on LAN?

 

[Telos]

What does that mean exactly? Internally? While on LAN?

If I'm on my LAN and enter:
https://booksonic.secret.synology.me
in my browser URL bar it's not redirected to

http://192.168.1.11:4321

It goes nowhere... Can't reach this page... refused to connect.

EDIT: I connected my PC to my phone's data connection and the same failure to connect via browser occurred.

 

[Rusty]

NAT loopback? Does you router support it?

 

[Telos]

NAT loopback? Does you router support it?

I think so... when I enter
"secret.synology.me:NAS_HTTPS_IP" my DSM login page appears.

 

[Rusty]

Then that’s not the problem. How does your reverse setting looks like for this app?

 

[Telos]

How does your reverse setting looks like for this app?