Synology Reverse Proxy

Tutorial Synology Reverse Proxy


:unsure: Since when is reverse proxying related to routing?! An HTTP reverse proxy acts on OSI layer 7, which is already the application layer. How is that related to a device that usually works on OSI layers 1-4?!
 

Rusty

Moderator
NAS Support
3,416
1,014
www.blackvoid.club
NAS
DS718+, DS918+, 2x RS3614RPxs+
Router
  1. RT1900ac
  2. RT2600ac
  3. MR2200ac
Operating system
  1. macOS
Mobile operating system
  1. iOS
This is accurate,
I just want to consolidate all the routing to my rt2600ac router... Let the router do the routing and the NAS the file stuff!
I understand that you wanna consolidate everything, but reverse proxy is actually a server role and not so much a router role. Again, I do agree it would be an easy implementation in SRM as well, but not sure we will see it anytime soon.
 

fredbert

Moderator
NAS Support
Subscriber
2,158
871
NAS
DS1520+, DS218+, DS215j
Router
  1. RT2600ac
  2. MR2200ac
Operating system
  1. macOS
Mobile operating system
  1. iOS
I can see both sides to this and maybe 'routing' is the wrong word but the sentiment is clear.

From a home user view with one Internet IP, and therefore one TCP port 80/443/etc, there is at least one good reason to do reverse proxy on the SRM router: VPN Plus' SSL-VPN can't be reverse proxied via the standard DSM method (not tried anything else, as the clients complain that the server they are connecting to isn't VPN Plus).

...OK, second reason: you don't have anything else that can do reverse proxy, or at least nothing that has a GUI/portal to make it easier.

The rest of DSM (and other) web packages that use Application Portal ... do they health check the web server is the right 'fingerprint' too? I don't know but if they work the same as VPN Plus clients then these will reject an SRM proxied TCP 443 ... and there's a lot more of them to break.

A limiting factor regarding SRM as reverse proxy is that the router supports one certificate. Unless you've got a wildcard certificate, you'll soon run out of Subject Alternative Name characters (due to the 250-ish limit set by Synology) for all the proxied applications of Application Portal and Web Station.

Depending on what a reverse proxy is doing, these used to be very expensive bits of kit, where the same Internet access would have a much larger reverse proxy appliance than the one that handled forward proxy. I'm not sure that the current SRM routers would have enough oomph to run anything but a very light r-proxy and, except the absolute lowest spec, the DSM NAS range has more RAM and CPU (and SATA disks).

To add reverse proxy to SRM isn't just a matter of adding that feature; there are a raft of other changes that are needed to make it a suitable alternative to the DSM offer. But there will be some use cases for SRM :cool:
 

Rusty

Well put @fredbert. To me, this looks like spending for an average car and wanting to perform like a Mercedes or more. Bundling more and more features needs to be balanced as well, in this case with horsepower and sw solution that will be able to deliver the expected result.

Maybe running an RP on an RPi device would be more of a solution here than pushing it into a device that has nothing to do with that feature in the 1st place.
 
36
11
NAS
DS218+
Router
  1. RT2600ac
Operating system
  1. Linux
  2. Windows
Mobile operating system
  1. Android
From a home user view with one Internet IP, and therefore one TCP port 80/443/etc, there is at least one good reason to do reverse proxy on the SRM router: VPN Plus' SSL-VPN can't be reverse proxied via the standard DSM method (not tried anything else, as the clients complain that the server they are connecting to isn't VPN Plus).

This is my #1 issue...
 

fredbert

Maybe running an RP on an RPi device would be more of a solution here than pushing it into a device that has nothing to do with that feature in the 1st place.
It now has more RAM, but the ethernet port, last I looked, is still limited to 100Mbps ... a USB3/ethernet dongle may get a better 300Mbps (?), but really it would be WiFi on 802.11ac.

This is my #1 issue...
I'm psychic 🤓 and have tried it to see if it works! It doesn't.


I much prefer having Threat Prevention over r-proxy on RT2600ac: for the price of the device it works remarkably well vs the cost (and subscriptions) of the SOHO business level devices I've seen.
 

Rusty

Moderator
NAS Support
3,416
1,014
www.blackvoid.club
NAS
DS718+, DS918+, 2x RS3614RPxs+
Router
  1. RT1900ac
  2. RT2600ac
  3. MR2200ac
Operating system
  1. macOS
Mobile operating system
  1. iOS
It now has more RAM, but the ethernet port, last I looked, is still limited to 100Mbps ... a USB3/ethernet dongle may get a better 300Mbps (?), but really it would be WiFi on 802.11ac.
You are not up to date with the HW specs on the RPi are you ;)?
 

fredbert

You are not up to date with the HW specs on the RPi are you ;)?

Seems not! Last I looked it was the 3 Model B+. Knew the 300Mbps number but see it was for a Gig ethernet port linked to USB2.
 
353
144
NAS
DS212J, DS214play, DS216, DS216play, DS414, DS918+, RS816
Router
  1. RT2600ac
  2. MR2200ac
Operating system
  1. Windows
Mobile operating system
  1. iOS
A limiting factor regarding SRM as reverse proxy is that the router supports one certificate. Unless you've got a wildcard certificate, you'll soon run out of Subject Alternative Name characters (due to the 250-ish limit set by Synology) for all the proxied applications of Application Portal and Web Station.

This is an intriguing statement. Are you saying that you can, on the NAS (but not the router) utilize multiple certificates to beat the character limit in Subject Alternative Names? How is this done, given that you can only make one of them the "default" certificate?


That is: if I have two LE encrypt certs for the same domain, but one of them lists some of my subdomains, and the other lists the remaining subdomains, how do I get the second (non-default) one to "answer the phone" when needed?
 

fredbert

@akahan Yes this is exactly what I do.

Short answer: just realised this is another long answer so look for the underline and bold bit :)

I've four LE certificates that are all for my personal domain but have a different comment name (so I can see which is which) and string of alternative names:
  1. Default certificate: most of the DSM server stuff inc. Drive server, CardDAV, WebDAV, Mail services, etc.
  2. Application Portal customised domains
  3. Reverse Proxy domain names
  4. Virtual Hosts in Web Station
Create the certificate with the bunch of alternative names, then assign them to the various services using the 'Configure' button in the Certificates tab of Control Panel. The default cert, well obvs., gets assigned until you change it to another certificate. All my certificates are for my domain so get listed as 'mydomain.com', so this is where using an obvious description helps, as that is the 2nd line on each list entry.

The other tip is this: keep a text file that records this for each certificate because you'll want it if you add another alt. name

Descriptive name
Domain
Email address
Alternative names

You can add alt. names that are in other certificates and also for other domains, e.g.: so you can include your synology.me DDNS and subdomains plus an in-case-of-usual-cert-issue www.mydomain.com and you need to assign it quickly.
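As an added example (not code from this thread, from Synology or from DSM): a small Python planner that puts hostnames into certificates per functional area, as described in the post above, and keeps each certificate's SAN string under a character limit. It assumes the wizard takes the alternative names as one separator-joined string and that the limit applies to that string; the limit and separator are parameters because the thread quotes both "250-ish" and 155. It goes one step beyond the post: an area whose names alone exceed the limit is split first-fit into numbered certificates. The hostnames are constructed example.com names, and it also prints the per-certificate record suggested above.

```python
"""Plan which hostnames go into which Let's Encrypt certificate so that every
certificate's Subject Alternative Name (SAN) entry stays under a character
limit, and render the per-certificate record worth keeping in a text file.

Added example; not code from this thread, from Synology, or from DSM.
Assumptions (not verified against DSM): the certificate wizard takes the
alternative names as one separator-joined string and the character limit
applies to that string; the separator and the limit are parameters.
"""


def san_string(names, sep=";"):
    """Join the alternative names the way the wizard's text field would."""
    return sep.join(names)


def san_length(names, sep=";"):
    """Character count of the joined SAN string, separators included."""
    return len(san_string(names, sep))


def plan_certificates(groups, limit, sep=";"):
    """Assign hostnames to certificates, one certificate per functional area
    (Default, Application Portal, Reverse Proxy, Web Station, ...).

    Generalisation beyond the thread: if one area's names alone exceed the
    limit, that area is split first-fit into numbered certificates instead of
    failing.  A single hostname longer than the limit cannot be placed at all
    and raises ValueError.
    """
    certs = []
    for area, names in groups.items():
        buckets = []  # each inner list becomes one certificate
        for name in names:
            if len(name) > limit:
                raise ValueError(f"{name!r} alone exceeds the {limit}-character limit")
            for bucket in buckets:
                if san_length(bucket + [name], sep) <= limit:
                    bucket.append(name)
                    break
            else:  # no existing certificate has room: start another one
                buckets.append([name])
        for i, bucket in enumerate(buckets, 1):
            description = area if len(buckets) == 1 else f"{area} {i}"
            certs.append({
                "description": description,
                "names": bucket,
                "san_length": san_length(bucket, sep),
            })
    return certs


def render_record(certs, domain, email, sep=";"):
    """The text-file record per certificate: descriptive name, domain,
    email address, alternative names (the four fields from the post)."""
    lines = []
    for cert in certs:
        lines.append(f"Descriptive name: {cert['description']}")
        lines.append(f"Domain: {domain}")
        lines.append(f"Email address: {email}")
        lines.append(f"Alternative names ({cert['san_length']} chars): "
                     f"{san_string(cert['names'], sep)}")
        lines.append("")
    return "\n".join(lines).rstrip("\n")


# Constructed sample data: example.com hostnames, not anyone's real setup.
SAMPLE_GROUPS = {
    "Default": ["nas.example.com", "drive.example.com", "mail.example.com"],
    "Reverse Proxy": ["books.example.com", "photos.example.com",
                      "notes.example.com", "git.example.com"],
}

if __name__ == "__main__":
    # A deliberately small limit (60) so the Reverse Proxy area has to split.
    plan = plan_certificates(SAMPLE_GROUPS, limit=60)
    print(render_record(plan, "example.com", "admin@example.com"))
```

With the real limit you use (the thread's 250-ish or 155), swap the number in the `plan_certificates` call; the record it prints is the same four fields per certificate that the post recommends writing down.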
 
akahan
Thanks, Fredbert - this will come in handy if I someday lose the ability to generate free wildcard certificates!
 

Telos

Subscriber
1,432
491
NAS
DS418play, DS213j, DS3622+, DSM 7.1.4-11091
I've four LE certificates that are all for my personal domain but have a different comment name (so I can see which is which) and string of alternative names:
  1. Default certificate: most of the DSM server stuff inc. Drive server, CardDAV, WebDAV, Mail services, etc.
  2. Application Portal customised domains
  3. Reverse Proxy domain names
  4. Virtual Hosts in Web Station
Is there an advantage to separate certs, apart from the 155-character limit on the SAN entry?

Should I have separate certs for aaa.synology.me and bbb.ddns.net? Would that have some added flexibility?
 

fredbert

Is there an advantage to separate certs, apart from the 155-character limit on the SAN entry?

Should I have separate certs for aaa.synology.me and bbb.ddns.net? Would that have some added flexibility?
It’s the SAN character limit. Once I’d exceeded it on my default cert I decided to use a cert per functional area: providing growth plus easier to manage.

This is just for personal domains where you haven’t got a process for maintaining a wildcard LE cert (e.g. Rusty’s docker method). And DSM 6.2.3 (fabled release but unknown to my Package Center) can do wildcard LE certs for .synology.me DDNS.
 

Telos

Thanks for all the feedback... I've got this working only after 8 hours of stumbling around before I managed to get partial success.

My Booksonic phone app can reach the server using


BUT... if I use that link on my browser, there is no connection. Why is this?

I forwarded 443 to the NAS, and it must be working since my phone app's connection test passes. But entering that link as a browser URL (which should take me to the server login page) quits after a while and appends my NAS HTTP port to the URL, for example...


What am I missing?
 

Telos

What does that mean exactly? Internally? While on LAN?
If I'm on my LAN and enter:
https://booksonic.secret.synology.me
in my browser URL bar it's not redirected to
It goes nowhere... Can't reach this page... refused to connect.
[screenshot: Pu1aDk6.png]


EDIT: I connected my PC to my phone's data connection and the same failure to connect via browser occurred.
 

Rusty

NAT loopback? Does your router support it?
 

Rusty

Then that’s not the problem. What does your reverse proxy setting look like for this app?
 
