Synology Reverse Proxy

Tutorial Synology Reverse Proxy

Telos

Subscriber
1,719
574
NAS
DS418play, DS213j, DS3622+, DSM 7.1.4-11091
Maybe this will provide a clue...

If I edit the RP and use HTTP/80 instead of HTTPS/443, the browser page loads properly when I enter "booksonic.secret.synology.me" into the browser URL.

But using HTTPS/443 in the RP fails.

Both ports 80 and 443 are forwarded to the NAS. FWIW, Booksonic is running from Docker if that makes a difference.

Is this related?
booksonic
 

Rusty

Moderator
NAS Support
4,098
1,179
www.blackvoid.club
NAS
DS718+, DS918+, 2x RS3614RPxs+
Router
  1. RT1900ac
  2. RT2600ac
  3. MR2200ac
Operating system
  1. macOS
Mobile operating system
  1. iOS
Same result with ip address of your nas instead of localhost?
 

Telos

I think this is a Booksonic issue. Since the app uses port 4040, I forwarded 4040 to the NAS and, without using RP, I entered "https://secret.synology.me:4040", which failed to connect. Changing 4040 to my DSM HTTPS port brought up the DSM login page.

Next I tried "http://secret.synology.me:4040" which loaded the Booksonic login page.

I'm not sure what's going on here, but apparently Booksonic cannot work with HTTPS is my only guess.

So I tried a different Docker app... a YouTube downloader using RP

https://yt.secret.synology.me connected!

Good grief... a lot of wasted time over what seems an app issue.
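
Added example, not part of the original posts: the test above shows port 4040 answering plain HTTP but not HTTPS, and a reverse proxy rule's destination protocol has to match what the backend actually speaks. This Python sketch probes a backend port and builds the matching rule; the function names and the rule layout are assumptions made for illustration, not DSM's own format.

```python
import socket
import ssl


def probe_backend(host, port, timeout=3.0):
    """Classify a backend port as 'https', 'http', 'unknown' or 'closed'."""
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "closed"  # refused, filtered or unreachable

    # Step 1: attempt a TLS handshake. Certificate checks are off on purpose:
    # the question is "does this port speak TLS?", not "do I trust it?".
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with ctx.wrap_socket(raw, server_hostname=host):
            return "https"
    except OSError:  # ssl.SSLError, resets and timeouts all land here
        pass
    finally:
        raw.close()

    # Step 2: no TLS, so send a minimal cleartext request on a new connection.
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(f"HEAD / HTTP/1.0\r\nHost: {host}\r\n\r\n".encode("ascii"))
            first = s.recv(16)
    except OSError:
        return "unknown"
    return "http" if first.startswith(b"HTTP/") else "unknown"


def rp_rule(public_name, backend_host, backend_port, timeout=3.0):
    """Build the rule: HTTPS at the proxy, backend's own protocol behind it."""
    proto = probe_backend(backend_host, backend_port, timeout)
    if proto not in ("http", "https"):
        raise RuntimeError(f"{backend_host}:{backend_port} is {proto}")
    return {
        "source": ("HTTPS", public_name, 443),
        "destination": (proto.upper(), backend_host, backend_port),
    }


if __name__ == "__main__":
    # Hostname and port 4040 are the ones quoted in the post above.
    print(rp_rule("booksonic.secret.synology.me", "localhost", 4040))
```

With the proxy terminating TLS on 443 and forwarding over HTTP to the container, the backend port itself no longer needs to be forwarded on the router.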
 

Rusty

I’ll try it later on and report back. I use the same app but internally so never tried it via https.

Let you know.
 
7
4
NAS
DS918+, DS214se
Operating system
  1. Windows
Hi
Thanks for this helpful tutorial. I have managed to follow through using my own domain and now have webmail.mydomain.com, drive.mydomain.com, notes.mydomain.com all working for me. Previously I used the application portal setup to have them work under mydomain.com.webmail:xxxx, etc., where xxxx is the port number.
Anyhow, although I have it all up and running, I do have to type https://webmail.mydomain.com to get to the secure login. Is there any way that it can be set up so that it will redirect from http to https, so I just have to type webmail.mydomain.com into my browser and it will automatically take me to https://webmail.mydomain.com?
Thanks in advance for any help
Phil
 

Rusty

try this

 

Telos

When creating the redirect RP, can I enter a wildcard domain (*.secret.synology.me) in the source hostname, while using the specific hostname (xyz.secret.synology.me) in the site RP? The idea being a single redirect RP handling several wildcard domains.

I hope I said that clearly.
 

Rusty

That didn’t work for me. I have multiple 80 redirects
 
"Jumping" into this discussion...
I am trying to containerize (is that a term?) my proxy, i.e. using Docker for the reverse proxy (with jwilder/nginx-proxy:alpine). Is this a good idea? (It would allow me to "port" to other hosts if/when needed.)
I have partial success: port 8080 is forwarded to local 80, but for some reason 4443 > 443 will not work
(I have ports: - 8080:80 - 4443:443).
Any idea how to diagnose?
 

Rusty

How did you configure it exactly? Can you share a bit more info?
 
Sure - here is my (sanitized) docker-compose.yml

YAML:
version: '3'

services:

  proxy:
    image: jwilder/nginx-proxy:alpine
    labels:
      - "com.github.jrcs.letsencrypt_nginx_proxy_companion.nginx_proxy=true"
    container_name: nextcloud-proxy
    networks:
      - nextcloud_network
    ports:
      - 8080:80
      - 4443:443
    volumes:
      - ./proxy/conf.d:/etc/nginx/conf.d:rw
      - ./proxy/vhost.d:/etc/nginx/vhost.d:rw
      - ./proxy/html:/usr/share/nginx/html:rw
      - ./proxy/certs:/etc/nginx/certs:ro
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/tmp/docker.sock:ro
    restart: unless-stopped
 
  letsencrypt:
    image: jrcs/letsencrypt-nginx-proxy-companion
    container_name: nextcloud-letsencrypt
    depends_on:
      - proxy
    networks:
      - nextcloud_network
    volumes:
      - ./proxy/certs:/etc/nginx/certs:rw
      - ./proxy/vhost.d:/etc/nginx/vhost.d:rw
      - ./proxy/html:/usr/share/nginx/html:rw
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
    restart: unless-stopped

  db:
    image: mariadb
    container_name: nextcloud-mariadb
    networks:
      - nextcloud_network
    volumes:
      - db:/var/lib/mysql
      - /etc/localtime:/etc/localtime:ro
    environment:
      - MYSQL_ROOT_PASSWORD=xxxxx
      - MYSQL_PASSWORD=xxxx
      - MYSQL_DATABASE=nextcloud
      - MYSQL_USER=nextcloud
    command: --transaction-isolation=READ-COMMITTED --binlog-format=ROW
    restart: always
 
  app:
    image: nextcloud:latest
    container_name: nextcloud-app
    networks:
      - nextcloud_network
    depends_on:
      - letsencrypt
      - proxy
      - db
    volumes:
      - nextcloud:/var/www/html
      - ./app/config:/var/www/html/config
      - ./app/custom_apps:/var/www/html/custom_apps
      - ./app/data:/var/www/html/data
      - ./app/themes:/var/www/html/themes
      - /etc/localtime:/etc/localtime:ro
    environment:
      - VIRTUAL_HOST=nextcloud.domain.tld
      - LETSENCRYPT_HOST=nextcloud.domain.tld
      # E-mail address was obscured on the page; the value below is a placeholder
      - LETSENCRYPT_EMAIL=admin@domain.tld
    restart: unless-stopped

volumes:
  nextcloud:
  db:
 
networks:
  nextcloud_network:

Much to my surprise it worked "out of the box" - I can access NextCloud on port 8080.
However not on 4443 (nothing happens).

NOT running synology webstation so port 443 should be available (I think...)
 

Rusty

Web Station doesn't need to be running. DSM by default is using both 80 and 443. There is an nginx version running on the NAS itself (Control Panel > Application portal > Reverse Proxy).

So you are running a docker compose to get NC up and running with all that it needs. You could run this partially, set up your SQL and NC containers separately, and use the built-in Reverse Proxy to get it up and running via HTTPS.

Still, saying that, what error do you get when trying to get to it on 4443?
 
> Web Station doesn't need to be running. DSM by default is using both 80 and 443. There is an nginx version running on the NAS itself (Control Panel > Application portal > Reverse Proxy).
Thought it was running on 5000/5001 by default (mine seems to)
> So you are running a docker compose to get NC up and running with all that it needs. You could run this partially, set up your SQL and NC containers separately, and use the built-in Reverse Proxy to get it up and running via HTTPS.
Good idea - let me give it a try :)
> Still, saying that, what error do you get when trying to get to it on 4443?
503 Service Temporarily Unavailable
nginx/1.17.6
 

Rusty

> Thought it was running on 5000/5001 by default (mine seems to)
Those are also the ports that are "reserved". I'm just saying that 80 and 443 are used and reserved by default on DSM considering that nginx is running.

> 503 Service Temporarily Unavailable
> nginx/1.17.6
The 503 means that the service is unresponsive. This could be due to resources and not just wrong configurations. Also, you could get this when a timeout occurs for any number of reasons.
 

Telos

It could be a blocking thingy too if you have excessive logins blocked. That happened to me over in the Community two months ago after they made some security changes, and I would have to wait for the block to time out. I got hit with 503s quite often.
 
13
3
NAS
DS720+,DS212
Operating system
  1. Windows
Mobile operating system
  1. Android
This might be a silly question, but can I make a reverse proxy rule for a site running on Synology webstation? I have several sites in the web folder and would like to use subdomains for them. I have the reverse proxy setup for docker containers as those use hostname/port, but is there a way to point it to a webstation address?
 

Rusty

Try with Virtual Host settings. Define a VH for your apps, but configure them on specific ports (IP will be your NAS IP ofc). Then just use RP as usual, point a forward name to that internal virtual host port on your NAS IP.

 
13
3
NAS
DS720+,DS212
Operating system
  1. Windows
Mobile operating system
  1. Android
Beautiful, that worked perfectly!

And, now I see a use for virtual hosts... never understood them before.
 

fredbert

Moderator
NAS Support
Subscriber
2,604
1,054
NAS
DS1520+, DS218+, DS215j
Router
  1. RT2600ac
  2. MR2200ac
Operating system
  1. macOS
Mobile operating system
  1. iOS
You don't have to use a Reverse Proxy for a Web Station Virtual Host. Provided you have a unique domain name for the VH then you can use ports 80 and 443.

Also, for a VH you don't have to use a folder in /web.
 
13
7
NAS
DS1010+
Router
  1. RT2600ac
  2. MR2200ac
Operating system
  1. Linux
  2. macOS
  3. Windows
  4. other
Mobile operating system
  1. Android
  2. iOS
too bad RP is not available on DSM 5.2 😢
 
