Synology Reverse Proxy

Tutorial Synology Reverse Proxy
Unless I've done something wrong here as well.

Screenshot_20210922_053952.png
 
The primary DNS for synology.me will have a record for xyz.synology.me that is dynamically updated to your ISP IP address. There will also be a wildcard entry *.xyz.synology.me that also points to your ISP IP address.

So if there is an explicit DNS record for www.xyz.synology.me then that IP will be returned, otherwise the wildcard IP address is returned.

Within RP it is looking at the FQDN, e.g. app.xyz.synology.me:443, as a text match not a DNS resolution. It sees the text of the FQDN/port combo match a rule and so does what it's told to do ... forward to the new destination.
What you say makes perfect sense to me. Unfortunately for me it doesn't work. I have set up DDNS in my Syno to my-name.synology.me and configured Reverse Proxy to test.my-name.synology.me. My Fritz Box redirects ports 80 and 443 to my Syno where both ports are open in Syno firewall. nslookup to test.my-name.synology.me via 1.1.1.1 returns the correct IP assigned by my ISP. From within my network test.my-name.synology.me connects to the right app but from outside (tested with my smartphone with wifi off) test.my-name.synology.me returns 'server not found'. No clue why. What am I doing wrong? Or does this not work via Synology's DDNS service because of 4th level domain? Any hint appreciated. Thanks folks.

Addition: I've now tested with my own domain. So I added DDNS in my Syno to my-domain.org and configured RP to test.my-domain.org with unfortunately the same negative result 'server not found' even though nslookup test.my-domain.org returns my ISP IP. But RP doesn't seem to pick up the subdomain test (which is nowhere else configured than in RP). Even with Syno firewall disabled it doesn't work. But I think that is not the right place to search. Maybe it's worth noting that I'm running Pi-Hole with unbound in a docker environment on a different Syno. But from my understanding that has no influence on this. Also that this is a virtual DSM should have nothing to do here. I'm at a loss...
If you ping test.my-domain.org from outside your local network, do you get "no response", or do you get "ping request could not find host test.my-domain.org"? If the latter, you need to go into DNS settings at your ISP, and explicitly set up a DNS entry for that hostname (not just the domain name).
The answer is 'Can't resolve host' (using ping network utility on iPhone) while connected with mobile data. But... when I'm connected to my friend's wifi RP works as expected. Same thing when I'm connected to VPN. No VPN to my home but NordVPN. Maybe it is related to IPv4 or IPv6. I've disabled IPv6 in both Fritz Box and Syno.
 
Can you tell us if you have a dual stack (public IPv4 + public IPv6) or DS-Lite (NATted IPv4 + public IPv6) connection?
With a DS-Lite connection incoming IPv4 connections from the internet won't work, as the WAN IP already is a NATted private IP, which can not be reached from the internet. Outgoing IPv4 connections will work regardless whether it's dual stack or DS-Lite.

With DS-Lite, the only way to expose a service to the internet is by either using IPv6 (the DNS record needs to resolve to the target machine, not the router!), using a VPN connection that allows port forwarding (the DNS record needs to point to the vpc endpoint), or a service like ngrok - secure introspectable tunnels to localhost (does not allow bring your own domain).
Thanks for your explanation. I guess it's not DS-Lite. See screenshot.
Bildschirmfoto 2022-01-22 um 09.21.42.JPG
I am not sure if this information from the FB dashboard qualifies to distinguish Dual Stack and DS-Lite. As in both cases you have an IPv4 and internet, though in one case it is an internet IP and in the other case a NATted IP in the ISP's network.

Try Open Port Check Tool -- Verify Port Forwarding on Your Router and see if a forwarded port on your FB can be reached from the internet.
Thanks. The result is Success: I can see your service on ... on port (443)
 
Then it really should be a dual stack line.

You own a domain like my-domain.org and added a subdomain test.my-domain.org in your DNS (or by the DDNS). You checked in the DNS server where you administrate the domain that the entry exists and points to the right WAN IP?
You forward WAN port 80/443 to the Syno-RP, in the Syno-RP you have an entry where the hostname is test.my-domain.org (and in case of https, a valid certificate assigned to it) and the firewall does not block traffic? Then I can't see a reason that it's not working.

But what really is concerning is that the domain can not be resolved from all devices. Since it works if 1.1.1.1 is used as DNS resolver, I would assume that it just takes time for the new DNS entry to be propagated to the rest of the world, especially if the TTL and expiry settings for the domain/entry are default values. You should set it to a value you are willing to wait until the IP change is propagated. I use 120sec.
Thanks again. Let me try to sort this out: I create a subdomain at my domain provider like test.my-domain.org which gets updated by Syno DDNS correctly with the current WAN IP. In my FB I forward port 443 to my Syno running RP. In RP I create a rule forwarding test.my-domain.org to my service which I want to expose. So far so good, that works. But if I create an RP rule like app.test.my-domain.org to expose another service this address can't be resolved from mobile data. From within my friend's wifi it works, also when I connect my mobile phone via NordVPN. Only mobile data doesn't work. Hope that makes sense...
Did you create that subdomain?
No, because in my opinion that should be handled by RP.
If not, did you create a wildcard subdomain for *.test.my-domain.org?
That's not supported with my domain provider.

Meanwhile I switched to synology.me as DDNS. So I have my-name.synology.me and a wildcard certificate for that. nslookup via 1.1.1.1 to bla.my-name.synology.me resolves to my WAN IP and RP works as expected. But again not from my mobile. The behavior is as described.

So I question myself what is the difference between e.g. my friend's wifi or NordVPN and mobile data.
No, because in my opinion that should be handled by RP
Either you confuse responsibilities or I simply don't understand your problem.

  • The RP is responsible to "listen" for a specific domain - it only relies on the "Host" header or SNI which is part of the request. It doesn't care for DNS at all.
  • The authoritative DNS server on the other side is the one that MUST have the entry to resolve a domain to your WAN IP. In your case by the absolute subdomain entry. You can not simply add a sub-level in front of the subdomain level and expect it to work without having created a wildcard domain entry that covers it.
  • DNS resolvers are responsible for name resolution. You use Cloudflare as a DNS resolver. Resolvers can be chained and typically cache entries to lower the load on the systems.
    • If you change an entry in your DNS server, it will take time to be propagated around the world. This can take minutes, hours, days - depending on multiple factors. For domains provided by DDNS the time span is typically within minutes.
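To make the wildcard point concrete, here is an added example (not code from the thread or from Synology) that applies the RFC 4592 wildcard rules to a constructed zone: an explicit record for test.my-domain.org with no wildcard beneath it, versus the *.my-name.synology.me wildcard described earlier. The zone data and the 203.0.113.10 address are constructed; A records are used throughout for simplicity.

```python
# Added example (not from the thread): RFC 4592 wildcard matching over a
# constructed zone. It shows why app.test.my-domain.org gets NXDOMAIN at
# the authoritative server while bla.my-name.synology.me resolves.

# Constructed authoritative data, one zone per registered domain.
# my-domain.org: explicit DDNS record for test.my-domain.org, no wildcard.
# synology.me : host record plus the wildcard *.my-name.synology.me that
#               the Synology DDNS service publishes (per the thread).
ZONES = {
    "my-domain.org": {
        "my-domain.org": "203.0.113.10",
        "test.my-domain.org": "203.0.113.10",
    },
    "synology.me": {
        "my-name.synology.me": "203.0.113.10",
        "*.my-name.synology.me": "203.0.113.10",
    },
}


def _exists(zone, name):
    """A name exists if it owns a record or is an ancestor of one."""
    return any(rec == name or rec.endswith("." + name) for rec in zone)


def resolve(qname):
    """Return the A record for qname, or None for NXDOMAIN."""
    zone = next((z for apex, z in ZONES.items()
                 if qname == apex or qname.endswith("." + apex)), None)
    if zone is None:
        return None  # not authoritative for this name
    if qname in zone:
        return zone[qname]  # an exact match always wins over a wildcard
    # Closest encloser: the longest existing ancestor of qname. Only a
    # wildcard directly below it may synthesize an answer (RFC 4592 2.2.1).
    labels = qname.split(".")
    for i in range(1, len(labels)):
        closest = ".".join(labels[i:])
        if _exists(zone, closest):
            return zone.get("*." + closest)
    return None


if __name__ == "__main__":
    for name in ("test.my-domain.org", "app.test.my-domain.org",
                 "bla.my-name.synology.me", "a.b.my-name.synology.me"):
        print(f"{name:28} -> {resolve(name) or 'NXDOMAIN'}")
```

Because test.my-domain.org exists, it becomes the closest encloser for app.test.my-domain.org, and since no *.test.my-domain.org wildcard exists the name does not resolve; adding that wildcard (or an explicit record, as suggested in this thread) fixes it.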
Did you create that subdomain?
== No, because in my opinion that should be handled by RP.

I suspect this is your problem. At whichever provider is handling your DNS resolution, you need to create a subdomain (a CNAME record) that points to your domain. So, for example, apps.yourdomain.com would point to yourdomain.com. Or, use a wildcard subdomain. (But I'd strongly suggest using the former method.) Neglecting to do so would cause a lot of DNS servers to not be able to find apps.yourdomain.com. In fact, I'm surprised that ANY of them can.