Synology Reverse Proxy

Tutorial Synology Reverse Proxy

Rusty submitted a new resource:

Synology Reverse Proxy - Tutorial on setting up reverse proxy for various apps and services hosted on your NAS via built in RP

This tutorial will cover a few short steps that you need to know and set up in order to make your apps and services accessible via the internet (or LAN) using a specific domain name and custom (or default) port. It will also help you to avoid exposing your real IP address, custom port or simply to have a nice load balance solution in case you need it.

So what's reverse proxy?
No reason to break it down here considering there is a perfectly good explanation here

[URL...

 
In reverse proxy settings, you’re setting the app name. How does app.xyz.synology.me resolve from outside the LAN, when xyz.synology.me is connected to the ddns updater
 
It will work for synology.me domain as well as 3rd party ones
But by using your own domain you aren't tied to the future decisions of who owns the domain you use.

As well as my nas.synology.me DDNS I also use another DDNS service. I've been a long time user of OpenDNS and they also have a DDNS update service called dns-o-matic. I have DSM update dns-o-matic and it updates OpenDNS and Namecheap. At Namecheap I have one of my personal domains. And all this is free after I've bought the domain.
 
I am using duckdns for a long time and really happy with it. You can even have a container running to check if your external changes. Here is my docker from docker-compose.yml.

Code:
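###### duckdns #########
# Fragment of a larger docker-compose.yml: this entry sits under the top-level "services:" key.
  duckdns:
    container_name: Duckdns
    restart: unless-stopped
    image: linuxserver/duckdns:latest
    environment:
    # TOKEN is the DuckDNS account secret; keep the real value out of shared copies of this file.
    - TZ=Europe/Brussels
    - TOKEN=your_token
    - SUBDOMAINS=your_chosen_name
    - LOG_FILE=true
    volumes:
    - /volume1/docker/Duckdns/config:/config
    labels:
    # List-style labels take key=value.
    - "com.example.description=DDNS"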
 
In reverse proxy settings, you’re setting the app name. How does app.xyz.synology.me resolve from outside the LAN, when xyz.synology.me is connected to the ddns updater
This is exactly the task RP was designed to do.

When the request hits your router and pushes that request to your NAS IP address it will hit your RP and check what you have configured there for that FQDN that you are requesting and push it to the bind local destination that is configured. So in the case of app.xyz.synology.me your request will be handled by RP and forward it towards a service running on your NAS on a custom port that you have configured in the Destination section.
 
But how does app.xyz.synology.me resolve to my public IP? In order for that URL to resolve it needs to hit the RP, how does it get there when app.xyz.synology.me isn’t connected to a ddns updater. Only xyz.synology.me is connected to the ddns updater.

Do you have to enter xyz.synology.me then /app? I could see this as telling the browser, look for the ddns associated with my public ip, then the /app in that url will tell the rp where to go from there?
 
forward it towards a service running on your NAS on a custom port
Or other LAN web server you run.

For example, if you have two DSM NAS you can use RP on the one that gets all the Internet HTTPS/443 requests. The RP rule would be to the LAN IP of the other device and the server's port number.
 
Only xyz.synology.me is connected to the ddns updater.
To begin with, this is all that's needed. Domain resolution is going from right to left. So xyz.synology.me will hit your NAS via port forward. After that RP will grab that request and read the full FQDN (including app.xxxxxxx.xxxx.xxxx) and translate it to the destination that you have configured.

Do you have to enter xyz.synology.me then /app?
No, for the RP dialog box you can't configure it to work with app subfolder (/app), just as a subdomain.
 
Or other LAN web server you run.

For example, if you have two DSM NAS you can use RP on the one that gets all the Internet HTTPS/443 requests. The RP rule would be to the LAN IP of the other device and the server's port number.
Absolutely correct. Just trying to keep things simple here. I have one RP that's routing to multiple NAS devices on my LAN that are covered by same domain name but resources are distributed across multiple Syno devices (virtual and appliances)
 
Domain resolution is going from right to left.

Thanks guys, this makes sense. I didn’t realize it works right to left. I’ll have to give this a try. My expertise stops at regular ddns level domains. I was even a bit confused when setting up LE cert and the fields for sub domains; somehow got it working. (Think real issue there was dyndns wasn’t working, synology.me worked - but that’s another topic)

I also have a purchased dyndns account, where I’m allowed up to 30 hostnames. I usually use those for different locations that I manage. This will be expiring next year and may look into some other service providers, but dyndns has been no issues.
 
But how does app.xyz.synology.me resolve to my public IP? In order for that URL to resolve it needs to hit the RP, how does it get there when app.xyz.synology.me isn’t connected to a ddns updater. Only xyz.synology.me is connected to the ddns updater.
The primary DNS for synology.me will have a record for xyz.synology.me that is dynamically updated to your ISP IP address. There will also be a wildcard entry *.xyz.synology.me that also points to your ISP IP address.

So if there is an explicit DNS record for www.xyz.synology.me then that IP will be returned, otherwise the wildcard IP address is returned.

Within RP it is looking at the FQDN, e.g. app.xyz.synology.me:443, as a text match not a DNS resolution. It sees the text of the FQDN/port combo match a rule and so does what it's told to do ... forward to the new destination.
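The two steps described in the posts above (wildcard DNS answer, then a text match on the requested name and port), as an added example that is not part of any post. The zone records, addresses and rule destinations are constructed placeholders, and the wildcard lookup is a simplified model of real DNS behaviour.

```python
# Constructed sample data: placeholder names and documentation-range addresses.
ZONE = {
    "xyz.synology.me": "203.0.113.10",    # record the DDNS updater keeps current
    "*.xyz.synology.me": "203.0.113.10",  # wildcard entry for every sub-name
}
# Reverse proxy rules: (source hostname, source port) -> (destination host, port)
RP_RULES = {
    ("app.xyz.synology.me", 443): ("localhost", 8080),
    ("nas2.xyz.synology.me", 443): ("192.168.1.20", 5001),
}


def resolve(name, zone=ZONE):
    """Return the explicit record if present, else the nearest wildcard."""
    name = name.lower().rstrip(".")
    if name in zone:
        return zone[name]
    labels = name.split(".")
    for i in range(1, len(labels)):
        wildcard = "*." + ".".join(labels[i:])
        if wildcard in zone:
            return zone[wildcard]
    return None


def route(host_header, port, rules=RP_RULES):
    """Pick a destination by comparing the requested name as text; no DNS here."""
    host = host_header.lower().partition(":")[0]
    return rules.get((host, port))


def trace(name, port=443):
    """Follow one request: DNS answer first, then the proxy's rule lookup."""
    ip = resolve(name)
    if ip is None:
        return ("no DNS answer", None)
    return (ip, route(name, port))


if __name__ == "__main__":
    for n in ("app.xyz.synology.me", "typo.xyz.synology.me", "xyz.example.org"):
        print(n, "->", trace(n))
```

In this model `typo.xyz.synology.me` still resolves to the NAS address although no rule exists for it: with a wildcard record every sub-name reaches the proxy, and only the rule list decides which of them are forwarded to a service.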
 
Thanks guys, this makes sense. I didn’t realize it works right to left. I’ll have to give this a try. My expertise stops at regular ddns level domains. I was even a bit confused when setting up LE cert and the fields for sub domains; somehow got it working. (Think real issue there was dyndns wasn’t working, synology.me worked - but that’s another topic)

I also have a purchased dyndns account, where I’m allowed up to 30 hostnames. I usually use those for different locations that I manage. This will be expiring next year and may look into some other service providers, but dyndns has been no issues.
Syno still hasn't implemented (via their UI) the ability to create LE cert in wild-card format. One reason why I use a docker image for that in a combination with a custom 3rd party domain. This way I cover an infinite number of my subdomains and I can change them however and whenever I want. I'm not tied to using the SAN names issued by Syno LE process. But for most this method will work. If you get into a territory that you need multiple apps covered and want the freedom of your subdomain names, wild-card cert is a way to go.
 
So I'm back and trying to work through this tutorial, but I'm a bit hung up on the DDNS address. I already have an LE certificate and a DDNS from Synology (let's say myname.synology.me). Do I have to go and get another one to try and run say bitwarden from within docker, or can I just create a subdomain by entering bitwarden.myname.synology.me as the hostname? I think gerard was asking pretty much the same question, I just wanted to make sure I understood correctly.
 
Yes, essentially in reverse proxy, you’ll create some name, which would be application specific: example bw.yourname.synology.me or photostation.yourname.synology.

Both of these are using your ddns name (yourname.synology.me) which will forward to your synology. It will then hit the reverse proxy and do a lookup of bw or photostation, where it will redirect to the correct application. This redirect essentially works by looking up the port in rp and sending the connection to the app. You’ll have to apply the correct ports in rp.
 
@Gerard said it spot on. Would just like to add one thing. @NAS Newbie, if your service will be accessed via https then you will need to have that resource bound to a specific cert as well (LE in this case).
Now if your certificate (current one) covers this desired name (bitwarden.myname.synology.me) then you are good to go. After setting up a RP rule you will just need to bind that rule/resource to your cert for secure traffic to be applied to it.

If this is not the case, and you still want to use https, then you will need to get a cert for your domain that covers this name. Atm, via Syno cert wizard, you will not be able to get a wild card certificate that covers *.myname.synology.me, so you can issue a new cert for your domain and fill in the Subject Alternative Names values for all the subdomain names that you will need/might use in the future. All those names that you wanna use must be covered via a cert if you wanna use https and get a nice green lock.

Another thing you can do is get a wild card certificate (but that will not be possible for *.synology.me domain via DSM atm) for a custom domain and use that certificate to cover all your resources under your own domain name.

For this you will need:
a) a registered domain name
b) a wild card cert imported into DSM and set up as a cert for your desired services.
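A check for the certificate coverage discussed in the posts above, as an added example that is not part of any post: it lists reverse proxy host names that a certificate's name entries do not cover. The function names and all host names are constructed for illustration.

```python
def san_covers(san, host):
    """True if one certificate name entry covers the requested host name."""
    san, host = san.lower().rstrip("."), host.lower().rstrip(".")
    if not san.startswith("*."):
        return san == host
    # A wildcard stands for exactly one left-most label: it covers neither
    # the bare domain nor names two levels down.
    first, _, rest = host.partition(".")
    return bool(first) and rest == san[2:]


def uncovered(rule_hosts, sans):
    """Reverse proxy host names that the bound certificate does not cover."""
    return [h for h in rule_hosts if not any(san_covers(s, h) for s in sans)]


# Constructed sample data (placeholder names, not taken from a real NAS).
RULE_HOSTS = ["bitwarden.myname.synology.me", "photos.myname.synology.me"]
SAN_CERT = ["myname.synology.me", "bitwarden.myname.synology.me"]
CUSTOM_RULE_HOSTS = ["bw.example.com", "example.com", "a.b.example.com"]
WILDCARD_CERT = ["*.example.com"]

if __name__ == "__main__":
    print("SAN cert misses:", uncovered(RULE_HOSTS, SAN_CERT))
    print("wildcard cert misses:", uncovered(CUSTOM_RULE_HOSTS, WILDCARD_CERT))
```

A wildcard entry alone leaves the bare domain uncovered, so a certificate meant for both usually lists the domain and the wildcard as separate names.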
 
