Synology Reverse Proxy

Unless I've done something wrong here as well.

The primary DNS for synology.me will have a record for xyz.synology.me that is dynamically updated to your ISP IP address. There will also be a wildcard entry *.xyz.synology.me that also points to your ISP IP address.

So if there is an explicit DNS record for www.xyz.synology.me then that IP will be returned, otherwise the wildcard IP address is returned.

Within RP it is looking at the FQDN, e.g. app.xyz.synology.me:443, as a text match not a DNS resolution. It sees the text of the FQDN/port combo match a rule and so does what it's told to do ... forward to the new destination.
What you say makes perfect sense to me. Unfortunately for me it doesn't work. I have set up DDNS in my Syno to my-name.synology.me and configured Reverse Proxy to test.my-name.synology.me. My Fritz Box redirects ports 80 and 443 to my Syno where both ports are open in the Syno firewall. nslookup to test.my-name.synology.me via 1.1.1.1 returns the correct IP assigned by my ISP. From within my network test.my-name.synology.me connects to the right app, but from outside (tested with my smartphone with wifi off) test.my-name.synology.me returns 'server not found'. No clue why. What am I doing wrong? Or does this not work via Synology's DDNS service because of the 4th level domain? Any hint appreciated. Thanks folks.

Addition: I've now tested with my own domain. So I added DDNS in my Syno to my-domain.org and configured RP to test.my-domain.org, with unfortunately the same negative result 'server not found' even though nslookup test.my-domain.org returns my ISP IP. But RP doesn't seem to pick up the subdomain test (which is configured nowhere else than in RP). Even with the Syno firewall disabled it doesn't work. But I think that is not the right place to search. Maybe it's worth noting that I'm running Pi-Hole with unbound in a docker environment on a different Syno. But from my understanding that has no influence on this. Also that this is a virtual DSM should have nothing to do with it. I'm at a loss...
 
If you ping test.my-domain.org from outside your local network, do you get "no response", or do you get "ping request could not find host test.my-domain.org"? If the latter, you need to go into DNS settings at your ISP, and explicitly set up a DNS entry for that hostname (not just the domain name).
 
The answer is 'Can't resolve host' (using ping network utility on iPhone) while connected with mobile data. But... when I'm connected to my friend's wifi RP works as expected. Same thing when I'm connected to VPN. No VPN to my home but NordVPN. Maybe it is related to IPv4 or IPv6. I've disabled IPv6 in both Fritz Box and Syno.
 
Can you tell us if you have a dual stack (public IPv4 + public IPv6) or DS-Lite (NATed IPv4 + public IPv6) connection?
With a DS-Lite connection incoming IPv4 connections from the internet won't work, as the WAN IP already is a NATed private IP, which can not be reached from the internet. Outgoing IPv4 connections will work regardless of whether it's dual stack or DS-Lite.

With DS-Lite, the only way to expose a service to the internet is by either using IPv6 (the DNS record needs to resolve to the target machine, not the router!), using a VPN connection that allows port forwarding (the DNS record needs to point to the VPN endpoint), or a service like ngrok - secure introspectable tunnels to localhost (does not allow bring your own domain).
 
Thanks for your explanation. I guess it's not DS-Lite. See screenshot.
 
I am not sure if this information from the FB dashboard qualifies to distinguish Dual Stack and DS-Lite. In both cases you have an IPv4 address and internet, though in one case it is an internet IP and in the other case a NATed IP in the ISP's network.

Try Open Port Check Tool -- Verify Port Forwarding on Your Router and see if a forwarded port on your FB can be reached from the internet.
Thanks. The result is Success: I can see your service on ... on port (443)
 
Then it really should be a dual stack line.

You own a domain like my-domain.org and added a subdomain test.my-domain.org in your DNS (or by the DDNS). You checked in the DNS server where you administrate the domain that the entry exists and points to the right WAN IP?
You forward WAN port 80/443 to the Syno RP, in the Syno RP you have an entry where the hostname is test.my-domain.org (and in case of https, a valid certificate assigned to it) and the firewall does not block traffic? Then I can't see a reason that it's not working.

But what really is concerning is that the domain can not be resolved from all devices. Since it works if 1.1.1.1 is used as DNS resolver, I would assume that it just takes time for the new DNS entry to be propagated to the rest of the world, especially if the TTL and expiry settings for the domain/entry are default values. You should set it to a value you are willing to wait until the IP change is propagated. I use 120 sec.
 
Thanks again. Let me try to sort this out: I create a subdomain at my domain provider like test.my-domain.org which gets updated by Syno DDNS correctly with the current WAN IP. In my FB I forward port 443 to my Syno running RP. In RP I create a rule forwarding test.my-domain.org to the service which I want to expose. So far so good, that works. But if I create an RP rule like app.test.my-domain.org to expose another service, this address can't be resolved from mobile data. From within my friend's wifi it works, also when I connect my mobile phone via NordVPN. Only mobile data doesn't work. Hope that makes sense...
 
Did you create that subdomain?
No, because in my opinion that should be handled by RP.
If not, did you create a wildcard subdomain for *.test.my-domain.org?
That's not supported with my domain provider.

Meanwhile I switched to synology.me as DDNS. So I have my-name.synology.me and a wildcard certificate for that. nslookup via 1.1.1.1 to bla.my-name.synology.me resolves to my WAN IP and RP works as expected. But again not from my mobile. The behavior is as described.

So I question myself what is the difference between e.g. my friend's wifi or NordVPN and mobile data.
 
No, because in my opinion that should be handled by RP
Either you confuse responsibilities or I simply don't understand your problem.

  • The RP is responsible for "listening" for a specific domain - it only relies on the "Host" header or SNI which is part of the request. It doesn't care about DNS at all.
  • The authoritative DNS server on the other side is the one that MUST have the entry to resolve a domain to your WAN IP. In your case by the absolute subdomain entry. You can not simply add a sub-level in front of the subdomain level and expect it to work without having created a wildcard domain entry that covers it.
  • DNS resolvers are responsible for name resolution. You use Cloudflare as a DNS resolver. Resolvers can be chained and typically cache entries to lower the load on the systems.
    • If you change an entry in your DNS server, it will take time to be propagated around the world. This can take minutes, hours, days - depending on multiple factors. For domains provided by DDNS the time span is typically within minutes.
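The two separate lookups this post (and the earlier explanation of explicit vs. wildcard records) keeps apart can be modelled in a few lines. The following is an added example, not code from the thread or from Synology: the zone data, proxy rules, IPs and backends are constructed sample values, and the wildcard logic follows the RFC 4592 "closest encloser" rule.

```python
"""Toy model of the two independent lookups the thread keeps separating:
1) the authoritative DNS zone: exact record first, then a wildcard (RFC 4592);
2) the reverse proxy: a plain text match on the Host header / SNI name.
All names, IPs and backends below are constructed sample values."""

# Constructed zone: only the names the owner actually created at the provider.
ZONE = {
    "my-domain.org": "203.0.113.10",          # WAN IP kept current by DDNS
    "test.my-domain.org": "203.0.113.10",     # explicit subdomain record
    "my-name.synology.me": "203.0.113.10",    # synology.me DDNS hostname
    "*.my-name.synology.me": "203.0.113.10",  # wildcard added by the DDNS service
}

def resolve(name, zone=ZONE):
    """Return the A record for name, or None for NXDOMAIN.

    An exact record wins. Otherwise walk up to the closest existing ancestor
    (the "closest encloser") and use its wildcard child, if one exists."""
    name = name.rstrip(".").lower()
    if name in zone:
        return zone[name]
    labels = name.split(".")
    for i in range(1, len(labels)):
        ancestor = ".".join(labels[i:])
        if ancestor in zone:                  # closest encloser found
            return zone.get("*." + ancestor)  # its wildcard, or NXDOMAIN
    return None

# Constructed proxy rules: (source hostname, port) -> backend, as in the RP UI.
RULES = {
    ("test.my-domain.org", 443): "http://192.168.1.20:8080",
    ("app.test.my-domain.org", 443): "http://192.168.1.21:3000",
    ("bla.my-name.synology.me", 443): "http://192.168.1.22:9000",
}

def route(host_header, port=443, rules=RULES):
    """The proxy never consults DNS: it compares the Host/SNI text to its rules."""
    return rules.get((host_header.lower(), port))

def reachable(fqdn, port=443):
    """Both steps must succeed. If the client's resolver returns NXDOMAIN the
    request is never sent, so a matching proxy rule cannot help."""
    if resolve(fqdn) is None:
        return "NXDOMAIN: request never leaves the client, proxy rule is irrelevant"
    return route(fqdn, port) or "resolved, but no proxy rule matched this hostname"

if __name__ == "__main__":
    for host in ("test.my-domain.org", "app.test.my-domain.org",
                 "bla.my-name.synology.me"):
        print(f"{host:28} -> {reachable(host)}")
```

Running it shows app.test.my-domain.org failing at the DNS step even though an RP rule for it exists, while bla.my-name.synology.me succeeds only because the wildcard record covers it.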
 
Did you create that subdomain?
== No, because in my opinion that should be handled by RP.

I suspect this is your problem. At whichever provider is handling your DNS resolution, you need to create a subdomain (a CNAME record) that points to your domain. So, for example, apps.yourdomain.com would point to yourdomain.com. Or, use a wildcard subdomain. (But I'd strongly suggest using the former method.) Neglecting to do so would cause a lot of DNS servers to not be able to find apps.yourdomain.com. In fact, I'm surprised that ANY of them can.
 
@OP: did you finally manage to get it working?
Because I have wanted to have my nginx proxy manager working for a long time, I tried a couple of times with no success, so I had some pages on that topic still open (inc. this one).
I don't know what happened in my mind, but I did a fresh install and had it working in just minutes.

My setup in detail :

I have a DDNS from synology pointing to the nas or the router
I have a domain hosted at IONOS, and a verified star certificate (example.com)
I already have some subdomains created on that domain (toto.example.com)
I configured it with just a CNAME pointing to my DDNS
I installed a fresh install of Nginx proxy manager
On the router, I forwarded all incoming traffic on ports 80 and 443 to the docker host IP (nginx PM needs to run on the legacy 80/443 ports)
I have added a simple proxy host on NPM, with: host : toto.example.com > destination : docker IP > port : container port
In the SSL tab, I have added my certificate, so I can enable https on all containers that support it

And voila :)

The key thing where I previously failed is that I wanted to keep the public port 80 from being available. I suppose this is the main issue I had, because everything was straightforward when it worked.
 