Make your services and docker containers available on your own subdomain.
In this guide we will be exposing services and or docker containers to a subdomain. This will mean exposing a service or docker container to the internet, which will will secure with a TLS (SSL) certificate because of security.
Table of Contents
Prerequisites
Note: In order to obtain a certificate, external access must be configured, and your router must forward all HTTP
and HTTPS
traffic from your public IP to your Synology. This is required because Let's Encrypt
uses this to check that you are the valid owner of the domain in qeustion.
Guide
To configure either a service or a docker container to be available on a subdomain, their are 3 steps which must be completed. This tutorial provides step two, twice on for when you want to configure a Synology service and one when you want to configure a docker container to be available on a subdomain.
In this guide we will be using the domain name mynas.diskstation.me
with the subdomain service
. The FQDN (Fully Qualified Domain Name) will be service.mynas.diskstation.me
. Please replace this with your own.
Real world example: portainer.mynas.diskstation.me
Step 1: Get a Certificate
We want our service to be secure, so the website of the Synology server which we will be exporting or the website serviced by a docker container will be secured by a HTTPS connection with a official certificate.
We will be using Let's Encrypt
as certificate provider, this will mean that our certificate will be official and that every browser will recognize it as valid.
The certificates obtained from Let's Encrypt
are valid for 90 days, don't worry, Synology DSM will automatically refresh the certificate before it's expiration date.
So lets start.
- Login into DSM as an administrator
- Open
Control Panel
- Open
Security
- Goto tab
Certificate
- Choose
Add
- Choose
Add a new certificate
- Click
Next

8. Choose Add a new certificate
9. Type a description, either enter a description or put in the complete domain name, the description can be omitted.
10. Select Get a certificate from Let's Encrypt
11. Click Next

12. Enter the full domain name into Domain name:
13: Enter a email address, where you want to receive notifications from Let's Encrypt
about certificate expiration. Entering a email address is required.
14. Optional, Subject Alternative Name
with this option you will be able to create a certificate that will be valid for multiple domains. This can be used when you want multiple subdomains redirect to the same service and all of them use the same certificate. Multiple domains must be separated with a semicolon ;
Example multiple domains
Domain Name: admin.mynas.diskstation.me
Subject Alternative Domains: management.mynas.diskstation.me;dsm.mynas.diskstation.me
This certificate will be valid for the following domain names:
- admin.mynas.diskstation.me
- management.mynas.diskstation.me
- dsm.mynas.diskstation.me
15. Click Apply
This will issue the certificate from Let's Encrypt

The certificate will be issued and appear in the Certificate
overview tab of the Control Panel
.
If you have requested a certificate for a Synology service go here:
Step 2: Configure a Synology Service
If you have requested a certificate for a docker container go here:
Step 2: Configure a Container
Step 2: Configure a Synology Service
- Open
Control Panel
- Open
Application Portal
- Goto tab
Application
This tab will list the Synology applications which you will be able to export externally. In this example we will be configuringVideo Station
to be available on a subdomain. This would mean that in the previous step we would have aquired a certificate forvideo.mynas.diskstation.me
- Uncheck all options
- Select
Enable customized domain
- Enter your domain name:
video.mynas.diskstation.me
- Enable
HSTS
for additional security - Optional; you can configure the login screen on the tab
Login Style
- Click
OK

In order to be able to access it we now assign our requested certificate to this service. Jump to Step 3: Assign Certificate for doing so.
Step 2: Configure a Container
Configuring a docker container is a little bit different then configuring a built-in Synology service. In order to achieve what we want, we must use something which is called a reverse proxy.
We will be manually creating the domain name, and tell it where it must go. Several guides I've already written or will write in the future will use this to export a docker container to a subdomain.
But for this guide, we will be exporting the Synology DSM as dsm.mynas.diskstation.me
. Currently you're probably logging into your nas with an address which looks like: http://x.x.x.x:5000
Let's change this to dsm.mynas.diskstation.me
- Open
Control Panel
- Open
Application Portal
- Goto tab
Reverse Proxy
- Click
Create
Description: DSM
Source:
- Protocol:
HTTPS
- Hostname:
dsm.mynas.diskstation.me
- Port:
443
Destination:
- Protocol:
HTTP
- Hostname:
localhost
- Port:
5000
Change the Source hostname
, Destination hostname
and Destination Port
to the destination where you want the traffic to go, in case of a docker container this will be the container IP and Port where the application or website is running.
Other guides will provide this information and reference this guide.
Optionally you can activate HSTS
for more security.
Websockets: If you are running an application in a docker container which requires websockets, then you must set additional Headers on the reverse proxy.
This can be done by going to the tab Custom Header
, click the arrow down next to Create
and select WebSocket
this will create the following headers
Header Name | Value |
---|---|
Upgrade | $http_upgrade |
Connection | $connection_upgrade |
5. Click OK
Your reverse proxy is now configured, goto Step 3: Assign Certificate to assign a certificate to this newly created subdomain.
Step 3: Assign Certificate
- Open
Control Panel
- Open
Security
- Goto tab
Certificate
- Click
Configure
- Find the service or reverse proxy you want to configure with a certificate
- Use the dropdown menu on the right of the service / reverse proxy entry to select the certificate you want to assign.
- Click
OK
Now you can access your service or container on https://service.mynas.diskstation.me
and you're browser will not complain about insecure connection or an invalid certificate.
I hope you enjoyed this guide.