Make your services and docker containers available on your own subdomain.

In this guide we will expose services and/or docker containers on a subdomain. This means exposing a service or docker container to the internet, which we will secure with a TLS (SSL) certificate.

Prerequisites

Note: In order to obtain a certificate, external access must be configured, and your router must forward all HTTP and HTTPS traffic from your public IP to your Synology. This is required because Let's Encrypt uses this to check that you are the valid owner of the domain in question.

Guide

To make either a service or a docker container available on a subdomain, there are 3 steps which must be completed. This tutorial provides step two twice: once for when you want to configure a Synology service and once for when you want to configure a docker container to be available on a subdomain.

In this guide we will be using the domain name mynas.diskstation.me with the subdomain service. The FQDN (Fully Qualified Domain Name) will be service.mynas.diskstation.me. Please replace this with your own.

Real world example: portainer.mynas.diskstation.me

Step 1: Get a Certificate

We want our service to be secure, so the website of the Synology server which we will be exposing, or the website served by a docker container, will be secured by an HTTPS connection with an official certificate.

We will be using Let's Encrypt as the certificate provider. This means that our certificate will be official and that every browser will recognize it as valid.

The certificates obtained from Let's Encrypt are valid for 90 days. Don't worry, Synology DSM will automatically renew the certificate before its expiration date.

So let's start.

  1. Log in to DSM as an administrator
  2. Open Control Panel
  3. Open Security
  4. Go to tab Certificate
  5. Choose Add
  6. Choose Add a new certificate
  7. Click Next

8. Choose Add a new certificate

9. Type a description: either enter a description or put in the complete domain name. The description can be omitted.

10. Select Get a certificate from Let's Encrypt

11. Click Next

12. Enter the full domain name into Domain name:

13. Enter an email address where you want to receive notifications from Let's Encrypt about certificate expiration. Entering an email address is required.

14. Optional: Subject Alternative Name. With this option you can create a certificate that is valid for multiple domains. This can be used when you want multiple subdomains to redirect to the same service and all of them to use the same certificate. Multiple domains must be separated with a semicolon (;).

Example multiple domains

Domain Name: admin.mynas.diskstation.me

Subject Alternative Domains: management.mynas.diskstation.me;dsm.mynas.diskstation.me

This certificate will be valid for the following domain names:

  • admin.mynas.diskstation.me
  • management.mynas.diskstation.me
  • dsm.mynas.diskstation.me

15. Click Apply
This will issue the certificate from Let's Encrypt

The certificate will be issued and appear in the Certificate overview tab of the Control Panel.

If you have requested a certificate for a Synology service go here:
Step 2: Configure a Synology Service

If you have requested a certificate for a docker container go here:
Step 2: Configure a Container

Step 2: Configure a Synology Service

  1. Open Control Panel
  2. Open Application Portal
  3. Go to tab Application
    This tab lists the Synology applications which you can expose externally. In this example we will be configuring Video Station to be available on a subdomain. This means that in the previous step we would have acquired a certificate for video.mynas.diskstation.me
  4. Uncheck all options
  5. Select Enable customized domain
  6. Enter your domain name: video.mynas.diskstation.me
  7. Enable HSTS for additional security
  8. Optional; you can configure the login screen on the tab Login Style
  9. Click OK

In order to be able to access it, we now assign our requested certificate to this service. Jump to Step 3: Assign Certificate to do so.

Step 2: Configure a Container

Configuring a docker container is a little bit different than configuring a built-in Synology service. To achieve what we want, we must use a reverse proxy.

We will manually create the domain name and tell it where the traffic must go. Several guides I've already written or will write in the future will use this to expose a docker container on a subdomain.

But for this guide, we will be exposing the Synology DSM as dsm.mynas.diskstation.me. Currently you're probably logging into your NAS with an address which looks like: http://x.x.x.x:5000

Let's change this to dsm.mynas.diskstation.me

  1. Open Control Panel
  2. Open Application Portal
  3. Go to tab Reverse Proxy
  4. Click Create

Description: DSM

Source:

  • Protocol: HTTPS
  • Hostname: dsm.mynas.diskstation.me
  • Port: 443

Destination:

  • Protocol: HTTP
  • Hostname: localhost
  • Port: 5000

Change the Source hostname, Destination hostname and Destination port to where you want the traffic to go. In the case of a docker container, this will be the container IP and port where the application or website is running.

Other guides will provide this information and reference this guide.

Optionally you can activate HSTS for more security.

Websockets: If you are running an application in a docker container which requires websockets, then you must set additional headers on the reverse proxy.
This can be done by going to the tab Custom Header, clicking the arrow down next to Create and selecting WebSocket. This will create the following headers:

Header Name    Value
Upgrade        $http_upgrade
Connection     $connection_upgrade

5. Click OK

Your reverse proxy is now configured. Go to Step 3: Assign Certificate to assign a certificate to this newly created subdomain.

Step 3: Assign Certificate

  1. Open Control Panel
  2. Open Security
  3. Go to tab Certificate
  4. Click Configure
  5. Find the service or reverse proxy you want to configure with a certificate
  6. Use the dropdown menu on the right of the service / reverse proxy entry to select the certificate you want to assign.
  7. Click OK

Now you can access your service or container on https://service.mynas.diskstation.me and your browser will not complain about an insecure connection or an invalid certificate.
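To confirm the result of the three steps, the following added example (not part of the original guide and not Synology code) checks that the certificate served for a subdomain covers that name, is not close to expiry, and that HSTS is sent. The function names, the 14-day threshold and the sample certificate and header values are assumptions made for illustration; the sample reuses the Subject Alternative Name example from Step 1.

```python
import http.client
import ssl
from datetime import datetime, timezone
# Constructed sample in ssl.getpeercert() format, using the guide's SAN example.
SAMPLE_CERT = {
    "subjectAltName": tuple(("DNS", f"{p}.mynas.diskstation.me")
                            for p in ("admin", "management", "dsm")),
    "notAfter": "Jun 30 12:00:00 2025 GMT",
}
SAMPLE_HEADERS = {"Strict-Transport-Security": "max-age=15768000"}  # constructed

def name_matches(pattern, host):
    """Exact match, or a wildcard that covers exactly one left-most label."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return pattern == host

def days_left(cert, now=None):
    now = now or datetime.now(timezone.utc)
    expires = ssl.cert_time_to_seconds(cert["notAfter"])
    return (datetime.fromtimestamp(expires, timezone.utc) - now).days

def audit(cert, headers, host, min_days=14, now=None):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not any(name_matches(n, host) for n in sans):
        findings.append(f"certificate does not cover {host}")
    if days_left(cert, now) < min_days:  # min_days is an assumed threshold
        findings.append("certificate close to expiry; check automatic renewal")
    hsts = {k.lower(): v for k, v in headers.items()}.get("strict-transport-security", "")
    if "max-age=" not in hsts.lower():
        findings.append("no Strict-Transport-Security header; HSTS is not enabled")
    return findings

def fetch(host, port=443):
    """Live lookup: (certificate dict, response headers) for https://host/."""
    conn = http.client.HTTPSConnection(host, port, timeout=10)
    conn.connect()  # raises ssl.SSLCertVerificationError on an invalid certificate
    cert = conn.sock.getpeercert()
    conn.request("HEAD", "/")
    headers = dict(conn.getresponse().getheaders())
    conn.close()
    return cert, headers

if __name__ == "__main__":
    when = datetime(2025, 5, 1, tzinfo=timezone.utc)  # fixed date for the sample
    print(audit(SAMPLE_CERT, SAMPLE_HEADERS, "video.mynas.diskstation.me", now=when))
```

Against your own NAS, call `audit(*fetch(host), host)` with your FQDN; a subdomain that was never added to the certificate fails inside `fetch` with a verification error instead of returning findings.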

I hope you enjoyed this guide.