Synology Reverse Proxy with DSM 6.0

The latest Synology DSM 6.0 version now supports reverse proxy configuration out of the box, so there is no need to build and edit internal configuration files. Everything can now be done from the DSM web frontend.

To configure the reverse proxy we need to go to the DSM web application, select the Control Panel and then the Application Portal icon:

Application portal Configuration

We can see that I already have some applications configured, with their internal HTTP ports defined. For example, the Notes application is accessed internally by the URL http://diskstation:9350. Note that I haven’t defined an HTTPS port because I’ll use the reverse proxy as the HTTPS frontend.

So we take note of the ports for the applications that we want to make available at the reverse proxy, in my case the port 9350 for the Notes application, and create a new reverse proxy configuration by selecting the Reverse Proxy tab and pressing the Create button:

Notes Reverse Proxy Configuration

Take note of the following:

– I’m using one of the available domains provided by synology
– The Synology domains, at least the supports sub-domain wildcarding.
– So I can have the as my main domain
– And I can have all subdomains below the, like, for example,

So I will make the Notes application available at the and that is the hostname that I need to define under my reverse proxy configuration.

So with the above rule all requests to will be routed to the localhost server running on the port 9350…

And that’s it. Just make another set of rules for the other applications under their own sub-domains.

Edit: The following configuration shows the Note Station, File Station and Video Station reverse proxy configuration that allows those “apps” to be accessible from the external IP. Note that this means that port 80 (plain HTTP, if used) and port 443 (HTTPS) must be forwarded on the router configuration to the Synology internal IP:


In my case only HTTPS is used, so I’ve not forwarded the port 80 from the external interface of the router to the Synology.

Edit: For reverse proxy URL paths, instead of full sites, this post explains how to do it in the latest DSM version.

41 thoughts on “Synology Reverse Proxy with DSM 6.0”

  1. Hello, 10x for your article.
    i got what you wrote but i couldn’t make it work on my synology
    maybe i missed some steps

    can you please tell me exactly what to do?
    here is my config

    i have dsm 6 7321 update 3
    i have static white ip address (for example which goes to my router
    i have A dns record to this ip address ( –
    synology behind NAT (
    i changed default internal dsm ports from 5000 to 5015 and 5001 to 5016 for https
    i have web station packet without any settings (clear install)
    my router is asus rt-n66u
    usually i make port forwarding for cctv and other things on synology, but now i want to use only reverse proxy
    is it possible to use only reverse proxy and delete all port forwarding setting on router?

    i want DSM and Filestation be accessible from WAN (from external places like hotels, airports and other places where all ports except 80\443 are closed) using reverse proxy.
    can you help me?
    or portforwarding port 5016 (synology dsm) to 443 on my router make the same thing that i want or it is absolutely different things?
    thanks for your time

    1. Hi: you only need one (or two) forward rules on your router: From the external IP to the Synology internal IP, and to ports 80 and 443 (HTTP and HTTPS).
      Now you need on the DNS define a name for each service that you want to reverse proxy, for example:,,, and so on. All entries use the same external IP, so, for example: points to and also points to, and so on.

      The reverse proxy will receive the request and redirect to the internal synology service based on the domain name, so you must create a rule for reverse proxying the domain name to localhost port 5000, another rule to reverse proxy the domain to localhost port 7700 (for example, and so on).

      So after this configuration the router rules don’t need to be modified in any way, just add the domain and IP address on the DNS and create the reverse proxy rule.

      Hope this helps.

      1. thanks again.
        now i finally get the idea.

        but it doesn’t work for 80\443 using web ui.
        maybe you know how to edit nginx\apache using CLI (telnet\ssh)
        web ui doesn’t allow you to use 80\443 in dsm 6-7321 update 3 and even if you will be able to insert these numbers – it will not work
        but i try to use for example 5050 for dsm, reverse proxy to 7000 (filestation), open only 5040 on router and it works.
        so method is working but not for 80\443
        i think it can be done by editing conf files but i don’t know how to make it and how to make it safe (not to ruin web ui of dsm totally)

        thank you

  2. Hi, yes it works for the port 80 and 443 at the web ui. You must write 80 or 443 on the port box. It’s a UI design error. Just make sure that the domain name is the one specified on the A record DNS.

    1. yeah, already try.
      i record a video, if you want i can upload it to youtube- you will see that it doesn’t work.
      but i am absolutely sure that it doesn’t work in this version of firmware dsm 6 7321 update 3. i update from 4.2 to 6 update 2 than update 3
      maybe you have earlier version or beta of dsm6 where you made this trick
      so i define 80 or 443, type my domain and other necessary things (localhost with port 5050 for dsm). after i close this window with settings – i don’t see port 443 or 80 near string with my domain (http://test.mydomain), but i see https:// localhost:5050
      but if change 80 or 443 to something else, for example 5040 and my domain, and localhost 5050 – everything works as it should, also i need open 5040 (source\destination) on my router to make it work.
      if it was 80\443 i need only to open this two ports and use subdomains to work as i want.

      so it seems like i need to manually edit conf nginx\apache files.

      or if i want only dsm to be accessible by 443 i will port forward 5050 to 443 and that’s it. but in this case i won’t be able to use my synology as a web server with https

      1. Strange. I’m pretty sure that I’m also at the same DSM level as you. I’ve never used the betas.

        I have the “normal” web station available at the external IP port 443, and also at the same external IP and port 443 the note station as shown above on the screenshots.

  3. Ok. Both of your configurations are right but each one is for a different scenario. The first configuration redirects to localhost:5015 and the second configuration redirects to localhost:5015. In this last case you have to open the port 7979 on the router and forward it to the synology port 7979… On the first case the 443 port isn’t needed to be added to the url since it’s the default https port. Still you need to have a rule forwarding the port 443 from the router to the synology.

    As I’ve said you only need to open and redirect ports 80 and 443 on the router. Then you can add all the rules to map domains to local ports as your first case, to the internal services.

    You may have problems testing *inside* from your network, try from outside, for example by mobile phone.

    Also see my last screenshot that I’ve added to show my full configuration. It works fine and the only thing that I have is a rule on the router forwarding the port 443 from the external router interface to the port 443 of the synology device.

    1. ok thank you for your time and attention to my question
      i will try soon and give you info

      i am already outside
      trying different combinations (over vpn or by static ip, over vpn – when i lose connection to my nas due to changing port forwarding settings on router)
      i have access to router and synology and can do port forwarding and other stuff from outside

      thank you

    2. lol i am

      everything works
      shame on me

      what do you think about performance? is it slow or the same for working with files using reverse proxy?

      thank you very much

      1. Glad it worked!

        Regarding speed, so far, for me it is the same. It really depends more on your upload speed than anything else. I can’t complain since I have 5Mbits/s…

      2. i see

        i have 100\100

        dream about gigabit speeds

        thank you
        it s a cool trick
        you help me so much
        its cool when people sharing that kind of info

        now i have what i want

        but there are more things i want to know

        maybe you know something about it and if you have time or good mood, can you please look through my question below

        i want to type in address bar only domain name (for example i want to share my link with somebody without explaining “you need to type https before my domain”). just domain like

        like and automatically redirect to
        when you type – internet browser automatically set http but i don’t have anything on http (80 port)

        but second time in the same browser when i manually type it redirects me to and that is ok
        but if i reset browser with deleting cache cookie etc – the same thing. so i guess people to whom i will give my link without https wouldn’t be able to access my synology dsm and etc

        how to make it work for the first time only by domain name
        i try different combinations hsts\ redirect http to https in dsm settings – it only works in intranet

        maybe apache\nginx need to be configured or some kind of rules on a router?

        and what about fav.ico – can i change fav.ico for dsm\filestation? now there is fav.ico – |blue DSM|

      3. The only way that I see you can change from the HTTP to HTTPS without modifying the nginx configuration files is to create for each site on HTTP a single page that the only content is to redirect to HTTPS.

      4. made it

        create virtual host in web station
        choose only 80 port
        name of my domain
        choose web folder
        choose apache instead of nginx
        in web folder (empty) just insert htaccess with Redirect 301 /

        open 80 port for synology

        everything works ok

        if i delete htaccess file – and go – i will get standard error from synology web station that nothing here

        so i think i made it right

        now i need only to type – and automatically go to https
        i’ve tested all browsers i have- clean cache history and etc
        after this – still works

        thank you

      5. yes you do
        and i also made a favico
        change standard favico of blue dsm to my own
        if you interested i will tell you step by step how to do this
        and you can rephrase my words in your style and put it in your blog

      6. Hi, thanks, Just put it on the comments, if you want, then all the people can read it with the proper author associated.

  4. Hi, sorry to resurrect an old thread! Trying to use a reverse proxy to access another server in my lan. Is this possible? I’ve set up my source like:, destination like

    I have a port forward on my router for all 443 to go to my syno ip on the port set by in the syno network>dsm settings

    Whenever I try to access my via, all i get is dsm login screen – any thoughts?

    Any help gratefully received 🙂

      1. It seems you are right. I did a small test, and the reverse proxy only works for Synology hosted services… Rather strange. The reverse proxy uses the nginx server while there is also the Apache server that really serves the sites. So nginx is only the frontend. You might want to see my other posts regarding the virtual sites for DSM, and that will work for sure.

  5. Thanks for the guide. I followed this as a test to allow access to my Download station on internal port 8000 (http). I have a valid LE cert for my domain and I can login to the admin console and get a valid cert. If I try to access, I get a cert error and am required to make an exception in FF to move forward. Do you know how to fix this? I thought the one cert would allow me to certify all subdomains.

  6. The certificate error can be solved by two different ways: The first is on the default certificate, on the Subject Alternate name to add all the required domain names. Not sure if the alternate domain name * works (with the wildcard), but it is something easy to test.
    Another way is to add a new certificate specifically for the new site. Just go to Control Panel -> Security -> Certificate and add a new LE certificate. After that, select the certificate, press configure and associate the certificate to the required domain name. This is how I have it configured.

    Hope this helps.
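
An added example (not part of the original post or its comments) of the name check behind this certificate error: a browser accepts a certificate only if the requested hostname matches one of its Subject Alternative Name entries, and a wildcard entry stands for a single left-most label. The hostnames and sample certificates are constructed placeholders, and the dictionaries follow the shape returned by Python's `ssl.SSLSocket.getpeercert()`.

```python
# Added example: which reverse-proxy hostnames does a certificate cover?
# All names below are constructed placeholders, not the page's domains.

def _labels(name):
    """Split a DNS name into lower-case labels, ignoring a trailing dot."""
    return name.rstrip(".").lower().split(".")

def san_matches(hostname, pattern):
    """True if one SAN dNSName entry covers hostname (RFC 6125 style).

    A wildcard counts only as the whole left-most label and stands for
    exactly one label.
    """
    host, pat = _labels(hostname), _labels(pattern)
    if len(host) != len(pat):
        return False              # wildcard never spans several labels
    if pat[0] == "*":
        if len(pat) < 3:
            return False          # refuse over-broad entries such as *.net
        return host[1:] == pat[1:]
    if "*" in pattern:
        return False              # partial / inner wildcards are rejected
    return host == pat

def dns_sans(cert):
    """DNS entries from a dict shaped like ssl.SSLSocket.getpeercert()."""
    return [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]

def uncovered_hosts(proxy_hosts, cert):
    """Reverse-proxy hostnames a browser would reject for this cert."""
    sans = dns_sans(cert)
    return [h for h in proxy_hosts
            if not any(san_matches(h, s) for s in sans)]

# Constructed sample data: one name per reverse-proxy rule.
PROXY_HOSTS = ["nas.example.net", "notes.nas.example.net",
               "download.nas.example.net"]
# Certificate for the main name only (assumed here to mirror the question).
MAIN_ONLY = {"subjectAltName": (("DNS", "nas.example.net"),)}
# Certificate that also carries a wildcard entry.
WITH_WILDCARD = {"subjectAltName": (("DNS", "nas.example.net"),
                                    ("DNS", "*.nas.example.net"))}

if __name__ == "__main__":
    print(uncovered_hosts(PROXY_HOSTS, MAIN_ONLY))
    print(uncovered_hosts(PROXY_HOSTS, WITH_WILDCARD))
```

Every hostname that `uncovered_hosts` returns needs either its own certificate bound to that reverse-proxy name or an additional SAN entry on the certificate already in use.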

  7. I’ve been using the same method and it works well but I can’t get it working for Surveillance Station.
    Every time I try to log in using the windows client it fails, am I missing something?

  8. Yeah I’ve tried that port, strange how everything else has always worked, might have to contact Synology then.

    1. I suppose so… never tried myself but nothing stops mapping your own domain to some other domain. But in this case the HTTPS certificate validation will fail since you are accessing the site through another name.
