Synology Reverse Proxy revisited (again..)

Work is taking too much time, so I haven’t updated the blog for a long time. Anyway a series of quick posts are on the publishing queue, and this is one of the first ones.

In February, my single disk installed in my Synology DS212 failed, after working for 7 long years. It still does work, but the bad sector error count is too high, and so can’t be used on the NAS anymore.

Anyway, this means that I needed to replace it, and this time I replaced it with two disks for RAID 1, instead of using a single disk on the NAS.

So why the long introduction?

Well installing new disks implied I needed to do a full DSM install from scratch which meant that several things changed from the previous DSM version that I had and be upgraded along, as the years passed by.

One of such things that changed, for the better, was the reverse proxy support using nginx and dropping the Apache http server use as the reverse proxy.

While reverse proxy now is supported out of the box on the Application portal, it only works for sub domain sites. For example If I want to reverse proxy Audio Station, it is quite easy to do it on the Control Panel -> Application Portal. The same is true for reverse proxy any other service running on the network. An example of such configuration is in this post: DSM 6.0 Reverse Proxy

What is not still able to do on the DSM interface is to map URL paths to other servers as I’ve explained on this post: Reverse proxy for URL paths. For example mapping the path /api to a back end server from the main Synology site.

Still, it is quite simple to do, and here are the instructions.

  1. First we need to have ssh or telnet access to the DSM. Of course recommendation is to use ssh.
  2. We need to change to this directory: /usr/local/etc/nginx/conf.d
    root@DiskStation:/usr/local/etc/nginx/conf.d# pwd
    /usr/local/etc/nginx/conf.d
    
  3. Now we create in this directory a file that must have the following naming convention: www.our_name.conf.
    For example, let’s create the following file, named

    www.rproxy.api.conf

    with the following content:

    location ~ /api/ {
      proxy_pass http://192.168.4.20:3001;
    }
    

    This means that on the main Web Station site, the /api is passed out to the above server, in this case the http://192.168.4.20:3001.

  4. We save the file and test now the configuration:
    root@DiskStation:/usr/local/etc/nginx/conf.d# nginx -T > /tmp/nginx.conf
    nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
    nginx: configuration file /etc/nginx/nginx.conf test is successful
    

    We can check the file /tmp/nginx.conf to see if there are no errors, and if the above configuration is in the file.

  5. So all we need now is to restart the nginx server:
    nginx -s reload
    

And that’s it, our Web Station URL path /api should be redirected to the back end server.

Advertisements

21 thoughts on “Synology Reverse Proxy revisited (again..)

    1. Id does matter. The name used most point to your public IP. As long that the domain is registered, it can be anything, even the www ca be other thing, like, for example: subsite.site.com

  1. I followed every step and tested the syntax of my .conf is correct. However, I can’t access the web service I’m pointing to. Is that because I’m using subdomain like my.synology.me?

    Actually I found even using the GUI of Synology reverse proxy, I can only use port 443 forhttps and port 80 for http . Other custom ports all failed

    Is this method still work on latest DSM? Thanks!

    1. Hi, as far as I’m aware it still works, and I’m using it.

      Make sure that for testing use a device outside of your network, like a 4G connected mobile phone to test, since it might not work as expected when using your internal network.

  2. Hi, first of all, thank you, great help.
    I ve done the complete tutorial and same problem, my sintax is correct, i use a subdomain, but using http from outside my intranet is not possible to achieve the local ip:port/home.

    Any ideas please ?
    I m sure the subdomain is pointing to my serer cause i ve created a CNAME on my domain/subdomain config on my provider.

    Thanks again and congratultions

  3. Finally achieved at 75% !
    What i ve done:

    1. create the file with name: subdomain.domain.com.conf folowing the sample you pominted
    2. Add a Reverse proxy entry on DSM:
    HTTP
    subdomain.domain.com
    80

    http
    localIP
    PORT

    And works !
    Now I would like to be able to do a https on SOURCE, and http on Destination…. To do this, i ve created a LEtsEncrypt Certificate to subdomain.domain.com.

    I ve changed Reverse Proxy:
    HTTPS
    subdomain.domain.com
    443

    http
    localIP
    PORT

    But this time does not work… any ideas please ?

    1. Hi, it should work. We can use the Synology reverse proxy as a HTTPS frontend and the backend servers be at HTTP standard 80 port. That is how I use it. Use the let’s encrypt certificates for the frontend but all the servers at the backend are plain HTTP. So, on the second case, is PORT defined as 80 or 443? It should be an HTTP port and not a HTTPS port, except if you also have HTTPS enabled on the backend.

      1. The Destination Port is 8181, and it is HTTP connection. The redirection is to a service called Tautulli (plexpy). As you say, I use often VPN, so all my services inside my net ara http… I have tested this idea with DSM (using as destination port 5000-HTTP), and works… I dont know why isn’t working now…the only parameter that is suspicius is the destination ip, is not localhost, is 192.168.1.12…but it shoud work right ?

        I ll try to figure out what the hell is happening…keep yoou informed ! If someboady has an idea please don’t hesitate to write here !
        Thanks in advacne

  4. Definetly not working for me… maybe missing something, but text config file on /usr/local/etc/nginx/conf.d looks like it doesn’t matter if its created or not. How can i be sure that this file is “read” by Nginx ?

    1. Either in new releases the nginx server changed the way where it pick ups files or there is a syntax error on your files that makes them unloadable. Did you check it with the nginx -T command ?

  5. I ve been googleing and finally i have some questioins :
    If you look at this folder :
    /etc/nginx/app.d/

    There is a file called: server.ReverseProxy.conf

    I ve seen this has the Nginx config of all Reverse PRoxies created on DSM…. i ve tried to modify the location line, including this:

    location ~ /PATH/

    With no success… (logically if done a nginx -s reload after each change on the file)

    Anyone can help with this ??

    There is a file called: server.ReverseProxy.conf

    I ve seen this has the Nginx config of all Reverse PRoxies created on DSM…. i ve tried to modify the location line, including this:

    location ~ /PATH/

    With no success… (logically if done a nginx -s reload after each change on the file)

    Anyone can help with this ??

      1. Yes, any change done using the DSM UI overwrites the file, but only if you modify any Reverse proxy “entry” on the DSM form.
        I m not sure what else to try… any suggestion would be listen.

  6. hmm I got things kind of working by only using the application portal.
    But that redirects Everything to one and only one server…
    In synology dsm you can assign a dns-name to your NAS, like myhost.synology.me.

    I just opened the application portal, selected the reverse Proxy tab and typed myhost.synology.me as source host name and port 80. And for target hostname I typed localhost and port 7070(tomcat).

    And it works, but I guess its not possible to redirect different /contextroots to different servers if not creating multiple dns-hostnames. Would be cool to be able to write myapp.synology.me to redirect to localhost:7070/myapp.

    I guess this breaks some services like /photo etc :/

    But I could never get the stuff in the article to work 😦

  7. It seems like this page helps alot: https://forum.synology.com/enu/viewtopic.php?t=119672

    So open up /etc/nginx/app.d/server.ReverseProxy.conf.

    Edit the line:
    location / {
    ….

    with
    location /myapp {

    proxy_pass http://:;

    restart nginx.

    He mentions that a scheduling task should be created to copy the reverseproxy file from home-dir everytime nas reboots, apparently it is overwritten at reboot.

    But it seems to work.
    /randomstuff gives me a dsm web server 404
    while
    /myapp redirects to my tomcat and shows my app.

  8. Can’t really help on your setups, but two things:

    – First I didn’t modified any Synology file. I’ve just added a NEW file with the required configuration. Modifying Synology files, is asking for trouble, on reboot/updates, new configurations…

    – Second Nginx configuration is related to nginx itself, not specific to Synology, so any issues, if the configuration files are correctly loaded is a nginx configuration failure. But still being a Synology implementation, it might be not be possible to do everything that we can do with standalone nginx.

    So as a fact, with the above post, that is over an year old, and with several DSM updates, reboots, it just works with no issue whatsoever.

  9. Hi, this seems to be a rare place where people are trying to do reverse proxy for local host services in virtual hosts, other ports, and internal machines or URLs inside and outside one’s nextwork, it would be super cool and useful to do an updated article / blog post on how to configure DSM with each of these scenarios. If given the right direction for each one, I’d be happy to co-write or help test this out. I’ve been trying to do it with a bunch of techniques and it’s burned a bunch of time.

    1. Hi, thanks for the input and helping out on a article co-write.

      The fact is that my opinion of using the Synology NAS itself (or other NAS ) where my data is stored, to be the entry point for my services is making me nervous. Any failure on NGINX security may affect or impact the NAS.

      So right now I’m moving out the reverse proxy and sites from the NAS to docker based containers running on Odroid/RPI. I can spin up containers for providing those services, and in case of attack, just delete and restart the container from a secured image.

      Also with the use of Docker containers, other alternatives to Nginx, namely Traefik that also has LE certificate support, is a better solution in my opinion.

      So in short, I’ll probably won’t mess anymore with Synology Reverse Proxy configuration, and I’ll do it everything outside.

Leave a Reply to PrimalCortex Cancel reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.