How to use a Synology NAS as reverse http/https Proxy

Like most people i suffer from the one IP address on your home internet connection syndrome.
For normal people this is not a problem but geeks like us like to run their https sites and then this can be a pain on a single IP Address.
Now you think, a problem? Cmon…. So for the not so geekies, normally you can only run a single https site on one IP address. You simply only have one port 443 🙂
You can run your sites on a different port but that’s just ugly.

This problem can be simply solved by using a reverse proxy.

IC100149

In computer networks, a reverse proxy is a type of proxy server that retrieves resources on behalf of a client from one or more servers. These resources are then returned to the client as though they originated from the proxy server itself.[1] While a forward proxy acts as an intermediary for its associated clients to contact any server, a reverse proxy acts as an intermediary for its associated servers to be contacted by any client.

So you can set up a small linux machine that runs Nginx or HAProxy and that does the trick just fine for free. Even a nice Kemp loadmaster or F5 load balancer does this trick but then you have to have a big wallet and no wife 🙂

But.. Then i found out my Synology NAS can do this also and even stupid simple!
Synology build this functionality in it’s NAS software since DSM 6. Based on nginx.

So here is how you config a Synology as a reverse proxy.

In the control panel go to the application portal and click “reverse proxy”

Synology

Synology

Click “Create”

Now fill in the details:
You can either choose http or https as a protocol. Source is your external url you want the Synology to respond to and destination it the internal IP address of the machine you want to serve.

Screen Shot 2016-06-30 at 18.17.06

Now click on “OK”
You can do this as much as you need to. in my case i run my blog, a VMware Horizon environment and a Exchange server. all on HTTPS on port 443.

Screen Shot 2016-06-30 at 18.00.28

Next thing you need to do is add the appropriate certificates on the Synology for your https websites.

Screen Shot 2016-06-30 at 18.00.07

Synology expects you to import the certificate with a private key. if you have your PFX you can convert it with the beneath commands using openssl. With the new DSM you can also setup certificates with let’s encrypt! The renewal process will be done automatically every 3 months so no worries on that! Just be sure to put in all SAN domains.

export the private key file from the pfx file

openssl pkcs12 -in filename.pfx -nocerts -out key.pem

Export the certificate file from the pfx file

openssl pkcs12 -in filename.pfx -clcerts -nokeys -out cert.pem

Remove the passphrase from the private key

openssl rsa -in key.pem -out server.key

Use the cert.pem and server.key with your intermediate cert to get it imported.

Screen Shot 2016-06-30 at 18.25.26

When imported you need to go to configure and map the right certificate to the correct service.

Screen Shot 2016-06-30 at 18.00.17

And press “OK”

Now just simply map the port 443 in your router to your Synology and you are up and running! Multiple https sites on 1 IP address.

17 thoughts on “How to use a Synology NAS as reverse http/https Proxy

  1. Ferry

    Great blog post!
    This helped me a greatly.
    Was trying to set it up using a Kemp LB but this is much easier to accomplish!

    thanks a lot!

    Reply
  2. pl0xs

    My reverse proxies do not show up as a service when I go to configure the certificate.

    Reply
  3. Pingback: How to create a Let’s Encrypt wildcard certificate on a Synology NAS – vDrone

  4. icarus

    can you start up your apps using reverse proxy?
    for example if you want to start dsaudio with audio.vdrone.nl

    I use an linux client for reverse proxy and was trying to get this to work…. in the browser it’s working fine but the DSaudio app wouldn’t connect

    Reply
    1. LaurensvanDuijn Post author

      Yeah works fine here but add the correct port for app usage. Different port!

      Reply
          1. icarus

            the strange thing is I’ve tried 5000 (I’m in testing phase of reverse proxy) this should be the http port, but that wasn’t working.
            so I tried 5001 and it worked audio.example.com is working, did some more testing and disabled port forward to 5001 in my router and it wasn’t working again.
            so for some reason it still needs a port forward what isn’t the intended solution….

            thanks for the help anyway

          2. LaurensvanDuijn Post author

            The apps are coded to use the ports unfortunally

  5. trev

    I simply cannot get this to work with https. Http is not a problem, but everytime I try with HTTPS, I get an error that the server has unexpectedly closed the connection. ANy advice on how to get this to work with HTTPS?

    Reply
  6. adam

    For cert usage – use the wildcard cert feature from Let’s Encrypt – then there is no need to map individual certs at that point for any service running on your synology.

    i.e. – you have plex is running on 32400 on your synology, you would typically need to go to your synology.domain.com:32400 to get to plex
    – you own a domain called mydomain.com, along with a wildcard cert for mydomain.com already installed on your Synology

    1. go to your router and map the hostname to your IP

    set system static-host-mapping host-name plex.mydomain.com inet {ip address of synology running plex]
    set system static-host-mapping host-name plex.mydomain.com alias plex

    2. open your browser and go to https://plex.mydomain.com INSTEAD of https://synology.domain.com:32400

    Plex will open (and use the wildcard cert already installed for ) – no need for individual certs and the admin overhead for them….

    Reply
  7. Kami

    Hi,
    I used to have this running to expose multiple AD FS farms, with client cert authentication. Since a couple of months the certificate auth is no longer working; the client cert details are being filtered from the request.
    This behaviour usually happens when a proxy is doing ssl termination, which breaks the certauth. I believe the DS is doing SSL termination (decrypting, inspecting and recrypting the request), since you need to bind a cert+key to the entry.
    I just can’t seem to get this confirmed by Synology, nor can I find any information on how to disable SSL termination (offloading).
    Also I’m puzzled how this has worked a couple of months ago.
    Without Synology in between, all works as expected.
    Would you have any insights on the above?

    Kind regards,
    Kami.

    Reply
  8. Pingback: (14) Reverse Proxy – nur ein Port, viele Ziele | www.andrejansen.de

Leave a Reply to LaurensvanDuijn Cancel reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.