Synology reverse proxy

WARNING: this manual has been updated – read the BOLD section (sorry, guys, I forgot an important part about assigning certificates…)

Synology’s reverse proxy is quite a nice tool once you manage to “get it”. I spent quite some time exploring this function and managed to “kind of” set it up. So, here are my observations (if something is not correct I’m open to suggestions):

First, you must set up port forwarding in your router. The correct port is 443, the default port for the HTTPS protocol. You may say there’s no need for this… but it depends on the router: many routers (like Asus) handle this port themselves unless told otherwise. By entering this port forwarding you’re telling your router to “leave this port alone” and let DSM handle it. So, enter the external port and the local IP of your DSM.

The second part is on the Synology side. Open Control Panel, Application Portal, Reverse Proxy. Click “Create”. Fill in a description. Then:
– Protocol: HTTPS
– hostname: say, dsm.yourname.synology.me

EDIT: since we are creating HTTPS access to the Synology server itself, we can also enter our main domain name, say “yourname.synology.me”, without a prefix. We’ll only use prefixes for the other pages we want to access. (The picture below is modified accordingly.)


– port: 443
under “Destination”:
– protocol: https
– hostname: local IP of your DSM station (say, 192.168.1.100)
– port: https port of your DSM station (default 5001).

I couldn’t work out the meaning of the two options “Enable HSTS” and “Enable HTTP/2” yet; I don’t see any difference between on and off… (HSTS tells browsers to use only HTTPS for that hostname for a set period, and HTTP/2 is a newer version of the HTTP transport; neither changes what the page looks like, so no visible difference is expected.)

Finally click “Custom Header”, click “Create” and then “WebSocket”. DO NOT MISS THAT PART!
That’s it, click “OK”.
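What the “WebSocket” custom-header preset is for, as an added example that is not part of the original post: DSM and Home Assistant both open WebSocket connections from the browser, and the upgrade only succeeds if the proxy passes the client’s Upgrade and Connection headers through to the backend. The Python model below runs the same browser request through the proxy with and without the preset. The assumption (not stated on the page) is that the preset’s effect is to forward exactly those two hop-by-hop headers, which is what an nginx-style proxy needs; the request headers are constructed, and the Sec-WebSocket-Accept computation, its GUID and the sample key are from RFC 6455.

```python
import base64
import hashlib

# GUID that RFC 6455 fixes for the Sec-WebSocket-Accept computation (real constant).
WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"


def websocket_accept(key):
    """Sec-WebSocket-Accept = base64(SHA-1(Sec-WebSocket-Key + GUID)), as the backend computes it."""
    digest = hashlib.sha1((key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def proxy_forward(client_headers, websocket_preset):
    """Model of what the reverse proxy hands to the backend.

    Assumption: the "WebSocket" custom-header preset passes Upgrade and
    Connection through; without it these hop-by-hop headers are not
    forwarded, which is the default behaviour of an nginx-style proxy."""
    forwarded = dict(client_headers)
    if not websocket_preset:
        forwarded.pop("Upgrade", None)
        forwarded.pop("Connection", None)
    return forwarded


def backend_handshake(headers):
    """What an RFC 6455 server answers: (status, response headers)."""
    h = {k.lower(): v for k, v in headers.items()}
    connection_tokens = [t.strip().lower() for t in h.get("connection", "").split(",")]
    wants_upgrade = h.get("upgrade", "").lower() == "websocket" and "upgrade" in connection_tokens
    if not wants_upgrade:
        # Seen as an ordinary GET: no 101, so the browser's WebSocket never opens.
        return 400, {}
    key = h.get("sec-websocket-key")
    if not key or h.get("sec-websocket-version") != "13":
        return 400, {}
    return 101, {
        "Upgrade": "websocket",
        "Connection": "Upgrade",
        "Sec-WebSocket-Accept": websocket_accept(key),
    }


# Constructed client request: the headers a browser sends when opening a
# WebSocket to the proxied host (the key is the RFC 6455 sample value).
CLIENT_HEADERS = {
    "Host": "home.yourname.synology.me",
    "Upgrade": "websocket",
    "Connection": "Upgrade",
    "Sec-WebSocket-Key": "dGhlIHNhbXBsZSBub25jZQ==",
    "Sec-WebSocket-Version": "13",
}


def simulate(websocket_preset):
    """Run the handshake through the proxy with or without the preset."""
    return backend_handshake(proxy_forward(CLIENT_HEADERS, websocket_preset))


if __name__ == "__main__":
    for preset in (False, True):
        status, resp = simulate(preset)
        print(f"WebSocket preset {'on ' if preset else 'off'}: backend answers {status} {resp}")
```

Without the preset the backend sees a plain HTTP request and answers 400 (or serves ordinary HTML); with it the backend answers 101 and the browser’s live connection works. That is the whole reason the step must not be skipped.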

Now we need to get a certificate for this address. For this go to “Security”, then “Certificate”. Click “Add” and select “Add new certificate”. Click “Next” and select “Get certificate from Let’s Encrypt”. On the next page enter the domain name (from the above example it’s “yourname.synology.me”), enter your email and click “Apply”.

UPDATE:

Now we have to assign this certificate to our newly created domain, otherwise we’ll get a certificate error when we visit this page:

On the Synology open “Control Panel”, go to “Security” and click the “Certificate” tab. Our newly created sub-page should be listed there (it just doesn’t have a green arrow yet, I guess). Now click “Settings”. A new window will open. Find the newly created (sub)domain, click the drop-down menu beside it and select the certificate created just before for this site. Click “OK”; now a green arrow should appear beside our new (sub)domain, and the web page should work with the proper certificate. If not, refresh the page with CTRL+F5. On Windows there’s an even more thorough option to clear everything: press F12 (developer tools), then right-click the “refresh” button and select “Empty cache and hard refresh”. OK, I can’t tell whether this option works in all browsers, but where it does, it really clears everything.

Now open a web browser and enter “https://yourname.synology.me”. The DSM web interface should now open. If it doesn’t, clear your browser cache and try again.

OK, I assume that this is now working. Now we’d like to add some more subdomains. I’ll focus on my HA (Home Assistant) instance. Go into Application Portal/Reverse Proxy again. Click “Create” and enter a new description (HA in my case).

Fill in the other data:
– Protocol: HTTPS
– hostname: say, home.yourname.synology.me
– port: 443
under “Destination”:
– protocol: http
– hostname: local IP of HA application (say, 192.168.1.150)
– port: http port of HA application (default 8123).

Finally click “Custom Header”, click “Create” and then “WebSocket” (again, DON’T forget this part!!). Click “OK”.

Again, go to certificates and create a certificate for this new subdomain as above, only as the domain enter “home.yourname.synology.me”. Now HA should also be accessible on this new address.

Again, we need to assign this certificate to this new subdomain. Read the BOLD section above for this.

This way you can create as many subdomains as you like; the only difference is the local IP and port. The good thing is that you don’t have to enter a port forward for each local IP, so you’re less exposed to attacks, and all pages have a valid certificate.
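A check for the certificate-assignment step, for the main domain and for every subdomain added later, as an added example that is not part of the original post: connect to the hostname with SNI, verify the chain against the system CA store, and report which names the served certificate actually covers, which is exactly what the browser’s certificate error is about. fetch_peer_cert, dns_names, name_matches, cert_covers and report are my own helper names; DSM_CERT is a constructed stand-in shaped like ssl.SSLSocket.getpeercert() output, representing the main-domain certificate that the subdomain keeps serving until the “Settings” step is done. The wildcard handling goes slightly beyond the page: it also covers the case where one wildcard certificate is used for all subdomains.

```python
import socket
import ssl
import sys
import time


def fetch_peer_cert(hostname, port=443, timeout=5.0):
    """Open a TLS connection with SNI = hostname and return the leaf certificate
    in the dict form ssl.SSLSocket.getpeercert() produces. The chain is still
    verified against the system CA store (Let's Encrypt roots are in it), but
    hostname checking is switched off so that a wrongly assigned certificate
    can be inspected instead of just raising."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


def dns_names(cert):
    """DNS names the certificate is valid for: subjectAltName entries, with the
    subject commonName as a fallback only when there is no SAN extension."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        names = [value for rdn in cert.get("subject", ()) for kind, value in rdn if kind == "commonName"]
    return names


def name_matches(pattern, hostname):
    """RFC 6125-style comparison: exact match, or a wildcard in the leftmost
    label only, matching exactly one label (*.x.me covers a.x.me, not a.b.x.me or x.me)."""
    p = pattern.lower().rstrip(".")
    h = hostname.lower().rstrip(".")
    if p == h:
        return True
    if p.startswith("*."):
        p_labels, h_labels = p.split("."), h.split(".")
        return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]
    return False


def cert_covers(cert, hostname):
    return any(name_matches(name, hostname) for name in dns_names(cert))


def report(cert, hostname, now=None):
    """Summarise whether `cert` is the right certificate for `hostname`
    (`now` is epoch seconds; defaults to the current time)."""
    now = time.time() if now is None else now
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    return {
        "hostname": hostname,
        "names": dns_names(cert),
        "covers_hostname": cert_covers(cert, hostname),
        "expired": not_after < now,
        "days_left": int((not_after - now) // 86400),
    }


# Constructed sample in getpeercert() shape: the main-domain certificate from the
# walkthrough, which is what the browser gets on the subdomain until the
# certificate is assigned to it under Security > Certificate > Settings.
DSM_CERT = {
    "subject": ((("commonName", "yourname.synology.me"),),),
    "subjectAltName": (("DNS", "yourname.synology.me"),),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Mar 31 23:59:59 2024 GMT",
}


if __name__ == "__main__":
    # Usage: python check_cert.py home.yourname.synology.me
    host = sys.argv[1] if len(sys.argv) > 1 else "yourname.synology.me"
    result = report(fetch_peer_cert(host), host)
    print(result)
    if not result["covers_hostname"]:
        print(f"served certificate is for {result['names']}, not {host}: assign the right one in Settings")
```

Run it against each subdomain after the assignment step; “covers_hostname: False” with the main domain listed under “names” is the symptom the UPDATE section describes, and “days_left” tells you when the Let’s Encrypt renewal needs to have happened.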

Home Assistant entries

My friend from the HA forums (thanks, Lindorm) warned me that I forgot to mention some entries in HA which must be made to have a successful connection to HA from the outside world.

In HA’s configuration.yaml this is a must:

http:
  ip_ban_enabled: true
  login_attempts_threshold: 10
  use_x_forwarded_for: true
  trusted_proxies:
    - 192.168.0.0/24
    - 172.30.32.0/24
    - 172.30.232.0/24

Some explanation:

IP entries: these are the IPs used in my virtual machine inside Synology, where my HA runs. Check Virtual Machine –> select your HA instance, and at the bottom in the “General” tab there are, in my case, three IPs listed. The first one is the IP of my HA; the second and third are… well, I don’t know their official name, but I guess they are proxy IPs, and they must be entered in HA. In my case they are 172.30.32.1 and 172.30.232.1. Note that the last number must be “0” (you define an IP segment, not a specific IP address, hence the /24 at the end).

So, make these entries, restart HA and hope for the best…

The two lines “ip_ban_enabled: true” and “login_attempts_threshold: 10” are not “a must”. They are just additional precautions against possible attackers: in the above case, when someone tries to log into my HA 10 times (or fewer, or more… you choose with that number at the end) without success, their IP is banned. The admin must then manually delete the banned IP from HA: banned IPs are kept in the config folder, in the file “ip_bans.yaml”; delete the entry and restart HA.

Just make sure you don’t lock yourself out as admin! For this case it’s a good idea to have SSH enabled: install the Advanced SSH & Web Terminal add-on in HA. With this add-on installed you can log into HA via SSH from another PC, then just delete ip_bans.yaml and restart HA. (Another option, if your HA runs in a Synology VM: connect to your VM from VM Manager.)

When you are in the HA console, press CTRL+ALT+F2 and you’ll get a Linux shell. Enter “cd /” (without quotes) to go to the root directory. Then type “cd /mnt/data/supervisor/homeassistant” (that’s the path in Syno’s VM; if yours is not there you’ll have to search for it). The command “ls” lists the files; among them is “ip_bans.yaml”. Delete that file by typing “rm ip_bans.yaml”.
Now press CTRL+ALT+F1 to return to the HA console, and type “core restart”. HA will restart and you’ll be able to log in again.
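Why trusted_proxies and use_x_forwarded_for belong together, and what ip_ban_enabled / login_attempts_threshold do with the resulting address, as an added Python model that is not Home Assistant’s own code: a request’s X-Forwarded-For header is believed only when it arrives from a listed proxy; from anyone else the header is ignored, because a client can write that header itself. The ranges are the three from the configuration.yaml above; the addresses 203.0.113.7 and 198.51.100.9 are constructed (documentation ranges); client_ip, naive_client_ip, LoginGuard and demo are my own names; and the ip_bans.yaml file format is not modelled. One caveat the model makes visible: the proxy’s own address has to fall inside a listed range. With 192.168.0.0/24 as above, a DSM at 192.168.1.100 (the example address used earlier in this post) would not be trusted, so in this model every request would be attributed to the proxy itself, and a ban would then hit the proxy rather than the attacker.

```python
import ipaddress
from collections import defaultdict

# The three ranges from the configuration.yaml above.
TRUSTED_PROXIES = [
    ipaddress.ip_network(n) for n in ("192.168.0.0/24", "172.30.32.0/24", "172.30.232.0/24")
]


def is_trusted(addr, trusted):
    return any(addr in net for net in trusted)


def client_ip(peer_ip, x_forwarded_for="", trusted=TRUSTED_PROXIES):
    """Address a request is attributed to, the trusted-proxy way.

    The header is believed only when the TCP peer is a trusted proxy. The
    chain is then walked from the right (nearest hop first), skipping trusted
    hops; the first untrusted hop is the client."""
    peer = ipaddress.ip_address(peer_ip)
    if not is_trusted(peer, trusted):
        return peer  # header may have been written by the client itself: ignore it
    hops = [h.strip() for h in x_forwarded_for.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return peer  # malformed header: fall back to the proxy address
        if not is_trusted(addr, trusted):
            return addr
    return peer  # every hop is a proxy: the request started inside the LAN


def naive_client_ip(peer_ip, x_forwarded_for="", trusted=None):
    """The mistake trusted_proxies exists to prevent: believing the header from anyone."""
    hops = [h.strip() for h in x_forwarded_for.split(",") if h.strip()]
    return ipaddress.ip_address(hops[0]) if hops else ipaddress.ip_address(peer_ip)


class LoginGuard:
    """Failed-login counter per attributed address, with a ban at `threshold`:
    the behaviour ip_ban_enabled: true plus login_attempts_threshold: 10 describes."""

    def __init__(self, threshold=10, trusted=TRUSTED_PROXIES, resolver=client_ip):
        self.threshold = threshold
        self.trusted = trusted
        self.resolver = resolver
        self.failures = defaultdict(int)
        self.banned = set()

    def failed_login(self, peer_ip, x_forwarded_for=""):
        """Record one failure; return (attributed address, banned now?)."""
        client = self.resolver(peer_ip, x_forwarded_for, self.trusted)
        self.failures[client] += 1
        if self.failures[client] >= self.threshold:
            self.banned.add(client)
        return str(client), client in self.banned

    def is_banned(self, peer_ip, x_forwarded_for=""):
        return self.resolver(peer_ip, x_forwarded_for, self.trusted) in self.banned


def demo():
    """Constructed scenario: 203.0.113.7 reaches HA through the proxy at
    192.168.0.100, fails ten logins, then connects with a forged
    X-Forwarded-For: 198.51.100.9 header to see whether the ban still holds."""
    strict = LoginGuard(threshold=10)
    naive = LoginGuard(threshold=10, resolver=naive_client_ip)
    for guard in (strict, naive):
        for _ in range(10):
            attributed, banned = guard.failed_login("192.168.0.100", "203.0.113.7")
    return {
        "attributed": attributed,
        "banned_after_ten": banned,
        # strict ignores the header from an untrusted peer; naive believes it
        "strict_blocks_forged": strict.is_banned("203.0.113.7", "198.51.100.9"),
        "naive_bypassed": not naive.is_banned("203.0.113.7", "198.51.100.9"),
    }


if __name__ == "__main__":
    print(demo())
```

The design point is that the ban is only as good as the address it is keyed on: with trusted_proxies set to the proxy’s real range, the banned address stays banned whatever header a client sends, while a resolver that believes the header from anyone lets a banned client pick a new “address” per request.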