Like most people I suffer from the one-IP-address-on-your-home-internet-connection syndrome.
For normal people this is not a problem, but geeks like us like to run their own https sites, and that can be a pain on a single IP address.
Now you think, a problem? C'mon... For the not so geeky: normally you can only run a single https site on one IP address. You simply only have one port 443 🙂
You can run your sites on different ports, but that's just ugly.
This problem can be simply solved by using a reverse proxy.
In computer networks, a reverse proxy is a type of proxy server that retrieves resources on behalf of a client from one or more servers. These resources are then returned to the client as though they originated from the proxy server itself.[1] While a forward proxy acts as an intermediary for its associated clients to contact any server, a reverse proxy acts as an intermediary for its associated servers to be contacted by any client.
So you can set up a small Linux machine that runs Nginx or HAProxy, and that does the trick just fine for free. A nice Kemp LoadMaster or F5 load balancer does the trick too, but then you need a big wallet and no wife 🙂
But... then I found out my Synology NAS can do this as well, and it is stupidly simple!
Synology has built this functionality into its NAS software since DSM 6. It is based on nginx.
So here is how you configure a Synology as a reverse proxy.
In the Control Panel go to Application Portal and click "Reverse Proxy".
Click "Create".
Now fill in the details:
You can choose either http or https as the protocol. Source is the external URL you want the Synology to respond to, and destination is the internal IP address of the machine you want it to serve.
Now click "OK".
You can do this as many times as you need. In my case I run my blog, a VMware Horizon environment and an Exchange server, all on HTTPS on port 443.
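To show what such a set of rules amounts to underneath, here is an added example written in plain nginx syntax. It is not the configuration DSM generates and not code from the post; the hostnames, backend addresses and certificate paths are placeholders. nginx selects the server block from the name the client sends (the SNI name in the TLS handshake), which is why many https sites can share one IP address and one port 443:

```nginx
# Added example (not DSM's generated config): two reverse-proxy rules as plain
# nginx server blocks, one per https site, plus a default that refuses unknown names.
# Hostnames, backend addresses and certificate paths are placeholders.

server {
    listen 443 ssl;
    server_name blog.example.com;

    ssl_certificate     /path/to/blog.example.com/fullchain.pem;
    ssl_certificate_key /path/to/blog.example.com/server.key;

    location / {
        proxy_pass http://192.168.1.20:80;      # internal web server, plain http
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

server {
    listen 443 ssl;
    server_name mail.example.com;

    ssl_certificate     /path/to/mail.example.com/fullchain.pem;
    ssl_certificate_key /path/to/mail.example.com/server.key;

    location / {
        proxy_pass https://192.168.1.30:443;    # backend that only speaks https
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

# Without a default_server nginx answers any unknown name with the first block
# above, i.e. with your blog's certificate and content. Refuse the handshake instead.
server {
    listen 443 ssl default_server;
    server_name _;
    ssl_reject_handshake on;
}
```

Two practical points: the X-Forwarded-For and X-Forwarded-Proto headers are only trustworthy for the backend if the backend can be reached solely through the proxy (otherwise anyone can set them), and the default_server block is what keeps a stray hostname pointed at your IP from being served with your first site's certificate.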
Next you need to add the appropriate certificates on the Synology for your https websites.
Synology expects you to import the certificate together with its private key. If you have a PFX you can convert it with the commands below using openssl. With the newer DSM you can also set up certificates with Let's Encrypt; renewal is done automatically every 3 months, so no worries there. Just be sure to put in all SAN domains.
Export the private key from the PFX file:
openssl pkcs12 -in filename.pfx -nocerts -out key.pem
Export the certificate from the PFX file:
openssl pkcs12 -in filename.pfx -clcerts -nokeys -out cert.pem
Remove the passphrase from the private key:
openssl rsa -in key.pem -out server.key
Use cert.pem and server.key together with your intermediate certificate to get it imported.
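The three openssl commands above as one script, plus the check a practitioner wants before uploading anything: that cert.pem and server.key actually belong to each other (a mismatched pair is the usual reason an import fails or a site serves the wrong certificate). This is an added example, not from the post; it assumes only the openssl command-line tool, the file names and password are placeholders, and the PFX it converts is a throwaway self-signed one it builds itself so the script runs without a real certificate:

```shell
#!/bin/sh
# Added example, not from the original post: PFX -> cert.pem / chain.pem / server.key
# for the DSM certificate import, with a check that cert and key match.
# Assumes only the openssl CLI; names and the password are placeholders and the
# demo PFX is constructed, self-signed test data.
set -eu
umask 077   # the passphrase-less server.key must never be world-readable

# Split a PFX into cert.pem, chain.pem and an unencrypted server.key.
# $1 = PFX path, $2 = PFX password, $3 = output directory
convert_pfx() {
    pfx=$1; pw=$2; out=$3
    mkdir -p "$out"
    # 1. private key, still passphrase-protected at this point
    openssl pkcs12 -in "$pfx" -nocerts -passin "pass:$pw" -passout "pass:$pw" -out "$out/key.pem"
    # 2. the server (leaf) certificate only
    openssl pkcs12 -in "$pfx" -clcerts -nokeys -passin "pass:$pw" -out "$out/cert.pem"
    # 3. any CA certificates bundled in the PFX, for the "intermediate certificate" field
    openssl pkcs12 -in "$pfx" -cacerts -nokeys -passin "pass:$pw" -out "$out/chain.pem" 2>/dev/null || :
    # 4. strip the passphrase so DSM can load the key without prompting
    openssl rsa -in "$out/key.pem" -passin "pass:$pw" -out "$out/server.key"
    rm -f "$out/key.pem"   # the encrypted copy is no longer needed
}

# Return 0 when the public key inside the certificate equals the one derived from the key.
# $1 = certificate PEM, $2 = private key PEM
pair_matches() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$2" -pubout | openssl sha256)
    [ "$cert_pub" = "$key_pub" ]
}

# Build a throwaway self-signed certificate and wrap it in a PFX (constructed test data).
# $1 = directory, $2 = password to protect the PFX with
make_demo_pfx() {
    dir=$1; pw=$2
    mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=blog.example.com" \
        -keyout "$dir/demo.key" -out "$dir/demo.crt" 2>/dev/null
    openssl pkcs12 -export -in "$dir/demo.crt" -inkey "$dir/demo.key" \
        -passout "pass:$pw" -out "$dir/demo.pfx"
}

# Stand-alone run: convert the demo PFX and report whether the pair is importable.
work=$(mktemp -d)
make_demo_pfx "$work" 'demo-password'
convert_pfx "$work/demo.pfx" 'demo-password' "$work/out"
if pair_matches "$work/out/cert.pem" "$work/out/server.key"; then
    echo "cert.pem and server.key match; ready to import"
else
    echo "cert.pem and server.key do NOT match" >&2
fi
rm -rf "$work"
```

For a real PFX, replace the make_demo_pfx call with the path to your file and its password. The umask matters: once the passphrase is stripped, server.key is a plaintext private key, so keep it readable only by you and delete it once DSM has it.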
Once imported, go to "Configure" and map the right certificate to the correct service.
And press "OK".
Now simply forward port 443 on your router to your Synology and you are up and running: multiple https sites on one IP address.
Great blog post!
This helped me greatly.
Was trying to set it up using a Kemp LB but this is much easier to accomplish!
thanks a lot!
Great tutorial thank you very much. Worked like a charm
My reverse proxies do not show up as a service when I go to configure the certificate.
which Synology are you running?
I was too impatient! It works now, because of this guide, thank you!
Good to hear!
can you start up your apps using reverse proxy?
for example if you want to start dsaudio with audio.vdrone.nl
I use a Linux client for the reverse proxy and was trying to get this to work.... in the browser it's working fine but the DSaudio app wouldn't connect
Yeah works fine here but add the correct port for app usage. Different port!
and which would that be?
5000 for http or 5001 for https.
https://www.synology.com/en-us/knowledgebase/DSM/tutorial/Network/What_network_ports_are_used_by_Synology_services
the strange thing is I’ve tried 5000 (I’m in testing phase of reverse proxy) this should be the http port, but that wasn’t working.
so I tried 5001 and it worked audio.example.com is working, did some more testing and disabled port forward to 5001 in my router and it wasn’t working again.
so for some reason it still needs a port forward, which isn't the intended solution....
thanks for the help anyway
The apps are coded to use the ports, unfortunately.
I simply cannot get this to work with https. Http is not a problem, but every time I try with HTTPS, I get an error that the server has unexpectedly closed the connection. Any advice on how to get this to work with HTTPS?
For cert usage – use the wildcard cert feature from Let’s Encrypt – then there is no need to map individual certs at that point for any service running on your synology.
i.e. – you have plex is running on 32400 on your synology, you would typically need to go to your synology.domain.com:32400 to get to plex
– you own a domain called mydomain.com, along with a wildcard cert for mydomain.com already installed on your Synology
1. go to your router and map the hostname to your IP
set system static-host-mapping host-name plex.mydomain.com inet {ip address of synology running plex}
set system static-host-mapping host-name plex.mydomain.com alias plex
2. open your browser and go to https://plex.mydomain.com INSTEAD of https://synology.domain.com:32400
Plex will open (and use the wildcard cert already installed for ) – no need for individual certs and the admin overhead for them….
Hi,
I used to have this running to expose multiple AD FS farms, with client cert authentication. For a couple of months now the certificate auth has no longer been working; the client cert details are being filtered from the request.
This behaviour usually happens when a proxy is doing SSL termination, which breaks the cert auth. I believe the DS is doing SSL termination (decrypting, inspecting and re-encrypting the request), since you need to bind a cert+key to the entry.
I just can’t seem to get this confirmed by Synology, nor can I find any information on how to disable SSL termination (offloading).
Also I’m puzzled how this has worked a couple of months ago.
Without Synology in between, all works as expected.
Would you have any insights on the above?
Kind regards,
Kami.
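The comment above describes the one case a terminating reverse proxy cannot serve: TLS client-certificate authentication, which only works when the backend itself sees the client's handshake. Here, as an added example that is not part of the post or of any reply, is what a non-terminating setup looks like in plain nginx, using the stream module's ssl_preread to route on the SNI name without decrypting anything. This is a plain nginx configuration, not a setting of the DSM reverse-proxy dialog described in the post; hostnames and addresses are placeholders:

```nginx
# Added example, not from the original post: TLS passthrough in plain nginx.
# The proxy reads only the ClientHello (SNI) and forwards the raw TCP stream, so the
# backend completes the handshake itself and client-certificate auth keeps working.
# Requires ngx_stream_ssl_preread_module; hostnames and addresses are placeholders.
stream {
    map $ssl_preread_server_name $backend {
        adfs.example.com   192.168.1.40:443;   # AD FS farm, does its own client-cert auth
        blog.example.com   192.168.1.20:443;   # backend must hold its own certificate now
        default            127.0.0.1:9;        # unknown SNI names land on a closed port
    }

    server {
        listen 443;
        ssl_preread on;
        proxy_pass $backend;
    }
}
```

The trade-offs follow directly from not terminating: each backend must carry its own certificate (the proxy can no longer map certificates to services), the proxy cannot inspect or rewrite HTTP headers, the backend sees the proxy's IP as the client unless both sides use the PROXY protocol, and an `http` server block cannot share the same port 443 with this `stream` listener.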