Synology Reverse Proxy Server Set-Up

Synology has a powerful nginx reverse proxy server built in. Like practically everyone else who has a home internet connection, I have a single public IP address; in my case it's a static IP, but the following works with dynamic allocations as well. If you would like to reach all your services through a single secure port (443) with SSL, then continue reading. If you run Sonarr, Radarr, Deluge, Sabnzbd, Plexpy etc., you will benefit greatly from securing them behind a reverse proxy and using Let's Encrypt to secure those hosts.

Topology of an nginx proxy.


The first step is to get yourself some sort of domain name and a host name for your Synology. This can be done for free using Synology's built-in Dynamic Domain Name Service (DDNS) if you have a dynamic IP address from your ISP, and by purchasing a domain name of your choice from Hover, Namecheap or some other domain registrar.

Before proceeding any further, make sure your Synology (and anything else that you want behind the proxy) has a static IP on your LAN. This is best done in the router by reserving 192.168.x.x for the Synology.

For dynamic IP addresses only, you need to set up DDNS. This service checks your external IP address and reports it back to Synology so that the hostname properly reflects your external IP. Choose Synology as the provider, then pick a hostname, click to accept the terms and conditions and press test connection. If all is well it should report your external IP address.

Set up DDNS if you have a dynamic IP.


Once this is complete, you need to head over to your domain registrar and set up DNS. First create a CNAME record with the hostname you require; I've used Sonarr here and have it pointed to the DDNS name you set up in the Synology. A CNAME is only required for dynamic IP addresses. What this does is create a DNS link between your domain registrar and the host name you created with the Synology DDNS. In this case sonarr.mydomain.com redirects to mynas.synology.me even as the IP address your ISP gives you changes. If you have a static IP then just use the IP you have in an A record.

CNAME for dynamic IP


If you have a static IP address you can use an A record instead.

A record for static IP


Now connect to your router and forward ports 80/443 to the internal static IP address of your Synology. This process will differ slightly depending on the router you have. Some routers call port forwarding by some other name, like pinholes.


Now that the external routes are set up, we need to test them. Head to DNS Checker and check that what you have set up directs you to your home IP.

Use CNAME check for dynamic IP.


A record for static IP.


Use the appropriate check to confirm that it forwards on to your details. This might take hours to fully propagate and return the correct details. If all tests well, then move on to set up the internal parts. Here I haven't actually set any up, so I get nothing returned.


Now on to the setup of the actual proxies. First off, head to Control Panel > Security > Certificates on your Synology. This is the process for creating SSL certificates to secure your domain.


Occasionally you will have problems creating certs. Sometimes you just need to try again later, but this will only work if you have forwarded ports 80/443 to your Synology.

Next head to Control Panel > Application Portal > Reverse Proxy.

 

Change internal details as required.


Now go back to the certificate screen Control Panel > Security > Certificate and click on Configure. From there select the certificate that goes with the reverse proxy you just set up.

So in my example sonarr.mydomain.com goes to localhost:9003, but you can direct it to somewhere else, like your router, to make it accessible from outside your network. Example: https://router.mydomain.com:443 > http://192.168.1.254:80. Just remember to create a new certificate for every domain or subdomain you create. Let's Encrypt cannot (at this point anyway) do wildcard certs, and you have to renew the certs every 90 days or so, but this can be automated with a cron job if needed.
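To check the finished setup from a script rather than by hand, the following added example (not part of the original post) confirms that each proxied hostname resolves to your external IP and reports how long its Let's Encrypt certificate has left. The function names, verdict strings and the 30-day warning threshold are assumptions made for the example.

```python
import socket
import ssl
import sys
import time

RENEW_BEFORE_DAYS = 30  # assumption: warn once under a third of the ~90-day lifetime remains


def days_left(not_after, now=None):
    """Whole days until a certificate's notAfter time, e.g. 'Jun  1 12:00:00 2030 GMT'."""
    now = time.time() if now is None else now
    return int((ssl.cert_time_to_seconds(not_after) - now) // 86400)


def verdict(resolved_ips, expected_ip, not_after, now=None):
    """Classify one proxied hostname from its DNS answer and certificate expiry."""
    if expected_ip not in resolved_ips:
        return "DNS_MISMATCH"  # the CNAME/A record does not lead to the home IP
    remaining = days_left(not_after, now)
    if remaining < 0:
        return "CERT_EXPIRED"
    if remaining < RENEW_BEFORE_DAYS:
        return "RENEW_SOON"
    return "OK"


def probe(hostname, port=443, timeout=5):
    """Resolve the hostname and fetch its certificate over TLS (needs network access)."""
    infos = socket.getaddrinfo(hostname, port, proto=socket.IPPROTO_TCP)
    ips = {info[4][0] for info in infos}
    ctx = ssl.create_default_context()  # verifies the chain and that the name matches
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return ips, tls.getpeercert()["notAfter"]


if __name__ == "__main__":
    if len(sys.argv) < 3:
        sys.exit("usage: check_proxy.py EXTERNAL_IP HOSTNAME [HOSTNAME ...]")
    expected = sys.argv[1]
    for host in sys.argv[2:]:
        try:
            ips, not_after = probe(host)
            print(host, verdict(ips, expected, not_after), not_after)
        except (OSError, ssl.SSLError) as exc:
            # Covers no route, a closed port and a certificate that fails verification.
            print(host, "UNREACHABLE_OR_BAD_CERT", exc)
```

Run it from outside your LAN (for example over a phone hotspot), since many routers do not loop connections to your own external IP back in.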

Any questions just ask.