How to set up a reverse proxy on Synology NAS

SpaceRex

11 Nov 202420:43

Summary

TLDRIn this tutorial, the speaker explains how to set up a Synology NAS as a reverse proxy within DSM, highlighting its ease of use and powerful features. The reverse proxy allows multiple web services to run on a single IP, enhances security by masking internal servers, and simplifies SSL certificate management. By demonstrating how to proxy various applications like Synology Drive and Docker containers, the video emphasizes the flexibility and control reverse proxies offer for both internal and public-facing services. The speaker also discusses access control, wildcard certificates, and other advanced settings for secure and efficient web hosting.

Takeaways

😀 Reverse proxies in DSM (DiskStation Manager) simplify the process of securely exposing specific applications without directly exposing your Synology NAS to the internet.
🔐 A reverse proxy allows you to run multiple instances of DSM on the same public IP, enhancing functionality and security by only exposing certain applications.
🌐 By using a reverse proxy, you can secure web services with SSL certificates and limit internet access to specific apps on your NAS.
💻 Synology's built-in reverse proxy interface is one of the easiest to use, even compared to setups on Linux servers, allowing for simplified configuration.
🔒 Reverse proxies improve security by masking the internal web server from direct internet access, requiring users to know specific hostnames to access services.
⚙️ DSM allows users to configure a reverse proxy with custom headers and advanced settings for more tailored setups, although most standard apps work without customization.
🌍 Applications like Synology Drive can be securely exposed to the internet with a reverse proxy while hiding the underlying DSM interface from public view.
📈 Reverse proxies provide a central location for managing SSL certificates, making it easier to secure multiple applications on your NAS without handling certificates individually for each one.
🚀 You can use DNS server settings to map subdomains (e.g., drive.d.space.co) to internal applications, creating a more organized and secure network structure.
📊 Docker containers and other networked services can be proxied through DSM, allowing them to be accessed using custom domain names and ports, without exposing the actual container ports externally.
🔧 While reverse proxies are typically used with HTTP and HTTPS, they can be adapted to work with various internal network setups, such as Docker containers or additional NAS servers.

Q & A

What is a reverse proxy, and how does it work?
-A reverse proxy is a server that acts as an intermediary between a client and a web server. It allows multiple websites or services to run on the same public IP address and port, directing traffic based on the host name in the URL. For example, a reverse proxy can forward traffic for 'search.google.com' to one web server and 'drive.google.com' to another, even though both sites use the same IP address.
Why is setting up a reverse proxy useful for security?
-A reverse proxy enhances security by hiding the actual server's IP address and only exposing the proxy server to the public internet. This minimizes the attack surface, as the reverse proxy filters and routes traffic based on the hostname, making it harder for attackers to directly access your web servers.
What specific functionalities does Synology DSM's reverse proxy feature provide?
-Synology DSM's reverse proxy feature allows users to run multiple instances of DSM on the same public IP, expose only selected applications to the internet, manage SSL certificates centrally, and enhance security by requiring access via specific hostnames rather than direct IP addresses.
How do you set up a reverse proxy rule in DSM?
-To set up a reverse proxy rule in DSM, go to Control Panel, then Login Portal > Advanced > Reverse Proxy. You can then create new rules by specifying the source (protocol, hostname, and port) and the destination (the internal server's IP or hostname and port). You can also configure advanced options like custom headers if necessary.
How does Synology DSM's reverse proxy handle SSL certificates?
-DSM's reverse proxy feature can handle SSL certificates by allowing you to configure them centrally. You can use a wildcard certificate for all your subdomains, or get individual certificates for each application. DSM then assigns the appropriate SSL certificate for each reverse proxy rule.
Can you use a reverse proxy to expose specific applications like Synology Drive to the internet?
-Yes, you can use a reverse proxy to expose specific applications like Synology Drive to the internet. This is done by configuring a custom hostname (e.g., 'drive.yourdomain.com') and setting up a reverse proxy rule to route traffic to the Synology Drive application, which improves accessibility and security.
What is the role of the Access Control profile in DSM's reverse proxy setup?
-The Access Control profile in DSM's reverse proxy setup allows you to define rules based on the source IP address. This means you can restrict access to certain applications or services, ensuring that only trusted IPs can reach the reverse-proxied applications.
What is the benefit of using DNS records for reverse proxy instead of relying on public IP addresses?
-Using DNS records for reverse proxy provides a more organized and human-readable way of routing traffic. Instead of accessing services via IP addresses and port numbers, users can access services using domain names (e.g., 'drive.yourdomain.com'), making it easier to manage and providing an extra layer of security.
How does DSM's reverse proxy improve accessibility for Docker containers?
-DSM's reverse proxy allows Docker containers running on the NAS to be accessed via custom domain names and ports, eliminating the need for users to remember specific IP addresses and port numbers. This simplifies access and enhances the organization of services running in Docker containers.
What is the difference between HTTP and HTTPS when configuring reverse proxy for services?
-The difference between HTTP and HTTPS in reverse proxy configuration is that HTTPS encrypts the communication between the client and the server, while HTTP does not. When setting up reverse proxy for both protocols, you need to create separate rules for HTTP (usually port 80) and HTTPS (usually port 443) to ensure secure and non-secure traffic is properly routed.