Disabling external http access?

casperse · June 7, 2018, 11:37am

Hi All

I managed to get my Synology running letsencrypt, pointing by reverse proxy to my RASP3 HA
and it works perfectly.

BUT, I can still access the HA by writing the HTTP://IP-ADRESS:PORT

Is there any smart way to tell HA to redirect all HTTP to my new https://sub.domain.com adress?

Sorry this might be a noob question, but in other micro services I can set redirect all calls to HTTPS

Thanks
Casperse

flamingm0e · June 7, 2018, 1:14pm

To disable external access, you remove the port forward

stephenmg12 · June 7, 2018, 2:54pm

If you are talking on your local network, you would have to mess with firewall rules.

casperse · June 7, 2018, 4:06pm

Sorry talked to soon, for some reason I cant get pass the logon screen
(Firewall is ok port 8123 is open)

See this post here which is not the same question BTW
I guess it dosent matter if I disable http if I always just remember to access it remotely by https LOL

bonterra · June 7, 2018, 4:56pm

Depending on what reverse proxy you’re running, you could make it forward all http requests to https. AFAIK all major rev-proxies can do that.

digiblur · June 7, 2018, 5:07pm

Yep, typically what I do, sometimes I just remove the port 80 forward as well until the Let’s Encrypt renewal time since they had to change to http challenges.

creakyshrimp · June 7, 2018, 8:43pm

fwiw, i have the same setup. i keep port 80 closed except when it’s time to renew letsencrypt.

maybe you know, but letsencrypt will send an email reminder, and you can manually renew right away from the synology command line:

fwd port 80 to 80 on your synology box
ssh to your synology box
$ sudo /usr/syno/sbin/syno-letencrypt renew-all
close port 80

if it’s successful your synology box will show the updated exp date in control-panel --> security.

stephenmg12 · June 8, 2018, 3:22am

If you have a reverse proxy in front of home-assistant, letsencrypt can renew on 443.

casperse · June 8, 2018, 2:06pm

Synology will update all letsencrypts automatically you dont have to do anything

casperse · June 8, 2018, 2:08pm

I didnt find a way to close access, but if all access goes to HTTPS then the information is save from people snooping your data when accessing the HA

But I dit find a workaround to have Synology maintaining all your letsencrypt certificates for all your devices.

Solution here:

TEMPLATE CHANGE
To allow WebSocket by default for all service exposed by NGINX, you can enable it in the template file located in /usr/syno/share/nginx/Portal.mustache. Please be really careful in editing this file since you may break access to the DSM UI. Please backup this file before any edition.

Open /usr/syno/share/nginx/Portal.mustache and add the followings in the Location section:

proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection “upgrade”;
proxy_read_timeout 86400;
Then restart the NGINX daemon:

sudo synoservicecfg --restart nginx

Thats it then it works! and I have working cert. from Synology on my external RASP3! :lol:

creakyshrimp · June 8, 2018, 3:21pm

it won’t auto-renew for me with only 443 open. so CLI method is a nice way of limiting the time 80 is open.