Disabling external http access?

Hi All

I managed to get my Synology running letsencrypt, pointing by reverse proxy to my RASP3 HA
and it works perfectly.

BUT, I can still access the HA by writing the HTTP://IP-ADDRESS:PORT

Is there any smart way to tell HA to redirect all HTTP to my new https://sub.domain.com address?

Sorry, this might be a noob question, but in other micro services I can set it to redirect all calls to HTTPS.

Thanks
Casperse

To disable external access, you remove the port forward.

If you are talking on your local network, you would have to mess with firewall rules.

Sorry, talked too soon; for some reason I can't get past the logon screen
(Firewall is ok port 8123 is open)

See this post here which is not the same question BTW
I guess it doesn't matter if I disable http if I always just remember to access it remotely by https LOL

Depending on what reverse proxy you’re running, you could make it forward all http requests to https. AFAIK all major rev-proxies can do that.

Yep, typically what I do, sometimes I just remove the port 80 forward as well until the Let’s Encrypt renewal time since they had to change to http challenges.

fwiw, i have the same setup. i keep port 80 closed except when it’s time to renew letsencrypt.

maybe you know, but letsencrypt will send an email reminder, and you can manually renew right away from the synology command line:

  1. fwd port 80 to 80 on your synology box
  2. ssh to your synology box
  3. $ sudo /usr/syno/sbin/syno-letsencrypt renew-all
  4. close port 80

if it’s successful your synology box will show the updated exp date in control-panel --> security.

If you have a reverse proxy in front of home-assistant, letsencrypt can renew on 443.

Synology will update all letsencrypts automatically, you don't have to do anything :slight_smile:

I didn't find a way to close access, but if all access goes to HTTPS then the information is safe from people snooping your data when accessing the HA

But I did find a workaround to have Synology maintaining all your letsencrypt certificates for all your devices.

Solution here:

TEMPLATE CHANGE
To allow WebSocket by default for all services exposed by NGINX, you can enable it in the template file located in /usr/syno/share/nginx/Portal.mustache. Please be really careful in editing this file since you may break access to the DSM UI. Please back up this file before any edit.

Open /usr/syno/share/nginx/Portal.mustache and add the following in the Location section:

proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_read_timeout 86400;

Then restart the NGINX daemon:

sudo synoservicecfg --restart nginx

That's it, then it works! And I have a working cert. from Synology on my external RASP3! :lol:

it won’t auto-renew for me with only 443 open. so CLI method is a nice way of limiting the time 80 is open.
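
As an added example (not written by any poster in this thread), here is a plain nginx configuration that combines the two ideas discussed above: redirecting all HTTP requests to HTTPS at the reverse proxy, and passing the WebSocket headers through to Home Assistant. The backend address 192.0.2.10, the certificate paths and the ACME webroot are assumptions; DSM generates its own nginx configuration, so this is a stand-alone nginx setup rather than the Synology template.

```nginx
# Constructed example for a stand-alone nginx.
# The backend IP, certificate paths and webroot are placeholders.

# Port 80: answer Let's Encrypt HTTP challenges, redirect everything else.
server {
    listen 80;
    server_name sub.domain.com;

    # Assumed webroot where the ACME client writes HTTP-01 challenge files.
    location /.well-known/acme-challenge/ {
        root /var/www/acme;
    }

    # Any other plain-HTTP request is sent to the HTTPS name.
    location / {
        return 301 https://$host$request_uri;
    }
}

# Port 443: terminate TLS and proxy to Home Assistant.
server {
    listen 443 ssl;
    server_name sub.domain.com;

    ssl_certificate     /path/to/fullchain.pem;   # placeholder
    ssl_certificate_key /path/to/privkey.pem;     # placeholder

    location / {
        proxy_pass http://192.0.2.10:8123;        # placeholder LAN address of the HA host
        proxy_http_version 1.1;                   # needed for the WebSocket upgrade
        proxy_set_header Host $host;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_read_timeout 86400;
    }
}
```

This only affects requests that reach the proxy; direct requests to port 8123 on the local network are untouched and still need the firewall rules mentioned earlier in the thread.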