Home Assistant SSL/HTTPS configuration on Synology with blocked Port 80

Hi HA community, after spending the entire long weekend trying to set up HTTPS access to my Home Assistant instance I’ve decided to reach out to the community for help.

My setup is:
Netgear DD-WRT router > Synology DSM6 (192.168.1.2) running Docker with Homebridge (marcoraddatz/homebridge) & Home-Assistant containers

I’ve tried following this guide but my ISP blocked port 80. Using 443 & tls-sni-01 results in an error saying my port 443 is already binding. I’m assuming it’s being used by my NAS as https:// 192.168.1.2:5001 & https:// 192.168.1.2:443 takes me to DSM. I ended up using Plesk Let’s Encrypt in my domain tools to generate a certificate.

The problem I have now is:

http:
  api_password: !secret http_password
  ssl_certificate: fullchain.pem
  ssl_key: key.pem

When the last 2 ssl lines are uncommented, my HA frontend fails to load, just a white screen with no errors shown in the logs. With the 2 lines commented out I can access the HA locally at http:// 192.168.2:8123 & externally at http://:8123.

My port forwards have been setup as below, however when ssl_certificate & ssl_key is enabled, I get the error below, both internally/externally:

The certs sit in the /config folder same directory as the configuration.yaml & I’ve given full RW access to all users from /docker/home-assistant/config down to the file level.

I’d admit this is the first time I’ve worked with certs & I would probably give up if I can’t find the answers here :disappointed: Thanks all!


Hi,

I will have almost the same setup as you.
My play is to have a certificate in the synology, not home assistant and create a proxy_pass in synology nginx to map https://xxx/ha to http://local_ha_ip:8123

Awesome, thanks for the tip @z0mbieprocess. I managed to get it working doing what you suggested by loading the certificate in the Synology but rather than load my own .conf file as instructed in this guide (for some reason this didn’t work for me), I just used the Reverse Proxy feature in DSM 6.

I forwarded port 443 on the router to my Synology port 443. Loaded the ZeroSSL certificate into the Synology & set it as default. Finally I created a reverse proxy rule (Control Panel > Application Portal > Reverse Proxy) to listen for https://<subdomain>.<domain>:443 & send the traffic to http://<Synology IP>:8123

@patn: Can you provide some more details about how you got this to work? I am running Home Assistant on my Synology (not using Docker though, since my DS414 doesn’t support Docker). I created a Let’s Encrypt certificate through Synology control panel->Security->Certificate->Add. I am also forwarding port 443 on my router to 443 on my synology, and then using the Reverse Proxy feature to send it to port 8123. You can see details of my setup at the link below. I keep getting a 502 Bad Gateway nginx error.

How are you able to have a different subdomain for accessing home assistant vs for accessing the synology web portal? I am using synology’s DDNS (I also tried duckdns… doesn’t seem to make a difference)

Thanks!

Sorry @smazman, I wasn’t online for a while. Hope you’ve figured it out in the meantime, if not I’ve added some pointers to help. From memory, I only saw the 502 Bad Gateway nginx error when I was playing with the nginx config file in /etc/nginx but that didn’t work so I backed out the changes. So what I ended up doing was:

  1. I created sub-domains on my web hosting service I wanted to use for Synology. Altered the DNS Settings for each of these sub-domains to add A records pointing to my WAN external network IP.
  2. DSM 6 > Control panel > Security > Certificate > Add
    (I used the import certificate option & generated the certs using ZeroSSL with DNS verification as my ISP blocks port 80. I created a certificate for each sub-domain in ZeroSSL & imported them separately into DSM. Ultimately ended up with multiple records in DSM > Control panel > Security > Certificate, one for each sub-domain. E.g. ha.<domain>.com, synology.<domain>.com, etc.)
  3. Port forwarded port 443 from any destination to Synology port 443 on my router
  4. DSM 6 > Control panel > Application Portal > Reverse Proxy
    Created a new rule for each sub-domain in Step 1. For each sub-domain:
    Source - Protocol: HTTPS
    Source - Hostname: < subdomain.parent_domain > e.g. ha.xyz.com
    Source - Port: 443 (HSTS/HTTP/2 disabled)
    Destination - Protocol: HTTP
    Destination - Hostname: < Internal Synology IP >
    Destination - Port: < Port for Synology app you want to access, e.g. 8123 for HA, 5000 for DSM, etc. >

Hope that helps, let me know if you need clarification of anything. Cheers!

Hey patn, thank you for your explanation.

I already did what you suggested but this works for all my services (plex, sonarr etc) but not for home assistant.

I can reach the page from remote but then it gets stuck on “connecting”.

Can you please support me?

Thank you in advance!

Sure @Jokerigno, on your Home Assistant login page, after you click “Log In” & while it’s saying “Connecting”, can you right-click anywhere on the webpage & click “Inspect” from the menu

Then click on the Console tab & provide a screenshot of the errors you’re seeing. This should provide us with some more insight into the error.

I regenerated the certificate and the issue is gone.

thank you!

Hi @patn,

Sorry for bumping this old thread. May I know what you put for the http component in HA configuration?

This is what I put.

http:
  api_password: !secret http_password
  base_url: ha.xyz.com

However, I can only access the frontend via http://< Internal Synology IP >:8123/ but not https://ha.xyz.com. It gives “Unable to connect to Home Assistant.” error.

@masterkenobi

http:
  api_password: <password>
  server_port: <port number>
  base_url: https://<domain>
  cors_allowed_origins:
    - https://<domain>
    - http://192.168.1.2
  use_x_forwarded_for: True

Password: Can be anything.
Port number: Same port used in Control Panel > Application Portal > Reverse Proxy > Destination port. Your router also needs to forward an external port, e.g. 443 to your internal Synology IP.
Domain: The domain you’re using to access your Synology box.

NB: You need to create a reverse proxy in Synology > Control Panel > Application Portal > Reverse Proxy > Create. The source needs to be HTTPS, ha.xyz.com, 443. None of the checkboxes need ticking. The destination is HTTP, <your internal synology ip>, 8123. Essentially this routes https://ha.xyz.com:443 to http://<internal synology ip>:8123.

NBB: Make sure you create a websocket Custom Header for the Reverse Proxy Rules for the domain otherwise you might see the HA login page but won’t be able to log in properly


I didn’t realize I can include https:// in the base_url and never really understood how cors_allowed_origins works. Anyway, it seems to be working now. Thank you so much!

Hi, can you please suggest how to create websocket custom header in synology reverse proxy?

Thanks

If you’re running HA on your DSM 6 Synology and you’re using the built-in reverse proxy (Control panel > Application Portal > Reverse Proxy):

For each reverse proxy entry you create to access your HA instance, click on Custom Header > Create > Web Socket

This should create 2 new entries: Upgrade & Connection.

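An added example, not part of any post in this thread: a Python check for the "login page loads but stays on Connecting" symptom, which sends the WebSocket opening handshake (RFC 6455) through the reverse proxy and reports whether the Upgrade and Connection headers reached Home Assistant. The return labels and function names are this example's own; `/api/websocket` is Home Assistant's WebSocket endpoint.

```python
import base64
import hashlib
import os
import socket
import ssl

WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"  # fixed GUID from RFC 6455


def build_upgrade_request(host, key, path="/api/websocket"):
    """Opening handshake a browser sends for Home Assistant's WebSocket API."""
    return (f"GET {path} HTTP/1.1\r\nHost: {host}\r\n"
            "Upgrade: websocket\r\nConnection: Upgrade\r\n"
            f"Sec-WebSocket-Key: {key}\r\nSec-WebSocket-Version: 13\r\n\r\n"
            ).encode("ascii")


def expected_accept(key):
    """Sec-WebSocket-Accept value the server must echo for this key."""
    digest = hashlib.sha1((key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def diagnose(raw_response, key):
    """Classify the reply that came back through the reverse proxy."""
    head = raw_response.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    status_line, *header_lines = head.split("\r\n")
    parts = status_line.split(" ", 2)
    status = int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else 0
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    if status == 502:
        return "bad_gateway"            # proxy could not reach the destination
    if status != 101 or headers.get("upgrade", "").lower() != "websocket":
        return "upgrade_not_forwarded"  # no 101: the upgrade did not get through
    if headers.get("sec-websocket-accept") != expected_accept(key):
        return "bad_accept"
    return "ok"


def probe(host, port=443):
    """Run the check against a live proxy; the TLS certificate is verified."""
    key = base64.b64encode(os.urandom(16)).decode("ascii")
    with socket.create_connection((host, port), timeout=10) as raw:
        with ssl.create_default_context().wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(build_upgrade_request(host, key))
            return diagnose(tls.recv(4096), key)
```

Call `probe("ha.xyz.com")` with your own hostname from outside the LAN. A certificate that does not match the hostname raises `ssl.SSLCertVerificationError` before any request is sent.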

Thanks for help.

Hi,
I’ve recently installed Home Assistant on a 918+ Synology using Docker. I’m trying to access it from outside my local LAN but I can’t do it. I can access DSM at user.synology.me:5000 and I don’t know if there is some way to access Home Assistant the same way.
I’m not really good at these things, so do you know of any tutorial?
Thanks a lot!

Ideally you’d have a domain name, eg. xyz.com, resolving to your external IP address then you can create a reverse proxy through Control Panel > Application Portal > Reverse Proxy, then create a port forwarding rule in your router to send traffic coming in on a specific port to your Synology box.

If you don’t have a domain name, you can use your external IP:

  1. Give your Synology box a static IP: Control Panel > Network > Network Interface
  2. Find your external IP address (https://whatismyipaddress.com/)
  3. Log in to your router & set up a port forwarding rule to send traffic for a specific port to your Synology box.
    E.g. If your Synology box static IP is 192.168.1.10 and you want to access this through port 5000 on your router then your router port forwarding rule would look something like:
    External port: 5000
    Internal port: 8123 <-- This is the default port Home Assistant runs on
    Internal IP address: 192.168.1.10
  4. Once this is all set up, you should be able to access your HA instance through the browser using your external IP from step 2 & the external port on your router from step 3:
    E.g. <external_ip>:5000

Thanks a lot!!!, it works!!!