Remote SSH tunnel with reverse proxy on Synology

Hi all,
I already found a lot of information about this topic, but none of it has worked so far.
Here’s my setup:
I did a remote SSH tunnel with autossh on Hassio (RPI).

packages:
  - autossh
init_commands:
  - >-
    autossh -N -M 18123 -o StrictHostKeyChecking=no -o
    UserKnownHostsFile=/dev/null -o "PubkeyAuthentication=yes" -o
    "PasswordAuthentication=no" -i /config/syno -R 6789:localhost:8123
    MYUSERNAME@SYNOLOGY_URL.ch -p 2208 &

I also did the following in configuration.yaml:

http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 127.0.0.1
    - 192.168.1.140  # internal IP of the Synology

Then on the Synology I set up the reverse proxy.


And I created the custom header with websocket and added X-Forwarder-For as well.
I set up the reverse proxy on HTTPS & HTTP (port 8080), but each time I get 400 bad request.

If I do a curl on localhost on the Synology on the remote port (6789), I get the page from HA.
So I imagine the problem to be in the Synology reverse proxy, but I don’t know what else to do :)

Edit:
I did a tcpdump on Hassio:

sudo tcpdump -i any port 8123 or port 6789
tcpdump: data link type LINUX_SLL2
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
13:04:02.369574 lo    In  IP6 localhost.48802 > localhost.8123: Flags [S], seq 236201766, win 65476, options [mss 65476,sackOK,TS val 2971113484 ecr 0,nop,wscale 7], length 0
13:04:02.369705 lo    In  IP6 localhost.8123 > localhost.48802: Flags [S.], seq 1803098247, ack 236201767, win 65464, options [mss 65476,sackOK,TS val 2971113484 ecr 2971113484,nop,wscale 7], length 0
13:04:02.369827 lo    In  IP6 localhost.48802 > localhost.8123: Flags [.], ack 1, win 512, options [nop,nop,TS val 2971113484 ecr 2971113484], length 0
13:04:02.372153 lo    In  IP6 localhost.48802 > localhost.8123: Flags [P.], seq 1:438, ack 1, win 512, options [nop,nop,TS val 2971113486 ecr 2971113484], length 437
13:04:02.372250 lo    In  IP6 localhost.8123 > localhost.48802: Flags [.], ack 438, win 509, options [nop,nop,TS val 2971113486 ecr 2971113486], length 0
13:04:02.381158 lo    In  IP6 localhost.8123 > localhost.48802: Flags [P.], seq 1:167, ack 438, win 512, options [nop,nop,TS val 2971113495 ecr 2971113486], length 166
13:04:02.381279 lo    In  IP6 localhost.48802 > localhost.8123: Flags [.], ack 167, win 511, options [nop,nop,TS val 2971113495 ecr 2971113495], length 0
13:04:02.383181 lo    In  IP6 localhost.8123 > localhost.48802: Flags [P.], seq 167:183, ack 438, win 512, options [nop,nop,TS val 2971113497 ecr 2971113495], length 16
13:04:02.383372 lo    In  IP6 localhost.48802 > localhost.8123: Flags [.], ack 183, win 511, options [nop,nop,TS val 2971113497 ecr 2971113497], length 0
13:04:02.385677 lo    In  IP6 localhost.48802 > localhost.8123: Flags [F.], seq 438, ack 183, win 512, options [nop,nop,TS val 2971113500 ecr 2971113497], length 0
13:04:02.388927 lo    In  IP6 localhost.8123 > localhost.48802: Flags [F.], seq 183, ack 439, win 512, options [nop,nop,TS val 2971113503 ecr 2971113500], length 0
13:04:02.389038 lo    In  IP6 localhost.48802 > localhost.8123: Flags [.], ack 184, win 512, options [nop,nop,TS val 2971113503 ecr 2971113503], length 0

As you can see, the requests come in over IPv6.
Thank you for your support.

P.S. I want to do it this way because the RPI hosting HA will be behind a router with a SIM card, so I won’t be able to reach it through DDNS.

By default, an SSH tunnel is only bound to 127.0.0.1 on the host, so you can only access HA from the Synology.

Try

 -R 0.0.0.0:6789:localhost:8123

EDIT: That being said, as the reverse proxy is on the Synology, it’s probably not that.
Maybe try “127.0.0.1” in the proxy config, to eliminate IPv6 issues.

Hi, I already put 127.0.0.1/8 in the trusted proxies in configuration.yaml.

In the “Reverse proxy rules” of the Synology…

Of course … sorry.
No, still the same effect.

I finally found some of my errors.
So let me post the actual configuration that I have now.
In the Synology:
I added the websocket header and also
X-Forwarded-For $proxy_add_x_forwarded_for

In HA:
autossh tunnel:
Here I forced the tunnel to use 127.0.0.1 and not localhost:

autossh -N -M 18123 -o StrictHostKeyChecking=no -o
    UserKnownHostsFile=/dev/null -o "PubkeyAuthentication=yes" -o
    "PasswordAuthentication=no" -i /config/syno -R 6789:127.0.0.1:8123
    MYSYNO -p 2208 &

In configuration.yaml I used:

http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 127.0.0.1
    - 192.168.1.140

And I restarted the HA server
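
An added example, not part of the thread and not Home Assistant's own code: a simplified model of the trusted-proxy check discussed above, showing why a tunnel endpoint that connects from ::1 is not covered by a trusted_proxies list containing only 127.0.0.1, while a direct curl without the header still gets through. The function name, the decision logic and the client address 203.0.113.7 are assumptions made for illustration.

```python
import ipaddress

# trusted_proxies as posted in the thread's configuration.yaml
TRUSTED = ["127.0.0.1", "192.168.1.140"]


def forwarded_decision(peer, trusted_proxies, xff, use_x_forwarded_for=True):
    """Hypothetical model: return (http_status, effective_client_ip)."""
    peer_ip = ipaddress.ip_address(peer)
    if xff is None:
        # No forwarding header (e.g. a direct curl): the peer is the client.
        return 200, str(peer_ip)
    if not use_x_forwarded_for:
        return 400, None  # header present but forwarding support is off
    # strict=False tolerates entries written with host bits, e.g. 127.0.0.1/8
    nets = [ipaddress.ip_network(n, strict=False) for n in trusted_proxies]

    def trusted(ip):
        # An IPv6 address is never "in" an IPv4 network, so ::1 != 127.0.0.1
        return any(ip in net for net in nets)

    if not trusted(peer_ip):
        return 400, None  # header came from a peer that is not a trusted proxy
    try:
        hops = [ipaddress.ip_address(h.strip()) for h in xff.split(",")]
    except ValueError:
        return 400, None  # malformed X-Forwarded-For value
    # Walk right to left; the first untrusted hop is taken as the client.
    for hop in reversed(hops):
        if not trusted(hop):
            return 200, str(hop)
    return 200, str(hops[0])


if __name__ == "__main__":
    client = "203.0.113.7"  # constructed sample client address
    cases = [("::1", TRUSTED), ("127.0.0.1", TRUSTED), ("::1", TRUSTED + ["::1"])]
    for peer, proxies in cases:
        print(peer, proxies, forwarded_decision(peer, proxies, client))
    print("no header:", forwarded_decision("::1", TRUSTED, None))
```

Listing only the exact loopback address the tunnel really connects from keeps the trusted set as small as possible, which matters because any trusted peer can set the client IP that HA records.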