Reverse proxy through Synology

Configuration
1

I want to integrate Smartthings in HA and have therefore created a reverse proxy in DSM with a subdomain for HA.
I have also created a certificate (let´s encrypt) in DSM which includes the new subdomain for HA.

But from now on I dont know what to do, like what must be done with the certificate and should I make changes to the config.yaml?

By the way I am still on 0.103.6 but I guess the integration to Smartthings should still be possible.

2

No one has experience with using reverse proxy through Synology for integrating smartthings?

3

I do… and in fact use it quite heavily for all of my home systems :slight_smile:
So normal workflow for me is:

  • create entry in application portal (either enable native Synology app in Applications tab or adding entry under Reverse Proxy for systems not integrating with Synology DSM).

  • In caes of HA this would be something like on the screenshot below:

    Screenshot 2021-02-06 at 11.26.20
    Screenshot 2021-02-06 at 11.26.20489×607 35.4 KB

    and, if you want to use https (I assume so) also this one:
    Screenshot 2021-02-06 at 11.27.26
    Screenshot 2021-02-06 at 11.27.26488×605 35.2 KB

  • for both of above go to Custome Header tab and add websocket to HA; click on Create->WebSocket and 2 entries like on screenshot below will be created automatically:
    Screenshot 2021-02-06 at 11.28.05

  • In Control Panel -> Network -> DSM Settings check Automatically redirect HHTP connection to HTTPS for DSM desktop. This will force all connection, even these not secure to be redirected to HTTPS:
    Screenshot 2021-02-06 at 11.31.57

  • create certificate in Security -> Certificate -> Add -> Add. Choose either Add new or Replace and existing, depending on your situation. In first case you will have a chance to make it default later.

  • Select Get a certificate from Let’s Encrypt and click Next.

  • Fill in required data on next screen; your domain name, contact email and in subject Alternative Name put all of your subdomeins you want to use (unfortunatelly there is no easy way to use wildcards for Let’s Encypt at the moment from UI). So for my domain from screenshots above it would look like:

    Screenshot 2021-02-06 at 11.37.35
    Screenshot 2021-02-06 at 11.37.35658×555 54.3 KB

    If you want to use more subdomains list theme all, separated with semicolon:

hassio.mydomain.com;mail.mydomain.com;synology.mydomain.com
  • click apply and wait for NAS to complete certificate creation
  • if not done this way during creation make it default cetrificate for your system; select certificate on the list, right click on it and select Edit. Check Set as default certificate box and clisk OK
    Screenshot 2021-02-06 at 11.37.35
    Screenshot 2021-02-06 at 11.37.35658×555 54.3 KB
  • make sure that hassio will use this particular certificate. While still in certificates list select Configure button and on the list of reverse proxy entries make sure all of them have proper certificate selected on the right and click OK:
    Screenshot 2021-02-06 at 11.45.22
  • make sure that ports 80 and 443 on your router are redirected to your LAN IP of NAS (or alternatively put it into DMZ, but this is less secure, as it exposes it entirely to Internet).
  • test connection by going to https://hassio.mydomain.com. you should see locked padlock icon in the address bar of your browser (or whatever your browser uses to signal safe connection).

Important to understand; using this method Synology NAS works as gateway to your network and certificate that was just created is used to validate that connection through your NAS to devices on the LAN are secure upt to NAS. This method does not secure connection to the actual device (as if you would create certificate directly on HA or use Nabucasa. Yet from perspective of connecting from outside of your LAN ensure security of connection.

16 Likes
4

Thanks very much for this guide :slight_smile:
I had everything but one thing the same way.
I used the main domain name as Subject Alternative Name instead of the sub domain used for HA.
Now I can access HA from outside with https :+1:

5

Now I have to figure out how to make the integration with Smartthings and/or IFTTT.
Smartthings needs SSL but I guess I don´t have to create certificates with the reverse proxy working… or?

6

Sorry, I can’t help with SmartThings, do not have one… Jest lets try and see what will happen! :slight_smile:

7

I will try out a few things, but thanks again for helping :slight_smile:

8

Everything worked for me, but now it gives me an error:

400: Bad Request

9

No issues here… Did you updated HA recently by chance? starting 2021.06 it is required to define trusted proxies, otherwise HA will throw some errors.

10

Yes, I updated.
How do I set it up?

11

Prints this error:
A request from a reverse proxy was received from 192.168.1.210, but your HTTP integration is not set-up for reverse proxies

12

I did this by adding this code:

http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 10.0.0.200      # Add the IP address of the proxy server
    - 172.30.33.0/24  # You may also provide the subnet mask
13

I have following in my configuration.yaml:

http:
  use_x_forwarded_for: true
  trusted_proxies: 192.168.52.21 # this is IP of my NAS, running reverse proxy

in my case it is only one and it is IP of Synology NAS. In your config I’m not sure how it would work. Given error message it seems that your subnet is set to 192.168.1.x, so I guess you should add IP of your Synology NAS from the same subnet. Your current IP addresses do not match main subnet.

2 Likes
14

Hi,
I am trying to figure out reverse proxy for HA on synology for some time and still cannot make it through. I have everything configured as said here in this guide or elsewhere, but in the scenario of trying the ha.mydomain.cc from LAN, I got ERR_CONNECTION_REFUSED, in the scenario from the internet, it connects directly to the DSM. It looks like the DSM prefers itself over the reverse proxy. Any ideas?

15

ok solved, this was my lovely PiHole. How could it sink my personal domain???

16

I’m hoping you can provide even just a bit more insight into your situation, getting reverse proxy working for HA through a Synology NAS. I’ve been through all the setups about five times, with no success… year you say it worked after you discovered something going on with Pi Hole… but I don’t have Pi Hole running. :frowning:

Thanks in advance for anything.

19

I have three reverse proxies for three ports: https DSM, 80, 443. I am forcing htts everywhere, for dsm and for reverse proxy. Then I think you have to patient until it is propagated to dns tables. Forget pihole, that was my special problem. I had whitelist my home domain. Dor some reason pihole killed all requests

1 Like
20

Did it work?

21

@mirekmal, thanks this is a great manual! My DSM reverse proxy is working also the seperate photo and drive links. Bitwarden is also running fine. i only have an issue with the 2 reverse proxy rules which point to my HA (ha config and on an other port my unifi controller). Both give ERR_CONNECTION_REFUSED. I added the syno IP as trusted proxy. Not sure what i still need to do.
image

22

So when you say you have reverse proxies for three ports, I’m getting stuck… I’m just not understanding the three. When I try to set something up for https DSM, I assume you’re talking about the port that you’ve assigned to your DSM’s https. But when I try to set one up for my DSM https, let’s just say that’s port 1000 and http is port 2000, in either case, trying to send one to the other, I get “port already used by another application” or something like that.

So with that and all, can you give an example of for each on the source and destination you’re using? Not looking for private info, and really appreciate your time. I’m looking to do the exact same thing you have done, with just “ha.mydomain.com”, and having the exact result you originally had with it just going to the main DSM sign-in when I hit it.

Thanks in advance for the examples.