Reverse proxy through Synology

Everything worked for me, but now it gives me an error:

400: Bad Request

No issues here… Did you update HA recently by chance? Starting with 2021.06 it is required to define trusted proxies, otherwise HA will throw some errors.

Yes, I updated.
How do I set it up?

Prints this error:
A request from a reverse proxy was received from 192.168.1.210, but your HTTP integration is not set-up for reverse proxies

I did this by adding this code:

http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 10.0.0.200      # Add the IP address of the proxy server
    - 172.30.33.0/24  # You may also provide the subnet mask

I have the following in my configuration.yaml:

http:
  use_x_forwarded_for: true
  trusted_proxies: 192.168.52.21 # this is IP of my NAS, running reverse proxy

In my case it is only one, and it is the IP of the Synology NAS. In your config I’m not sure how it would work. Given the error message, it seems that your subnet is set to 192.168.1.x, so I guess you should add the IP of your Synology NAS from the same subnet. Your current IP addresses do not match the main subnet.

2 Likes
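The mismatch pointed out in the post above, as an added example that is not part of the thread: it takes the address Home Assistant reported in the error and tests it against a `trusted_proxies` list, and also lists entries that are ranges rather than single hosts, since every address in a listed range is accepted as a proxy. The function names are made up for this illustration, and the YAML values are copied from the posts and passed in as Python lists.

```python
import ipaddress
import re

# Error text as quoted earlier in the thread; the proxy address is captured.
ERR_RE = re.compile(
    r"A request from a reverse proxy was received from ([0-9A-Fa-f:.]+), but"
)


def parse_trusted(entries):
    """Convert trusted_proxies entries (single IPs or CIDR) to network objects."""
    if isinstance(entries, str):          # a bare scalar, as in the second config
        entries = [entries]
    return [ipaddress.ip_network(e.strip(), strict=False) for e in entries]


def proxy_from_log(line):
    """Return the proxy address named in the error line, or None if absent."""
    m = ERR_RE.search(line)
    return ipaddress.ip_address(m.group(1)) if m else None


def check(log_line, trusted_entries):
    """Return (proxy_ip, matching_network_or_None, entries_that_are_ranges)."""
    proxy = proxy_from_log(log_line)
    nets = parse_trusted(trusted_entries)
    match = None
    if proxy is not None:
        match = next((n for n in nets if proxy in n), None)
    ranges = [str(n) for n in nets if n.num_addresses > 1]
    return proxy, match, ranges


if __name__ == "__main__":
    line = ("A request from a reverse proxy was received from 192.168.1.210, "
            "but your HTTP integration is not set-up for reverse proxies")
    # Config as first posted: neither entry covers the proxy in the error.
    print(check(line, ["10.0.0.200", "172.30.33.0/24"]))
    # Config listing only the address from the error message.
    print(check(line, ["192.168.1.210"]))
```
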

Hi,
I have been trying to figure out the reverse proxy for HA on Synology for some time and still cannot make it work. I have everything configured as said here in this guide or elsewhere, but when trying ha.mydomain.cc from the LAN I get ERR_CONNECTION_REFUSED, and from the internet it connects directly to the DSM. It looks like the DSM prefers itself over the reverse proxy. Any ideas?

ok solved, this was my lovely PiHole. How could it sink my personal domain???

I’m hoping you can provide even just a bit more insight into your situation, getting reverse proxy working for HA through a Synology NAS. I’ve been through all the setups about five times, with no success… yeah, you say it worked after you discovered something going on with Pi Hole… but I don’t have Pi Hole running. 🙁

Thanks in advance for anything.

I have three reverse proxies for three ports: https DSM, 80, 443. I am forcing https everywhere, for DSM and for the reverse proxy. Then I think you have to be patient until it is propagated to the DNS tables. Forget Pi-hole, that was my special problem. I had to whitelist my home domain. For some reason Pi-hole killed all requests.

1 Like

Did it work?

@mirekmal, thanks, this is a great manual! My DSM reverse proxy is working, as are the separate photo and drive links. Bitwarden is also running fine. I only have an issue with the 2 reverse proxy rules which point to my HA (HA config and, on another port, my UniFi controller). Both give ERR_CONNECTION_REFUSED. I added the Syno IP as a trusted proxy. Not sure what I still need to do.

So when you say you have reverse proxies for three ports, I’m getting stuck… I’m just not understanding the three. When I try to set something up for https DSM, I assume you’re talking about the port that you’ve assigned to your DSM’s https. But when I try to set one up for my DSM https, let’s just say that’s port 1000 and http is port 2000, in either case, trying to send one to the other, I get “port already used by another application” or something like that.

So with that and all, can you give an example of the source and destination you’re using for each? Not looking for private info, and really appreciate your time. I’m looking to do the exact same thing you have done, with just “ha.mydomain.com”, and having the exact result you originally had with it just going to the main DSM sign-in when I hit it.

Thanks in advance for the examples.

@Illinoid,
This is what I have:
Source: https://drive.domain.com:443 destination: http:drive.domain.com:port

Does this help?
I only got it working for the DSM and for drive, photo and Bitwarden. I can’t get it working for Home Assistant and the UniFi controller, which is also running on my HA.

Ok… I think you and I have gone about this differently, but have about the same result. I have a wildcard SSL cert for my personal domain, which is applied to any of the Synology package services like drive, photo, etc. In those cases, it’s just https://mydomain.com/drive, for example, and I didn’t have to put in any type of reverse proxy to do it. But… I think I should be able to apply my wildcard cert to my HA system, by doing exactly what you’re doing, but it ends up giving me my main DSM page when I hit the ha.mydomain.com. So alas, we end up with the same problem, I think.

@Illinoid, how did you set up DNS? And do you have webservice enabled?

@mirekmal, first, thanks for this tutorial. Unfortunately I’ve been through it a dozen times and it just doesn’t work for me. The ONLY difference that appears to be in our systems is that I have a wildcard SSL which automatically takes care of alternative names. Without doing anything other than adding a reverse proxy, it then shows the “ha.mydomain.com” that I’m trying to see as a subdomain serviced by the cert. So I don’t think that’s the issue. I have altered the trusted proxies settings in my config.yaml file, to point to my Synology NAS, with no subnet information, as you have shown you successfully did.

Yet I still get the main DSM login page when I go to ha.mydomain.com.

@fschade, thanks for sticking with this thread too. For my DNS, (done through GoDaddy), I have a CNAME record set up for the “ha” subdomain. As for having webservice enabled, I’m assuming you’re referencing the “Web Service Portal” configurations available through the Web Station package? Don’t know if that’s what you were referring to or not, but I have Web Station installed and have tried to create a new Service Portal entry, using the “Alternative Portal of Default Server” option. If I attempt to use the named option, with the “ha” subnet, it doesn’t allow me as long as I have Reverse Proxy entries in for it, saying “domain already in use by another application”. But when I delete the Reverse Proxy records and create it that way, it still doesn’t work.

Man, I wish Synology would just come up with an option in the Application Portals section, where you could direct it to the IP of anything running as a Docker or VM on the unit. I’m not afraid of trying to figure out the technical details, but I’ve been at this so long, all I want is something easy.

I just want to access “https://ha.mydomain.com”… that’s all!

Thanks for everything, and thanks in advance for any further insights from either of you!

@Illinoid, same same. I have this frustration also. Do you have HA running as a docker on your Syno or on a Pi? And do you have a local DNS server running, or is that your router?

@fschade, I have HA running as a VM in Synology VMM. Right now, the only way to get at it externally is to keep it http, vs. https, and that’s not great. I have to hit it with http://mydomain.com:12345 (just an example, I have a custom port on my HA, so at least it’s security through obscurity).

@Illinoid, try to make the reverse proxy setup like this: http://localhost:12345 as destination. I have my Bitwarden in a docker running on my Syno. I had difficulty getting that running with the reverse proxy. But when I did this it worked:
source: https://bitwarden.mydomain.com:443 and destination: http://localhost:12345