Does this help?
I only got it working for the DSM and for drive, photo and bitwarden. I can’t get it working for home assistant and unifi controler which is also running on my ha.
Ok… I think you and I have gone about this differently, but have about the same result. I have a wildcard SSL cert for my personal domain, which is applied to any of the Synology package services like drive, photo, etc. In those cases, it’s just https://mydomain.com/drive, for example, and I didn’t have to put in any type of reverse proxy to do it. But… I think I should be able to apply my wildcard cert to my HA system, by doing exactly what you’re doing, but it ends up giving my my main DSM page when I hit the ha.mydomain.com. So alas, we end up with the same problem, I think.
@mirekmal, first thanks for this tutorial. Unfortunately I’ve been through it a dozen times and it just doesn’t work for me. The ONLY difference that appears to be in our systems is that I have a wildcard SSL which automatically takes care of alternative names. Without doing anything other than adding a reverse proxy, it then shows the “ha.mydomain.com” that I’m trying to see as a subdomain serviced by the cert. So I don’t think that’s the issue. I have altered the trusted proxies settings in my config.yaml file, to point to my Synology NAS, with no subnet information, as you have shown you successfully done.
Yet I still get the main DSM login page when I go to ha.mydomain.com.
@fschade, thanks for sticking with this thread too. For my DNS, (done through GoDaddy), I have a CNAME record set up for the “ha” subdomain. As for having webservice enabled, I’m assuming you’re referencing the “Web Service Portal” configurations available through the Web Station package? Don’t know if that’s what you were referring to or not, but I have Web Station installed and have tried to create a new Service Portal entry, using the “Alternative Portal of Default Server” option. If I attempt to use the named option, with the “ha” subnet, it doesn’t allow me as long as I have Reverse Proxy entries in for it, saying “domain already in use by another application”. But when I delete the Reverse Proxy records and create it that way, it still doesn’t work.
Man, I wish Synology would just come up with an option in the Application Portals section, where you could direct it to the IP of anything running as a Docker or VM on the unit. I’m not afraid of trying to figure out the technical details, but I’ve been at this so long, all I want is something easy.
@Illinoid, same same. i have this frustration also. Do you have HA running as a docker on your syno or on a PI? And do you have a local DNS server running? or is that your router?
@fschade, I have HA running as a VM in Synology VMM. Right now, the only way to get at it externally is to keep it http, vs. https, and that’s not great. I have to hit it with http://mydomain.com:12345 (just an example, I have a custom port on my HA, so at least it’s security through obscurity).
On Synology NAS wildcard certificates work only with Synology DDNS (or rather can be create by DSm only for Synology DDNS). LetsEncrypt even does not allow to create such certificate. Who is your certificate provider?
Ok… I got it to work. I’ll try and keep this concise…
I followed the original directions on this post… many, many times.
I use custom ports for everything, changing ALL common ports for sake of security.
This means I don’t use 5000/5001 for DSM, and don’t use 8123 for Home Assistant.
I interpreted directions above literally. Reverse Proxy for SSL showing port 443, while DSM HTTPS port at 5000.
On a whim, I changed Reverse Proxy records to reflect my custom DSM port settings instead of 80 and 443 respectfully.
The minute I did that, it started working.
But that leaves me to ask the question… how could these directions above work if my changing 443 and 80 to my custom DSM ports in the Reverse Proxy records worked for me? If the pictures in the original response post above worked for him, I don’t understand how he wouldn’t have had to put 5000 as the port in the HTTP Reverse Proxy Record, and 5001 in the HTTPS.
But hey… I’m working now. Logging into iOS client and through browser with https://ha.mydomain.com… just as I’d been hoping for so long. Don’t know why I’m arguing about how at this point!!
Thanks for the continued ideas and encouragement, all!
@Illinoid , great! So you are using the syno reverse proxy right? Can you share a screenshot? with blur on the sensitive domain parts. I’m trying to get ha also working but no success.
Sorry for the delay, but yep… here ya go. A shot of my actual portal settings for DSM… for reference, you can see my custom HTTP port ends in 0, and custom HTTPS port ends in 1. The only thing I did, (after following all other directions on this page), is to just change 80 and 443 in my two Reverse Proxy rules to those custom ports assigned to DSM.
Again, all other directions on this page followed, including the Trusted Proxy settings in configuration.yaml, as well as the CNAME record in DNS management for the “ha.mydomain.com” subdomain. Let me know if I can be of any help with other information. I just can’t believe it was finally that easy.
@Illinoid, thanks again. Where do add the CNAME record? In the DNS server in the syno? And if it’s a CNAME you will not point to an IP but to an other domain. Only A records point to IP’s. Can you share your setup on DNS?
CNAME records are done at whomever your registrar is. In my case, Godaddy. Each domain registrar may feel a little different as to how you go manage DNS for your custom domain. But they all must let you creat a CNAME record… that’s what tells the entire internet how/where to route your subdomain back to you syno… make sense?
@Illinoid , YES super happy! Joined forces! Local DNS can be handy for easy urls like ha.home or something like that. But no need. See on the next project quest!
Did anyone tried to use login without password in this setup? (i mean “trusted_networks” inside HA)?
My acces from outside to HA inside Synology VM works perfectly, but i’d like to access my HA without entering password each time when i access my HA inside my local network with local HA IP. But, it just doesn’t work, no matter what i do, no matter which IP range i enter in “trusted_networks”…i always get this computer is not allowed.