Reverse proxy through Synology

Perhaps using trusted_proxies, possibly together with use_x_forwarded_for.

I have trusted proxies entered; the IPs are the IP of the NAS segment and those two which are stated in the virtual machine: 172.30.0… and 172.17…
use_x_forwarded_for is set to true. Doesn’t work…

If you’re trying to access HA “inside my local network with local HA IP”, as you say, how does that relate to the reverse proxy setup?

So, I have external access set up via Synology reverse proxy, so I access it via, say, “homeassitant.mydomain.synology.me”. For local access I would use the local IP of my HA setup, so, say, 192.168.0.200:8123.

What I would like is this:

  • if I enter “homeassitant.mydomain.synology.me” → username and password is asked
  • if I enter “192.168.0.200:8123” → I go directly to HA lovelace, without entering username/password.

If I understand THIS PAGE correctly, this should be possible, but it doesn’t work for me…

And you’re using a configuration similar to this?

auth_providers:
  - type: trusted_networks
    trusted_networks:
      - 192.168.0.0/24

(assuming that you’re accessing 192.168.0.200 from an IP address in the range 192.168.0.X)

Yes. I also tried to add other IP segments, as stated in Syno’s virtual machine (as said above: 172.30.0… and 172.17.0…), but I always get computer is not allowed.

I’m not too familiar with Synology VMs (I mainly use Docker, and the times I did use a VM it got an IP address from my router, so in the 192.168 range that all my local computers use), but where does the mapping between the 192.168.0.200 and the internal VM address range (172.X) take place?

I guess that it happens inside Synology’s virtual machine manager. But, there must be either some other IP involved…

Then I’m out of ideas :frowning: In any case though, it doesn’t sound like your issue is related to the reverse proxy.

1 Like

Hi @mirekmal
Just a question about the “important to understand” portion of your guide: would it make any difference setting up a Docker reverse proxy like nginx proxy manager instead of using the out-of-the-box reverse proxy? Or is it the same thing security-wise? The fact that Docker is using a bridge network instead of my LAN’s subnet makes it hard for me to understand the differences, if any, since I am not a network expert.
Thanks.

Desosav, I believe Synology Reverse proxy is under the hood actually nginx, as the entire Synology DSM is Linux-based… It just has a nice UI integrated into DSM. So security-wise it should not make any difference. Still, traffic is secured up to the edge device (proxy server), and once it enters the LAN it connects to the target device the same way. The difference while using a Docker-based proxy is that there is an additional layer of NAT between the LAN (e.g. 192.168.x.y) and the internal Docker network (172.30.32.x, if I’m not mistaken).

1 Like

Hi Guys
In my case I could not access (error 400) because I had not added the docker network gateway (in my case 172.18.0.1):

http:
  use_x_forwarded_for: true
  trusted_proxies:
  - 192.168.1.100 # IP of my NAS
  - 172.18.0.1 # docker network gateway "docker-brigde"

1 Like
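A simplified model of the two checks discussed in this thread, added here as an example (it is not Home Assistant's code and not from any poster): a request carrying X-Forwarded-For is rejected with 400 unless the connecting peer is listed in trusted_proxies, and login is skipped only when the resolved client address falls in trusted_networks. The function names, the return shape and the sample addresses are assumptions constructed for illustration.

```python
import ipaddress

# Constructed sample configuration; addresses follow the post above.
TRUSTED_PROXIES = ["192.168.1.100", "172.18.0.1"]  # NAS, Docker bridge gateway
TRUSTED_NETWORKS = ["192.168.1.0/24"]              # LAN clients that may skip login


def _in_any(addr, networks):
    """True if addr falls inside any listed address or CIDR range."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(n) for n in networks)


def evaluate(peer, x_forwarded_for=None, use_x_forwarded_for=True):
    """Return (http_status, client_ip, login_bypassed) for one request.

    peer is the source address of the TCP connection as the backend sees it.
    Behind Docker NAT that is the bridge gateway, not the NAS LAN address.
    """
    try:
        if x_forwarded_for is None:
            client = peer  # direct connection, no proxy header present
        else:
            if not use_x_forwarded_for or not _in_any(peer, TRUSTED_PROXIES):
                return 400, None, False  # header sent by a peer we do not trust
            hops = [h.strip() for h in x_forwarded_for.split(",")]
            # Walk right to left; the first hop that is not one of our own
            # proxies is taken as the client address.
            client = next((h for h in reversed(hops)
                           if not _in_any(h, TRUSTED_PROXIES)), hops[0])
        return 200, client, _in_any(client, TRUSTED_NETWORKS)
    except ValueError:
        return 400, None, False  # malformed address in peer or header


if __name__ == "__main__":
    for args in [("192.168.1.50",), ("172.18.0.1", "203.0.113.7"),
                 ("172.18.0.2", "203.0.113.7")]:
        print(args, "->", evaluate(*args))
```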

Hi and thanks for your explanation!

I’m unfortunately always getting 400 errors and tried each IP address for trusted_proxies which can be found in this thread, as well as the IP of my NAS, which runs the proxy server.

Any idea how I would find the correct IPs to list here?

Thanks!

I only have NAS IP configured for trusted_proxies:

http:
  use_x_forwarded_for: true
  trusted_proxies: 192.168.52.21 # IP of my NAS

I have HA configured as a VM running on an ESXi host and never needed to add the docker bridge to the config…
So hard to say what might be wrong here :frowning:

After a lot of googling, this simple solution fixed my external access to my HA on Synology! I’ve had everything set up correctly but was getting the “unable to log in” error.

You may need to modify your configuration file. Regarding the certificate from Let’s Encrypt, you’ll need to make sure that it’s properly installed and configured for the subdomain. If the certificate isn’t properly installed, your integration may not work as expected. You may receive security warnings. Besides, you’ll have to configure your reverse proxy in DSM to use the certificate for the subdomain for HA. Make sure that the reverse proxy is properly forwarding requests to the HA server. I hope I helped. This method worked when I was trying to do the same thing. However, my proxies from https://shiftproxy.io/pricing-isp were a bit different from yours. But I hope it will work for yours too.

The certificate is in this case installed in Synology (under Security → Certificate), not in HA. Synology accesses HA through the proxy with local IP and http.

Hi, I am also using my Synology as a reverse proxy for HA, but lately I am experiencing issues. Sometimes HA pages are not loading or are generating errors. This also happens with the add-on pages. It used to work flawlessly before. Now I am thinking of using haproxy or something else.
Is there anyone that has a similar experience?

I have switched to haproxy and that is much, much faster. My issues have gone away now.

Where did you install haproxy?