SSL access behind Synology NAS and own domain

I have a Synology NAS set up as a VPN server with a Let’s Encrypt certificate.
Ports 80 and 423 are redirected to my NAS for certification.
I use a DynDNS service provided by OVH (my domain host).
Both DynDNS and Let’s Encrypt are automatically updated by my NAS.

While it is true I can connect to my HAS through my VPN, I would like to be able to directly access it through SSL, in order to connect Google Assistant to it.

And this is where my limited knowledge of networking stops. Is that even possible? If so, how? I tried copying my Let’s Encrypt certificate to my HAS and using Nginx, but that doesn’t seem to work.

Any feedback would be greatly appreciated.

Thank you!

Pick a port and point your domain to that (5123 for example)

Forward incoming 5123 to HA https port
All requests go straight to HA

You can add a reverse proxy if you have many other services and use that to forward requests to the appropriate service, limiting the ports open on the router.

That’s what I did.

I have home.mydomain.com that points to my external IP thanks to DDNS.

And hassio.mydomain.com that redirects to home.mydomain.com:5123 (and 5123 is redirected to the 8123 port of HAS).

But neither hassio.mydomain.com nor home.mydomain.com:5123 work with https

Does http work?

You also must set up HA for https with a cert.
Example here

If you didn’t do the above, HA won’t provide a cert when an https browser attempts a connection. Supply the info in the config and all should be OK, presuming you haven’t done this already.

Yes http works.

As I said I’m trying to set up https with Nginx but I have a feeling I’m doing something wrong. Should I forgo Nginx and use the method in the link you posted?

I imported the Let’s Encrypt certificate from my NAS, but I am wondering if I should not be generating a new one for HAS. I keep getting an ERR_SSL_PROTOCOL_ERROR when I try connecting through https.

Missed this

Cert goes to nginx

Example Ports forward to nginx

Nginx points to HA https
After this you must have correct config in nginx for it to work

Nginx logs will show attempted connections and any failures with failure cause

You must also set up the HA config http section to allow x-forwarded-for and trusted proxies. The link I previously provided has an example of HA setup for a reverse proxy.

You should post the http section of HA (change domain and external IPs before posting) and the nginx config (change sensitive info) here.

Thanks for all the info, but I guess I don’t have enough networking knowledge to set everything up.

On my router, HTTPS and 8123 ports are redirected to HA.

I’m not seeing anything in the NGINX logs, no connection attempt, nothing.

But I do have this in the main HA log:

ERROR (MainThread) [aiohttp.server] Error handling request
Traceback (most recent call last):
  File "/usr/local/lib/python3.10/site-packages/aiohttp/web_protocol.py", line 334, in data_received
    messages, upgraded, tail = self._request_parser.feed_data(data)
  File "aiohttp/_http_parser.pyx", line 551, in aiohttp._http_parser.HttpParser.feed_data
aiohttp.http_exceptions.BadStatusLine: 400, message="Bad status line 'Invalid method encountered'"

As requested, here is my NGINX config

domain: <home.mydomain.com>
hsts: max-age=31536000; includeSubDomains
certfile: cert.pem
keyfile: privkey.pem
cloudflare: false
customize:
  active: false
  default: nginx_proxy_default*.conf
  servers: nginx_proxy/*.conf

And my http section in configuration.yaml:

http:
  use_x_forwarded_for: true
  trusted_proxies: 
    - 127.0.0.1
    - <internal IP of my NAS>
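
A common cause of the `Invalid method encountered` error in the HA log above is an HTTPS client reaching a listener that only speaks plain HTTP, for instance when the router forwards the HTTPS port straight to HA rather than to Nginx. The following is an added example, not code from the thread; the function names are hypothetical and whether this is the cause in this setup is an assumption. It builds a real TLS ClientHello offline and shows why an HTTP parser rejects it:

```python
import re
import ssl

# Characters allowed in an HTTP method token (RFC 9110), followed by a space.
_METHOD = re.compile(rb"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+ ")

def make_client_hello(server_name: str) -> bytes:
    """Return the first bytes a client sends for https://, with no network I/O."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=server_name)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: the client is now waiting for a ServerHello
    return outgoing.read()

def classify_first_bytes(data: bytes) -> str:
    """Classify what a listener received at the start of a connection."""
    # TLS record header: content type 0x16 (handshake), version major 0x03.
    if len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03:
        return "tls-handshake"
    if _METHOD.match(data):
        return "http-request"
    return "unknown"

def diagnose(listener_speaks: str, data: bytes) -> str:
    """Compare what the listener expects ('http' or 'https') with what arrived."""
    got = classify_first_bytes(data)
    if listener_speaks == "http" and got == "tls-handshake":
        return "mismatch: TLS sent to a plain-HTTP port (parser sees an invalid method)"
    if listener_speaks == "https" and got == "http-request":
        return "mismatch: plain HTTP sent to a TLS port"
    if got == "unknown":
        return "unknown: neither a TLS handshake nor an HTTP request line"
    return "ok"

if __name__ == "__main__":
    # Constructed samples: placeholder hostname from the thread, hand-written request.
    hello = make_client_hello("home.mydomain.com")
    plain = b"GET / HTTP/1.1\r\nHost: home.mydomain.com\r\n\r\n"
    print(hello[:5].hex(), "->", diagnose("http", hello))
    print(plain[:14], "->", diagnose("http", plain))
    print(plain[:14], "->", diagnose("https", plain))
```
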

Go through this thread. Perhaps it brings you closer to a solution: Synology reverse proxy HTTP errors

Thank you so much! That definitely put me on the right track. Finally got everything working as it should.

I’ll take the time to post a detailed answer when I get the chance.

Thanks again @doubleUS !

Please do get round to posting your answer, it will help plenty of others.