Synology reverse proxy HTTP errors

First off, apologies for repeating a topic that has been brought up numerous times, but I am two weeks into scouring the forum for a working answer, and I have not found one yet.

I have a Synology DS218+, running Docker. I have a working HA setup on a RPI, which I intend migrating across.

I have installed the HA container, and run a fresh image of HA. It starts up, and is accessible from :8123 - I am therefore content this is working.

I have a DUCKDNS setup, and I have set up certificates in the Synology certificate app. The certificates are configured to be used for https://www.MyDuck.duckdns.org:4443

I have set up the App portal Reverse proxy, with the following settings.

Source:
    protocol HTTPS
    Hostname: MyDuck.duckdns.org
    Port: 4443
Enable HSTS is checked
Destination:
    protocol: HTTP
    hostname: localhost
    Port: 8123
Websockets have been added through custom header, create WebSockets

From the basic auto generated configuration, I have created the following HTTP section

http:
 base_url: https://MyDuck.duckdns.org:4443
 use_x_forwarded_for: True
 trusted_networks:
   - 127.0.0.1

I am using port 4443, as 443 is in use on my PI. To test, I am using
https://MyDuck.duckdns.org:4443

When I attempt to connect, I get ERR_SSL_PROTOCOL_ERROR in my browser and in my HA log

[aiohttp.server] Error handling request

followed by all the errors associated.

I know I am missing something small, but I'll be stuffed if I can find it.
I have attempted with SSL certs, without SSL certs,
I have changed my base_url to the localhost:8123

I know I’m close, but I need someone with the same setup to show me the way to correct my error!

Many thanks in advance

I have accessed via the address using only http, but, obviously no certificates were available and it failed SSL checker.

Try removing the https:// and port number from the base_url:
base_url: MyDuck.duckdns.org

On your router, port forward 443 to your NAS IP at port 4443

I still get the same issue.
ERR_SSL_PROTOCOL_ERROR in my browser.
invalid HTTP method in my HA log.

My ports are forwarded as you mention.

I've gotten the HA working by pointing HA at the Synology downloaded duckdns certificates. I've effectively bypassed reverse proxy and it is working. I would prefer to have the reverse proxy working.

Try removing the existing SSL certificates, check that time zone is correct and redownload the SSL certificates

Deleted certs, deleted Reverse Proxy.
Ensure Syno is set to my TZ
Downloaded fresh certs
Run HA docker with Environment added of TZ - Europe/London
HA available on port 8123
setup reverse proxy,
attempted access via HTTPS duckdns address
No change… HTTP errors in HA
invalid HTTP method

I've used NMAP to see the status of my port, and the results are

4443/tcp  open  ssl/http    nginx
http-methods: 
Supported Methods: GET
http-robots.txt: 1 disallowed entry 
http-title: Home Assistant
ssl-cert: Subject: commonName=MYDuck.duckdns.org
Subject Alternative Name: DNS:MyDuck.duckdns.org
Issuer: commonName=Let's Encrypt Authority X3/organizationName=Let's Encrypt/countryName=US
Public Key type: rsa
Public Key bits: 2048
Signature Algorithm: sha256WithRSAEncryption
Not valid before: 2019-01-05T12:25:12
Not valid after:  2019-04-05T12:25:12
MD5:   MD5 Details were here
SHA-1: SHA details were here
ssl-date: TLS randomness does not represent time
tls-alpn: 
h2
http/1.1
tls-nextprotoneg: 
h2
http/1.1

I’m not an expert on NMAP, but I think that all looks OK, so why is HA giving http errors??!!

Did you configure websockets on your reverse proxy?

Yes, all set up. My full initial config is in my initial post. I've tried most variants at present. It appears to be Home Assistant now stating the errors, as I get the blue upper border, showing me reaching a HA site.
I just need to work out what is causing the Home assistant errors.

Home assistant doesn’t need any changes to work with a reverse proxy, aside from the base URL.

I don’t think the problem is home assistant, but your reverse proxy

Did you connect the right certificate to your duckdns domain? I use more than one certificate, and only one is a default certificate; the others you have to connect manually to the right domain name.

The certificates are directed by Synology, and for the DuckDNS site, I am pointing the DuckDNS certs.

Am I supposed to be endeavouring to connect via https://myduck.duckdns.org (gives an error) or http://myduck.duckdns.org (attaches to HA?)

I've never used a reverse proxy before and assumed it should be https

Should I be heading to my site via https or http?
https gives errors,
http attaches, and connects, but obviously not in a secure manner.
Confused!!

If you want it secure you should be using https. Ignore using http remotely altogether.

This is where my issue occurs: as soon as I go to https, I get HA errors on http

My App portal reverse proxy is as follows

Source:
    protocol HTTPS
    Hostname: MyDuck.duckdns.org
    Port: 4443
Enable HSTS is checked
Destination:
    protocol: HTTP
    hostname: localhost
    Port: 8123
Websockets have been added through custom header, create WebSockets

I've also tried with HSTS unchecked

My http section in HA is

http:
  api_password: mypassword
  base_url: myduck.duckdns.org

My duckdns certificates in Synology are pointed at the reverse proxy. I've used a cert checker, and they point to my duckdns address, so should be good.

Have you followed these instructions?

All followed. As I am on a later iteration of DSM (up to date), I only follow the initial part including websockets. The lower half of the page I believe is for earlier DSM versions.

Are you sure about that? You need those options in your config for the reverse proxy…

From the page, it states:

It’s not necessary anymore to change the template anymore since Version DSM 6.2.1. Changing the Portal.mustache is not recommended! You should use the following part only if you’re using a Version before DSM 6.2.1. on your Synology.

From that point on, as my DSM version is > 6.2.1, I have not added the options…

I will look at the files to see if the options have been added automatically
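
An added example, not written by any poster in this thread: a probe that reports which protocol each listener in the setup described above actually speaks, so the two hops (TLS on 4443 at the reverse proxy, plain HTTP on 8123 at Home Assistant) can be checked separately. The function names and the host `nas.local` are placeholders, and certificate verification is switched off only because the handshake is used to classify the listener.

```python
import socket
import ssl

# Layout from the thread: the proxy terminates TLS on 4443 and forwards
# plain HTTP to Home Assistant on 8123.
EXPECTED = {4443: "tls", 8123: "http"}


def probe(host, port, timeout=2.0):
    """Return 'tls', 'http', 'closed' or 'unknown' for the listener at host:port."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False       # Diagnostic only: the handshake is used to
    ctx.verify_mode = ssl.CERT_NONE  # classify the protocol, no data is sent over it.
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            try:
                with ctx.wrap_socket(raw, server_hostname=host):
                    return "tls"
            except OSError:
                pass  # Handshake rejected or timed out: not a TLS listener.
    except OSError:
        return "closed"  # Refused or unreachable.
    try:
        with socket.create_connection((host, port), timeout=timeout) as plain:
            request = f"HEAD / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n"
            plain.sendall(request.encode("ascii"))
            return "http" if plain.recv(16).startswith(b"HTTP/") else "unknown"
    except OSError:
        return "unknown"


def mismatches(host, expected=EXPECTED, timeout=2.0):
    """Return {port: (expected, observed)} for every hop that differs."""
    observed = {port: probe(host, port, timeout) for port in expected}
    return {p: (expected[p], observed[p]) for p in expected if observed[p] != expected[p]}


if __name__ == "__main__":
    # "nas.local" is a placeholder host name, not one taken from the thread.
    for port, (want, got) in mismatches("nas.local").items():
        print(f"port {port}: expected {want}, observed {got}")
```

An empty result means both hops speak the protocol the reverse proxy settings assume; run it from a machine that can reach both ports directly.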