Update: I’ve since moved on to using LinuxServer.io’s SWAG. You can run SWAG on a Synology NAS (if it supports Docker), but I’m running it in Ubuntu on other hardware. I’ve learned a lot since posting this, but I’m leaving it up in case it’s still helpful to anyone else.
In several previous posts, I detailed how to secure various services with a Let’s Encrypt certificate, installed in DSM. I approached each one individually, figuring out how to link the certificate in a way that each application accepted.
On my post about securing Ubooquity, jcd suggested I use Synology’s built-in reverse proxy server instead (and linked to this tutorial). Honestly, this was the best advice, and I’ve since switched away from the various methods I detailed before. Please check out Graham Leggat’s tutorial – this post isn’t meant to be a retelling, but hopefully adds some useful notes that I learned along the way.
Essentially, here’s how a reverse proxy works: you have a service running inside of your firewall over HTTP (not secured). Here are some of your options for opening that service outside of your network:
- Open it as-is, unsecured. This is generally not a good idea.
- Secure the service and open it outside of your network. You’ll need to read documentation, and possibly convert the certificate and put it in a place the application expects. Furthermore, as you open up more services outside of your network, you’ll need to open separate ports for each – it’s a lot to manage when you just want to access your service outside of your firewall.
- You can use a reverse proxy.
A reverse proxy is a separate server, sitting in between your service and the internet, which will encrypt all traffic, seamlessly. When you connect from outside of your firewall, you’ll communicate securely to your reverse proxy, which will then pass along your traffic to your unencrypted applications.
There are many benefits to this approach: this works with nearly every application, requires very little configuration (past the initial setup), allows you to set up memorable URLs without using weird ports, etc.
- First, I’m going to assume you have an application/service that you want to open outside of your network, securely. Set it up on an unused TCP port. I recommend checking this list to avoid commonly used ports.
- You’ll need a domain name, and be able to add custom DNS entries.
- You’re also going to need a wildcard certificate. I paid for one, but Let’s Encrypt offers them for free, too (you’ll probably need to use this script).
- If you don’t pay your ISP for a static IPv4 address, you’ll need to set up Synology’s QuickConnect service. It’s free, but requires a Synology.com account.
Now that you’ve got all of that squared away, let’s proceed.
- First, we’ll need to forward port 443 to your Synology server. See here for instructions on how to do that for most types of routers.
- Add your wildcard certificate to DSM.
- At your domain registrar, edit the DNS settings for your domain name. Add an entry with the following:
- Value: (your QuickConnect address –
- Unless your domain name is brand new, it shouldn’t take long for your new subdomain to resolve to your Synology server’s IP address.
- In DSM, click Control Panel, then Application Portal, then the Reverse Proxy tab. Click the Create button. Fill in these details:
- Description: (name of your application)
- (don’t check any of the boxes)
- Hostname: (the local IP address of the server running your application, such as
- Port: (the port you’re currently using to access your application, such as
- Click Save, then try to access
https://application.yourdomain.comin a web browser. If you did everything right (and I didn’t miss any steps!), you should be able to load your application and see that the connection is secure. If you click the lock, you should see your wildcard certificate.
Going forward, you can do this for multiple applications – and each one can use port 443, so you don’t need to open additional ports outside of your firewall or remember anything more than your unique subdomain for each application.
“You’ll need a domain name, and be able to add custom DNS entries.” Are you able to use Synology’s ****.synology.me Dynamic DNS for this?
Unfortunately, I don’t think that’d work. You’d need to be able to set up sub-subdomains from that, such as application.example.synology.me. You’d also need to have the SSL certificate for that, and since you’re not Synology, that wouldn’t be possible.
You might be able to get something working with Let’s Encrypt. When my certificate renewal comes up, I might try that route to save some money.
Thanks for this nice tutorial.. 2 things tough:
1. Cname for a subdomain? With not a A record instead?
2. Port forwarding on the router.. What’s the way to do it? Outside 443 to inside Synology 443 or Outside 443 to all synology ports?
3. Did you tried with Synology.me?
Hey Fred, I’m glad this was helpful! I noticed that Synology changed some parts of the interface in DSM 7, but hopefully this is still useful to people. I’ve since moved away from using DSM as my reverse proxy (I’m using SWAG as a Docker container now), so I’ll probably put a disclaimer at the top of this post.
That said, I’ll do my best to answer your questions:
1. You might be able to get away with an A record. If you have the option of a wildcard subdomain, I’d suggest using that instead.
2. 443 needs to be open outside of your network, and that traffic needs to be able to reach DSM. Inside of your LAN, you can use any port you’d like, as long as your router is sending that traffic back out as 443.
3. I’ve used Synology.me for dynamic DNS, but not for anything else.
The service you are setting up is also a dynamic DNS service/subdomain, not a QuickConnect service. QuickConnect is a reverse proxy that doesn’t require opening any ports on a firewall, however you cannot redirect to any sites, subdomains, or ports not supported by QuickConnect through it.
Rather than purchasing an additional certificate, your own dns domain, or anything extra, as long as you’re ok with using different external ports you could have a service running on your subdomain.Synology.me address using port 8083 forwarded to your Synology and it will reverse proxy to your application on port 80 internally, or whatever port you choose using port translation.