While setting up the Synology NAS for external access we already met a proxy server: Cloudflare. When a domain is proxied through Cloudflare, Cloudflare relays every request between the client and your server. This works for web services only, i.e. (sub)domain names that point at something speaking HTTP(S); other protocols such as SMTP cannot be relayed this way and have to bypass the proxy. The client only ever sees Cloudflare's IP address and never the address of your own server, because Cloudflare sits between the two:
Client [test.org] <–> 172.67.160.31 [Cloudflare Server] <–> 77.109.89.245 [Your Synology NAS]
The client resolves test.org, gets Cloudflare's address, and Cloudflare fetches the content for test.org from your Synology NAS. Strictly speaking Cloudflare is itself a reverse proxy: it sits in front of your server, not in front of the client (a forward proxy, such as a corporate web proxy, does the latter). What matters for this guide is the second reverse proxy, the one on your own network. It receives every request on one external IP address and port, reads the requested host name, and forwards the request to whichever internal IP address and port serves that name. So test.org can map to one internal address and port and sub.test.org to another, even though both resolve to the same external IP address and arrive on the same port. With a reverse proxy all external connections and domains can arrive on one port (443 in these examples) and be dispatched by host name to different internal IP addresses and/or ports:
Client [test.org] <–> 77.109.89.245 (port 443) [Reverse-Proxy server] <–> 192.168.10.2 (port 443) [Your Synology NAS]
Client [sub.test.org] <–> 77.109.89.245 (port 443) [Reverse-Proxy server] <–> 192.168.10.2 (port 8080) [Your Synology NAS]
Client [sub2.test.org] <–> 77.109.89.245 (port 443) [Reverse-Proxy server] <–> 192.168.10.10 (port 9000) [Your other device]
Remember that on one IP address only one process can listen on a given port. You could open a separate port on your router for every service you want to expose, but that turns the router into Swiss cheese: a port scan shows every service you run, and each exposed port is its own attack surface. With a reverse proxy you open one port (443 in this example) and a port scan reveals only that 443 is open. A reverse proxy in principle works only for web services, but it lets you run many web services behind that single port. Two caveats. The host names do not stay secret just because the ports do: the certificate the proxy presents lists its names in the Subject Alternative Name field, and publicly issued certificates are logged in Certificate Transparency, so a wildcard certificate gives away less than one that lists every subdomain. And the proxy only hides the port layout; every service behind it is still reachable by anyone who knows or guesses its host name, so each one still needs its own authentication.
The Synology NAS uses reverse-proxy technology, or similar techniques, in several places. One you have already encountered in this step: using subdomains to access your NAS. We look at the other ways one by one:
Login Portal
The first reverse-proxy technique on the Synology NAS is in Control Panel > Login Portal > DSM. The "Customized Domain" you enter there is reverse-proxied to the DSM ports: by default 5000 for HTTP and 5001 for HTTPS. With a customized domain such as dsm.test.org you only have to forward port 443 on your router to the NAS, and DSM answers from port 5001. Under the hood DSM uses nginx as its web front end on ports 80 and 443, and the customized domain becomes a name-based virtual host in that configuration which proxies to port 5001; so it is not merely similar to a reverse proxy, it is one.
This technique is not limited to DSM; it is also available for some of Synology's own packages. For example Synology Photos can be reached from the internet on a custom domain. After installing the Synology Photos package, go to Control Panel > Login Portal > Applications and assign the custom name:
There are two ways to expose Synology Photos. You can give it customized ports (the dialog uses 5080 for HTTP and 5443 for HTTPS as examples) and forward those ports on your router, or you can give it a customized domain and reach it through port 443. As with DSM you have to type https:// in front of the subdomain, because you want the secured port 443; a plain http:// request goes to port 80 instead.
If you have one domain and one wildcard certificate, set as your default certificate, you do not have to assign a certificate to the application; the default is used automatically. With multiple domains or multiple certificates you need to assign the right certificate to the application via Control Panel > Security > Certificate > Settings, which lists every web-enabled package, website and reverse-proxied service and lets you pick a certificate for each.
Web Station
Web Station is Synology's package for hosting your own websites on the NAS. It is not a reverse proxy; it serves multiple websites by name-based virtual hosting, linking each (sub)domain name to a folder on the NAS while all of them share port 443 (or 80 for HTTP). The next section goes deeper into running several websites under different subdomains. For now it suffices that you can create a shared folder www on your Synology and point www.test.org at it, while dsm.test.org and photos.test.org keep working. All three arrive on port 443 of your router; the first two are reverse-proxied to other ports on the NAS, the third is served straight from the folder. Like this:
Client [dsm.test.org] <–> 77.109.89.245 (port 443) [Your Router] <–> 192.168.10.2 [Your Synology Reverse-Proxy] <–> (port 5001) [The DSM service]
Client [photos.test.org] <–> 77.109.89.245 (port 443) [Your Router] <–> 192.168.10.2 [Your Synology Reverse-Proxy] <–> (port 5443) [Synology Photos]
Client [www.test.org] <–> 77.109.89.245 (port 443) [Your Router] <–> 192.168.10.2 (port 443) [Web Station virtual host] <–> [Folder www]
Web Station uses the standard HTTP and HTTPS ports (80 and 443). It does not proxy to the folders; it selects the site from the Host header of the request (and, for HTTPS, the SNI name in the TLS handshake decides which certificate is presented). It runs in the same nginx front end as the reverse-proxy rules, which handle the other web-enabled services.
Synology’s Reverse Proxy
The Synology NAS has a built-in reverse proxy, configured under Control Panel > Login Portal > Advanced > Reverse Proxy. There you create a rule for any custom (web) service running on your NAS; all you need to know is the port it listens on. Home Assistant, for example, listens on port 8123, and with a rule in the Synology Reverse Proxy you can expose it on port 443:
The rule maps home.test.org on port 443 to 192.168.10.2 port 8123. Note that an HTTPS source is linked to an HTTP destination without the client noticing: the connection between client and NAS is encrypted, the hop from the reverse proxy to Home Assistant is plain HTTP. This is common practice (TLS is terminated at the proxy), and on a modern CPU the cost of encryption is negligible, so the real question is who can see the internal hop. Traffic between two processes on the same NAS never leaves the machine, but traffic to another device crosses your LAN, where any compromised host on the same segment can read it; in that case put the backend on TLS as well or isolate the segment. Two more things the rule needs for Home Assistant. Because Home Assistant now sees every request coming from the proxy's address, enable use_x_forwarded_for and list the NAS address under trusted_proxies in the http section of its configuration.yaml; without that it rejects proxied connections. And add the WebSocket entries on the rule's Custom Header tab (Create > WebSocket), which pass on the Upgrade and Connection headers the Home Assistant frontend needs.
As soon as the Reverse-Proxy rule is saved, it will show up as a service under Control Panel > Security > Certificate > Settings > Configure. If you have multiple domains or multiple certificates, you can assign the specific certificate to that service.
In this example the rule points port 443 at a service on port 8123 on the NAS itself. That is not a requirement: the destination can be a service on another device. If Home Assistant runs on a Raspberry Pi with IP address 192.168.10.40, point the rule at that address instead.
The magic of Reverse-Proxy
Remember: on one device, one port can be served by only one process. Your router can forward port 443 to only one device, in our case the Synology NAS, where the reverse proxy listens on it. The reverse proxy then hands the request to another port on the same device (443 on the NAS is already taken by the proxy itself), or to port 443 or any other port on another device, for example a Raspberry Pi. The rule remains one port, one service, one device; the reverse proxy is that one service, and per host name it forwards to one other port on one device. To the client it looks as if many services share one port on one device. That is the magic of the reverse proxy.
The reverse proxy is the first point of contact for all incoming HTTP(S) traffic once it is enabled. For a host name that matches a reverse-proxy rule it routes the request to the configured service (for example Home Assistant); for a host name that matches no rule the request goes to Web Station, which uses name-based virtual hosting to serve the website folder that matches the Host header. A request whose Host header matches neither, for instance one sent to the bare IP address, lands on the default site, so check what that default answers before you forward port 443.
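The host-name routing and fall-through described above, and the forwarded headers mentioned in the Home Assistant section, as an added example written for this article (it is not Synology's code; DSM does this with nginx): a minimal host-based reverse proxy in Python. The routing table, the backend addresses and the default backend on port 80 are assumptions taken from the test.org diagrams.

```python
"""Minimal host-based reverse proxy: what one listener on port 443 does
with several host names.  Written for this article; not Synology's
implementation (DSM uses nginx).  Addresses below are constructed to match
the test.org diagrams and are assumptions, not a real network."""
import http.client
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Reverse-proxy rules: requested host name -> (internal host, port).
ROUTES = {
    "dsm.test.org": ("192.168.10.2", 5001),
    "photos.test.org": ("192.168.10.2", 5443),
    "home.test.org": ("192.168.10.2", 8123),
    "sub2.test.org": ("192.168.10.10", 9000),
}
# Host names that match no rule fall through to the web server that holds
# the site folders (Web Station in the article); assumed to listen on :80.
DEFAULT_BACKEND = ("127.0.0.1", 80)

# Hop-by-hop headers describe the client<->proxy connection only and are
# not forwarded (RFC 7230 section 6.1).  Upgrade is among them: WebSocket
# needs special handling that this demo deliberately omits.
HOP_BY_HOP = {"connection", "keep-alive", "proxy-authenticate",
              "proxy-authorization", "te", "trailer", "transfer-encoding",
              "upgrade"}


def choose_backend(host_header):
    """Select the backend for a Host header.  The optional :port suffix,
    letter case and a trailing dot are ignored, like nginx server_name."""
    if not host_header:
        return DEFAULT_BACKEND
    name = host_header.split(":", 1)[0].strip().lower().rstrip(".")
    return ROUTES.get(name, DEFAULT_BACKEND)


def forward_headers(headers, client_ip, scheme="https"):
    """Headers for the backend: hop-by-hop headers dropped, X-Forwarded-*
    added so the backend learns the real client and scheme.  A backend must
    only believe these from a proxy it trusts (Home Assistant's
    trusted_proxies setting); an existing X-Forwarded-For is appended to."""
    out, prior = {}, None
    for k, v in headers.items():
        low = k.lower()
        if low in HOP_BY_HOP:
            continue
        if low == "x-forwarded-for":
            prior = v
            continue
        out[k] = v
    out["X-Forwarded-For"] = f"{prior}, {client_ip}" if prior else client_ip
    out["X-Forwarded-Proto"] = scheme
    out["X-Forwarded-Host"] = headers.get("Host", "")
    return out


class ProxyHandler(BaseHTTPRequestHandler):
    protocol_version = "HTTP/1.1"
    scheme = "http"  # "https" once the listener terminates TLS

    def _relay(self):
        host, port = choose_backend(self.headers.get("Host"))
        length = int(self.headers.get("Content-Length") or 0)
        body = self.rfile.read(length) if length else None
        hdrs = forward_headers(self.headers, self.client_address[0],
                               self.scheme)
        # http.client sets Host to the backend address; the name the client
        # asked for travels in X-Forwarded-Host.
        hdrs = {k: v for k, v in hdrs.items() if k.lower() != "host"}
        conn = http.client.HTTPConnection(host, port, timeout=10)
        try:
            conn.request(self.command, self.path, body=body, headers=hdrs)
            resp = conn.getresponse()
            data = resp.read()
        except (OSError, http.client.HTTPException) as exc:
            self.send_error(502, f"backend {host}:{port} unreachable: {exc}")
            return
        finally:
            conn.close()
        self.send_response(resp.status, resp.reason)
        for k, v in resp.getheaders():
            if k.lower() not in HOP_BY_HOP and k.lower() != "content-length":
                self.send_header(k, v)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        if self.command != "HEAD":
            self.wfile.write(data)

    do_GET = do_POST = do_PUT = do_DELETE = do_HEAD = _relay


if __name__ == "__main__":
    # Demo listener on plain HTTP.  In production the listener is port 443
    # with TLS terminated here (ssl.SSLContext.wrap_socket on srv.socket).
    srv = ThreadingHTTPServer(("127.0.0.1", 8080), ProxyHandler)
    print("listening on 127.0.0.1:8080; try: "
          "curl -H 'Host: home.test.org' http://127.0.0.1:8080/")
    srv.serve_forever()
```

Run it, then send requests with different Host headers to the same port to see them dispatched to different backends, and one with an unknown Host to see the fall-through. Because Upgrade is a hop-by-hop header, this proxy does not pass WebSocket upgrades; that is exactly why the Synology rule for Home Assistant needs the WebSocket custom headers described above.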