Applications on Synology NAS with HTTPS

Lukas Gabi

19.04.2020 (Updated: 19.04.2020)

Technology › Synology

This guide assumes you already have a basic web server running on your NAS that is accessible from the outside over HTTP/HTTPS. If not, check out my previous guide Setting up Synology Web Station.

Set up your application

This part is very specific to the application, as an example I will use a simple apache webserver inside a Docker container. It could be any web based application and does not necessarily have to run on the NAS, as it will just act as a reverse proxy and handle encryption. Before setting up the proxy and everything else, check if local access works, in my case I have published the server on port 20080.

local-access

Reverse Proxy for remote access

You could just directly forward http and https traffic to that port and manage everything from within the webserver, but that is a lot more complex than most people want, so to make things easy we will use Synology’s reverse proxy feature to manage everything from within DSM. The reverse proxy settings are located in the Control Panel -> Application Portal inside the reverse proxy tab.

HTTPS reverse proxy

Assuming you have a domain pointing towards your NAS, setting up the proxy is quite easy. In the Source section, we will have to enter the domain name that will be used for this application, as well as Port 443 for HTTPS. Make sure to enable HSTS, so clients will stick with the https connection. In the Destination, enter the local IP address and the Port of the appliciation, as well as the protocol that is used for the application.

Here is the setup for my Docker apache web server.

reverse-proxy-https

If your app is running on a Rasperry Pi for example, you would enter its local IP address or hostname instead of localhost and the respective port for the application.

if you try to access it over https://yourdomain.com now, you should get a certificate invalid warning, since the NAS will use whatever certificate is set as default. The reverse proxy is configured for https now.

Redirecting HTTP

Browsers will default to http if they are not aware of the site being accessible over https, the simplest way to fix this is to redirect from http://yourdomain.com to https://yourdomain.com. One solution is to have a virtual host running on apache within webstation, listening to http traffic on a custom port. This is especially practical if you have multiple applications, because this virtual host can be reused to rewrite any http request.

redirect-virtual-host

Inside the Document root we will have to create a .htaccess file with the following content.

1
2
3

RewriteEngine on  
RewriteCond %{HTTPS} off  
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}

Finally, we’ll send HTTP traffic to this virtual host with another reverse proxy entry.

reverse-proxy-http

Now, our http requests should be rewritten to make sure the application defaults to a secured https connection.

Getting a Let’s Encrypt certificate

The certificate settings can be found under Control Panel -> Security in the Certificate tab. Here we will have to add a certificate with Add -> Add a new certificate -> Get a certificate from Let’s Encrypt.

certificate-config

Next, we will have to set this as the certificate used for the application. This is also configured in the certificate settings under Configure. Here we have to find the application that we’ve just set up and assign the certificate.

certificate-config2

Now the setup should be complete and our application accessible from the outside, secured with https and a Let’s Encrypt certificate.

domain-access