A reverse proxy is a proxy that provides access to internal resources to external clients transparently. I have a couple resources on my home network that I would like to be made available to the outside world:

  • this blog I just setup
  • the feed from an IP camera I installed in the garage (I'm a bit OCD and there have been occasions where I have forgotten to close the garage door - this lets me quickly check that the garage is indeed secure from my phone)

Reverse proxies can be installed on routers, but the router I have runs dd-wrt firmware, and it is a bit cumbersome to get it setup. Fortunately Synology includes a reverse proxy with its DiskStation operating system, and it's a breeze to setup.

Port forwarding

The first step is to forward HTTPS requests to the router onwards to your DiskStation. How to do this varies from router to router, but you want to forward HTTPS requests on port 443 to your DiskStation's IP address (mine is 192.168.1.25) on the same port. My rule looks like:

Domain name

You'll need to get a domain name for a few reasons:

  • you'll need subdomains to support routing to different resources (e.g. camera.my-domain.com and blog.my-domain.com)
  • you'll probably want to use a Dynamic DNS service to keep your domain pointed at your DiskStation when your ISP changes your IP address, which is typical for residential accounts
  • you'll need a domain to procure a SSL certificate required for secure HTTPS communication

Getting a domain name is out of scope of this post, but if you're ok with not using a completely custom domain, you can piggyback off one of Synology's domains and leverage their DDNS service. (At the time of writing this, I'm using hardiegras.myds.me for my domain.)

Configuring the Reverse Proxy

I need to create a routing table so that the proxy knows where to direct requests. I want to route:

  • blog.hardiegras.myds.me -> 192.168.1.25:2368
  • camera.hardiegras.myds.me -> 192.168.1.178:30001

"blog" and "camera" are subdomains I came up with myself, they can be anything.

Open Control Panel -> Application Portal and open the Reverse Proxy tab:

Note that I can target any resource that's on my home network, not just resources on the DiskStation.

SSL Certificate

The HTTPS protocol requires an SSL certificate installed on the DiskStation. In addition to that, the certificate must be signed by a trusted authority in order to avoid your sites being served with a "Not Secure" warning. Fortunately, Synology has made this very easy to do.

Open Control Panel -> Security, and open the Certificates tab:

Click on the Add button, select "Add a new certificate" and click Next:

Select "Get a certificate from Let's Encrypt" and click Next

Enter your domain qualified with the subdomain from the reverse proxy's routing table:

Once you click Apply, Let's Encrypt will generate your certificate and it will be installed automatically onto your DiskStation:

Note the expiration date - the certificate will need to be renewed every few months.

Final step is to click Configure and map the certificate to the service you want to expose:

Now your DiskStation will serve HTTPS requests with a certificate from Let's Encrypt, a trusted authority. Browsers will now show a padlock when users visit to show that everything has been secured properly: