Setup Reverse Proxy on Synology NAS using Docker
If you are running multiple services on your Synology NAS and/or self-hosting multiple websites, you will probably want all of them to be reachable over https, which means every one of them needs a valid SSL certificate.
To do this we can use linuxserver/letsencrypt, a Docker image that obtains SSL certificates from Let's Encrypt for us and, among other things, lets us set up a reverse proxy. Let's go one step at a time.
Important Introductory Concepts
Our goal is that whenever we visit a URL like *.mydomain.com from outside our local network, the traffic is routed to our NAS. The URL can be reached over http (port 80) and https (port 443). To have secure remote access to the NAS (via https) it is necessary to assign an SSL certificate to it: essentially a signed piece of digital paper that says "yes, the server answering for this name is the one it claims to be, this website can be trusted".
When you set up Synology remote access the normal way, http and https traffic is routed to the DSM (port 5000 for http and port 5001 for https). This means you can set up https://nas.mydomain.com to be routed to 192.168.x.x:5001, which will then show the Synology DSM.
This doesn't allow much flexibility, because we might want to use other subdomains (e.g. homeassistant.mydomain.com, plex.mydomain.com) that are not routed to the Synology DSM. On top of that, you might need to generate separate SSL certificates for each of them, and it quickly becomes messy.
Introducing Reverse Proxy
The idea is to route http (port 80) and https (port 443) to a reverse proxy: a single box that takes responsibility for deciding where each request goes, while sharing one SSL certificate across all your services and renewing it automatically, so all of them are served securely.
This reverse proxy is the Let's Encrypt container that we will run in Docker.
Setting up Letsencrypt on Synology NAS via Docker
Let's now go through, step by step, how to arrange our reverse proxy setup.
Step 1: Install Docker and access the NAS via SSH
- Install Docker via the Package Center of your Synology NAS (not all models support this)
- Access the Synology NAS via SSH and gain root access
Step 2: Create the Let's Encrypt container on Docker
First we need to prepare a folder where the container's data will live. My personal preference is a docker folder with one subfolder for every container that Docker will run, so in this case /volume1/docker/letsencrypt.
Now we create the container via SSH (it is possible to do it via the Docker GUI, but it takes more effort to set up correctly). Open the terminal session started in Step 1.
Here is the command we will type in the terminal. It will need to be customized with your own data.
docker create \
--name=letsencrypt \
--cap-add=NET_ADMIN \
-e PUID=1027 \
-e PGID=100 \
-e TZ=Europe/Stockholm \
-e URL=mydomain.com \
-e SUBDOMAINS=wildcard \
-e EXTRA_DOMAINS=www.myseconddomain.com,www.mythirddomain.com \
-e VALIDATION=dns \
-e DNSPLUGIN=cloudflare \
-e EMAIL=myemail@email.com \
-e DHLEVEL=2048 \
-e ONLY_SUBDOMAINS=false \
-e STAGING=false \
-p 1443:443 \
-p 1080:80 \
-p 9443:8443 \
-v /volume1/docker/letsencrypt/config:/config \
--restart unless-stopped \
linuxserver/letsencrypt
Let's see what the main elements do:
- --name: name of the Docker container we are going to create.
- -e: stands for environment variable. These are the variables that need to be edited to fit your own data.
- PUID, PGID: your user ID and group ID. To obtain them, before switching to root access, type id in the terminal. This returns information on your user, including both values you need:
alex@xxx.xxx.x.xxx:~$ id
uid=1027(alex) gid=100(users) groups=100(users),101(administrators)
- TZ: stands for timezone, given as a tz database name such as Europe/Stockholm.
- URL: the domain you want to generate the SSL certificate for, without www.
- SUBDOMAINS: the subdomains the SSL certificate will cover. Using wildcard lets the certificate cover *.mydomain.com, meaning that test.mydomain.com, whatever.mydomain.com, plex.mydomain.com and so on will all be safely accessible via https.
- EXTRA_DOMAINS: other domains you want the certificate to cover, comma separated (no spaces after the commas, otherwise the shell splits the value into separate arguments and the command fails).
- VALIDATION, DNSPLUGIN: Let's Encrypt only issues wildcard certificates through the DNS-01 challenge, so with SUBDOMAINS=wildcard the container has to prove control of the domain by creating a DNS record through your DNS provider's API (Cloudflare here). The plugin reads its API credentials from the dns-conf folder inside the config volume, so fill that in before starting the container.
- STAGING: false requests real certificates. Set it to true while you are still testing the setup, because the production endpoint rate-limits repeated failed requests.
- EMAIL: your email address.
- -p: stands for port. This is where the reverse proxy takes effect. We want the http and https web traffic (80 and 443) to reach the container on its ports 1080 and 1443. The value on the left (1080, 1443) is the port the NAS exposes, and the value on the right (80, 443) is the port the Let's Encrypt container listens on inside Docker.
- -v: stands for volume. The format is mylocalpath:mountedpath. Change mylocalpath to the folder we created at the beginning of Step 2 (in my case /volume1/docker/letsencrypt/config).
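As an added example (not part of the original tutorial or of the linuxserver project), the script below checks the settings that most often go wrong in the docker create command above before printing the command: a space in a comma-separated list, a user name instead of a numeric PUID/PGID, a wildcard certificate without DNS validation, or a host port that collides with DSM on 80/443. It also prints the kind of nginx server block the reverse proxy uses to send one subdomain to one internal service, which is the routing the introduction describes. All domain names, the backend address 192.168.1.10:32400 and the /config/nginx paths are placeholders or assumptions about the image's layout; replace them with your own values.

```shell
#!/bin/sh
# Added example: sanity-check the linuxserver/letsencrypt settings, then print
# the `docker create` command and a sample reverse-proxy server block.
# All names, IDs and addresses below are placeholders.

# Remove whitespace from a comma-separated list. A space after the comma
# ("a.com, b.com") makes the shell pass "b.com" as a separate argument, so
# docker would read it as the image name instead of as part of EXTRA_DOMAINS.
normalize_list() {
    printf '%s' "$1" | tr -d '[:space:]'
}

# PUID/PGID must be the numeric ids reported by `id`, not user names.
is_uint() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Let's Encrypt issues wildcard certificates only through the DNS-01
# challenge, so SUBDOMAINS=wildcard requires VALIDATION=dns plus a DNSPLUGIN.
check_validation() {
    if [ "$1" = wildcard ]; then
        [ "$2" = dns ] && [ -n "$3" ]
    else
        true
    fi
}

# Host ports 80 and 443 are already used by DSM's own web server, which is
# why the tutorial publishes the container on 1080/1443 instead.
check_host_port() {
    is_uint "$1" && [ "$1" -ne 80 ] && [ "$1" -ne 443 ]
}

# Print the docker create command for the given settings (does not run it).
# Arguments: domain extra_domains puid pgid tz email http_port https_port config_dir
build_create_cmd() {
    extra=$(normalize_list "$2")
    check_validation wildcard dns cloudflare || return 1
    is_uint "$3" && is_uint "$4" || return 1
    check_host_port "$7" && check_host_port "$8" || return 1
    printf 'docker create --name=letsencrypt --cap-add=NET_ADMIN'
    printf ' -e PUID=%s -e PGID=%s -e TZ=%s' "$3" "$4" "$5"
    printf ' -e URL=%s -e SUBDOMAINS=wildcard -e EXTRA_DOMAINS=%s' "$1" "$extra"
    printf ' -e VALIDATION=dns -e DNSPLUGIN=cloudflare -e EMAIL=%s' "$6"
    printf ' -e DHLEVEL=2048 -e ONLY_SUBDOMAINS=false -e STAGING=false'
    printf ' -p %s:80 -p %s:443 -v %s:/config' "$7" "$8" "$9"
    printf ' --restart unless-stopped linuxserver/letsencrypt\n'
}

# Once the container runs, nginx inside it decides where each subdomain goes.
# This prints a minimal server block of the kind placed under
# /config/nginx/proxy-confs (path and ssl.conf include assumed from the
# image's layout). Arguments: subdomain backend_host:port (placeholders).
proxy_conf() {
    cat <<EOF
server {
    listen 443 ssl;
    server_name $1;
    include /config/nginx/ssl.conf;
    location / {
        proxy_pass http://$2;
    }
}
EOF
}

# Usage: edit the placeholder values, run the script, review the output,
# then paste the printed command into the SSH session from Step 1.
build_create_cmd mydomain.com "www.myseconddomain.com, www.mythirddomain.com" \
    1027 100 Europe/Stockholm myemail@email.com 1080 1443 /volume1/docker/letsencrypt/config
proxy_conf plex.mydomain.com 192.168.1.10:32400
```

The checks are deliberately strict: build_create_cmd prints nothing and returns a non-zero status if any value is wrong, so a typo surfaces before Docker creates a container with a half-broken environment.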