[HOWTO] Valid SSL certs and subdomains for DSM services

LuHe
I'm New!
Posts: 7
Joined: Wed Dec 10, 2014 2:32 am

[HOWTO] Valid SSL certs and subdomains for DSM services

Postby LuHe » Wed Jan 20, 2016 5:10 am

This thread covers different topics, so it didn't really fit in one particular forum. I hope I've chosen the right one.

Scope of this project
After following this project, your Diskstation services will be available publicly on the Internet using easy-to-remember domains names and secured with official, valid SSL certificates.
You could make your DSM Manager available on https://nas.example.com, your Photo Station on https://photos.example.com, your File Manager on https://files.example.com and even Gitlab on https://git.example.com - you no longer need to remember any random port numbers and have trusted SSL certification without warning signs.

Prerequisites
You'll need a domain name. For this howto, I'll use the domain example.com
Create as many subdomains as you like - for example nas, files, photos and git.
These subdomains need to point to the IP address of your Synology box. If you have a dynamic one, you can still use Synology's DDNS service. Just create a CNAME and point it to the DDNS address Synology gave you (e.g. photos.example.com will be resolved to example.myds.me, which will have your IP).

Now make sure your Diskstation is reachable using HTTP on your network and there is no redirect to HTTPS (this will be handled by a docker container later).

Howto

Start Docker and download the steveltn/https-portal image.
Create a container of this image with the following settings:
Forward the container port 80 to any host port (like 180).
Forward the container port 443 to any host port (like 1443).
Forwarding to 80 or 443 is not allowed by the Diskstation.

Create a volume for /var/lib/https-portal

Now list every service you want to map in the DOMAINS variable.
For example the management web interface:
nas.example.com -> http://dockerhost:5000

I have the following config:

nas.example.com -> http://dockerhost:5000, photos.example.com -> http://dockerhost, git.example.com -> http://git, grafana.example.com -> http://grafana:3000, home.example.com -> http://192.168.0.30:8123, plex.example.com -> http://dockerhost:32400

Basically, every subdomain you listed will now be forwarded to the respective host.
This will also work for any other Docker services you start (like git or grafana). Just make sure you also list those containers in the Links settings. You can also forward any other Web service of another server on your local network.

If you are absolutely sure your config works, also set the PRODUCTION environment variable to true.

For further descriptions about this process, have a look at the documentation of the container (https://github.com/SteveLTN/https-portal).
The docker container will use Let's Encrypt to get your official certificates.

Now go to your router and configure the port forwarding.
You need to forward port 80 to your Synology, but instead of port 80 use the port you've configured before (180). Forward the incoming port 443 to your Synology port 1443.

Now you can start the container.
The SSL certificates will automatically be generated. If anyone connects to your host from outside, they'll be redirected to the HTTPS page and be greeted with valid certificates.

If you want to use the Photo Station, you'll have to mount the following file (read-only) to /var/lib/nginx-conf/photos.example.com.conf.erb :

server {
    listen 443 ssl http2;

    # https-portal fills in the domain name, certificate and key paths from its template variables
    server_name <%= domain.name %>;

    ssl on;
    ssl_certificate <%= domain.chained_cert_path %>;
    ssl_certificate_key <%= domain.key_path %>;

    # protocols and cipher list offered to clients
    ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
    ssl_session_cache shared:SSL:50m;
    ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA;
    ssl_prefer_server_ciphers on;

    ssl_dhparam <%= dhparam_path %>;

    # Photo Station lives under /photo/ on DSM, so send requests for the bare hostname there
    location / {
        return 301 https://$server_name/photo/;
    }

    # proxy /photo/ to the upstream from DOMAINS, passing the original host and client address along
    location /photo/ {
        proxy_pass <%= domain.upstream %>;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}


For your mobile clients, make sure to use nas.example.com:443 as the address in DS File and photos.example.com:443 for DS photo.

Have fun with your new proxy!
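As an added check for the setup described in this post (example code, not from the post or from the https-portal project): it parses a DOMAINS value in the "host -> upstream" format shown above, lints it (the portal terminates TLS, so upstreams must be plain http://), and after deployment confirms that each public name serves a certificate the system trust store accepts and that plain HTTP redirects to HTTPS. The sample DOMAINS value is constructed from the example.com names used in the post; a certificate obtained before PRODUCTION is set to true comes from the Let's Encrypt staging CA and fails the trust check.

```python
import http.client
import re
import socket
import ssl
from urllib.parse import urlsplit

# Constructed sample in the same 'host -> upstream' format as the DOMAINS value in the post.
SAMPLE_DOMAINS = ("nas.example.com -> http://dockerhost:5000, "
                  "photos.example.com -> http://dockerhost, git.example.com -> http://git")

def parse_domains(spec):
    """Parse 'public.host -> http://upstream, ...' into {public.host: upstream}."""
    mapping = {}
    for entry in filter(None, (e.strip() for e in spec.split(","))):
        host, arrow, upstream = (s.strip() for s in entry.partition("->"))
        if not arrow or not host or not upstream:
            raise ValueError(f"malformed entry: {entry!r}")
        if host.lower() in mapping:  # a repeated name would otherwise silently win
            raise ValueError(f"duplicate public host: {host}")
        mapping[host.lower()] = upstream
    return mapping

def lint_domains(mapping):
    """The portal terminates TLS itself, so upstreams must be plain http:// URLs
    behind valid public hostnames; returns a list of problems (empty is good)."""
    problems = []
    for host, upstream in mapping.items():
        if not re.fullmatch(r"[a-z0-9-]+(\.[a-z0-9-]+)+", host):
            problems.append(f"{host}: not a valid hostname")
        u = urlsplit(upstream)
        if u.scheme != "http" or not u.hostname:
            problems.append(f"{host}: upstream {upstream!r} must be an http:// URL")
    return problems

def tls_issuer(host, timeout=5):
    """Handshake using the system trust store and return the issuer CN; a staging
    (pre-PRODUCTION) certificate fails verification here instead of returning."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, 443), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            issuer = dict(item[0] for item in tls.getpeercert()["issuer"])
    return issuer.get("commonName", "")

def redirects_to_https(host, timeout=5):
    """True if plain HTTP (router port 80 -> portal) answers with a redirect to https://."""
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    conn.request("GET", "/", headers={"Host": host})
    resp = conn.getresponse()
    return resp.status in (301, 302, 308) and resp.getheader("Location", "").startswith("https://")
```

Run lint_domains(parse_domains(...)) on your own DOMAINS value before starting the container, and tls_issuer / redirects_to_https against each subdomain from outside your network once the router forwarding is in place.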
rowox
Knowledgeable
Posts: 335
Joined: Sat Sep 03, 2011 6:15 am

Re: [HOWTO] Valid SSL certs and subdomains for DSM services

Postby rowox » Thu Jan 21, 2016 4:46 pm

Thanks a lot for posting those thorough instructions.

I've been very annoyed at the fact that my certificates are not valid and the warnings it sends to users using the various services hosted on DSM.

One thing to note, however, for others not wanting to do the docker route (considering some of its stability issues): I just read that DSM 6 will bring valid certificates using Let's encrypt. See here for details: https://www.synology.com/en-us/dsm/6.0beta/ReleaseNote

It doesn't bring everything that this post suggests, but in my case, the Let's encrypt part was really what I was looking for.

Thanks again for taking the time to write this post.
Do you agree that you should be able to encrypt your important folders, such as Photo, Home (and Video and Music)? PLEASE VOTE and comment at the following thread and make your voice heard (you'll need to cut and paste the URL):
http://forum.synology.com/enu/viewtopic.php?f=3&t=93366

DS415+, 4 x 6TB Red
kareem613
I'm New!
Posts: 3
Joined: Sat Sep 19, 2015 3:07 am

Re: [HOWTO] Valid SSL certs and subdomains for DSM services

Postby kareem613 » Tue Jan 26, 2016 4:02 pm

This is a great setup. Thanks for sharing. I followed along and got it done in no time.

Two small notes that might prevent some confusion.

1. Until you switch to production mode, the cert authority won't be recognized by your browsers as trusted and will still give you the warning. The certs will be from "happy hacker fake ca". Once you switch to production, you're good to go.

2. You're only allowed 5 certs per domain while Let's Encrypt is in beta. So this only works for up to 5 subdomains for now.
