DSM 6.0.1 b7393 update - reverse proxy guide!

Questions and mods regarding system management may go here
Forum rules
We've moved! Head over to Synology Community (community.synology.com) to meet up with our team and other Synology enthusiasts!
User avatar
Primithras
Trainee
Trainee
Posts: 14
Joined: Sun Dec 01, 2013 3:03 pm

DSM 6.0.1 b7393 update - reverse proxy guide!

Unread post by Primithras » Thu Jun 09, 2016 11:49 pm

I'm sure many of you use the reverse proxy feature of Synology and many others will have messed around the nginx.conf file before to create customized rules/aliases.
Unfortunately Synology just released an update which breaks the way custom reverse proxies used to work.

Prior to the update, you would edit your nginx.conf file, manually add your reverse proxy rules and afterwards reload the nginx proces.
You also had to make a backup of said config file and schedule an automated task to overwrite the nginx config with the backup file after each diskstation reboot.
This had to be done because each time the service was stopped (not reloaded), it overwrote the config back to the default.

Luckily for you guys so allow me to share my wisdom (*cough). I did some digging in the updated nginx config file and found out what Synology changed.
First of all, the nginx.conf file has now become utterly useless /etc/nginx/app.d/server.ReverseProxy.conf is now the new config file where the gold is at.
Before diving into the CLI, I recommend you already create a basic reverse proxy rules via the GUI. This can be done via the control panel > application portal > reverse proxy tab.

Just create a simple rule along the lines of:

Code: Select all

source: http://domain.com:80 
destination: http://localhost:5000
This rule also has the added benefit that you won't have to type in your port anymore when accessing your Synology remotely.
Also don't forget to change your port forwarding rules from 5000/5001 to 80/443 (HTTP/HTTPS).
Anyway after that open a CLI window and open the following file: /etc/nginx/app.d/server.ReverseProxy.conf

You should see something like this:

Code: Select all

server {
    listen 80;
    listen [::]:80;

    server_name domain.com;

    location / {
        proxy_set_header        Host                $host;
        proxy_set_header        X-Real-IP           $remote_addr;
        proxy_set_header        X-Forwarded-For     $proxy_add_x_forwarded_for;
        proxy_set_header        X-Forwarded-Proto   $scheme;
        proxy_intercept_errors  on;
        proxy_http_version      1.1;

        proxy_pass http://localhost:5000;
        }
    }
Now simply add the desired alias as follows, in my example I am assigning the sr alias to my SickRage package which runs under the 8083 port.
Also make sure to add the config directly under & after the last bracket of the previous location. It also needs to remain inside the server brackets.

Code: Select all

location /sr {
        proxy_pass http://localhost:8083;
        }

By the way, if you are a complete noob to CLI, I recommend copying the file to your shared drive, open/edit it with notepad and copy it back.
In my case, my shared folder is called Root and the shared folders can usually be found under /volume1, just enter your shared folder name instead of Root.

Code: Select all

    cp /etc/nginx/app.d/server.ReverseProxy.conf /volume1/Root/
    * edit and save the file on your shared folder
    cp /volume1/Root/server.ReverseProxy.conf /etc/nginx/app.d/
    cp /etc/nginx/app.d/server.ReverseProxy.conf /etc/nginx/server.ReverseProxy.bak
Anyway after editing the config file, use the following command to reload the nginx service and voila you are done.
After doing this, my Sickrage is now reachable through 'http://domain.com/sr'. (Note: you might also have to configure the alias in the package itself, this is necessary in sickrage for example .)

Code: Select all

nginx -s reload
Also don't forget to schedule an automated task, otherwise the config file will be overwritten after your next reboot.
This can be easily done in the control panel > task scheduler. Just create a new task which triggers after a boot and use the following script:

Code: Select all

     cp /etc/nginx/server.ReverseProxy.bak /etc/nginx/app.d/server.ReverseProxy.conf
     sudo nginx -s reload
This all took me a long time to figure out myself in the beginning since decent guides are scarce.
I hope my above explanation is clear enough and that it might help someone in the future.
Don't hesitate to ask any questions!

adejager
Student
Student
Posts: 68
Joined: Sat Nov 01, 2008 3:05 pm

Re: DSM 6.0.1 b7393 update - reverse proxy guide!

Unread post by adejager » Sat Aug 13, 2016 10:04 pm

Thanks,

Finally got Nginx reversed proxy with websockets working now that i found the config file

Added the following lines to my reverse proxy entry

proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";

And working again!

romu
Student
Student
Posts: 60
Joined: Wed Nov 26, 2014 10:12 am

Re: DSM 6.0.1 b7393 update - reverse proxy guide!

Unread post by romu » Sun Oct 16, 2016 6:09 pm

Hi,
Thanks a lot, this is really helpful. But I still need some help.

First, what are the pre-requisite packages to run such a setting? More specifically I think about WebStation, should it be installed first? What is strange is even if you remove WebStation and reload nginx, DSM still listens on the port 80.

Anyway, here is my testing setup:
  • DS1513+
  • DSM 6.0.2-8451 (last version available at time of writing)
  • The syno runs at the address 192.168.0.2 on my LAN
I installed Wallabag as a Docker container which listens on the the 4000. So, if I type http://192.168.0.2:4000, I get the wallabag homepage. Now, I would like to get wallabag on http://192.168.0.2/wallabag. Following this instructions above, I wrote to the /etc/nginx/app.d/server.ReverseProxy.conf file, the following lines:

Code: Select all

server {
    listen 80;
    listen [::]:80;

    server_name localhost;

    location /wallabag {
        proxy_pass http://localhost:4000;

    }
}
And I reloaded nginx of course. Now, if I try to reach http://192.168.0.2/wallabag, I get a "Synology Page Not Found". I tried to change the server.ReverseProxy.conf file to replace the proxy_pass line for this one:

Code: Select all

proxy_pass http://172.17.0.2:4000;
This address is the IP of the Wallabag container, and is reachable from the syno. Still no lock, always the "Synology Page Not Found".

Any idea? Thanks.

black_coder
I'm New!
I'm New!
Posts: 2
Joined: Tue Oct 18, 2016 3:40 pm

Re: DSM 6.0.1 b7393 update - reverse proxy guide!

Unread post by black_coder » Tue Oct 18, 2016 4:33 pm

Hi guys,

I came across this post while trying to solve my problem.

I have gitlab installed through docker running on port 30000 and I would like to access it using domain.com/gitlab . I tried to follow your instructions and add the following

Code: Select all

server {
    listen 80;
    listen [::]:80;

    resolver 10.10.2.11;
    set $backend "localhost:5000";

    server_name localhost;

    location / {
        proxy_set_header        Host                $host;
        proxy_set_header        X-Real-IP           $remote_addr;
        proxy_set_header        X-Forwarded-For     $proxy_add_x_forwarded_for;
        proxy_set_header        X-Forwarded-Proto   $scheme;
        proxy_intercept_errors  on;
        proxy_http_version      1.1;
        proxy_pass $backend;
    }

	location /gitlab
	{
		proxy_pass http://localhost:30000;
	}
}
but now I get error 404 when I get redirected , any tips ?
Last edited by black_coder on Fri Oct 21, 2016 6:42 pm, edited 1 time in total.

romu
Student
Student
Posts: 60
Joined: Wed Nov 26, 2014 10:12 am

Re: DSM 6.0.1 b7393 update - reverse proxy guide!

Unread post by romu » Wed Oct 19, 2016 9:14 am

Same to me, if I proxy my Wallabag service (port 4000) on the "/" location, it works. As soon as I specify a different location, I get a 404.

romu
Student
Student
Posts: 60
Joined: Wed Nov 26, 2014 10:12 am

Re: DSM 6.0.1 b7393 update - reverse proxy guide!

Unread post by romu » Wed Oct 19, 2016 1:24 pm

Indeed, you should wrote:

Code: Select all

   location /gitlab/
   {
      proxy_pass http://localhost:30000/;
   }
And it should work...for the default page. But not for the others. That's what I've been told, and the only way to make it work properly is to use sub-domain.

black_coder
I'm New!
I'm New!
Posts: 2
Joined: Tue Oct 18, 2016 3:40 pm

Re: DSM 6.0.1 b7393 update - reverse proxy guide!

Unread post by black_coder » Fri Oct 21, 2016 6:48 pm

There must be some kind of a wildcard that forwards all the :30000 traffic into the /github path, can anyone help with this ?

romu
Student
Student
Posts: 60
Joined: Wed Nov 26, 2014 10:12 am

Re: DSM 6.0.1 b7393 update - reverse proxy guide!

Unread post by romu » Mon Oct 24, 2016 2:35 pm

I've been told on another forum there is no other solution than using sub-domain. If not, the way you and me wanted to get it work is called namespace. And web apps are rarely setup to work properly with namespace. So, using "/" at the end of URIs will make the app homepage to be correctly redirected by the reverse proxy setup, but for sub pages, that would imply to change all URLs if the apps use absolute pathes, which is almost the case.

Personaly, I've started to set up sub-domains for my containers, and it's easy to setup. And, if you don't use SSL, you can even do this setup through the DSM GUI.

hardyg
I'm New!
I'm New!
Posts: 6
Joined: Fri Dec 02, 2016 12:33 pm

Re: DSM 6.0.1 b7393 update - reverse proxy guide!

Unread post by hardyg » Mon Jan 09, 2017 8:51 pm

Thx a lot! :D
Helped me with configuring the Nextcloud/Collabora setup!
Cheers!

bbdoc
Trainee
Trainee
Posts: 17
Joined: Mon Aug 25, 2008 8:42 am

Re: DSM 6.0.1 b7393 update - reverse proxy guide!

Unread post by bbdoc » Tue Feb 28, 2017 10:26 am

Hi Guys,

Thanks for this tutorial.

Does anyone know how I could add authentication on one of those sever { } blocks using htpasswd ?

Thanks

ubittner
I'm New!
I'm New!
Posts: 1
Joined: Wed Nov 08, 2017 6:11 pm

Re: DSM 6.0.1 b7393 update - reverse proxy guide!

Unread post by ubittner » Wed Nov 08, 2017 6:17 pm

Hi,

under DSM 6.1.4-15217 I can't get the script on startup to work.

I use the root user and the script content is

cp /volume1/data/nginx/server.ReverseProxy.bak /etc/nginx/app.d/server.ReverseProxy.conf
sudo nginx -s reload

After a reboot it is still the original Synology config file.

If I execute the script manually via the task manager it copy the file and everything is fine.

What went wrong?

Could it be possible, that the file is copied first before nginx reverse proxy is ready and then overwritten?

Regards

jonjcash
I'm New!
I'm New!
Posts: 1
Joined: Fri Dec 01, 2017 2:52 pm

Re: DSM 6.0.1 b7393 update - reverse proxy guide!

Unread post by jonjcash » Fri Dec 01, 2017 3:05 pm

^me too :(

User avatar
Primithras
Trainee
Trainee
Posts: 14
Joined: Sun Dec 01, 2013 3:03 pm

Re: DSM 6.0.1 b7393 update - reverse proxy guide!

Unread post by Primithras » Wed Dec 20, 2017 9:26 pm

ubittner wrote:Hi,

under DSM 6.1.4-15217 I can't get the script on startup to work.

I use the root user and the script content is

cp /volume1/data/nginx/server.ReverseProxy.bak /etc/nginx/app.d/server.ReverseProxy.conf
sudo nginx -s reload

After a reboot it is still the original Synology config file.

If I execute the script manually via the task manager it copy the file and everything is fine.

What went wrong?

Could it be possible, that the file is copied first before nginx reverse proxy is ready and then overwritten?

Regards
Completely forgot about this thread but I also ran into the same issue and found a fix in the meanwhile. It seems Synology does something special to the whole nginx folder. In my case, every reboot the back-up file would get deleted automatically. So simply put the back-up file somewhere else like one of your shared folders.

miicker
I'm New!
I'm New!
Posts: 1
Joined: Fri Jan 05, 2018 2:53 pm

Re: DSM 6.0.1 b7393 update - reverse proxy guide!

Unread post by miicker » Fri Jan 05, 2018 2:57 pm

Primithras wrote:
ubittner wrote:Hi,

under DSM 6.1.4-15217 I can't get the script on startup to work.

I use the root user and the script content is

cp /volume1/data/nginx/server.ReverseProxy.bak /etc/nginx/app.d/server.ReverseProxy.conf
sudo nginx -s reload

After a reboot it is still the original Synology config file.

If I execute the script manually via the task manager it copy the file and everything is fine.

What went wrong?

Could it be possible, that the file is copied first before nginx reverse proxy is ready and then overwritten?

Regards
Completely forgot about this thread but I also ran into the same issue and found a fix in the meanwhile. It seems Synology does something special to the whole nginx folder. In my case, every reboot the back-up file would get deleted automatically. So simply put the back-up file somewhere else like one of your shared folders.
Thanks for all the help, unfortunately, after a reboot, Synology always replaces the file. I've created the task in the task manager which should replace the file with the back up file on startup, but it does not work, or the file is replaced before it's written over by Synology. I've also tried putting the back up file in a different directory (not the nginx folder), but it has the same result. When I select the task in the taskmanager and run in manually it does replace the file and it works. But I have to do that every reboot. Do you have a solution for this problem?
A solution would be letting the script run automatically 10 minutes after booting, but I don't know whether that is possible or not.

Thanks in advance!

creakyshrimp
Trainee
Trainee
Posts: 13
Joined: Tue Aug 07, 2012 1:31 am

Re: DSM 6.0.1 b7393 update - reverse proxy guide!

Unread post by creakyshrimp » Thu Jul 05, 2018 8:29 pm

i think i got this working, so i thought i'd share. i'm on DSM 6.2-23739; i don't think the procedure has changed since 6.0

1) set up a reverse proxy in Control Panel --> Application Portal --> Reverse Proxy. this will create certificates and populate /etc/nginx/app.d/server.ReverseProxy.conf
2) $ sudo cp /etc/nginx/app.d/server.ReverseProxy.conf /etc/nginx/sites-enabled
3) copy the certificates somewhere else. e.g.:
$ sudo cp -r /usr/syno/etc/certificate /volume1/some-shared-folder
4) edit /etc/nginx/sites-enabled/server.ReverseProxy.conf as desired. make sure the certificate lines point to their new location.
5) delete the reverse proxy you made in Control Panel --> Application Portal
6) reboot (or you can probably just do 'sudo nginx -s reload')

i think it's stable for me. files in /etc/nginx/sites-enabled are retained.

Locked

Return to “System Managment Mods”