Hey everyone,
My personal server of choice is a DiskStation right now, and I’m using the default reverse proxy for all my subdomains. I went through a few stages to secure them, and now that I’m finally finished (famous last words heh?!) I thought I’d document my approach and provide some configs and code. I’ve seen a few unanswered questions here and there about how to do this on Synology, so hopefully this helps a few people.
The guide covers limiting access to local IPs, as well as adding Basic or SSO authentication. The main goal is to integrate well with the GUI and access control profiles, and to leave all existing and autogenerated files untouched, so updates and changes via the GUI still work as expected.
Here is the basic idea:
The nginx server config is located in
/etc/nginx/
, and the reverse proxies are defined in thesites-available/server.ReverseProxy.conf
file inside that folder. There’s oneserver
directive for every proxied site, and the DSM config adds ainclude .acl.<random string>.conf*
directive if you set up an access control profile for a site. That*
at the end there is crucial, because it means we can manually add more configuration files with the same prefix, and they will automatically be included and applied to all sites using this access control profile.There are also
include
directives for themain
andhttp
scopes, as well as for the default DSMserver
directives. This means we can inject configurations in these places, just by adding correctly named files to theconf.d
folder.For Single Sign-On (SSO) authentication we run a Vouch-Proxy instance to handle the communication between nginx and the OIDC server. We also need to spin up another nginx reverse proxy and forward requests to it, because the built-in one doesn’t support the required
auth_request
directive. Its container script just copies the default reverse proxy configuration with some modifications, and it is set up to reload whenenver the original file changes.
A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don’t control.
Rules:
Be civil: we’re here to support and learn from one another. Insults won’t be tolerated. Flame wars are frowned upon.
No spam posting.
Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it’s not obvious why your post topic revolves around selfhosting, please include details to make it clear.
Don’t duplicate the full text of your blog or github here. Just post the link for folks to click.
Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).
No trolling.
Resources:
Any issues on the community? Report it using the report flag.
Questions? DM the mods!