Secure (HTTPS) public access to Synology NAS using Let’s Encrypt (free) SSL certificate

February 17, 2017 – 17:00 by Adnan Hodzic

Secure public access to your Synology?

Every time I’m outside of my home network, and I need to get something from my Synology NAS, I’m facing the same dillema. Who’s sniffing the network I’m on, and who will I hand over my credentials in plain text using HTTP.

Of course, you can add extra security to your Synology account by using 2 step authentication, or first establishing connection to (preferably private) VPN connection. But even then … footprint of sensitive data you’re leaving behind you is just not worth it.

To resolve this problem, you could get a self-signed SSL certificate, but whole process will cost you time and money. But thanks to good people at Let’s Encrypt, this whole process now takes 15 minutes process and is free!

Secure (HTTPS) access to Synology NAS using Let’s Encrypt (free) SSL certificate

There are couple of tutorials which cover this same topic, however reason why I wrote my own is because none of them worked for me.

Requirements:

1. DNS

First thing you need to do is add A record for sub/domain you want to point to your Synology’s external (WAN) IP. Example:

Name:   synology.hodzic.org
Class:  IN
Type:   A
Record: WAN IP

You can find your external IP/WAN IP if you have external access enabled via DDNS

Go to: Control Panel > External Access > DDNS

Control Panel > External Access > DDNS

DDNS dialog

Enabling Synology external access using DDNS

2. Certificate

Now it’s time to obtain Let’s Encrypt SSL certificate, which you can do by going to:

Control Panel > Security > Certificate > Add

Control Panel > Security > Certificate > Add

On next dialog click on “Add a new certificate”

Create certificate > Add a new certificate

Then select “Get a certificate from Let’s Encrypt”

Create certificate > Get a certificate from Let's Encrypt

Finally get a certificate from Let’s Encrypt with data as follows:

  • Domain name – sub/domain you setup as part of 1. DNS
  • Email – email you want to use to renew this certificate
  • Subject alternative name – alternative DNS record.
    You can use URL you use for external access (DDNS)

Create certificate - Get a certificate from Let's Encrypt

and click on Apply

If obtaining certificate fails, you need to setup port forwarding on your router, as mentioned under Requirements section.

3. Reverse Proxy

While other suggested setting up a web server, idea which makes most sense to me in this case is Reverse Proxy.

Go to Control Panel > Application Portal > Reverse Proxy > Create

Control Panel > Application Portal > Reverse Proxy > Create

By default, DSM ports will be running behind 5000/5001, so in that case we want to point external ports 80 and 443 to them with two rules.

ProxyPass/redirect traffic from example domain port 80 to 5000

ProxyPass/redirect traffic from example domain port 80 > 5000

ProxyPass/redirect traffic from example domain port 443 > 5001

ProxyPass/redirect traffic from example domain port 443 > 5001

4. Select certificate for your domain

Almost done, now you have to select which certificate you want to use for your sub/domain.

Go to Control Panel > Security > Certificate > Configure

 Control Panel > Security > Certificate > Configure

Finally, select newly generated Let’s Encrypt SSL certificate for your sub/domain and click Ok

Select newly generated Let's Encrypt SSL certificate for your sub/domain

After this, if you go to your sub/domain with https prefix (i.e: https://synology.hodzic.org) you’ll be greeted with secure page!

Synology external HTTPS request

However, only problem is that if you go to http://synology.hodzic.org, you won’t be automatically redirected to https and you’ll be left on unsecure page.

Synology external HTTP request

5. Redirect All traffic from http to https

To resolve this problem, go to:

Control Panel > Network > DSM Settings and select Automatically redirect HTTP connections to HTTPS

Control Panel > Network > DSM Settings > Automatically redirect HTTP connections to HTTPS

After which every http request will automatically redirect to https.

Recommendations:

  • Change DSM ports from default 5000/5001 to something else
  • Optionally you can also consider enabling following settings:
    • Enable HTTP/2
    • Enable HSTS

If you set “Subject Alternative Name” with your certificate, and want want to secure that URL with this same certificate. Don’t forget to set Reverse Proxy rules for that URL as well, and select correct certificate for that URL. Result:

External URL (DDNS) behind same certificate

Happy hacking!

Disqus Comments

foolcontrol