Geoblocking through Synology Reverse Proxy?


Dreakon13
Go to solution Solved by A32,

Dreakon13

Hi, this is probably more of a general Synology question, but whenever I try to ask questions on most tech/security-oriented subreddits or forums, I get absolutely ripped to shreds by people that have more interest in showing me how great they are than actually humoring me and answering a question... so I'm hoping I can maybe get some kinder responses here since it is vaguely Emby related.

I have Emby running through the reverse proxy functionality on my Synology DS220+, along with a domain and cert provided by Synology/Let's Encrypt. I have Emby disabled for remote access in the software itself, accessing it through the https://emby.synology.domain.name that was set up through the reverse proxy pointing to Emby's local port. I know this isn't really a supported way of doing secure remote access and there's quite a bit I probably don't really know about reverse proxies... but it's quick, clean, easy and it seems to work.

I'd like to restrict access to my NAS entirely (including Emby) to only US IP addresses. In a perfect world I'd only allow access to a handful of specific IPs but given how public IPs can change, this seems like the next best thing... I have no reason to open the NAS up to connections outside of the US. If I try to do this through Synology's firewall, I lose access to Emby since presumably everything through the reverse proxy is seen as the local IP. And if everything looks like the local IP, I can't block specific ones. That's my guess though. If I block all non-US IPs it doesn't work, if I allow the local IP it does.

Long story short... anyone with some deeper understanding of Synology NASes, is there a way to block all access to the NAS, Emby, etc. from all non-US IPs? In particular also applying to Synology's reverse proxy and domain/cert?

Edited by Dreakon13

Dreakon13

Thanks, I'll go through that more tomorrow morning when the server is less actively used, but it's my (probably incorrect) understanding that the reverse proxy interprets the external connections as the local IP (using the local ports)... so allowing my local IP, since that'd encompass everything coming through, and blocking external IPs wouldn't really accomplish anything.

At least that's kinda the impression I was getting tinkering with it prior to posting the OP.

Edited by Dreakon13

  • Solution

Hi,

You’ll need to enable the firewall with three simple rules:

1. Allow the local subnet (e.g. 192.168.1.0/24). This will allow unfiltered access on your LAN for all hosts and all protocols.
2. Allow the reverse proxy for U.S. only. Select it from the built-in applications (reverse proxy, https) and set the location to U.S.
3. Deny all. This rule should always be at the bottom of the list.

The firewall rules are parsed top to bottom. Execution of the rules stops when a match is found.

I can provide more details if needed.

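The first-match evaluation described in the solution above, as an added sketch that is not part of the original posts and is not Synology's code. The GeoIP table (documentation address ranges), rule names, sample ports and the implicit default are constructed assumptions.

```python
import ipaddress

# Constructed stand-in for a GeoIP database, using RFC 5737 documentation
# ranges; the country labels are assumptions for this example only.
GEO = {"198.51.100.0/24": "US", "203.0.113.0/24": "DE"}

def country(ip):
    addr = ipaddress.ip_address(ip)
    for net, cc in GEO.items():
        if addr in ipaddress.ip_network(net):
            return cc
    return None

def matches(rule, ip, port):
    # A field missing from the rule means "any".
    if rule.get("subnet") and ipaddress.ip_address(ip) not in ipaddress.ip_network(rule["subnet"]):
        return False
    if rule.get("port") is not None and rule["port"] != port:
        return False
    if rule.get("country") and country(ip) != rule["country"]:
        return False
    return True

def evaluate(rules, ip, port):
    """Top to bottom, stop at the first match: return (action, rule name)."""
    for rule in rules:
        if matches(rule, ip, port):
            return rule["action"], rule["name"]
    return "deny", "implicit"  # assumption: no rule matched, treat as denied

# The three rules from the solution, in the order given there.
RULES = [
    {"name": "lan", "subnet": "192.168.1.0/24", "action": "allow"},
    {"name": "proxy-us", "port": 443, "country": "US", "action": "allow"},
    {"name": "deny-all", "action": "deny"},
]
# Same rules with deny-all moved to the top: it matches everything first.
MISORDERED = [RULES[2], RULES[0], RULES[1]]

if __name__ == "__main__":
    samples = [("192.168.1.50", 8096), ("198.51.100.7", 443),
               ("203.0.113.9", 443), ("198.51.100.7", 5001)]  # constructed
    for ip, port in samples:
        print(ip, port, evaluate(RULES, ip, port), evaluate(MISORDERED, ip, port))
```

With the rules in the posted order, only LAN hosts and US sources on the HTTPS port are allowed; with deny-all first, even the LAN host is denied.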

Dreakon13
Worked perfectly, thank you!

I jumped around via VPN to a few different places and back to the US, and it worked/didn't work as expected after those changes. I didn't realize there was a reverse proxy selection in the built-in applications... but I should've figured allowing US only for HTTPS would've done the trick too. Live and learn. Thanks again.
