
Help on reverse proxy on Synology


rouq
Solved by mastrmind11

Hi

 

I'm trying to use https for remote connections using Synology reverse proxy and a letsencrypt certificate installed using the DSM control panel.

 

Here's what I did so far:

1. Set up DDNS using the synology.me service

2. Created a letsencrypt certificate for this domain using the DSM control panel

3. Created a reverse proxy setting on port 8921 to redirect to localhost:8096

4. Set up the https://*:8921 service to use the "mydomain".synology.me certificate

5. Set up port forwarding on my router to forward port 8921 to my NAS port 8921

6. In the Emby advanced settings, I set the external domain, https port and the secure connection mode to "Handled by reverse proxy".

 

Everything is working great except for one thing.

 

If I use https://"mydomain".synology.me:8921, I get a secure connection to emby server with the message : Secure connection: verified by Let's Encrypt.

 

However, if I use this url instead:

https://"mypublicip":8921, I get to my emby server on an unsecure connection with this message: "mypublicip":8921 uses an invalid security certificate.  The certificate is only valid for "mydomain".synology.me.

I can add an exception in the browser and get to my emby server on an unsecure connection, which defeats the purpose of having a secure connection in the first place.

Did I miss a setting somewhere, anything that could explain why I can get to my emby server on an unsecure connection through my public IP?

 

Thank you

 

 


mastrmind11

certs roll up to a domain name not an IP.  the cert has to match the domain you're connecting to.  ie, this is working as intended.

> certs roll up to a domain name not an IP.  the cert has to match the domain you're connecting to.  ie, this is working as intended.

 

Thanks for quick reply

 

Is there a way to set the reverse proxy to not forward unsecure connections?

If not I guess the only solution would be to set the certificate directly on emby server and set the secure connection mode to "require for all remote connection".  I tried the reverse proxy in the first place because it seems easier and quicker to renew the certificate every 3 months.


  • Solution
mastrmind11

> Thanks for quick reply
>
> Is there a way to set the reverse proxy to not forward unsecure connections?
>
> If not I guess the only solution would be to set the certificate directly on emby server and set the secure connection mode to "require for all remote connection".  I tried the reverse proxy in the first place because it seems easier and quicker to renew the certificate every 3 months.

I'm not familiar w/ Synology's method of proxying, but this is possible w/ true web servers like nginx or apache.  It might also be the letsencrypt cert.  In all honesty, just go get a domain name from namecheap or wherever and get a free cert from cloudflare.  Costs like $10 and is way simpler and lasts like 7 years or something before you have to renew.  there are tutorials all over the internet to set it up this way (as well as a bunch of posts on these forums).

  • Like 1
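
The answer above says that refusing connections made by bare IP is possible with nginx. A minimal sketch of that setup follows, as an added example that is not from the thread or from Synology's own proxy; the hostname `mydomain.example` and the certificate paths are placeholders, while the ports 8921 and 8096 are the ones from the original post. A client that connects by IP address sends no matching server name, so it falls through to the default server, where the TLS handshake is refused before anything is proxied to Emby.

```nginx
# Added example. Hostname and certificate paths are placeholders (assumptions).

# Catch-all server: selected when the client's SNI is absent or does not match
# any server_name below, which is the case for https://<public-ip>:8921.
server {
    listen 8921 ssl default_server;
    ssl_reject_handshake on;   # requires nginx 1.19.4 or later
    return 444;                # also drop requests whose Host header does not match
}

# Named server: only requests for the certificate's hostname reach Emby.
server {
    listen 8921 ssl;
    server_name mydomain.example;                          # placeholder hostname

    ssl_certificate     /etc/ssl/example/fullchain.pem;    # placeholder path
    ssl_certificate_key /etc/ssl/example/privkey.pem;      # placeholder path

    location / {
        proxy_pass http://127.0.0.1:8096;                  # Emby's local HTTP port
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Pass WebSocket upgrades through to the backend
        proxy_http_version 1.1;
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
```

This only holds if the router forwards port 8921 alone, so that the proxy is the single remote path to port 8096. To check it, `curl -v https://<public-ip>:8921/` should fail during the TLS handshake while the hostname URL still loads.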
> I'm not familiar w/ Synology's method of proxying, but this is possible w/ true web servers like nginx or apache.  It might also be the letsencrypt cert.  In all honesty, just go get a domain name from namecheap or wherever and get a free cert from cloudflare.  Costs like $10 and is way simpler and lasts like 7 years or something before you have to renew.  there are tutorials all over the internet to set it up this way (as well as a bunch of posts on these forums).

 

Thanks for the tips.

 

I got a domain name from freenom for 12 months and set up cloudflare.  I installed a set of certificates on emby server from cloudflare and it's all working great.

I set the secure connection mode on emby server to "required for all remote connections".  However, I can still log in and watch stuff directly using the public IP address, and this connection is not secured.

What exactly does the parameter "secure connection mode" do?  I thought setting this parameter would have blocked unsecure remote connections?
