You can add more security globally to your synology with an https connection and the embedded reverse proxy. It's a little bit tricky, but you can redirect all traffic to https/443 with a certificate and HSTS. With that you only have to open ports 80 and 443 to the internet.
Here is my setup. Do all the steps locally to avoid network disruption.
- STEP 1 : open ports 80 and 443 to the internet
log in to your router (in my case, in France, it is a Freebox) and forward 80 and 443 to the internal IP of your synology. 1 port = 1 rule.
- STEP 2 : create a ddns name
in my case it's a noip account; you can have 3 dynamic DNS names for free. Create your account and your domain name. If you create it from your home, the setup will fill in your public IP directly. Create a DNS HOST (A) record and fill in the right public IP.
- STEP 3 : configure DDNS update in the synology
in my case the DDNS is configured in my router, but you can configure it in the synology: CONTROL PANEL - EXTERNAL ACCESS - DDNS - CREATE
fill in your DDNS service provider, domain name and account; by default the synology knows the external IP. Test the connection: the status has to be "normal".
- STEP 4 : adding security
- STEP 4a : redirect all traffic to https/443 port
go to CONTROL PANEL - NETWORK - DSM SETTINGS and activate the redirection from http to https, HTTP/2 and nginx, then activate the personal domain name with your DOMAIN NAME and HSTS.
now your web server will restart. If you try to connect to your synology with http://<name>.ddns.net (in my case) it will redirect to https://<name>.ddns.net. With that you don't have to connect externally to your synology on the 5000 or 5001 ports (which are generally blocked by firewalls); all the traffic passes through the 443/https port.
- STEP 4b : create a let's encrypt certificate
443 is good, a certificate is better: go to CONTROL PANEL - SECURITY - CERTIFICATE. Choose LET'S ENCRYPT and fill in your domain name and your mail address. The OTHER NAME field is for when you want multiple names on the same certificate (one certificate can cover several hostnames).
in my case I have :
- XXXX.ddns.net is my primary domain name
- XXXXvideos.ddns.net is a second name for emby (you have to create it in your DDNS service provider)
- XXXXplex.ddns.net is my third name for plex (you have to create it in your DDNS service provider)
- and multiple other names
once created, you can show all the services mapped to your certificate.
after the syno web server reloads, you have a valid certificate and encrypted connections.
- STEP 5 : reverse proxy emby
now we have to expose emby's port 8096 through 443 to get https, HSTS and your certificate. But if XXXX.ddns.net is your synology, how do you reach emby? By creating an extra host name at your DDNS service provider and reverse proxying it.
- STEP 5a : new DDNS host name
go back to your DDNS service provider and create a new host name :
- create a hostname
- record type : DNS ALIAS (CNAME)
- target : your domain name
so XXXXvideos.ddns.net will resolve to the same IP as XXXX.ddns.net (a CNAME is a DNS alias, not an HTTP redirect; the reverse proxy below is what tells the different names apart).
- STEP 5b : reverse proxying
go to CONTROL PANEL - APPLICATION PORTAL - REVERSE PROXY
create a rule like this :
- source : https connections to XXXXvideos.ddns.net (in my case) on port 443
- with HSTS and HTTP/2
- destination : HTTPS, localhost, on port 8920 (8920 is emby's https port)
you can also use HTTP, localhost, on port 8096; I put 8920 for testing another thing and I left it.
and you're done!
I didn't configure anything else in emby, no external connection; the only security is for Ombi, all the configuration is done by the syno.
- STEP 6 : add your second name to your certificate
you created a certificate with your domain name in STEP 4b but you did not add your second name, so if you connect to XXXXvideos.ddns.net you will get a certificate name mismatch. Go back to CONTROL PANEL - SECURITY - CERTIFICATE and renew your certificate: recreate it and add your second name.
and voilà !
with that, I have multiple services on my synology (video station, file station, audio station, plex, emby, ombi, unifi controller, photos web server...). I reverse proxy everything, so the only ports accessible externally are 80 (for the let's encrypt renewal) and 443.
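Once the steps above are done, it is worth checking from outside that they actually took effect: that port 80 really answers with a redirect to https, that the HSTS header is sent, and that the certificate covers every reverse-proxied name (the STEP 6 problem). The script below is an added example, not part of the original post or of Synology's software. The hostnames XXXX.ddns.net, XXXXvideos.ddns.net and XXXXplex.ddns.net are the post's placeholders, the sample responses are constructed so the checks run offline, and the 180-day minimum HSTS max-age is an assumption of this script, not a value from the post.

```python
"""Post-setup checks for the https / reverse-proxy setup described above.

Added example (not from the original post). Hostnames are the post's
XXXX placeholders; replace them with your own names before a live run.
"""
import http.client
import socket
import ssl
from urllib.parse import urlsplit

# Constructed sample data standing in for what a live NAS would answer.
SAMPLE_HTTP_STATUS = 301
SAMPLE_HTTP_HEADERS = {"location": "https://XXXX.ddns.net/"}
SAMPLE_HTTPS_HEADERS = {"strict-transport-security": "max-age=31536000; includeSubDomains"}
# Certificate SANs as they look after STEP 4b but before STEP 6 (second name missing) ...
SAMPLE_SAN_BEFORE_STEP6 = ["XXXX.ddns.net"]
# ... and after STEP 6 (certificate recreated with the other names).
SAMPLE_SAN_AFTER_STEP6 = ["XXXX.ddns.net", "XXXXvideos.ddns.net", "XXXXplex.ddns.net"]


def redirect_is_https(status, headers, host):
    """STEP 4a check: a plain-http request must be redirected to https:// on the same host."""
    if status not in (301, 302, 307, 308):
        return False
    target = urlsplit(headers.get("location", ""))
    return target.scheme == "https" and target.hostname == host.lower()


def hsts_ok(headers, min_age=15552000):
    """STEP 4a check: HSTS header present with max-age >= min_age seconds.

    The 180-day default is an assumption of this example; pick your own policy.
    """
    raw = headers.get("strict-transport-security")
    if not raw:
        return False
    for directive in raw.split(";"):
        name, _, value = directive.strip().partition("=")
        if name.lower() == "max-age":
            try:
                return int(value.strip()) >= min_age
            except ValueError:
                return False
    return False  # header without max-age is not a valid HSTS policy


def name_matches(pattern, host):
    """Hostname matching as browsers do it: exact match, or a single-label wildcard."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        return host.count(".") == pattern.count(".") and host.endswith(pattern[1:])
    return pattern == host


def cert_covers(san_names, hosts):
    """STEP 6 check: which of the reverse-proxied names are covered by the certificate."""
    return {h: any(name_matches(p, h) for p in san_names) for h in hosts}


def live_check(primary, hosts, timeout=5):
    """Run the three checks against a real NAS (needs network; not used offline)."""
    plain = http.client.HTTPConnection(primary, 80, timeout=timeout)
    plain.request("GET", "/")
    resp = plain.getresponse()
    redirect = redirect_is_https(resp.status, {k.lower(): v for k, v in resp.getheaders()}, primary)
    plain.close()

    ctx = ssl.create_default_context()  # verifies the chain and hostname, like a browser
    secure = http.client.HTTPSConnection(primary, 443, context=ctx, timeout=timeout)
    secure.request("GET", "/")
    hsts = hsts_ok({k.lower(): v for k, v in secure.getresponse().getheaders()})
    secure.close()

    with socket.create_connection((primary, 443), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=primary) as tls:
            san = [v for t, v in tls.getpeercert().get("subjectAltName", ()) if t == "DNS"]
    return {"redirect": redirect, "hsts": hsts, "names": cert_covers(san, hosts)}


if __name__ == "__main__":
    names = ["XXXX.ddns.net", "XXXXvideos.ddns.net"]
    print("http -> https:", redirect_is_https(SAMPLE_HTTP_STATUS, SAMPLE_HTTP_HEADERS, names[0]))
    print("HSTS ok:", hsts_ok(SAMPLE_HTTPS_HEADERS))
    print("before STEP 6:", cert_covers(SAMPLE_SAN_BEFORE_STEP6, names))
    print("after STEP 6:", cert_covers(SAMPLE_SAN_AFTER_STEP6, names))
```

Run it as-is to see the offline checks; call `live_check("XXXX.ddns.net", [...])` with your own names from a machine outside your LAN to check the real deployment. A `False` in the `names` map is exactly the certificate name mismatch STEP 6 fixes.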