Synology reverse proxy

Synology reverse proxy is quite nice tool when you manage to “get it”. I spent quite some time exploring this function and managed to “kind of” set it up. So, here are my observations (if there’s something not correct i’m open to suggestions):

First, you must set up port forwarding in your router. Correct port is 443, which is default port for https protocol. Maybe you’ll say, so there’s no need for this… but, it depends on router… many routers (like Asus) manage this port itself if not told different. By entering this port forwarding you’re telling your router to “leave this port alone” and let it DSM handle it. So, enter external port and local IP of your DSM.

Second thing is Synology. For this open Control Panel, Application Portal, Reverse Proxy. Click “Create”. Fill in description. Then:
– Protocol: HTTPS
– hostname: say,
– port: 443
under “Destination”:
– protocol: https
– hostname: local IP of your DSM station (say,
– port: https port of your DSM station (default 5001).

I couldn’t manage to resolve meaning of two options “Enable HSTS” and “Enable HTTP/2” yet. i don’t see any difference between on and off…

Finally click “Custom Header”, click “Create”and “WebSocket. That’s it, click “OK.

Now we need to get a certificate for this address. For this go to “Security”, then “Certificate”. Click “Add” and select “Add new cerfiticate”. Click “Next” and select “Get certificate from Let’s Encrypt”. On next page enter domain name (from above example it’s “”), enter your email and click “Apply”.

Now open web browser and enter: “”. DSM web interface should now open. If it doesn’t, clear your browser cache and try again.

Ok, i assume that this is now working. Now we’d like to add some more subdomains. I’ll focus on my HA instance. Go into Application portal/Reverse Proxy again. Click “Create” and enter new description (HA in my case).

Fill up other data:
– Protocol: HTTPS
– hostname: say,
– port: 443
under “Destination”:
– protocol: http
– hostname: local IP of HA application (say,
– port: https port of HA application (default 8123).

Finally click “Custom Header”, click “Create”and “WebSocket (DON’T forget this part!!). Click “OK.

Again go to certificates and create a certificate for this new subdomain like above, only as domain enter “”. Now HA should also be accesible on this new address.

This way you can create as many subdomains as you like. Only difference is local IP and port. The good thing is that you don’t have to enter port forwarding for each local IP so you’re less exposed for attacks, and all pages have valid certificate.

Was this helpful?

3 / 3