Synology reverse proxy

Synology reverse proxy is quite nice tool when you manage to “get it”. I spent quite some time exploring this function and managed to “kind of” set it up. So, here are my observations (if there’s something not correct i’m open to suggestions):

First, you must set up port forwarding in your router. Correct port is 443, which is default port for https protocol. Maybe you’ll say, so there’s no need for this… but, it depends on router… many routers (like Asus) manage this port itself if not told different. By entering this port forwarding you’re telling your router to “leave this port alone” and let it DSM handle it. So, enter external port and local IP of your DSM.

Second thing is Synology. For this open Control Panel, Application Portal, Reverse Proxy. Click “Create”. Fill in description. Then:
– Protocol: HTTPS
– hostname: say,
– port: 443
under “Destination”:
– protocol: https
– hostname: local IP of your DSM station (say,
– port: https port of your DSM station (default 5001).

I couldn’t manage to resolve meaning of two options “Enable HSTS” and “Enable HTTP/2” yet. i don’t see any difference between on and off…

Finally click “Custom Header”, click “Create”and “WebSocket. That’s it, click “OK.

Now we need to get a certificate for this address. For this go to “Security”, then “Certificate”. Click “Add” and select “Add new cerfiticate”. Click “Next” and select “Get certificate from Let’s Encrypt”. On next page enter domain name (from above example it’s “”), enter your email and click “Apply”.

Now open web browser and enter: “”. DSM web interface should now open. If it doesn’t, clear your browser cache and try again.

Ok, i assume that this is now working. Now we’d like to add some more subdomains. I’ll focus on my HA instance. Go into Application portal/Reverse Proxy again. Click “Create” and enter new description (HA in my case).

Fill up other data:
– Protocol: HTTPS
– hostname: say,
– port: 443
under “Destination”:
– protocol: http
– hostname: local IP of HA application (say,
– port: https port of HA application (default 8123).

Finally click “Custom Header”, click “Create”and “WebSocket (DON’T forget this part!!). Click “OK.

Again go to certificates and create a certificate for this new subdomain like above, only as domain enter “”. Now HA should also be accesible on this new address.

This way you can create as many subdomains as you like. Only difference is local IP and port. The good thing is that you don’t have to enter port forwarding for each local IP so you’re less exposed for attacks, and all pages have valid certificate.

Home Assistant entries

My friend from HA forums (thanks, Lindorm) warned me that i forgot to mention some entries in HA which must be made to have successfull connection to HA from outside world.

In HA’s configuration.yaml this is a must:

  ip_ban_enabled: true
  login_attempts_threshold: 10
  use_x_forwarded_for: true

Some explanation:

First… “ip_ban_enabled: true” and “login_attempts_threshold: 10” are not “a must”. They are just some additional precacution against possible attackers – in above case when someone tries to enter my HA 10 times without luck it’s banned out. Then admin must manually delete banned IP from HA.

But all other lines have to be in configuration.yaml.

IP entries: these are IP’s used in my virtual machine inside Synology, where my HA runs. Check Virtual machine –> select your HA instance and at the bottom in “General” tag there are, in my case, three IP’s stated. First one is IP of my HA, second and third are…well, i don’t know their’s official name, but i guess that they are proxy IP’s and they must be entered in HA. In my case they are and Note that last digit must be “0” (you define IP segment, not specific IP address, thus /24 at the end).

So, make these entries, restart HA and hope for the best…

Was this helpful?

10 / 6