Synology reverse proxy

Synology reverse proxy is quite nice tool when you manage to “get it”. I spent quite some time exploring this function and managed to “kind of” set it up. So, here are my observations (if there’s something not correct i’m open to suggestions):

First, you must set up two port forwardings in your router. First is port 443. Ok, port 443 is default port for https protocol, you’ll say, so there’s no need for this… but it IS need for it. Reason? Well, many routers (including my Asus RT-AX88U) manage this port itself if not told different. By entering this port forwarding you’re telling your router to “leave this port alone” and let it DSM handle it. So, enter internal and external port.

Second one is https port of your DSM station (default is 5001, i think). It’s interesting that if i don’t setup this port forwarding my DSM interface is not accessible from outside. Again enter internal and external port.

Second thing is Synology. For this open Control Panel, Application Portal, Reverse Proxy. Click “Create”. Fill in description. Then:
– Protocol: HTTPS
– hostname: say,
– port: 443
under “Destination”:
– protocol: https
– hostname: local IP of your DSM station (say,
– port: https port of your DSM station (default 5001).

I couldn’t manage to resolve meaning of two options “Enable HSTS” and “Enable HTTP/2” yet. i don’t see any difference between on and off…

Finally click “Custom Header”, click “Create”and “WebSocket. That’s it, click “OK.

Now we need to get a certificate for this address. For this go to “Security”, then “Certificate”. Click “Add” and select “Add new cerfiticate”. Click “Next” and select “Get certificate from Let’s Encrypt”. On next page enter domain name (from above example it’s “”), enter your email and click “Apply”.

Now open web browser and enter: “”. DSM web interface should now open. If it doesn’t, clear your browser cache and try again.

Ok, i assume that this is now working. Now we’d like to add some more subdomains. I’ll focus on my HA instance. Go into Application portal/Reverse Proxy again. Click “Create” and enter new description (HA in my case).

Fill up other data:
– Protocol: HTTPS
– hostname: say,
– port: 443
under “Destination”:
– protocol: http
– hostname: local IP of HA application (say,
– port: https port of HA application (default 8123).

Finally click “Custom Header”, click “Create”and “WebSocket (DON’T forget this part!!). Click “OK.

Again go to certificates and create a certificate for this new subdomain like above, only as domain enter “”. Now HA should also be accesible on this new address.

This way you can create as many subdomains as you like. Only difference is local IP and port. The good thing is that you don’t have to enter port forwarding for each local IP so you’re less exposed for attacks, and all pages have valid certificate.

Was this helpful?

1 / 0

Leave a Reply 0