Synology - Segmenting Services and Applications into individual Domains

I started out merely trying to make it easier for people to access the different functions and data we had stored in the cloud on a Synology Disk Station.  It's an archive dataset, so I thought linking to "archive.domain.com" would be easy enough for people to remember.  But people had trouble remembering that it was called archive.  In their minds they were looking for Files, or Pictures.  So I started looking for a simpler way to make this work.  

Those who have used Synology Disk Stations in the past as high-quality, cheap storage arrays for archived or second copies of data will know that they are a double-edged sword.  Great boxes, pretty versatile, but in achieving that versatility for 90% of cases you occasionally miss the one thing you need.  

In this case, it's the ability to separate the roles of the device by host name.  For instance, if you use File Station, Download Station, or Video Station you can use the "Application Portal" area to assign each one a specific hostname.

In this section you can take each of those applications, and set a Custom Domain.

(Later I will cover using the Reverse Proxy; if you want to use a single domain and/or prefer to customize the ports as well, see that section.)

What you can't do, however, is deal with the "Photo Station" application. That has its own configuration for how links are generated. By default it uses the hostname set for the Synology, and it can be changed to another hostname in the configuration. That said, you are still stuck with /photo at the end of the links and pages. That left me with two options: 1. live with the /photo at the end and find a solution that takes the root domain, pictures.domain.com, and redirects it to /photo; or 2. edit the rewrites for the Photo Station app. At this juncture I decided on the former: redirect pictures.domain.com to /photo and let that stand.

Here is where it gets a bit more complicated.  Synology recently switched from Apache to Nginx. I prefer this change, but those who have done this or something similar in the past will note that you can no longer use your httpd.conf files; you need to switch to nginx.conf to accomplish this.  That said, there are several locations I have found for the nginx configuration, and it's important to know where everything lives in order to edit things.

  • The Default Configuration is located in /etc/nginx in the form of 2 files:
    • nginx.conf: the one you could play with, but which we will avoid editing.
    • nginx.conf.default: I believe this is the foundation of the Synology; I have left it alone.
  • Photo Station and Docker Configuration are located in /etc/nginx/app.d
    • You will see files such as dsm.docker.conf, server.FIlestation.conf and www.PhotoStation.conf
  • Download and File Station, as well as the Reverse Proxy configurations are located in /etc/nginx/conf.d.
    • Any file prefixed with alias* is the alias configuration shown in the image above.
    • Any file prefixed with dsm* is the function that the DSM performs for each. I would suggest not touching these :)
    • Any file prefixed with server* is the "server block" for Nginx, which is something we will alter.
  • Any personalized nginx.conf you would like to add should be placed in the /etc/nginx/sites-enabled directory and be prefixed with www*.

My first step was to make sure that I had all of the Synology configuration completed for what I wanted before altering the nginx files.  This a) made it simpler to know what I was changing, b) had a lot of the files pre-created for me, and c) allowed me to test the basic functionality before playing with Nginx, to isolate any potential configuration issues.

In order to get your Synology ready to go:

  • Install all the packages you prefer to use:
    • In this example we will be using Download, File, Photo, and Video Stations.  Along with the default DSM Admin Interface.
  • If you are going to use SSL, enable it and make sure your certificate is installed.  I recommend and use a UCC or wildcard certificate.  In this example I will assume that is the case, though there are configuration options if you want to use a single hostname and certificate with redirection.
  • Decide on the hostnames you are going to use:
    • dsm.domain.com
    • files.domain.com
    • pictures.domain.com
    • videos.domain.com
  • Configure the hostname for the DSM Management Interface.
    • You set this by going to the Control Panel, External Access, Advanced Tab:
  • For Download, File, and Video Stations you set those in the Application Portal of the Control Panel.
  • For Photo Station, you need to launch the Photo Station interface, go to Settings, General and set the Hostname.  I also set the HTTP/HTTPS ports so that the links would always be generated on ports 80/443. Second, I prefer HTTPS, so I also checked the option to redirect automatically.
  • Configure the DSM to act as a reverse proxy for the DSM services, and alter the firewall to deny any access on ports 5000 and 5001.
    • To configure DSM as a reverse Proxy for itself you go back into the Application Portal, and Reverse Proxy Tab.
      • The Description: DSM HTTPS
      • Protocol: HTTPS
      • Hostname:  dsm.domain.com
      • Port 443
      • I checked both HSTS and HTTP/2
      • Destination Protocol: HTTPS
      • Destination Hostname: localhost
      • Destination Port: 5001
  • The final configuration step is to make sure that your Security\Firewall settings are configured to block ports 5000/5001.
    • Go to Security, Firewall and you can either create a New Firewall Profile, or edit the existing.

  • Now, depending on how many rules you currently have, you need to make sure the following is completed.
    • In all your current rules make sure you uncheck Management UI for both 5000 and 5001.  This effectively disables access.
    • Create a secondary rule in order to deny access.  You can do this by hitting Create, "Select from a list of built-in applications", choosing Management UI 5000\5001, and then Deny. 
  • At this point the DSM should be locked down.  I would also suggest making sure that on whichever firewall NATs your external traffic you also close ports 5000\5001.  In theory the Synology should be fine on its own, but it's always good to make sure it is done in both locations.  

At this point the Synology is ready to go.  It's after setting these options that the configuration files mentioned above will be present and ready to be altered.  I should mention there are several ways to make these configuration changes; I have chosen what I feel is the easiest, simplest, and safest way to do so.

I did that by creating a file in /etc/nginx/sites-enabled, which I called www.amb.conf.  You can call it whatever you want as long as it matches the pattern www.*.conf.  By using that pattern the default nginx.conf will automatically pick up the file as part of its configuration.  My configuration file is below, with the explanation after it.

# Block 1: HTTP on the LAN IP for dsm.domain.com, send everything to HTTPS
server {
        listen <LAN_IP>:80;
        server_name dsm.domain.com;
        rewrite / https://dsm.domain.com;
}
# Block 2: HTTPS requests addressed to the bare LAN IP, redirect to the DSM hostname
server {
        listen 443 ssl;
        server_name <LAN_IP>;
        return 301 $scheme://dsm.domain.com$request_uri;
}
# Block 3: HTTP for pictures.domain.com, redirect to Photo Station over HTTPS
server {
        listen <LAN_IP>:80;
        server_name pictures.domain.com;
        rewrite / https://pictures.domain.com/photo;
}
# Block 4: pictures.domain.com on the DSM port 5001, keep it away from the DSM login
server {
        listen *:5001 ssl;
        server_name pictures.domain.com;
        return 301 $scheme://pictures.domain.com/photo$request_uri;
}
# Block 5: HTTP for files.domain.com, redirect to HTTPS
server {
        listen <LAN_IP>:80;
        server_name files.domain.com;
        rewrite / https://files.domain.com;
}
  • Server Block 1: this block takes anything sent to the LAN IP address of the Synology on port 80 and rewrites it to the domain name over SSL, effectively disabling HTTP to the device.  This gives you two options:
    • First, if you don't want it accessible on the internet, you just don't publish the DNS record externally.  This ensures that anyone who hits this device by IP will be rerouted to the domain name, and thus it is not accessible.
    • Second, it catches any miscellaneous domain names that may or may not be pointed at that IP address.  The rest of the configuration is based on hostname, and this very block is what secures that.
  • Server Block 2:  This ensures that when the device is accessed via SSL on port 443 by IP, the request is redirected to the https hostname.  This is needed because, with the rest of the config being based on hostname, it's important that no "default" redirection occurs.  Given that Photo Station shares the default listening criteria with DSM in nginx.conf, we need to make sure that no connection is redirected incorrectly.
  • Server Block 3:  This ensures that hitting the Synology via the hostname pictures.domain.com will be rewritten to https://pictures.domain.com.  This is essentially redirecting HTTP traffic to HTTPS.
  • Server Block 4:  Another double-edged sword.  We take care of this a different way later; however, this ensures that if someone were to enter https://pictures.domain.com:5001 it wouldn't redirect to the DSM login.  Again, later we will disable DSM on that port and use the reverse proxy to access it, but this is a safety measure.
  • Server Block 5:  This is the redirection of HTTP to HTTPS for files.domain.com, just ensuring we are always using SSL.
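As an added example (not from the original post), here is a small Python audit that parses a www.*.conf file in the layout above and flags the mistakes this pattern is prone to: a port-80 block that does not redirect to https, a block with no redirect at all, or a redirect whose target host does not match the block's server_name. The embedded config is a constructed sample using a documentation IP; it deliberately contains a mistyped host and a plain-http target so the checks have something to catch.

```python
import re
# Constructed sample in the www.*.conf layout from this post. The LAN IP is a
# documentation address; "pictures2" and the plain http target are deliberate
# mistakes that the audit should catch.
SAMPLE_CONF = """
server {
        listen 192.0.2.10:80;
        server_name dsm.domain.com;
        rewrite / https://dsm.domain.com;
}
server {
        listen 192.0.2.10:80;
        server_name pictures.domain.com;
        rewrite / https://pictures2.domain.com/photo;
}
server {
        listen *:5001 ssl;
        server_name pictures.domain.com;
        return 301 $scheme://pictures.domain.com/photo$request_uri;
}
server {
        listen 192.0.2.10:80;
        server_name files.domain.com;
        rewrite / http://files.domain.com;
}
"""
BLOCK_RE = re.compile(r"server\s*\{(.*?)\}", re.S)          # one server { ... } block
DIRECTIVE_RE = re.compile(r"^\s*(listen|server_name|rewrite|return)\s+([^;]+);", re.M)
TARGET_RE = re.compile(r"(https?|\$scheme)://([A-Za-z0-9.-]+)")  # scheme and host of target

def audit(conf):
    """Return findings for server blocks that break the redirect-only pattern."""
    findings = []
    for i, body in enumerate(BLOCK_RE.findall(conf), 1):
        blk = dict(DIRECTIVE_RE.findall(body))           # last directive of each kind wins
        port = blk.get("listen", "?").split()[0].rsplit(":", 1)[-1]  # "ip:80", "*:5001", "443"
        name = blk.get("server_name", "?")
        action = blk.get("rewrite") or blk.get("return") or ""
        m = TARGET_RE.search(action)
        if not m:
            findings.append(f"block {i} ({name}): no redirect to another URL")
            continue
        scheme, host = m.groups()
        if port == "80" and scheme != "https":
            findings.append(f"block {i} ({name}): port 80 must redirect to https, got {scheme}")
        if host != name:
            findings.append(f"block {i} ({name}): redirect target {host} differs from server_name")
        if port in ("5000", "5001") and "$request_uri" not in action:
            findings.append(f"block {i} ({name}): DSM-port redirect drops $request_uri")
    return findings
```

Run audit() against your own /etc/nginx/sites-enabled/www.*.conf; an empty list means every hostname block redirects to HTTPS on its own name.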

Now you are done.  Either restart your Synology or, via SSH, run nginx -s reload, and you should be operating under different hostnames, all over SSL on port 443.  Keep in mind that if you use the mobile apps in any way, you need to put the port number after the URL when connecting. For instance, in the Synology Photos app the URL should be pictures.domain.com:443.