I’m tired of browser errors from incorrect certificates while connecting to my Synology, and since I only connect to it over VPN and it only has a local IP address, I just use http instead of https. Part of me thinks that the VPN makes it unnecessary and I’d only be protecting passwords etc. from folks who were already on my network and snooping; part of me feels like I ought to learn how to do some basic cert stuff myself.
I’ve tried a number of tutorials for self-certification I’ve found online but haven’t managed to figure it out. I keep getting stuck at how to actually get the specific file types I need. Does anyone have a preferred step-by-step set of instructions that is fairly idiot-proof / oriented at the semi-competent? Or a shortcut? Or should I stop worrying since my access to DSM, etc. is all only over a local network or VPN?
I’d be inclined to install Nginx and use this as a proxy for the insecure site. However, apart from the browser nagging for SSL, it’s not really necessary if the site is only accessible on the LAN.
I care enough about these issues to have gotten this working a long time ago. It takes some effort and upkeep.
Nginx is already there. The config UX is at Control Panel → Login Portal → Advanced → Reverse Proxy.
This is most definitely the right place to start. This will get you a free cert that you can use with multiple hostnames. I believe it’s good for 90 days. If you poke a hole in your firewall, it can auto-update. I don’t do that, so using this approach meant manual work every 90 days. I switched to a cert I pay for to reduce maintenance.
I use a custom domain from within my LAN to access Synology stuff. I use URLs like:
Source a cert from somewhere. Let’s Encrypt or the issuer of your choice. I use Namecheap for domain registration, custom DNS, certs. I like them. They’re reasonably priced, have great docs, and have engaged immediately with expert help when I’ve needed it.
Create A records for the hosts I listed above which point to the 192.168.x.x IP address of my NAS. These hostnames are served by public DNS but are obviously only meaningful on my LAN.
Get the cert installed and configure what services to use it with.
Set up Nginx (the reverse proxy) to map 443 and the individual service hostnames to the actual service ports on the NAS. I’m not sure if you know Nginx. It’s just doing the equivalent of loopback so if it sees an https request for, let’s say, homebridge.mydomain.com, it looks at the hostname (homebridge) and knows to route those to a configuration-specified port.
Even if you’re not going to get an HTTPS cert, using Nginx and custom hostnames is convenient if you’re running a number of things on your Synology like I do.
I use Safari as my default browser. It’s a terrible browser when you’re dealing with the kinds of issues that can exist on a local LAN accessing non-http services. It likes to prepend www on things. It caches aggressively. It doesn’t like custom ports. If nothing more, at least use Brave, Chrome, or Firefox for the local stuff. Those will create fewer headaches.
If you don’t care about having a custom domain and don’t need to proxy multiple sub-domains to multiple services (as gTunes describes above) you can just use Synology’s own DDNS service to get a mynas.synology.me address.
The main limitation to doing this, other than it using a Synology domain name, is that you can only associate one mynas.synology.me domain with your NAS. For example, you can’t set up homeassistant-mynas.synology.me to point to Home Assistant and surveillance.mynas.synology.me to point to Surveillance Station.
Anyway, I’d start there using the existing Synology interface / tools before deciding if you need anything more complex. Not least because a) it’s free, b) it’s simple, and c) when you come back to it in 18 months it will be more obvious what you did if it’s there in front of you in the Synology interface.
The built-in Synology Let’s Encrypt feature also handles updating your Let’s Encrypt certificate automatically.
My recollection is that in order for automatic certificate renewal to work, your NAS needs to be reachable from the WAN at the address of the certificate. Thinking about it now, though, I realize that this must only be true if you are using a custom domain. You’re giving very good advice here!