If you have a Synology NAS (a.k.a. Diskstation) and a domain (i.e. dsm.yourdomain.com) that points to your router WAN IP, when you enter “dsm.yourdomain.com” in the browser, have you noticed that the URL becomes “http://dsm.yourdomain.com:5000”? I mentioned briefly in the previous tutorial that when you enter a URL without specifying its protocol (i.e. http vs. https) or port (i.e. 80, 443, etc), “http” (default non-encrypted protocol) with port “80” is assumed. Your browser will replace the request as “http://dsm.youdomain.com”. Note that port 80 is the default port for “http” traffic, so unless you specify a different port, the browser will not show it. This is the same with port 443 for “https” traffic. Now, where did “:5000” come from?
URL Re-Write (without Web Station)
Let’s assume that Web Station (to enable website hosting) is not installed on the Diskstaion and that you’ve forwarded ports 80 (default http port) and 5000 (default port to reach DSM, DiskStation Manager, Synology NAS OS / web interface) to your Diskstation. When traffic is routed to your home router with either port 80 or 5000, the router will deliver the traffic to your Diskstation at its internal LAN IP according to the port forwarding rules set up. When Synology NAS (Diskstation) receives web traffic, by examining the packet, it is able to see the host name used to reach it (i.e. dsm.mydomain.com) and the port (i.e. 80). Diskstation by default uses a port-based redirect rule to route the traffic to the right service on Diskstation. The default port of DSM is 5000 for http (non-encrypted traffic), and 5001 (encrypted traffic). When internet traffic comes in with port 80, DSM will “re-write” the original URL to include port 5000 so that traffic is routed to its web interface. If traffic had come in via port 443, the re-write rule would add port 5001 to the original URL. If you had entered “https://dsm.yourdomain.com:5001” in the first place, you would be routed to the https version of DSM right away as no URL-re-write would be necessary.
URL Re-Write (with Web Station)
Now if you have Web Station installed, Diskstation will stop forwarding ports 80/443 to 5000/5001 automatically. With provision for web hosting, port 80 and 443 are meant to reach your website instead of DSM. As such, you will need to specify port 5000 in your URL if you intend to access DSM. When no port is specified, you will be directed to the root of your website (by default it’s the “web” shared folder) with http as its default protocol. To make things more complicated, “Photo Station”, the Synology’s own photo management package on Diskstation uses ports 80/443 by default and these cannot be changed. How to you differentiate the traffic that needs to be routed to “Photo Station” vs your website? This will be included in the next tutorial. For now we will focus on using custom alias and custom domain to access different services on Diskstation.
DSM: Customized Alias / Domain
The following assumes that you have NOT installed Web Station on Diskstation. First, head to Control Panel –> Application Portal. Under application, double click on any on this list you will be directed to the Application Access Rules.
Let’s take File Station as an example, Synology allows you to access it through many methods:
- Without configuring anything, you can always log in to DSM, and launch the File Station from within the web interface.
- By enabling customized alias, you can access it via an alias following the URL
- http://diskstation/file (using NetBios name when in the home network)
- http://192.168.1.5/file (using internal IP in the home network)
- http://dsm.yourdomain.com/file (using your domain name within or outside of the home network)
3. By enabling customized ports, you can access it via the specified port
- http://diskstation:7000 (7000 for http, or 7001 for https, or as specified)
4. By enabling customized domain, you can access it via the a domain name (or subdomain)
Access by Alias:
All of the above methods are made possible by the built-in NGINX [engine-X] web server. In terms of accessing your NAS outside of your home network, with customized alias option, you really only need your main domain name. You append the domain name with the required URI’s like /file, /calendar, /video, etc. to access the specific landing page of the respective services. The advantage is that once you’ve logged in to DSM, you can go to each of these landing pages without having to enter your credentials again.
Access by Port:
As explained previously, when you access your NAS, it will read the source URL and port and re-write the URL as specified. If the URL comes in with a specified port, Diskstation uses that information to decide where to send you. I personally don’t use the customized-port option since it’s less intuitive. Why would I need to remember the ports of specific services that I want to access? So unless you have a specific need to use port-based redirection, I would leave these unchecked.
Access by Domain:
Customized-domain option is my primary choice. You can use file.yourdomain.com, dsm.yourdomain.com, or calendar.yourdomain.com to access the various services on the Diskstation. By making use of subdomains like file., calendar., etc., you have a dedicated URL for each of the different services. You can for example have mail.yourdomain.com to take you to its MailPlus client (just like Gmail), which just makes sense. A related note, if you sign in to dsm.yourdomain.com, if you navigate to file.yourdomain.com, it’s treated as a separate connection to the NAS and you are required to submit a separate login.
Google Domains Configuration
Once you’ve turned on all the customized domains, next you want to head to your domain configuration page. The following is an example using Google Domains. The DNS section is where everything happens.
Name: This is your subdomain name. When you get a domain name (i.e. mydomain.com), this is called the root domain. You can have multiple subdomains like mail.mydomain.com, www.mydomain.com, or music.mydomain.com. Each of these can be directed to a seperate IP address (i.e. you have different physical servers that you want the different subdomains to point to), or the same, depending on your need. But ultimately, each entry will require you to define how to reach it, either by an IP address or URL. In this field, “www” or “mail” mentioned above are examples of a subdomain name. If you want to configure your root domain (i.e. mydomain.com), you want to keep this name field blank, or use “@” to indicate the entry is for the root domain.
Type: This tutorial focuses on the following two types of DNS records.
“A” record: This indicates the data for this entry is an IP address. If you have a subdoamin, www.mydomain.com, when you specify an IP address (i.e. 123.456.78.9) to the “A” record, that means when someone tries to query www.mydomain.com, the DNS will respond by saying it’s located at 123.456.78.9.
“CNAME”: Or, canonical name, is in the form of an URL, like dsm.anotherdomain.com. This is not to be confused with your domain name. Let’s say we assign a CNAME (i.e. dsm.anotherdomain.com) to your www.mydomain.com subdomain, it means when someone tries to query www.mydomain.com, the DNS will return the IP address of dsm.anotherdomain.com (which is really done through a separate DNS query not visible to you).
In the previous tutorial I talked about setting up DDNS using the “dsm” subdomain. This means that the DNS server will always know the IP address of dsm.mydomain.com, which is the WAN IP address of your home router. Because of this, we can set up the DNS records for all the services that you want to use by using the CNAME dsm.yourdomain.com for each subdomain. In my case, I’ve set up the following subdomains: calendar, contacts, download, drive, file, ftp, mail, moments, music (for Audio Station), note, photo, video, vmm, vpn, www, all pointing to the same CNAME.
You will note that on DSM Control Panel –> Application Portal, there’s no application listed here such as ftp, photo, vpn, and www. “ftp” is a special case. If “ftp” is set up as a subdomain, when accessing “ftp.yourdomain.com”, the browser will automatically assume to use the ftp protocol, which means you don’t need to explicitly declare the protocol like “ftp://ftp.yourdomain.com” by skipping the “ftp://” part. For “photo” and “www”, the next tutorial will be about the Diskstation reverse proxy where this will become clearer. The “vpn” subdomain name lets me use vpn.mydomain.com as the VPN connection URL, which I will discuss in a separate tutorial.
Once you’re done, assuming that you’ve set up port forwarding (most of these services use port 5000 for http, and 5001 for https), you can now use a specific subdomain to access a specific service on your Synology NAS. As a bonus step, you are encouraged to use the built-in Certificate section in DSM to request a Let’s Encrypt certificate so that when accessing the NAS via https you won’t get the nasty certificate warning. This will be covered in the future tutorial.
You save my day, bro !
Now i see your method with googled domain name and synology NAS, it ‘s very simple and better than ddns solution on nas. No more attention with the IP changing on my router.
Thaks very much for your sharing,really.
Best regords to you and your wonderfull pretty familly.
Wasn’t expecting a comment. Glad that this helped.
Love the tutorials Richard. They are super helpful. I did everything you said and it worked. I have a certificate from Synology and Google but when routing Google to Synology, it is returning my Synology certificate in the Google forward causing me to “get the nasty certificate warning” as you said in your post. Any idea how to fix this?
Thanks for any help!
You get a certificate warning when you don’t have one for the specific URL. For example, if you have a certificate for http://www.mydomain.com, that’s great, but if you go to your site via dsm.mydomain.com, it’s a different URL, so the certificate is not valid. Here’s how to resolve, when you request the Let’s Encrypt certificate, Domain Name would be your “mydomain.com”. Under Subject Alternative Name, put in all the variants of subdomains separated by semi-colin. For example: “www.mydomain.com; dsm.mydomain.com; file.mydomain.com”. Put more if you need more. Then the certificate is going to contain information on the specific URL a user may use to get into your site.
Well I currently have a certificate for file.mydomain.com, drive, dsm, etc. However I am using a certificate from Synology and not one from Google. I am also using DDNS from Synology as I do not have a personal IP from my ISP. I have a connection of 10.0.0.# which is my computer IP and cannot use my public IP, which is my internet hosting companies personal IP.
I am unsure of how to make it not always have a bad certificate.
My domains on google are all setup correctly however upon visiting them it says:
“This server could not prove that it is dsm.myGoogleDomain.com; its security certificate is from synologyDomain.synology.me. This may be caused by a misconfiguration or an attacker intercepting your connection.”
How would I go about fixing this? I am unable to use Google DDNS due to the provided reason that I only have access to control and use LAN IP’s of 10.#.#.#!
Any idea of a way to fix my certificate problem with this information?
I actually just solved it with your solution. I added both the domains for my synologyDomain and googleDomain to my Subject Alternative domains like file.synologyDomain.me, *.synologyDomain.me, (Not actually * just any prefix you want), and all the same for Google Domains like file.googleDomain.com, *.googleDomain.com, etc.
All the links then work fabulous with 0 certification problems.
Thanks so much Richard. Keep up the fabulous tutorials.
P.S. I like your About Me section & your family photo is very beautiful and heartwarming!
There we go. While you’re at it, don’t forget to check out the music section. I was going to do blogging on tech stuff, but ended up with my piano music being the main content. Final Fantasy Piano Opera is the most impressive stuff. Enjoy.
Thank you Richard, your tutorial is spot on! It helped me a lot to understand and configure it myself.
No problem. Rarely get comments on my site. For that, thank you.