Synology Diskstation Reverse Proxy


A proxy server is one that acts as an intermediary between you and the resource that you want to access.  Instead of you connecting to the destination server (a website for instance) directly, the proxy server fetches the content of the website and delivers it to you.  A reverse proxy server, on the other hand, is one that retrieves resources from within the private network and delivers the content to the requester as if it comes from the reverse proxy server itself.  In other words, when you connect to the reverse proxy server, the resource may come from anywhere within the private network where the server resides and the destination detail is not directly visible to you.

What’s the practical use for such a server?  Let’s say you have a home router with a web interface (e.g. http://192.168.1.1).  Unless you set it up to be accessible from the internet, you cannot access it when you’re outside your home network.  You can, however, connect to a reverse proxy server that’s accessible from the internet, and have it retrieve the content from 192.168.1.1 on your behalf.  Another scenario: if the resource you want to access (http://192.168.1.1) is not available over https (secure encrypted traffic), you can still connect to your reverse proxy server using https so that your connection to the proxy is secured and encrypted.  Behind the scenes, the reverse proxy server will connect to 192.168.1.1 using http on your behalf, which is okay since both devices are located within the same home network.

Synology Diskstation has a powerful reverse proxy server built into its NGINX [Engine-X] web server.  As pointed out in a previous tutorial, when an internet packet reaches the Synology Diskstation, it is able to see the URL requested (e.g. dsm.yourdomain.com) and the port number (e.g. 80 for http, or 443 for https).  To set up a reverse proxy on the Diskstation, you create a rule that matches the source information (what’s requested), and you specify the destination from which the information will actually be retrieved (e.g. 192.168.1.xx within the home network).

Prerequisite

This tutorial assumes that you’ve set up a DNS resource record for the subdomain name that you want to use to connect to a certain resource inside your home network.  You can find instructions here.  Also, you want to make sure the incoming port (443 in the example below) is set up for port forwarding to point to your Synology Diskstation.  In the example below, I’ve used the subdomain name “router”.  The screenshot here is my actual setup at home.  Let’s look into Router-http and Router-https.  I used these two entries to differentiate a request coming from http vs one that comes from https.

HTTPS Example

This example shows how to use “https://router.theyangfamily.ca” to connect to my home router located in my network as https://192.168.1.1:8443.  Note that the default port for https traffic is 443, but you still need to type that in here.  Naturally, you can also specify a custom incoming port, but I don’t find it necessary.  If you do intend to use a custom port, remember to set up port forwarding to point it to your Diskstation.  The destination port 8443 is here because my router is set up to accept https connections via port 8443 only.  If your resource does not require a custom port, the default https port is 443.  When you connect to “https://router.theyangfamily.ca”, you will be taken to the landing page of your router, and your browser only knows that you’re visiting “https://router.theyangfamily.ca” instead of the home router’s internal IP address.

HTTP Example

The next example shows what happens when the connection is made via the unencrypted http protocol (http://router.theyangfamily.ca): I specify that it be routed to the home network’s broadcast address 192.168.1.255, which returns nothing.  The purpose is simply to disallow connections to my home router via the unencrypted http protocol.  When you visit http://router.theyangfamily.ca, it will display that the page is not found, which is the desired behavior.
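
The two “router” rules above, written out as plain nginx server blocks. This is an added illustration, not the configuration file DSM generates and not the author’s own; the certificate paths are placeholders and the destination port of the http rule is assumed to be the default 80.

```nginx
# Illustrative nginx equivalent of the Router-https and Router-http rules.
# Assumptions: certificate paths are placeholders; the http rule's
# destination port is not given on the page and is left at the default (80).

# Router-https
#   source:      https://router.theyangfamily.ca:443
#   destination: https://192.168.1.1:8443
server {
    listen 443 ssl;
    server_name router.theyangfamily.ca;      # matched against the requested host name

    ssl_certificate     /path/to/fullchain.pem;   # placeholder
    ssl_certificate_key /path/to/privkey.pem;     # placeholder

    location / {
        # The browser only ever sees router.theyangfamily.ca; the proxy
        # opens its own, second TLS connection to the router.
        proxy_pass https://192.168.1.1:8443;

        # Stock nginx does not verify the upstream certificate unless
        # proxy_ssl_verify is switched on, so a router's self-signed
        # certificate is accepted on this inner hop.
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

# Router-http
#   source:      http://router.theyangfamily.ca:80
#   destination: http://192.168.1.255 (broadcast address, nothing answers)
server {
    listen 80;
    server_name router.theyangfamily.ca;

    location / {
        # Same host name, different scheme and port: this rule is matched
        # separately from the https one, so plain-http requests never
        # reach the router's web interface.
        proxy_pass http://192.168.1.255;
    }
}
```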

Other Examples

On the previous screenshot, you see two entries related to “vpn.theyangfamily.ca”.  I did set up a DNS resource record to have this subdomain point to my WAN IP.  I am using this subdomain for the purpose of establishing a VPN connection.  I do not want vpn.theyangfamily.ca to take me to any web interface landing page.  As such, just like the http example above, I set up the reverse proxy to take any “web” traffic to 192.168.1.255, which leads to “nowhere”.  The other instance here related to “dsm.theyangfamily.ca” is used to redirect all http traffic to https, which will be covered under a separate tutorial.

Summary

You learned how to set up the Synology reverse proxy to use a custom subdomain name to access resources internal to your home network.  You may also apply this knowledge to set up an encrypted https connection to these resources even if they do not provide https themselves.
