เราจำเป็นต้องใช้คุกกี้ในการใช้งานเว็บเพจ โปรดอ่านนโยบายคุกกี้เพิ่มเติม

NAS 325

Introducing Reverse Proxies

Making your NAS and apps secure

2023-12-08

COURSE OBJECTIVES

Upon completion of this course you should be able to:

  1. Use a reverse proxy domain to protect the secure connection of multiple NAS.
  2. Use a reverse proxy domain to improve the security of Apps' HTTPS connection.

PREREQUISITES

Course Prerequisites:

NAS 324: Using HTTPS to Secure NAS Communication

Students are expected to have a working knowledge of:

HTTP/HTTPS


OUTLINE

1. Introducing Reverse Proxies

2. Protecting the Connections of Multiple NAS Devices

2.1 Adding Proxy Domains

2.2 Add Rules to Existing Proxy Domains

3. Upgrading NAS App Security

3.1 Setting Reverse Proxies to work with Jellyfin

3.2 Setting ownCloud to work with Reverse Proxies

3.3 Set up the HTTPS connection of Syncthing

3.4 Setting Nextcloud to work with Reverse Proxies

3.5 Set up the HTTPS connection of Plex Web

4. Editing Proxy Domains and Rules

4.1 Editing or Removing Proxy Domain

4.2 Edit or Remove Proxy Domain Rules





1. Introducing Reverse Proxies

Web browsing is becoming more and more secure. Most apps on an ASUSTOR NAS use a web browser for functionality but don’t necessarily support HTTP Secure.
Reverse proxy servers help clients provide web information while protecting the security of transmitted data. Reverse proxy servers on an ASUSTOR NAS that has a valid HTTPS certificate protects data transmitted by an external HTTPS connection.
ADM 3.5.2 adds reverse proxies as a new feature. Reverse proxy servers are used to implement HTTPS connections on content or web apps that would not otherwise be protected. Set the domain name on the NAS where the reverse proxy server is to be enabled. And apply for a legal certificate, please refer to the setting method:
NAS 324: Using HTTPS to Secure NAS Communication



2. Protecting the Connections of Multiple NAS Devices

When you set up multiple NAS in the same local network and want to connect to the NAS using https securely from the outside, turn on ADM and use the reverse proxy server of one of the NAS to protect the secure connection of multiple NAS, It is not necessary to open all NAS to external network and apply for different domain names.



2.1 Adding Proxy Domains

To use the legal domain of this NAS to log in to the ADM of other NAS with HTTPS, proxy domains will need to be added first.


Step 1

  • Click Reverse Proxy in ADM Preferences.


Step 2

  • Click Add on the reverse proxy page.
  • Create a new proxy domain and click Next.



Step 3

  • Enter a name for easy identification of this proxy domain. Example: ASUSTOR NAS ADM
  • Select HTTPS and the server name.
  • Enter an unused communication port. Example: 8880
  • Select a network interface for use.
  • Enter the path of this proxy domain rule. Example: /as6602t
  • Enable port forwarding and press Next.

Note: If there is only one service in this proxy domain, the path can only keep "/". If you need to add other rules, you can use Edit to add a path for the first rule.


Step 4

  • Enter a name to easily identify domain rules.
  • Select HTTP and enter the LAN IP of the proxy domain. Example: [192.168.xxx.xxx].
  • Enter the port of the proxy domain. Example: 8000 (ADM HTTP login port).
  • Enter the path if the proxy domain has a specific path. ADM login does not require a specific path, a slash (/) is enough.
  • Click Test Connection to verify that the above information of the proxy domain is correct and if the URL needs a redirect path. Click Next.


Step 5

  • Confirm whether the information set is correct and click Finish.


  • Upon completion, you’ll be able to see the information of the proxy domain on the reverse proxy page.


Step 6

  • Enter your proxy domain into a web browser. The reverse proxy server will lead the connection to http://192.168.xxx.xxx:8000/.
  • Use the HTTPS URL of this proxy domain from outside to connect to another NAS and log in to ADM. Use the same MyASUSTOR domain name to log in to the original NAS or add the configured port and path to log in to another NAS to make this connection secure under HTTPS with a valid HTTPS certificate.
    Reverse proxy servers can be used to open ADM and log in to another NAS with HTTPS. After logging in, other services and apps will need to set their own reverse proxy ports in order to use needed services and apps correctly in a secure connection.

On Chrome:


On Firefox:



2.2 Add Rules to Existing Proxy Domains

Additional rules may be added to the existing proxy domain in order to use a different path to open another service. These instructions show how to add a reverse proxy rule to log in to the ADM of another NAS in the domain added in the previous chapter.


Step 1

  • Click Add on the Reverse Proxy page.
  • Click Add to add a rule to an existing proxy domain. Click Next.



Step 2

  • Select the proxy domain where you want to add a rule, for example: [https://yourddns.myasustor.com:8880].
  • Enter the path of this new rule, for example: /as5304t, click Next.

Note: Because this function is to add rules to the existing proxy domain, the domain name and port of the proxy domain cannot be changed during this process, but a different path must be entered.


Step 3

  • Enter a name to easily identify the domain rule for the reverse proxy. Example: AS5304T.
  • Select HTTP and enter the LAN IP of the proxy domain. Example: [192.168.xx.xx].
  • Enter the port of the proxy domain. Example: 8000 (ADM HTTP login port).
  • Enter the path if the proxy domain has a specific path. ADM login does not require a specific path, a slash (/) is enough.
  • Click Test Connection to test whether the above information of the proxy domain is successfully connected and whether its URL needs a redirect path. Click Next.


Step 4

  • Confirm whether the information set is correct and click Finish.


  • Upon completion, information of the proxy domain will be visible on the reverse proxy page.


Step 5

  • For example, inputting this proxy domain according to the image below will cause the reverse proxy [https://yourddns.myasustor.com:8880/as5304t/] to redirect the connection to [http:// 192.168.xx.xx:8000/].
  • Use the HTTPS URL of this proxy domain from outside to connect to another newly added NAS and log in to ADM.

On Chrome:


On Firefox:




3. Upgrading NAS App Security

Apps that are unable to use HTTPS in a NAS can use a reverse proxy server to enable remote HTTPS connections. This chapter will introduce several apps that require specific communication ports and cannot directly use the HTTPS certificate installed on the NAS.


3.1 Setting Reverse Proxies to work with Jellyfin

The Docker version of Jellyfin does not use the default web server of the NAS. A reverse proxy server needs to be configured in order support HTTPS remote connections. After the NAS has applied for a valid HTTPS certificate, you can now use the reverse proxy server to configure Jellyfin HTTPS connection.


Step 1

  • Click Add on the reverse proxy page.
  • Create a new proxy domain and click Next.



Step 2

  • Enter a name for easy identification of this proxy domain. Example: Jellyfin HTTPS
  • Select HTTPS and the server name. Example: [yourddns.myasustor.com].
  • Enter an unused port number. It must also be different from the original Jellyfin communication port. Example: 8196
  • Select a network interface. Select an asterisk for default.
  • Enter the path of this proxy domain rule, or leave a slash (/). Turn on port forwarding and click Next.


Step 3

  • Optional: Enter a name to easily identify the domain rule for the reverse proxy.
  • Select HTTP and enter the LAN IP of the NAS. Example: [192.168.xx.xx].
  • Enter the port of the proxy domain. Example: 8096 (Jellyfin HTTP port).
  • If an app of the proxy domain has a specific path, please enter it otherwise enter a slash (/).
  • Click Test Connection to test whether the above information of the proxy domain is successfully connected and whether its URL needs a redirect path. Click Next.


Step 4

  • Confirm whether the information set is correct and click Finish.


  • Upon completion, information of the proxy domain will be visible on the reverse proxy page.


Step 5

  • Take this proxy domain as an example, enter [https://yourddns.myasustor.com:8196/] in the web browser, and the reverse proxy server will direct the connection to [http://192.168.xx.xxx:8096/] which is the Jellyfin local URL.
  • Use the HTTPS URL of this proxy domain from the outside to connect to Jellyfin installed on this NAS and log in.

On Chrome:


On Firefox:



3.2 Setting ownCloud to work with Reverse Proxies

The Docker version of ownCloud does not use the default web server of the NAS. A reverse proxy server needs to be configured in order support HTTPS remote connections. After the NAS has applied for a valid HTTPS certificate, you can now use the reverse proxy server to configure ownCloud HTTPS connection.


Step 1

  • Click Add on the reverse proxy page.
  • Create a new proxy domain and click Next.



Step 2

  • Enter a name for easy identification of this proxy domain. Example: ownCloud HTTPS
  • Select HTTPS and the server name. Example: [yourddns.myasustor.com].
  • Enter an unused port number. It must also be different from the original ownCloud communication port. Example: 32882
  • Select a network interface. Select an asterisk for default.
  • Enter the path of this proxy domain rule, or leave a slash (/). Turn on port forwarding and click Next.


Step 3

  • Optional: Enter a name to easily identify the domain rule for the reverse proxy.
  • Select HTTP and enter the LAN IP of the NAS. Example: [192.168.xx.xx].
  • Enter the port of the proxy domain. Example: 32880 (ownCloud HTTP port).
  • If an app of the proxy domain has a specific path, please enter it otherwise enter a slash (/).
  • Click Test Connection to test whether the above information of the proxy domain is successfully connected and whether its URL needs a redirect path. Click Next.


Step 4

  • Confirm whether the information set is correct and click Finish.


  • Upon completion, information of the proxy domain will be visible on the reverse proxy page.


Step 5

ownCloud has strict restrictions on the domains it can access. When setting up a reverse proxy server for ownCloud, you need to add this domain to ownCloud's "trusted_domains" configuration for normal use.

  • Download /share/Docker/ownCloud/data/config/config.php to your computer, rename the file to "zz-user.config.php" and then open a text editor to edit it.
  • Only retain the 'trusted_domains' setting in the zz-user.config.php file, and add the NAS's reverse proxy server domain, [ 1 => 'yourddns.myasustor.com', ] to the content and then archive.

  • Upload the edited zz-user.config.php to the NAS folder [/share/Docker/ownCloud/data/config/].


Step 6

  • Take this proxy domain as an example, enter [https://yourddns.myasustor.com:32882/] in the web browser, and the reverse proxy server will direct the connection to [http://192.168.xx.xxx:32880/] which is the ownCloud local URL.
  • Use the HTTPS URL of this proxy domain from the outside to connect to ownCloud installed on this NAS and log in.

On Chrome:


On Firefox:



3.3 Set up the HTTPS connection of Syncthing

The Docker version of Syncthing does not use the default web server of the NAS. A reverse proxy server needs to be configured in order support HTTPS remote connections. After the NAS has applied for a valid HTTPS certificate, you can now use the reverse proxy server to configure Syncthing HTTPS connection.

Note: In this example, an existing proxy domain is used to add rules, and there is no need to set an additional port. Users can also use "Create new proxy domain" and add another port to set up a reverse proxy for Syncthing.


Step 1

  • Click Add on the Reverse Proxy page.
  • Click Add to add a rule to an existing proxy domain. Click Next.



Step 2

  • Select the proxy domain where you want to add a rule, for example: [https://yourddns.myasustor.com:18862].
  • Enter the path of this new rule, for example: /syncthing, click Next.

Note: Because this function is to add rules to the existing proxy domain, the domain name and port of the proxy domain cannot be changed during this process, but a different path must be entered.


Step 3

  • Enter a name for easy identification of this proxy domain. Example: Syncthing
  • Select HTTP and enter the LAN IP of the NAS. Example: [192.168.xx.xxx].
  • Enter the port of the proxy domain. Example: 28384 (Syncthing HTTP port).
  • If an app of the proxy domain has a specific path, please enter it otherwise enter a slash (/).
  • Click Test Connection to test whether the above information of the proxy domain is successfully connected and whether its URL needs a redirect path. Click Next.


Step 4

  • Confirm whether the information set is correct and click Finish.


  • Upon completion, information of the proxy domain will be visible on the reverse proxy page.


Step 5

  • Take this proxy domain as an example, enter [https://yourddns.myasustor.com:18862/syncthing/] in the web browser, and the reverse proxy server will lead the connection to [http://192.168.xx.xxx:28384/] which is the Syncthing local URL.
  • Use the HTTPS URL of this proxy domain from the outside to connect to Syncthing installed on this NAS and log in.

On Chrome:


On Firefox:



3.4 Setting Nextcloud to work with Reverse Proxies

A default reverse proxy for Nextcloud has been added on ADM 4.1, users no longer need to configure it themselves if the NAS is updated to ADM 4.1.0 or above.
Currently, the default reverse proxy cannot be allowed for users to add a new rule.


  • Take this proxy domain as an example, enter [https://yourddns.myasustor.com:8622/nextcloud-docker/] in the web browser, and the reverse proxy server will direct the connection to [http://192.168.xx.xxx:32680/] which is the Nextcloud local URL.
  • Use the HTTPS URL of this proxy domain from the outside to connect to Nextcloud installed on this NAS and log in.

On Chrome:


On Firefox:




The Docker version of Nextcloud does not use the default web server of the NAS. A reverse proxy server needs to be configured in order support HTTPS remote connections. After the NAS has applied for a valid HTTPS certificate, you can now use the reverse proxy server to configure Nextcloud HTTPS connection.


Step 1

  • Click Add on the reverse proxy page.
  • Create a new proxy domain and click Next.



Step 2

  • Enter a name for easy identification of this proxy domain. Example: Nextcloud HTTPS
  • Select HTTPS and the server name. Example: [yourddns.myasustor.com].
  • Enter an unused port number. It must also be different from the original Nextcloud communication port. Example: 32681
  • Select a network interface. Select an asterisk for default.
  • Enter the path of this proxy domain rule, or leave a slash (/). Turn on port forwarding and click Next.


Step 3

  • Optional: Enter a name to easily identify the domain rule for the reverse proxy.
  • Select HTTP and enter the LAN IP of the NAS. Example: [192.168.xx.xx].
  • Enter the port of the proxy domain. Example: 32680 (Nextcloud HTTP port).
  • If an app of the proxy domain has a specific path, please enter it otherwise enter a slash (/).
  • Click Test Connection to test whether the above information of the proxy domain is successfully connected and whether its URL needs a redirect path. Click Next.


Step 4

  • Confirm whether the information set is correct and click Finish.


  • Upon completion, information of the proxy domain will be visible on the reverse proxy page.


Step 5

Nextcloud has strict restrictions on the domains it can access. The Nextcloud document explains that when setting up a reverse proxy server, you’ll need to add other settings to Nextcloud's config.php for normal use. For details, please refer to Nextcloud documentation.

  • Download /volume1/Docker/Nextcloud/config/config.php to your computer and open a text editor to edit it.
  • Add ['overwritehost' =>'yourddns.myasustor.com:32681',] and ['overwriteprotocol' =>'https',] below the content of the config.php file and archive.
  • Upload the edited config.php to the NAS folder [/volume1/Docker/Nextcloud/config] to overwrite the original file.


Step 6

  • Take this proxy domain as an example, enter [https://yourddns.myasustor.com:32681/] in the web browser, and the reverse proxy server will direct the connection to [http://192.168.xx.xxx:32680/] which is the Nextcloud local URL.
  • Use the HTTPS URL of this proxy domain from the outside to connect to Nextcloud installed on this NAS and log in.

On Chrome:


On Firefox:



3.5 Set up the HTTPS connection of Plex Web

A default reverse proxy for Plex Media Server has been added on ADM 4.1, users no longer need to configure it themselves if the NAS is updated to ADM 4.1.0 or above.
Currently, the default reverse proxy cannot be allowed for users to add a new rule.


  • Take this proxy domain as an example, enter [https://yourddns.myasustor.com:8622/plexmediaserver/] in the web browser, and the reverse proxy server will direct the connection to [https://192.168.xx.xxx:32400/] which is the Plex Media Server local URL.
  • Use the HTTPS URL of this proxy domain from the outside to connect to Plex Media Server installed on this NAS and log in.

On Chrome:


On Firefox:




With Plex Media Server installed on a NAS, directly use a web browser to open Plex to manage media libraries as well as play audio and video files. The HTTPS certificate bound to the NAS is for the NAS IP. The Dynamic DNS in an ASUSTOR NAS cannot be used to open Plex securely. Use reverse proxy server to open Plex using the DDNS with an HTTPS connection.

Before setting a reverse proxy domain, you’ll need to open Plex with HTTPS and log in to your Plex account. For Plex Media Server installation and media library settings, please refer to:
NAS 235: Introducing Plex Media Server


Step 1

  • On the ADM desktop, click Plex Media Server.
  • In the address bar of the browser, change the web page protocol of Plex Web to HTTPS. Example: https://192.168.xx.xxx:32400
  • Log in to your registered Plex account, and allow HTTPS connections from this IP.
  • Confirm that Plex can display media libraries and play content.


Step 2

  • Click Add on the reverse proxy page.
  • Create a new proxy domain and click Next.



Step 3

  • Enter a name for easy identification of this proxy domain. Example: Plex HTTPS
  • Select HTTPS and the server name. Example: [yourddns.myasustor.com].
  • Enter an unused port number. It must also be different from the original Plex communication port. Example: 32411
  • Select a network interface. Select an asterisk for default.
  • Enter the path of this proxy domain rule, or leave a slash (/). Turn on port forwarding and click Next.


Step 4

  • Optional: Enter a name to easily identify the domain rule for the reverse proxy.
  • Select HTTPS and enter the LAN IP of the NAS. Example: [192.168.xx.xx].
  • Enter the port of the proxy domain. Example: 32400 (Plex HTTP/HTTPS port).
  • If an app of the proxy domain has a specific path, please enter it, otherwise enter a slash (/).
  • Click Test Connection to test whether the above information of the proxy domain is successfully connected and whether its URL needs a redirect path. Click Next.


Step 5

  • Confirm whether the information set is correct and click Finish.


  • Upon completion, information of the proxy domain will be visible on the reverse proxy page.


Step 6

  • Take this proxy domain as an example, enter [https://yourddns.myasustor.com:32411/] in the web browser, and the reverse proxy server will direct the connection to [https://192.168.xx.xxx:32400/] which is the Plex Media Server local URL.
  • Use the HTTPS URL of this proxy domain from the outside to connect to Plex Media Server installed on this NAS and log in.

On Chrome:


On Firefox:




4. Editing Proxy Domains and Rules


4.1 Editing or Removing Proxy Domains

  • After selecting a proxy domain, click Edit to edit the name, network protocol, server name and/or port of the reverse proxy domain. After editing a proxy domain, all the rules in that proxy domain will be revised accordingly.
  • Click Remove to delete a proxy domain and the rules below.




4.2 Edit or Remove Proxy Domain Rules

  • On the Reverse Proxy page, click on a proxy domain to expand the rules of the proxy domain. After selecting a rule, click Edit to edit the network protocol of the reverse proxy domain on the proxy domain page. You can edit the name, network protocol, host name, port and path of the rule as well as enable or disable the proxy domain rules on this page.
  • Click Remove to delete this proxy domain rule, and deleting the last rule will remove its proxy domain.


  • If you need to temporarily disable a reverse proxy connection, you can disable the reverse proxy domain rule on the edit rules page instead of removing the temporarily disabled rule.


Was this article helpful? Yes / No