Guide: Setup authentication for the default Synology reverse proxy
Hey everyone,
My personal server of choice is a DiskStation right now, and I'm using the default reverse proxy for all my subdomains. I went through a few stages to secure them, and now that I'm finally finished (famous last words heh?!) I thought I'd document my approach and provide some configs and code. I've seen a few unanswered questions here and there about how to do this on Synology, so hopefully this helps a few people.
The guide covers limiting access to local IPs, as well as adding Basic or SSO authentication. The main goal is to integrate well with the GUI and access control profiles, and to leave all existing and autogenerated files untouched, so updates and changes via the GUI still work as expected.
Here is the basic idea:
The nginx server config is located in
/etc/nginx/, and the reverse proxies are defined in thesites-available/server.ReverseProxy.conffile inside that folder. There's oneserverdirective for every proxied site, and the DSM config adds ainclude .acl.<random string>.conf*directive if you set up an access control profile for a site. That*at the end there is crucial, because it means we can manually add more configuration files with the same prefix, and they will automatically be included and applied to all sites using this access control profile.There are also
includedirectives for themainandhttpscopes, as well as for the default DSMserverdirectives. This means we can inject configurations in these places, just by adding correctly named files to theconf.dfolder.For Single Sign-On (SSO) authentication we run a Vouch-Proxy instance to handle the communication between nginx and the OIDC server. We also need to spin up another
nginx reverse proxy and forward requests to it, because the built-in one doesn't support the requiredauth_requestdirective. Its container script just copies the default reverse proxy configuration with some modifications, and it is set up to reload whenenver the original file changes.
