Recommendations on Using Cosmos Cloud with Synology Reverse Proxy #357
Replies: 1 comment
-
In the event this might help someone else, I have further information on both using CosmosServer with Synology – and – CosmosServer bugs/quirks as it currently exists. With respect to usage with Synology, I was able to create a workaround for most people’s situations – although it’s still a bit annoying.
Initially, you cannot use custom domain (yourdomain.tld) wildcard certificates with Synology. So, you cannot use, say, yourdomain.tld as a wildcard certificate and then use the reverse proxy to set up, say, nextcloud.yourdomain.tld, or anything else. BUT, you can do that with the Synology DDNS names that are available – see this article: How do I reserve my Synology DDNS hostname? - Synology Knowledge Center. So, if you are okay with having your shiny new server with CosmosServer use one of the Synology DDNS as the main hostname, you’re fine. But, it’s annoying since most of the hostnames setup suck, and you should be able to use your own domain. But, c’est la vie.
So, you can choose a Synology DDNS domain name as your top-level hostname for your CosmosServer. After you do this, then, in Synology, you need to get a wildcard certificate for that domain and install it in the Synology server. Then, use that domain name to set up your FIRST Synology reverse proxy entry for CosmosServer directly, using port 443 on inbound, and using the server IP and port 80 as the destination ports. Then you can use the domain name as the hostname in CosmosServer and it should work. You may have to restart the server a few times, and I would recommend setting up the Synology side BEFORE you enter the hostname in CosmosServer or you will likely break it. If you break it, follow the instructions in the CosmosServer docs and either reinstall it, or edit the .conf file.
Once you do the above, it still doesn’t completely solve your problem, since, when you install apps – containers – underneath, they will not work even though CosmosServer does. It would be REALLY great to NOT have to set up a separate reverse proxy for each app in Cosmos, but unfortunately, it seems like that’s what you need to do. So, to get each app working, what you need to do is search to find out what default exposed docker port the app that you want will use – and then set up a reverse proxy entry in the Synology for EACH app you want to install. So, say for Duplicati, you set up a reverse proxy entry for duplicati.yoursynologyddnsdomain.tld and use https and port 443 on the inbound side, and use http, the server IP and the default port as the target port. Then, you can go into CosmosServer and install the app.
Now, it often doesn’t work the first time. Sometimes you have to adjust the port (and if you do, you need to adjust and keep synced the reverse proxy port and the port that ultimately works), but ALSO, you sometimes have to go into the docker compose and manually adjust the “hostname” entry, which often gets overwritten with a random number. Finally, sometimes the Network section of the app settings for the docker container configuration doesn’t have the host port set! It’s blank. So, sometimes you have to enter the host port. I think it’s a bug. I also recommend restarting the Cosmos Server after changes, as a couple of times it solved the problem.
I’d love to figure out a way to NOT have to use the Synology reverse proxy, and there may be, but it’s beyond my knowledge. There is good news I think, and it is that this workaround for Synology co-existence creates an extra layer of security (I think anyway) and allows you to set up a firewall at the Synology NAS level (in addition to your router level) that can provide limited access to the reverse proxy. Comments welcome, I don’t know what I don’t know.
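The port-sync problem described in the comment above (one Synology reverse proxy entry per app, with the container's host port sometimes left blank) can be checked mechanically. The following is an added example, not part of the original comment or of the Cosmos project: it compares a list of proxy targets against `docker ps` port output. The hostnames, container names, every port except Memos's 5230, and both sample inputs are constructed for illustration.

```python
import re

# Constructed sample: Synology proxy entries as (hostname, container, backend port).
PROXY_ENTRIES = [
    ("memos.xxxserver.tld", "memos", 5230),
    ("duplicati.xxxserver.tld", "duplicati", 8200),
    ("kuma.xxxserver.tld", "uptime-kuma", 3001),
    ("notes.xxxserver.tld", "notes", 8080),
]

# Constructed sample of: docker ps --format '{{.Names}}\t{{.Ports}}'
DOCKER_PS = (
    "memos\t0.0.0.0:5230->5230/tcp, :::5230->5230/tcp\n"
    "duplicati\t8200/tcp\n"
    "uptime-kuma\t0.0.0.0:3002->3001/tcp\n"
)

HOST_PORT = re.compile(r":(\d+)->\d+/(?:tcp|udp)")


def published_ports(docker_ps_text):
    """Map container name -> set of host ports actually published."""
    result = {}
    for line in docker_ps_text.strip().splitlines():
        name, _, ports = line.partition("\t")
        result[name.strip()] = {int(p) for p in HOST_PORT.findall(ports)}
    return result


def audit(entries, docker_ps_text):
    """Return (hostname, finding) for every reverse proxy entry."""
    published = published_ports(docker_ps_text)
    findings = []
    for hostname, container, port in entries:
        if container not in published:
            finding = "container not running"
        elif not published[container]:
            finding = "no host port published"  # the blank host port case
        elif port not in published[container]:
            finding = f"proxy targets {port}, host publishes {sorted(published[container])}"
        else:
            finding = "ok"
        findings.append((hostname, finding))
    return findings


if __name__ == "__main__":
    for hostname, finding in audit(PROXY_ENTRIES, DOCKER_PS):
        print(f"{hostname:28} {finding}")
```

A container listed with only `8200/tcp` exposes the port inside Docker but publishes nothing on the host, so a reverse proxy pointed at the server IP cannot reach it.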
-
TL;DR: Help on reverse proxy with Synology on network
I'm hoping Yann or one of the contributors can help around the topic of using Cosmos Server with another reverse proxy. Now, I KNOW that's not the recommended architecture. The challenge I have -- and probably a lot of people like me have -- is that we already HAVE a Synology NAS server on our network. Now that's awesome because Synology is great, but Synology requires at least port 443 to be forwarded to it, as at least four of its primary systems require port 443.
So, the Synology NAS has a reverse proxy function built in -- based on NGINX -- that I've used successfully to push docker services on the NAS to an SSL hostname with the certificate created by LetsEncrypt and saved on the Synology server. It works reasonably well. But, the Synology server only has so much RAM and is not really designed to be a docker server like Cosmos Server and have dozens of containers with different functions. BUT -- it's great as a LARGE STORAGE platform for videos, documents, photos, music, etc. And it's designed for multi-terabyte storage. Info on Synology reverse proxy is here:
https://www.wundertech.net/synology-reverse-proxy-setup-config
My objective is to use Cosmos Cloud as a multi-container operating environment but I don't think it's feasible to use the Cosmos Cloud reverse proxy to forward to the Synology, so other than NOT having it accessible from the web (which I want to do), that leaves using the Synology Reverse proxy as primary, and using Cosmos Server to manage everything else.
I've set up a new, fresh install of Linux Ubuntu Server 24 with Docker installed from the CLI and Cosmos Server installed and working. BTW, GREAT instructions. I have already worked with the system, installed and deleted containers, tweaked docker compose(s) and it's a great platform. I was ABLE to set up a reverse proxy from Synology TO Cosmos Server at the server IP using a hostname xxxserver.tld with a valid LetsEncrypt certificate. In short, it worked great, and now I can access Cosmos Server from xxxserver.tld. But, here's where things got weird.
When I installed a couple of apps, the individual apps don't open in http -- it forces them to open in https. So, the apps don't work for some reason, and I'm not sure what is causing it. I tried different settings but nothing worked. So, question one: Is there any way to have just the server work on the reverse proxy and have the apps open in http with authentication by the apps themselves? I would think this is possible through a setting in the URL but I tried a bunch of things and it didn't work.
Next, as a test, I figured I'd try to install a small app (I chose Memos), set up a reverse proxy in Synology with a subdomain hostname and LetsEncrypt certificate to the container (exposed port 5230) and lo and behold, it worked. So, I figured, if I use a reverse proxy to each container it will work.
Except, when I tried it with UptimeKuma and Duplicati, it didn't work. I thought I had the exact same setup as Memos -- I tried to look at anything I could think of, but I couldn't figure it out. So, I have two apps that don't work with having the Synology reverse proxy and one that does. BTW, with the reverse proxy, I can access Memos (the one that works) directly by going to: memos.xxxserver.tld. So, I think when it works directly, it will open with Cosmos Cloud.
Do you know how to make this work with all containers? I love the system, and it will be great to manage this separate server, but I can't get rid of the Synology. Any help would be appreciated! TIA.