Use Synology Nginx to Proxy HTTPS Request to Your Unifi Controller

Since Chrome has begun to warn against sites not using HTTPS, including self-signed certificates, which are prominent in DIY solutions, I’ve turned to using my NAS box to perform reverse proxy functions and to host my SNI-based SSL certificate from Let's Encrypt. An SNI certificate has up to 100 alternate names rolled into one certificate, which is almost like a wildcard certificate. I install that certificate on my NAS and then reverse proxy all HTTPS requests via the built-in nginx proxy to the individual services.

For the Unifi controller, however, more tinkering is necessary and the reverse proxy cannot be set up using the UI. Instead, we need to configure the nginx proxy directly.

Setup Reverse Proxy via Control Panel/Application Portal

This is the common way of using the Synology NAS as a reverse proxy. I’ve set up my internal DNS to point to the NAS IP, which then looks at the requested hostname and performs a simple proxy.

WebSocket connection error

The WS and WSS protocols are, however, not handled out of the box by Synology. The WSS protocol is equivalent to HTTPS, but for WebSockets.

The errors will show up in the UI and the browser console.

Find a safe place to persist configuration

Log into the NAS and navigate to the proxy settings directory.

cd /usr/local/etc/nginx/sites/sites-enabled

Synology autogenerates the nginx configuration whenever you change parameters via the UI, so edits to the generated files are lost. This directory is a safe place to have changes persist: the main configuration file is directed to load all settings from it.

Create config file

sudo vi unifi.rylander.io.conf

Note the separate configuration to handle WSS:

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name unifi.rylander.io;

    # WebSocket endpoint: pass the Upgrade handshake through to the controller
    location /wss {
        proxy_pass https://localhost:8443/wss;
        proxy_redirect off;
        proxy_buffering off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        # The upstream certificate is not verified; the upstream is localhost
        proxy_ssl_verify off;
    }

    # Everything else: regular HTTPS requests to the controller
    location / {
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_intercept_errors on;
        proxy_http_version 1.1;
        # The upstream certificate is not verified; the upstream is localhost
        proxy_ssl_verify off;
        proxy_pass https://localhost:8443;
    }
}
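
A pre-restart lint for the configuration above, as an added example that is not part of the original post: for every `location` it checks that a block forwarding `Upgrade` also sets `proxy_http_version 1.1` and `Connection`, and that upstream verification is left off only when `proxy_pass` targets a loopback address, as it does here. The function names, the `/events` location and the `192.0.2.10` upstream are constructed for illustration; the lint assumes one directive per line and no nested `location` blocks.

```shell
# Added example, not from the original post. Assumes one directive per line
# and no nested location blocks. Hostnames and addresses are constructed.
lint_ws_proxy() {   # lint_ws_proxy [FILE]; prints findings, returns 1 if any
    awk '
    function host(u,   h) {          # proxy_pass URL -> bare host
        h = u; sub(/^[a-z]+:\/\//, "", h); sub(/\/.*$/, "", h); sub(/:[0-9]+$/, "", h)
        return h
    }
    function loopback(h) {
        return h == "localhost" || h == "[::1]" || h ~ /^127\.[0-9]+\.[0-9]+\.[0-9]+$/
    }
    $1 == "location" { inloc = 1; name = $(NF-1); up = ""; v11 = upg = conn = verify = 0; next }
    !inloc { next }
    { sub(/;$/, "", $NF) }           # strip the trailing semicolon
    $1 == "proxy_pass" { up = $2 }
    $1 == "proxy_http_version" && $2 == "1.1" { v11 = 1 }
    $1 == "proxy_ssl_verify" && $2 == "on" { verify = 1 }   # nginx default is off
    $1 == "proxy_set_header" && tolower($2) == "upgrade" { upg = 1 }
    $1 == "proxy_set_header" && tolower($2) == "connection" && tolower($3) ~ /upgrade/ { conn = 1 }
    $1 == "}" {
        # A location that forwards Upgrade also needs HTTP/1.1 and Connection.
        if (upg && !(conn && v11)) { print "WS_INCOMPLETE " name; bad++ }
        # An unverified TLS upstream is only tolerable on the loopback interface.
        if (up ~ /^https:/ && !verify && !loopback(host(up))) { print "UPSTREAM_UNVERIFIED " name " " up; bad++ }
        inloc = 0
    }
    END { exit (bad > 0) }
    ' "$@"
}
sample_conf() {   # constructed input: the first location mirrors the post
    cat <<'EOF'
server {
    location /wss {
        proxy_pass https://localhost:8443/wss;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_ssl_verify off;
    }
    location /events {
        proxy_pass https://192.0.2.10:8443/events;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
    }
}
EOF
}

sample_conf | lint_ws_proxy || true
```

Run it as `lint_ws_proxy unifi.rylander.io.conf` before restarting nginx; `sudo nginx -t` then checks the syntax of the full configuration.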

Restart nginx

sudo synoservicecfg --restart nginx

Verify if it works!
