Home
Help
Search
Login
Register
OPNsense Forum
»
English Forums
»
Web Proxy Filtering and Caching
(Moderator:
fabian
) »
Reverse Proxy in front of Synology makes its firewall ineffective?
« previous
next »
Print
Pages: [
1
]
Author
Topic: Reverse Proxy in front of Synology makes its firewall ineffective? (Read 2156 times)
guest36292
Guest
Reverse Proxy in front of Synology makes its firewall ineffective?
«
on:
December 30, 2022, 07:14:45 am »
Hi all,
Recently I have successfully set up HAProxy as a reverse proxy service on a network based on this tutorial:
https://forum.opnsense.org/index.php?topic=23339.msg110962#msg110962
After a little testing it turned out the Synology NAS running on the network as a server thinks that every incoming connection through the proxy is coming from the proxy itself. The DSM UI has a Connections widget that allows the admin to keep an eye on the currently active connections and their corresponding client IPs. By default this shows that every connection is coming from the proxy, however by adding the HAProxy's IP address to the
"Trusted Proxies" in the Control Panel > Security window
in DSM these connections will be displaying the actual client IP addresses.
This on its own is fantastic, but apparently does not serve as a solution to the core of the problem. In order to establish a connection between the client and the Synology, the proxy must be allowed in the Synology's firewall. As it appears even though the client IP is passed on properly, the connection itself is made through the proxy's IP address. Even if the original client's IP is specifically blocked inside Synology, through the the proxy it is allowed to connect to every service the proxy is allowed to. As soon as the proxy is denied, nothing else is able to connect via the proxy.
This makes sense to me from what I understand about the basic principles of using a proxy, however I'm hoping people have found a solution to this. Please let me know if there is hope here as it's important for my use case to be using the Synology's Firewall to restrict connections.
Thank you
Logged
bartjsmit
Hero Member
Posts: 2018
Karma: 194
Re: Reverse Proxy in front of Synology makes its firewall ineffective?
«
Reply #1 on:
December 30, 2022, 10:54:05 am »
A solution for web traffic is X-Forwarded-For
https://en.wikipedia.org/wiki/X-Forwarded-For
HA Proxy supports it:
https://www.haproxy.com/documentation/hapee/latest/load-balancing/client-ip-preservation/add-x-forward-for-header/
No such luck with Synology apparently:
https://community.synology.com/enu/forum/68/post/150860
but an interesting angle on using cloudflared tunnels:
https://github.com/cloudflare/cloudflared/
Any mileage in a VPN to restrict access to your NAS?
Bart...
Logged
guest36292
Guest
Re: Reverse Proxy in front of Synology makes its firewall ineffective?
«
Reply #2 on:
December 31, 2022, 10:15:09 am »
Thank you for looking into this.
HAProxy does have the X-Forwarded-For header turned on as "option forwardfor" in my setup and if the NAS has the appropriate settings configured for the trusted proxies, the correct client IPs will appear in the logs of the Synology, but the firewall ignores that. As it seems this is due to the firewall not minding what is coming in but where it is coming from. It is by design as far as my freshly gained understanding of the principles networking is correct.
I do have Wireguard running on OPNSense which is my current solution to allow external access, but it's very clunky to set up and I don't find it the perfect solution for my use case. I did test the Cloudflare tunnel before on the Synology Docker but didn't like the fact that all my traffic to the host would go through the tunnel. Though, I might end up resorting to it to enable external access for 3rd parties. Could work in collaboration with Wireguard.
Logged
RamSense
Hero Member
Posts: 595
Karma: 10
Re: Reverse Proxy in front of Synology makes its firewall ineffective?
«
Reply #3 on:
December 31, 2022, 05:28:50 pm »
Have you tried to use Nginx reverse proxy instead of HAProxy to see if it makes a difference?
Logged
Print
Pages: [
1
]
« previous
next »
OPNsense Forum
»
English Forums
»
Web Proxy Filtering and Caching
(Moderator:
fabian
) »
Reverse Proxy in front of Synology makes its firewall ineffective?