
Reverse Proxy in front of Synology makes its firewall ineffective?


guest36292:
Hi all,

Recently I have successfully set up HAProxy as a reverse proxy service on a network based on this tutorial:
https://forum.opnsense.org/index.php?topic=23339.msg110962#msg110962

After a little testing it turned out the Synology NAS running on the network as a server thinks that every incoming connection through the proxy is coming from the proxy itself. The DSM UI has a Connections widget that allows the admin to keep an eye on the currently active connections and their corresponding client IPs. By default this shows that every connection is coming from the proxy, however by adding the HAProxy's IP address to the "Trusted Proxies" in the Control Panel > Security window in DSM these connections will be displaying the actual client IP addresses.

This on its own is fantastic, but apparently does not serve as a solution to the core of the problem. In order to establish a connection between the client and the Synology, the proxy must be allowed in the Synology's firewall. As it appears, even though the client IP is passed on properly, the connection itself is made through the proxy's IP address. Even if the original client's IP is specifically blocked inside Synology, through the proxy it is allowed to connect to every service the proxy is allowed to. As soon as the proxy is denied, nothing else is able to connect via the proxy.

This makes sense to me from what I understand about the basic principles of using a proxy, however I'm hoping people have found a solution to this. Please let me know if there is hope here as it's important for my use case to be using the Synology's Firewall to restrict connections.

Thank you




bartjsmit:
A solution for web traffic is X-Forwarded-For: https://en.wikipedia.org/wiki/X-Forwarded-For

HA Proxy supports it: https://www.haproxy.com/documentation/hapee/latest/load-balancing/client-ip-preservation/add-x-forward-for-header/

No such luck with Synology apparently: https://community.synology.com/enu/forum/68/post/150860 but an interesting angle on using cloudflared tunnels: https://github.com/cloudflare/cloudflared/

Any mileage in a VPN to restrict access to your NAS?

Bart...

guest36292:
Thank you for looking into this.

HAProxy does have the X-Forwarded-For header turned on as "option forwardfor" in my setup, and if the NAS has the appropriate settings configured for the trusted proxies, the correct client IPs will appear in the logs of the Synology, but the firewall ignores that. As it seems, this is due to the firewall not minding what is coming in but where it is coming from. It is by design, as far as my freshly gained understanding of the principles of networking is correct.

I do have Wireguard running on OPNSense which is my current solution to allow external access, but it's very clunky to set up and I don't find it the perfect solution for my use case. I did test the Cloudflare tunnel before on the Synology Docker but didn't like the fact that all my traffic to the host would go through the tunnel. Though, I might end up resorting to it to enable external access for 3rd parties. Could work in collaboration with Wireguard.

RamSense:
Have you tried to use Nginx reverse proxy instead of HAProxy to see if it makes a difference?

