Synology mobile apps with LetsEncrypt reverse proxy

Quick intro

I use nginx and LetsEncrypt (via nginx-proxy and Docker) to reverse proxy my home services. This allows me to use domain names for each service. In particular, I wanted synology.lolnope.us to take me to the Disk Station Manager (DSM) web UI.

The problem here is that DSM ships with nginx which binds to ports 80 and 443. There are at least two reasons I've discovered as to why this is so:

  1. Incoming 80/443 requests are redirected to 5000/5001 respectively, and
  2. Incoming 80/443 requests whose path maps to a specific DSM app, like PhotoStation, are redirected to the appropriate path URL.
    • (I'll have to make a separate post about this.)

The problem

Synology has a large mobile app landscape, and I wanted to see whether any of the apps would benefit my day-to-day workflows. One app I wanted to try was DS File, which gives me mobile access to my Synology home directory as if I had logged in via the web interface.

However, despite my DSM's interface being publicly accessible, I wasn't able to log in -- instead the app would hang at logging in and eventually time out. I wasn't exactly sure why this was, until I had a hunch...

The apps are hard-coded to use port 5000/5001!

DS File app configuration, supplying only domain name.

Wireshark capture of WiFi traffic showing DS File defaults to port 5001, which is not publicly exposed.

The solution

It's an easy one. I manually specified which port to use when connecting:

TCP 3-way handshake, TLS 4-way handshake, and encrypted data afterwards.

Success!

But if I had actually read the webpage for DS File to begin with, I wouldn't have had to think about it since they plainly say what to do:

Check if File Station is using a customized port. For example, if the port is 9920, you may need to add the port to the IP address/DDNS hostname as in “fun.syno.com:9920”.

Seems like this is going to be a common setting I need to manually configure for any Synology mobile app.
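
A small diagnostic for the failure described above, as an added example that is not part of the original post: it resolves an address the way the capture suggests the app does (falling back to 5000/5001 when no port is typed) and classifies the TCP connect, so a silent drop can be told apart from a refused connection. The function names and the parsing model are assumptions for illustration, not Synology's code.

```python
import socket
import sys

# DSM defaults named on the page: 5000 for HTTP, 5001 for HTTPS.
DSM_DEFAULT_PORTS = {False: 5000, True: 5001}

def resolve_endpoint(address, https=True):
    """Return (host, port) for what the user typed into the app.

    Assumed model of the behaviour seen in the capture: an explicit
    'host:port' wins, otherwise the DSM default port is used.
    Hostnames and IPv4 only; IPv6 literals are not handled.
    """
    address = address.strip()
    host, sep, port = address.rpartition(":")
    if sep and host and port.isdigit():
        return host, int(port)
    return address, DSM_DEFAULT_PORTS[https]

def probe(host, port, timeout=3.0):
    """Classify one TCP connect: 'open', 'refused', 'timeout' or 'error'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "timeout"
    except OSError:
        return "error"

HINTS = {
    "open": "port is reachable",
    "refused": "host is up but nothing listens on this port",
    "timeout": "packets are likely dropped (port not exposed); the app will "
               "hang at login, so append the publicly exposed port",
    "error": "DNS or network failure",
}

def diagnose(address, https=True, timeout=3.0):
    """Resolve the address as the app would, then probe that endpoint."""
    host, port = resolve_endpoint(address, https)
    state = probe(host, port, timeout)
    return {"host": host, "port": port, "state": state, "hint": HINTS[state]}

if __name__ == "__main__":
    # Usage: python3 dsm_port_check.py <hostname[:port]>
    for addr in sys.argv[1:]:
        print(diagnose(addr))
```

Run it from outside the home network against your own hostname, once without a port and once with the port the reverse proxy exposes.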