Filesharing behind Traefik
One advantage of the Synology Diskstation is the ability to easily share files (via FileStation) with external people.
All they need is a link (and a password) to access your files via their browser.
Example: https://yourhost:port/yourfileshare
Unfortunately, this feature comes with a major disadvantage: if the user removes the trailing part of the URL and just browses to https://yourhost:port,
they reach your Diskstation's admin login screen, which is not something you want to present to the World Wide Web.
This tutorial describes how to hide the admin login page while still exposing the file sharing links behind a reverse proxy, Traefik.
Prerequisites / Traefik configuration
These files make Traefik
- serve its dashboard on port 6001
- accept file sharing requests on port 8443
## /etc/traefik/traefik.yml
providers:
  file:
    filename: /etc/dynamic_conf.yml

# Enable Dashboard
api:
  dashboard: true

entryPoints:
  epDashboard:
    address: "192.168.X.X:6001"
  epFileshare:
    address: "192.168.X.X:8443"
- In my case Traefik was installed on the Synology Diskstation, thus it was forwarding to localhost:5000 to reach the admin login page.
- At the bottom you can see that I hide the dashboard behind BasicAuth. You need to use the famous htpasswd to create the required string.
- The required certificate files were generated via Synology DSM:
  - First create a Synology dyndns account via Control Panel - External Access: DDNS - Add --> and select Synology as Service Provider
  - Then a certificate will be created automatically. Export your certificate files via Control Panel - Security - Certificate --> Action: Export Certificate
## /etc/dynamic_conf.yml
http:
  services:
    svFileshare:
      loadBalancer:
        servers:
          - url: "http://localhost:5000/"

  routers:
    rtDashboard:
      entryPoints:
        - "epDashboard"
      rule: Method(`GET`)
      service: api@internal
      middlewares:
        - auth
    rtFileshare:
      entryPoints:
        - "epFileshare"
      rule: PathPrefix(`/sharing`) || PathPrefix(`/webman`) || PathPrefix(`/webapi`) || PathPrefix(`/scripts`) || PathPrefix(`/fsdownload`) || PathPrefix(`/synoSDSjslib`) || Path(`/wfmlogindialog.js`)
      service: svFileshare

  middlewares:
    auth:
      basicAuth:
        users:
          - "myuser:xxx_mypassword_xxx"

tls:
  certificates:
    - certFile: /etc/certs/RSA-cert.pem
      keyFile: /etc/certs/RSA-privkey.pem
Optional: Docker Setup
At the time of writing I had set up Traefik v2.5 to run as a Docker container. In case you are familiar with Docker, here is the quick and dirty guide:
- pull the image traefik:v2.5
- I configured the network as host network (make sure ports 6001 and 8443 are unused!)
- map the following volumes:
  - container: /etc/traefik/traefik.yml | host: /anywhere/traefik.yml
  - container: /etc/dynamic_conf.yml | host: /anywhere/dynamic_conf.yml
  - container: /etc/certs/RSA-cert.pem | host: /anywhere/RSA-cert.pem
  - container: /etc/certs/RSA-privkey.pem | host: /anywhere/RSA-privkey.pem
Firewall / Port Forwarding config
You definitely want to block all traffic from the Internet to the Synology Diskstation while still allowing file sharing.
In my case I used Port Forwarding in my internet router and opened port 8443, while port 6001 remained closed (thus only reachable from the LAN).
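To confirm the result from outside the LAN, the following added example (not part of the original tutorial) requests a list of paths through port 8443 and reports any answer that contradicts the rtFileshare rule. It assumes Traefik's default 404 answer for requests that match no router and a certificate the client trusts; the script name check_proxy.py and the function names are hypothetical.

```python
"""Added example: compare the live proxy with the rtFileshare rule."""
import sys
import urllib.error
import urllib.request

# The rtFileshare rule from dynamic_conf.yml, written as data.
PREFIXES = ("/sharing", "/webman", "/webapi", "/scripts",
            "/fsdownload", "/synoSDSjslib")
EXACT = ("/wfmlogindialog.js",)

def routed(path):
    """True if rtFileshare forwards this request path to DSM.

    PathPrefix in Traefik v2 is a plain string prefix match, so
    "/sharingX" matches PathPrefix(`/sharing`) as well.
    """
    path = path.split("?", 1)[0]  # rules match the path, not the query
    return path in EXACT or path.startswith(PREFIXES)

def http_status(url, timeout=5.0):
    """GET the URL and return the status code, 4xx/5xx included."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code

def audit(base_url, paths, fetch=http_status):
    """Return the paths whose live answer contradicts the rule."""
    findings = []
    for path in paths:
        status = fetch(base_url.rstrip("/") + path)
        if not routed(path) and status != 404:
            findings.append(f"{path}: not in the rule but answered {status}")
        elif routed(path) and status == 404:
            findings.append(f"{path}: in the rule but answered 404")
    return findings

if __name__ == "__main__":
    # usage: check_proxy.py https://yourhost:8443 / /sharing/<your-link-id>
    if len(sys.argv) < 2:
        sys.exit("usage: check_proxy.py BASE_URL [PATH ...]")
    problems = audit(sys.argv[1], sys.argv[2:] or ["/"])
    print("\n".join(problems) or "proxy matches the rule")
    sys.exit(1 if problems else 0)
```

Run it from a host outside your network against the forwarded port; an exit code of 0 means every probed path behaved as the rule predicts.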