Filesharing behind Traefik

One advantage of the Synology Diskstation is the ability to easily share files (via FileStation) with external people.
All they need is a link (and a password) to access your files via their browser.
Example: https://yourhost:port/yourfileshare
 
Unfortunately, this feature comes with a major disadvantage: once the user removes the trailing part of the URL and just browses to https://yourhost:port,
they reach your Diskstation's admin login screen. That is not something you want to present to the World Wide Web.
 
This tutorial describes how to hide the admin login page while still exposing the file sharing feature, by placing the Diskstation behind a reverse proxy, Traefik.

 

Prerequisites / Traefik configuration

These files make Traefik

  • serve the Traefik dashboard on port 6001
  • accept file sharing requests on port 8443

## /etc/traefik/traefik.yml

providers:
  file:
    filename: /etc/dynamic_conf.yml

# Enable Dashboard
api:
  dashboard: true

entryPoints:
  epDashboard:
    address: "192.168.X.X:6001"
  epFileshare:
    address: "192.168.X.X:8443"

  • In my case Traefik was installed on the Synology Diskstation itself, so it forwards to localhost:5000 to reach the admin login page.
  • At the bottom you can see that I hide the dashboard behind BasicAuth. Use htpasswd to create the required string.
  • The required certificate files were generated via Synology DSM:
    • First create a Synology DynDNS account via Control Panel - External Access: DDNS - Add --> and select Synology as Service Provider
    • A certificate will then be created automatically. Export your certificate files via Control Panel - Security - Certificate --> Action: Export Certificate

## /etc/dynamic_conf.yml

http:
  services:
    svFileshare:
      loadBalancer:
        servers:
          - url: "http://localhost:5000/"
  routers:
    rtDashboard:
      entryPoints:
        - "epDashboard"
      rule: Method(`GET`)
      service: api@internal
      middlewares:
        - auth
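    rtFileshare:
      entryPoints:
        - "epFileshare"
      # Allowlist: only these paths are forwarded to DSM; every other path gets a 404 from Traefik
      rule: PathPrefix(`/sharing`) || PathPrefix(`/webman`) || PathPrefix(`/webapi`) || PathPrefix(`/scripts`) || PathPrefix(`/fsdownload`) || PathPrefix(`/synoSDSjslib`) || Path(`/wfmlogindialog.js`)
      service: svFileshare
      # Serve this router over HTTPS with the certificate from the tls section below
      tls: {}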
  middlewares:
    auth:
      basicAuth:
        users:
          - "myuser:xxx_mypassword_xxx"
tls:
  certificates:
    - certFile: /etc/certs/RSA-cert.pem
      keyFile: /etc/certs/RSA-privkey.pem
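
The rtFileshare rule above is an allowlist, so it is worth checking which request paths it forwards to DSM and which ones Traefik answers with a 404. The following Python sketch is an added example, not part of the original tutorial or of Traefik itself: it models only `Path`, `PathPrefix` and `||` as used in that rule, and the sample request paths are constructed.

```python
import re

# Router rule copied from rtFileshare in /etc/dynamic_conf.yml on this page.
RULE = ("PathPrefix(`/sharing`) || PathPrefix(`/webman`) || PathPrefix(`/webapi`) || "
        "PathPrefix(`/scripts`) || PathPrefix(`/fsdownload`) || "
        "PathPrefix(`/synoSDSjslib`) || Path(`/wfmlogindialog.js`)")

MATCHER = re.compile(r"(PathPrefix|Path)\(`([^`]*)`\)")

def parse_rule(rule):
    """Split an OR-only rule into (matcher, value) pairs; reject anything else."""
    terms = []
    for part in rule.split("||"):
        m = MATCHER.fullmatch(part.strip())
        if m is None:
            raise ValueError(f"unsupported rule term: {part.strip()!r}")
        terms.append((m.group(1), m.group(2)))
    return terms

def is_forwarded(path, terms):
    """True if the modelled rule would hand this request path to svFileshare."""
    path = path.split("?", 1)[0]  # matchers see the path, not the query string
    for kind, value in terms:
        if kind == "Path" and path == value:
            return True
        # PathPrefix is a plain string prefix: slashes are not treated specially
        if kind == "PathPrefix" and path.startswith(value):
            return True
    return False

def audit(paths, rule=RULE):
    """Map each request path to True (forwarded to DSM) or False (404)."""
    terms = parse_rule(rule)
    return {p: is_forwarded(p, terms) for p in paths}

# Constructed sample request paths (not taken from a real DSM).
SAMPLES = ["/", "/index.cgi", "/sharing/AbCdEf123", "/webapi/anything?x=1",
           "/wfmlogindialog.js", "/wfmlogindialog.js.bak",
           "/sharingfoo", "/webman/anything"]

if __name__ == "__main__":
    for path, ok in audit(SAMPLES).items():
        print(f"{'forwarded' if ok else '404      '}  {path}")
```

Because PathPrefix forwards every path beneath a prefix, review what DSM serves under each allowed prefix before opening the port.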

 

Optional: Docker Setup

At the time of writing I had set up Traefik v2.5 to run as a Docker container. If you are familiar with Docker, here is the quick and dirty guide:

  • pull the image traefik:v2.5 
  • I configured the network as host network (make sure ports 6001 and 8443 are unused!)
  • map the following volumes:
    • container: /etc/traefik/traefik.yml | host: /anywhere/traefik.yml
    • container: /etc/dynamic_conf.yml | host: /anywhere/dynamic_conf.yml
    • container: /etc/certs/RSA-cert.pem | host: /anywhere/RSA-cert.pem
    • container: /etc/certs/RSA-privkey.pem | host: /anywhere/RSA-privkey.pem

Firewall / Port Forwarding config

You definitely want to block all traffic to the Synology Diskstation from the Internet, but enable file sharing.
In my case I used Port Forwarding in my internet router and opened port 8443, while port 6001 remained closed (thus only reachable from the LAN).