Using Synology DSM Reverse Proxy to Access Your Self-Hosted Services from the Internet

I run quite a few self-hosted services on my DS220+, including Synology Photos and Drive, and several Docker-based apps like Vaultwarden and AFFiNE.

All these apps run on my home network. To make them accessible when I’m outside, I use DSM’s built-in Reverse Proxy feature to expose the services to the internet in a secure way.

Here’s the complete setup process I use:


Prepare a Domain Name & Apply for a Free SSL Certificate

My domain is registered with Namecheap. Their DNS supports DDNS, which makes it ideal for home broadband environments where the public IP changes frequently. (If you’re not sure how to enable DDNS in DSM, you can check my earlier article.)

There are many options for free SSL certificates. I use ohttps.com — the only provider I found that offers wildcard certificates for free. With a wildcard certificate, renewing every 3 months (which all free certificates require) becomes much easier.

If you register through my referral link, you’ll receive a bonus balance of 1000 credits, enough for about 20 renewals — essentially 5 years for free.

OHTTPS Referral Link 👉 https://ohttps.com?invitationCode=xlpm40gvngl05n9g

After registration, create a new free wildcard certificate, for example: *.mydomain.com

Once the certificate is issued, download the three required files:
cert.key, cert.cer, and chain.cer.

Install the Certificate on DSM

Log into DSM and go to Control Panel → Security → Certificate → Add.

Click through until you see the import page:

Upload the three certificate files you downloaded earlier and confirm.
That completes the SSL certificate installation.

Configure Reverse Proxy Rules

Let’s say you want to use affine.mydomain.com for your AFFiNE instance.
First, add a DNS A-record for this subdomain.

Then log into DSM and go to:
Control Panel → Login Portal → Advanced → Reverse Proxy

When I deployed AFFiNE, I mapped it to local port 3010, so the reverse proxy rule looks like this:

A few important notes about the source port:

  • If port 443 is available, use it directly.
  • If 443 is occupied, use any other available port.
  • In all cases, make sure your router forwards the chosen port to your NAS’s LAN IP.

Finally, go to Control Panel → Security → Certificate → Configure, and assign the installed SSL certificate to affine.mydomain.com.

Accessing Your Service via Subdomain

Now open the AFFiNE app and add the server:
https://affine.mydomain.com

You can now securely access your self-hosted AFFiNE instance from anywhere.
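
A check worth running after the steps above, added here as an example and not part of the original post: it confirms that the certificate presented through the reverse proxy covers the subdomain and reports how many days remain before the 3-month renewal. The function names, the 14-day threshold and the sample certificate are assumptions constructed for illustration.

```python
import socket
import ssl
import time

RENEW_BEFORE_DAYS = 14  # assumption: warn two weeks before the 3-month expiry


def name_covered(hostname, pattern):
    """RFC 6125-style match: '*' stands for exactly one left-most label."""
    host = hostname.lower().rstrip(".").split(".")
    pat = pattern.lower().rstrip(".").split(".")
    if len(host) != len(pat):
        return False
    if pat[0] == "*":
        return len(pat) > 2 and host[1:] == pat[1:]
    return host == pat


def check_cert(cert, hostname, now=None):
    """cert is the dict returned by SSLSocket.getpeercert()."""
    now = time.time() if now is None else now
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    days_left = int((ssl.cert_time_to_seconds(cert["notAfter"]) - now) // 86400)
    return {
        "covered": any(name_covered(hostname, p) for p in sans),
        "days_left": days_left,
        "renew_now": days_left <= RENEW_BEFORE_DAYS,
    }


def fetch_cert(hostname, port=443, timeout=5):
    """Connect through the reverse proxy; raises ssl.SSLError if the chain or name is invalid."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


# Constructed sample in getpeercert() format, so the check runs offline.
SAMPLE = {
    "subjectAltName": (("DNS", "*.mydomain.com"),),
    "notAfter": "Mar 31 12:00:00 2025 GMT",
}
SAMPLE_NOW = ssl.cert_time_to_seconds("Mar 21 12:00:00 2025 GMT")

if __name__ == "__main__":
    for host in ("affine.mydomain.com", "mydomain.com", "a.b.mydomain.com"):
        print(host, check_cert(SAMPLE, host, now=SAMPLE_NOW))
```

Against a live setup, pass the result of fetch_cert("affine.mydomain.com") to check_cert, giving the port argument if the rule uses a source port other than 443.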


There are also alternative solutions for exposing internal services to the internet — for example, using Caddy as a reverse proxy with automatic SSL certificate handling. This avoids manual renewals completely. I’m still experimenting, and I’ll share an update once I finish testing.