Monday, August 11, 2014

Synology : Publish through HAProxy

This is the second article in a series to secure your Synology NAS.

HAProxy enables users to access programs on their NAS without opening additional ports in the firewall. Also, because the applications are not reachable on the ports they normally run on and you need to know the exact URL to use, a bug in the software is harder to exploit (for instance SynoLocker). Keep in mind that a hostname can still be guessed, so this reduces exposure but does not replace installing updates.
If you use the DDNS service of Synology you can put a name in front of the DDNS name to reach each service,
e.g. https://dsm.mydemonas.synology.me would take me to the admin interface of my NAS.

To achieve this we need to install an additional package, HAProxy. It is available through the SynoCommunity repository at http://packages.synocommunity.com

This tutorial will assist you with the following:
1. Add the repository
2. Prepare the NAS for the application
2.a Install a certificate
2.b Enable SSH
3. Install the application and its prerequisite
3.a Some problem fixing
4. Conclusion

I hope this will help you ;)



Add the repository
First open the Package Center:

In the Package Center select Installed and click the Settings button.

Click on Add and fill in the following information:
Name: Syno Community
Location: http://packages.synocommunity.com


On the left-hand side click on Community and then Refresh.



A lot of packages will appear here.



Create a Certificate
Before we install HAProxy we first need to update the certificate and enable SSH.

Go to Control Panel


Open Security


Click on the TAB Certificate


Click on Create Certificate

In this tutorial we create a self-signed certificate. If you have a valid certificate you can import it here, or you can create a certificate request which you can send to a certificate authority. A self-signed certificate will make browsers warn on every connection; a certificate from a CA avoids that.

Fill-in your information

For Common Name fill in the DNS name you want to use. The DDNS service from Synology can provide you with a DNS name; you can add the local IP address in the Subject Alternative Name field. Click Apply.



Enable SSH
Since the custom configuration of HAProxy is only available through the command line we must enable SSH to connect to the NAS.

Open Control panel

Open Terminal and SNMP
Select Enable SSH service and click Apply. You can disable the SSH service again once the configuration is done.

Installation of the Package

Now we can install HAProxy. Since Python 2.7 or higher is a requirement, we first install Python.
Open Package Center

Select Community

Look for the package python and click install

Wait until the installation is finished

Look for the application HAProxy and click install

HAProxy uses a username and password to protect its status page. Enter those here.
The default is admin / admin; change it, because the status page shows your backends and their health.
Click Next

Make sure the checkbox is ticked to run the application, and click apply

With version 1.5-dev25-12 there is a problem in the configuration which doesn't allow the application to run. We can however fix it ourselves.

Download PuTTY

Open the downloaded program and connect to the IP address of your NAS over SSH.
The username is always root
The password is your admin password

Change the current folder to "/volume1/@appstore/haproxy/var" and open the file haproxy.cfg

Commands:
  cd /volume1/@appstore/haproxy/var/
  vi haproxy.cfg

When the file opens, scroll down to the section backend gateone.
Add verify none to the end of the server line. To do this press i (insert mode),
type the words at the end of the line, then press ESC
and type :wq [ENTER]

Note that verify none tells HAProxy to accept the backend's TLS certificate without checking it. That is acceptable here because GateOne runs on the same NAS and the connection never leaves the box; do not use it for backends on other hosts.

Now the package will run when we start it.

Conclusion
HAProxy will natively run on the ports 5080 and 5443.
We can change these ports in the configuration file, or you can configure your firewall (router) to forward incoming requests on port 80 or 443 to the HAProxy ports. By default the applications are only available over the HTTPS (5443) port, but you can copy those lines to the HTTP (5080) port option. This exposes them without encryption and makes it less secure!!
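As an added example (not from the original post and not part of the SynoCommunity package), the script below puts the whole procedure in one place: a constructed haproxy.cfg in the spirit of this tutorial, with name-based routing on the 5443 frontend and a 5080 frontend that only redirects to HTTPS instead of exposing the applications twice; a function that adds verify none to the server line of backend gateone without hand-editing in vi; a syntax check with haproxy's own -c flag when the binary is present; and a check for the "cannot bind socket [0.0.0.0:5443]" situation. The hostnames term.mydemonas.synology.me and dsm.mydemonas.synology.me, the backend ports 5001 and 8444, and the certificate path are assumptions for the example.

```shell
#!/bin/sh
# Added example, not code from the original post or the HAProxy package.
# Usage: sh fix_haproxy.sh /volume1/@appstore/haproxy/var/haproxy.cfg

# Write a constructed sample haproxy.cfg to $1 (demo input only; a real NAS
# already has its own file). Hostnames, backend ports and the certificate
# path are assumptions.
write_sample_config() {
  cat > "$1" <<'EOF'
global
    daemon
    maxconn 256

defaults
    mode http
    timeout connect 5s
    timeout client 50s
    timeout server 50s

frontend http
    bind 0.0.0.0:5080
    redirect scheme https code 301

frontend https
    bind 0.0.0.0:5443 ssl crt /path/to/cert-and-key.pem
    acl host_dsm hdr(host) -i dsm.mydemonas.synology.me
    acl host_gateone hdr(host) -i term.mydemonas.synology.me
    use_backend dsm if host_dsm
    use_backend gateone if host_gateone
    default_backend deny

backend dsm
    server dsm 127.0.0.1:5001 ssl

backend gateone
    server gateone 127.0.0.1:8444 ssl

backend deny
    http-request deny
EOF
}

# Add "verify none" to the server line of backend gateone only; other backends
# are left untouched. Idempotent: a line that already has it is not changed.
# A copy of the original is kept next to it as <file>.bak.
add_verify_none() {
  cfg="$1"
  cp "$cfg" "$cfg.bak"
  awk '
    /^backend /                                  { g = ($2 == "gateone") }
    g && /^[ \t]*server / && !/verify none/      { $0 = $0 " verify none" }
    { print }
  ' "$cfg.bak" > "$cfg"
}

# Print the server line(s) of backend gateone so the edit can be verified.
gateone_server_lines() {
  awk '/^backend /{ g = ($2 == "gateone") } g && /^[ \t]*server /' "$1"
}

# Let haproxy itself validate the file when the binary is available.
check_config() {
  if command -v haproxy >/dev/null 2>&1; then
    haproxy -c -f "$1"
  else
    echo "haproxy binary not found; skipping syntax check" >&2
  fi
}

# Return 0 when nothing listens on the given TCP port, 1 otherwise.
port_is_free() {
  if netstat -an 2>/dev/null | grep -q "[.:]$1[ 	].*LISTEN"; then
    return 1
  fi
  return 0
}

main() {
  cfg="$1"
  [ -f "$cfg" ] || write_sample_config "$cfg"
  add_verify_none "$cfg"
  echo "gateone server line(s) after the fix:"
  gateone_server_lines "$cfg"
  check_config "$cfg"
  if port_is_free 5443; then
    echo "port 5443 is free"
  else
    echo "port 5443 is already in use; change the bind line (e.g. to 8443)"
  fi
}

# Only run when a config path is given, so the functions can also be sourced.
if [ "$#" -gt 0 ]; then
  main "$1"
fi
```

The awk edit keys on the section header, so a server line in backend dsm is never touched, and re-running the script does not append verify none a second time.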
5 comments:

  1. After changing the haproxy.cfg the error: "Invalid file format" shows up.

    1. how did you change the file? With the vi as I did?

      There might be an enter missing or a space missing.

  2. Bas,
    I have followed your instructions, but the startup keeps failing.

    What I notice is during the current setup, the 'none' is already added to the GateOne line. I have completely removed GateOne, but that did not do the job. Also, no log file is written.

    Can you point me in the right direction?

    Many Thanks!

  3. In the meantime I know a bit more:

    Starting HAProxy ...
    [ALERT] 010/223153 (27500) : Starting frontend https: cannot bind socket [0.0.0.0:5443]

    By the way, I am running with my own SSL cert, created via StartSSL (which is free there, incidentally)

    Arno

  4. Hello Arno,

    It looks like you already have an application active on HAProxy's port (5443)

    With the command
    netstat -anp | grep 5443

    you can see what is active on that port.
    For me it looks like this:

    MyNAS> netstat -anp | grep 5443
    tcp 0 0 0.0.0.0:5443 0.0.0.0:* LISTEN 15552/haproxy

    You can configure it to use a different port, for example 8443

    I hope this helps you.

    Grtz,

    Bas
