Setup home network with multiple SSL devices on one IP

2

1

Is it possible in some way to use multiple SSL devices (Raspberry Pi and Synology) behind a router with only one incoming IP? My wish is to use it with subdomains. I can point both subdomains to the incoming IP, but how do I split them behind the router? Could it help with a local DNS server? I know that the Synology can act as a DNS server but would that help me?

The devices both use SSL certificates from Let's Encrypt.

Big thanks in advance!

mike

Posted 2018-06-30T21:39:56.230

Reputation: 23

I think you need to read up on reverse proxies

– garethTheRed – 2018-07-01T05:45:20.150

Answers

2

Is it possible in some way to use multiple SSL devices (Raspberry Pi and Synology) behind a router with only one incoming IP?

Yes. What you are talking about requires setting up a reverse proxy. Basically, you need to make e.g. subdomain s1.abc.com and subdomain s2.abc.com point to a web server (reverse proxy) such as Apache or Nginx on your network and then have that web server forward incoming requests to the appropriate devices:

[Image: Reverse Proxy Diagram]

I can point both subdomains to the incoming IP but how do I split them behind the router?

The reverse proxy will need virtual hosts (for Apache) or server blocks (Nginx) for both subdomains. Any appropriate HTTPS or proxy directives will generally live under these entries.

I know that the Synology can act as a DNS server but would that help me?

DNS is not a solution in this case, so no, not for "splitting" incoming requests (though having a DNS server could be helpful generally outside of this).

Both devices use SSL certificates from Let's Encrypt.

The easiest thing to do would be to transfer these certificates to the reverse proxy and use HTTP on your internal network. HTTPS forwarding internally is possible but potentially more of a headache and less necessary for simple home use.

Notes

  • I would suggest initially setting up your reverse proxy as HTTP-only for testing, then add the certificates afterwards.

  • Let's Encrypt now offers wildcard domain certificates (since approximately January 2018). This could be useful if you have a number of subdomains and wish to minimize the number of certificates you need to keep track of. Note that wildcard domains require verification through DNS TXT records (this might be where the Synology could come in handy, at least under certain circumstances).

Anaksunaman

Posted 2018-06-30T21:39:56.230

Reputation: 9 278

Big big thanks for the very informative answer :) I will definitely read up on reverse proxy. But a quick question before I go too deep into this... my plan is to run the reverse proxy on the Synology in a container (Docker), is that possible, to still connect to the Synology itself from the inside proxy? – mike – 2018-07-01T22:56:50.510

It likely depends on how flexible the Synology is security and configuration-wise and how you set up the container. In theory, it is certainly possible to have this kind of a setup on a regular PC/server. Similar to the certificates, I would take it easy to begin with. I would set up a simple working web server in the container first and then make it accessible from your public IP. Assuming you can do that, then there is likely little reason you couldn't alter it to serve as a reverse proxy (even for the Synology itself). – Anaksunaman – 2018-07-01T23:59:53.197

Appreciate the checkmark and the praise. Thank you. Glad to hear that you got things working. =) – Anaksunaman – 2018-07-02T17:32:58.093
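
The layout described in the answer above, as an added example that is not part of the original answer or comments: one nginx server block per subdomain, TLS terminated at the proxy with the Let's Encrypt certificates, and plain HTTP to each device. The backend addresses, the Synology port 5000, the certificate paths and the /var/www/acme webroot are assumptions; the blocks belong inside nginx's http context.

```nginx
# Added example. Assumed values: backends 192.168.1.10 (Raspberry Pi) and
# 192.168.1.20:5000 (Synology), certbot-style cert paths, /var/www/acme.

# Catch-all: a request whose Host/SNI is neither subdomain is dropped,
# so probes against the bare public IP reach no device.
server {
    listen 80 default_server;
    listen 443 ssl default_server;
    server_name _;
    ssl_reject_handshake on;   # requires nginx 1.19.4 or newer
    return 444;                # close the connection without replying
}

# Port 80: serve Let's Encrypt HTTP-01 challenges, redirect everything else.
server {
    listen 80;
    server_name s1.abc.com s2.abc.com;
    location /.well-known/acme-challenge/ { root /var/www/acme; }
    location / { return 301 https://$host$request_uri; }
}

# s1.abc.com -> Raspberry Pi. TLS ends here; the internal leg is HTTP.
server {
    listen 443 ssl;
    server_name s1.abc.com;
    ssl_certificate     /etc/letsencrypt/live/s1.abc.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/s1.abc.com/privkey.pem;
    location / {
        proxy_pass http://192.168.1.10:80;
        proxy_set_header Host $host;
        # Overwrite, not append, so clients cannot spoof their address.
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Proto https;
    }
}

# s2.abc.com -> Synology, same pattern with its own certificate.
server {
    listen 443 ssl;
    server_name s2.abc.com;
    ssl_certificate     /etc/letsencrypt/live/s2.abc.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/s2.abc.com/privkey.pem;
    location / {
        proxy_pass http://192.168.1.20:5000;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

Forward only ports 80 and 443 from the router to the proxy, and because the internal leg is unencrypted HTTP, have each device accept web connections only from the proxy's address.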

0

So, finally. After hours of struggling with setting up nginx in Docker I stumbled over some information that the Synology is running its own Nginx :) So just a "little" configuring and everything (including Let's Encrypt) was up and running, no installation at all, and mostly configurable by the UI itself (DSM). Synology NAS is a really great product with lots of functionality. Thanks Synology and most of all to Anaksunaman for the great answer and pointing me in the right direction!

mike

Posted 2018-06-30T21:39:56.230

Reputation: 23

Great to hear Anaksunaman's answer worked. Don't mean to be harsh, but this is a Q&A site, not a forum, so using answers for anything other than actual answers is bad. Accepting the answer is good thanks as it gives the answerer an increase in rep. When you gain enough rep yourself you can comment or use chat. You should remove this answer. – LawrenceC – 2018-07-02T16:18:20.187