Reverse Proxy/Synology - External Access Error 521

Hi All,

I have a Synology server I set up on my LAN and am attempting to permit access to a specific application I’m running on the server through a subdomain on a custom domain. I did the following setup.

  1. Implemented DDNS through my Synology Drive, so my public IP is always up-to-date.

  2. Set up a CNAME record at Cloudflare with the hostname being the name of the subdomain and the value being the DDNS address.

  3. I turned on the proxy setting for the aforementioned CNAME and set SSL/TLS encryption to STRICT MODE.

  4. I set up port forwarding rules on my router to forward incoming traffic on port 443 to the internal IP and port of the Synology Drive (I changed the standard Synology port to a different one for extra security purposes). Let’s say I did port 5500.

  5. I obtained an SSL certificate for my subdomain using Let’s Encrypt. At first, I wasn’t able to get the certificate, but then I changed the port forward port for the internal Synology IP in my router to 443 as well and it worked. Ultimately, I changed the port forward port for the Synology back to port 5500 after I got the SSL cert.

  6. I assigned the SSL cert to the specific service I’m accessing.

  7. I set up a reverse proxy in my Synology Drive that takes incoming traffic from my subdomain and reroutes it to the specific port for the Synology service being accessed.

The internal reverse proxy is set up as follows:

SOURCE:
Protocol: HTTPS
Hostname: app.subdomain.com
Port: 443

DESTINATION:
Protocol: HTTPS
Hostname: internal IP address of service being accessed
Port: 5055 - the custom port of the Synology service being accessed.

Everything seems to work both in and out of the LAN/I am able to access my Synology service from outside the LAN by going to the subdomain using the aforementioned setup.

My issue is that I don’t want to port forward all of the traffic from port 443 on my external IP to the Synology device. For security purposes (and so I don’t tie up port 443 with this one service), I think it would be best to forward traffic from another port on my router to the Synology device. As a result, instead of using port 443, I changed the port being forwarded from my router (to the Synology) to port 2053 (as it’s my understanding that port will work). Unfortunately, since changing that port (and updating the internal reverse proxy’s SOURCE PORT to 2053), I keep getting the “Error 521 - web server is down” message when trying to access the subdomain.

I am new to setting up all of this, but what am I doing wrong? I don’t understand why I can’t seem to forward any port other than port 443 to my Synology device. As a side note, I am able to access the Synology service outside my LAN by typing in my IP address:2053… and dnschecker shows the Cloudflare IPs for the A record of my subdomain.

Can anyone tell me how to make this work/what I’m doing wrong? Do I need to change something in Cloudflare in order to allow port 2053 forward all the traffic?

Thanks so much in advance
-nevets

Nevermind. I was able to figure out what I needed. Using Origin rules solved my issue!
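Added example (not part of the thread, and not Cloudflare's or Synology's code): a small model of why the 521 appeared and what an Origin Rule changes. With the orange-cloud proxy on, Cloudflare connects to the origin on the same port the client used (a browser hitting app.subdomain.com uses 443), so once the router only forwards 2053 the origin is unreachable and Cloudflare answers 521; an Origin Rule with a destination-port override tells the proxy to use 2053 instead. The rule payload follows the Rulesets API shape for the `http_request_origin` phase as I understand it (`action: route`, `action_parameters.origin.port`); the hostname is the one from the post, the zone id is a placeholder, and the port sets are constructed for the demo.

```python
import re

# HTTPS ports the Cloudflare proxy accepts from clients (documented list).
CLOUDFLARE_HTTPS_PORTS = {443, 2053, 2083, 2087, 2096, 8443}
ZONE_ID = "ZONE_ID_PLACEHOLDER"  # placeholder: the poster's zone id is not on the page
HOST = "app.subdomain.com"

def origin_port_override_rule(hostname: str, origin_port: int) -> dict:
    """Origin Rule: for requests to `hostname`, connect to the origin on `origin_port`."""
    return {
        "description": f"Route {hostname} to origin port {origin_port}",
        "expression": f'(http.host eq "{hostname}")',
        "action": "route",
        "action_parameters": {"origin": {"port": origin_port}},
        "enabled": True,
    }

def ruleset_payload(rules: list) -> dict:
    # Body for PUT /zones/{ZONE_ID}/rulesets/phases/http_request_origin/entrypoint
    return {"name": "default", "kind": "zone", "phase": "http_request_origin", "rules": rules}

def origin_port(client_port: int, hostname: str, rules: list) -> int:
    """Port the proxy dials on the origin: the first matching rule's override,
    otherwise the port the client connected to (the default behaviour)."""
    if client_port not in CLOUDFLARE_HTTPS_PORTS:
        raise ValueError(f"port {client_port} is not proxied by Cloudflare for HTTPS")
    for rule in rules:
        m = re.fullmatch(r'\(http\.host eq "([^"]+)"\)', rule["expression"])
        if rule.get("enabled", True) and m and m.group(1) == hostname:
            return rule["action_parameters"]["origin"]["port"]
    return client_port

def proxy_result(client_port: int, hostname: str, rules: list, forwarded: set) -> str:
    """'ok' if the router forwards the port Cloudflare dials, else the 521 the poster saw."""
    return "ok" if origin_port(client_port, hostname, rules) in forwarded else "521"

if __name__ == "__main__":
    forwarded = {2053}  # constructed: router now forwards only 2053 to the NAS
    print("no rule :", proxy_result(443, HOST, [], forwarded))          # 521
    rule = origin_port_override_rule(HOST, 2053)
    print("with rule:", proxy_result(443, HOST, [rule], forwarded))     # ok
    print(ruleset_payload([rule]))
```

The direct `IP:2053` test from the post bypasses the proxy entirely, which is why it worked while the proxied hostname did not; the override only changes the proxy-to-origin leg, so 443 can stay closed on the router.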
