Subdomain for Synology with proxy enabled

Hi There,

I’m new to Cloudflare DNS.

I have transferred my records from my registrar to Cloudflare.

My domain is: itbuck.nl

and I’ve created a subdomain thebatstorage.itbuck.nl

that points to my WAN IP. On my router I have a port forward from 443 to internal port 5501 from my NAS.

Works perfectly, but when I turn on ‘proxied’ I can’t reach my NAS anymore on https://thebatstorage.itbuck.nl

Is there some setting I missed?

The records for my main website: https://itbuck.nl

also proxied and working fine.

With kind regards,

Buck Baggen


In Cloudflare under ‘SSL/TLS’ → ‘Overview’ I changed the ‘Your SSL/TLS encryption mode’ from ‘Flexible’ to ‘Full (strict)’.

Now I can access my NAS on my subdomain with the record set to ‘proxied’.

But now another problem: when I share a file from my NAS, it is a download link from my subdomain, so that’s good.

But when I try to log in I get a red error bar (with no text in it); when I try several times I get in. And then when I want to start the download I also get errors, but sometimes it works.

When I turn ‘proxied’ off on the record, it works fine…

Does somebody know a solution for this? I’m already halfway there…

Maybe you have to create a rule to bypass Cloudflare’s cache.

Late reply, but in case anyone is looking for a solution, here’s my solution:

  • Create an A record pointing example.com → IP address. You can turn on the proxy, orange icon.
  • Create a CNAME record subdomain.example.com → example.com. You can turn on the proxy, orange icon.
  • Set the SSL / TLS option (like Buck’s screenshot above) to be “Full”
  • Go back to your Synology NAS, and make sure you have certificates for that subdomain, which are valid, from Let’s Encrypt
  • Double check your firewall rules are open for port 80/443
  • Open an incognito tab (just to be safe, or even clear your browser cache) and try hitting that subdomain again

Also, I should mention that I was NOT able to get Cloudflare’s proxy (orange cloud icon) to work for a wildcard * subdomain e.g., *.example.com.

Apparently (I might be wrong), it has to do with the fact that when a request comes in to subdomain.example.com, and you have a CNAME record of *.example.com → example.com, I think Cloudflare requires you to have a wildcard cert. But because Synology does NOT allow you to create a wildcard cert (at least on DSM 7 for me), the DNS resolves to your IP but the call ultimately fails, because there’s no proper wildcard cert available on your machine.

For that reason, that’s why I could not use a wildcard cert and had to break out my CNAME records to point to each and every single, specific subdomain to match the subdomain-level certs I had on my Synology NAS.

Source: https://community.synology.com/enu/forum/1/post/162963
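
The thread ends with one certificate per subdomain on the NAS, so every proxied DNS record needs a certificate name that covers it. As an added example (not part of any post in this thread, and not Cloudflare's or Synology's code), this Python sketch lists the DNS hostnames that no certificate name covers, using standard TLS wildcard matching where `*` stands for exactly one left-most label. All hostnames and certificate labels are constructed.

```python
# Added example: constructed hostnames and certificate names, not taken from the thread.

def san_matches(pattern, hostname):
    """Standard TLS name matching: '*' is only valid as the whole left-most
    label and stands for exactly one label."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        # '*.example.com' never covers 'example.com' or 'a.b.example.com'
        return False
    if p[0] == "*":
        # Reject patterns such as '*.com' that would span a whole TLD
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def uncovered_hosts(dns_hosts, certs):
    """Return the DNS hostnames that no certificate in `certs` covers.
    `certs` maps a label to the list of names (SANs) on that certificate."""
    names = [n for sans in certs.values() for n in sans]
    return [h for h in dns_hosts if not any(san_matches(n, h) for n in names)]


# Constructed inventory: records that exist in DNS for the zone.
DNS_HOSTS = ["example.com", "nas.example.com", "files.example.com", "a.b.example.com"]

# Constructed: one certificate per hostname, as in the last post.
PER_HOST_CERTS = {"site": ["example.com"], "nas": ["nas.example.com"]}

# Constructed: a single wildcard certificate, for comparison.
WILDCARD_CERT = {"wild": ["*.example.com"]}

if __name__ == "__main__":
    print("per-host certs miss:", uncovered_hosts(DNS_HOSTS, PER_HOST_CERTS))
    print("wildcard cert misses:", uncovered_hosts(DNS_HOSTS, WILDCARD_CERT))
```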