Login/Register
Prevent default redirection from port 80 to 5000 on Synology NAS (DSM 5)
Asked Answered
portnassynology
L

3

9

I would like to use a nginx front server on my Synology NAS for reverse-proxying pruposes. The goal is to provide a facade for the non-standard port numbers used by diverse webservers hosted the NAS. nginx should be listening on port 80, otherwise all this wouldn't make any sense.

However DSM comes out of the box with an Apache server that is already listening on port 80. What it does is really silly : it simply redirects to port 5000, which is the entry point to the NAS web manager (DSM).

What I would like to do is disable this functionality, making the port 80 available for my nginx server. How can I do this ?

Lubet answered 22/5, 2015 at 22:6 Comment(0)
R
7

Since Google redirects to here also for recent Synology DSM, I answer for DSM6 (based on http://tonylawrence.com/posts/unix/synology/freeing-port-80/)

From DSM6, nginx is used as HTTP server and redirection place. The following commands will leave ngingx in place, put run it at port 8880 instead of 80.

  1. ssh into your Synology
  2. sudo -s
  3. cd /usr/syno/share/nginx
  4. Make a backup of server.mustache, DSM.mustache, WWWService.mustache
    • cp server.mustache server.mustache.bak
    • cp DSM.mustache DSM.mustache.bak
    • cp WWWService.mustache WWWService.mustache.bak
  5. sed -i "s/80/8880/g" server.mustache
  6. sed -i "s/80/8880/g" DSM.mustache
  7. sed -i "s/80/8880/g" WWWService.mustache
  8. Optionally, you can also move 443 to 8881:
    • sed -i "s/443/8881/g" server.mustache
    • sed -i "s/443/8881/g" DSM.mustache
    • sed -i "s/443/8881/g" WWWService.mustache
  9. Quit the shell (e.g., via Ctrl+D)
  10. Go to the Control Panel and change any setting (e.g. the Application portal -> Reverse Proxy to forward http://YOURSYNOLOGYHOSTNAME:80 to http://localhost:8181 - 8181 is the port suggested by the pi-hole on DSM tutorial).
Riana answered 7/4, 2019 at 16:41 Comment(0)
M
5

tl;dr Edit /usr/syno/etc/synoservice.d/httpd-user.cfg to look like: 

   {
        "init_job_map":{"upstart":["httpd-user"]},
        "user_controllable":"no",
        "mtu_sensitive":"yes",
        "auto_start":"no"
    }

Then edit the stop on runlevel to be [0123456] in /etc/init/httpd-user.conf:

Syno-Server> cat /etc/init/httpd-user.conf 
description "start httpd-user daemon"
author "Development Infrastructure Team"
console log
reload signal SIGUSR1

start on syno.share.ready and syno.network.ready
stop on runlevel [0123456]
...

... then reboot.

Background infrormation

The answer given by Backslash36 is not the easiest solution and it may also be more difficult to maintain. Here, I give a solution that also doesn't involve starting webstation, which most other solutions demand. Note, for updated documentation see here, which gives a lot of info in general about the synology systems.

It is important to note that the new DSM (> 5.x) use upstart now, so much of the previous documentation is not correct. There are two httpd jobs which run by default on the synology machines:

  1. httpd-sys : serves the administration page(s) and is located on 5000/5001 by default.
  2. httpd-user : this, somewhat confusingly, always runs even if the webstation program is not enabled.

If webstation:

  1. is enabled: then this program serves the user webpages.
  2. is not enabled: then this program sets /usr/syno/synoman/phpsrc/web as its DocumentRoot (/usr/syno/synoman/phpsrc/web/index.cgi -> /usr/syno/synoman/webman/index.cgi), meaning that a call to http://address.of.my.dsm will call the index.cgi file. This cgi file is what drives the redirect to 5000 (or whatever you have set the admin_port to be).

From the command line, you can check what the [secure_]admin_port is set to:

Syno-Server> get_key_value /etc/synoinfo.conf admin_port
5184
Syno-Server> get_key_value /etc/synoinfo.conf secure_admin_port
5185

where I have set mine differently.

Ok, now to the solution. The best solution is simply to stop the httpd-user daemon from starting. This is presumably what you want anyways (e.g. to start another server like `nginx' in a docker). To do this, edit the relevant upstart configuration file:

Syno-Server> cat /usr/syno/etc/synoservice.d/httpd-user.cfg 
{
        "init_job_map":{"upstart":["httpd-user"]},
        "user_controllable":"no",
        "mtu_sensitive":"yes",
        "auto_start":"no"
}

so that the "auto_start" entry is "no" (as it is above). It will presumably be "yes" on your machine and by default. Then edit the stop on runlevel to be [0123456] in /etc/init/httpd-user.conf:

Syno-Server> cat /etc/init/httpd-user.conf 
description "start httpd-user daemon"
author "Development Infrastructure Team"
console log
reload signal SIGUSR1

start on syno.share.ready and syno.network.ready
stop on runlevel [0123456]
...

This last step is to ensure that the httpd-user service does actually start, but then automatically stops. This is because there are otherwise a number of services that depend upon it actually starting. Reboot your machine and you will now see that nothing is listening (or forwarding) on Port 80.

Melbourne answered 22/6, 2015 at 16:38 Comment(11)
Thanks for your input. Wouldn't it be a problem however, that the httpd-user service stops right after starting ? Services that depend on it may actually need it to be up to do business on their ownLubet
No, I don't believe so. The only services that actually depend on it are webstation. It is also possible that one could find a solution that doesn't require it to actually start up, but I would need some more time to dig. With this setup, we run an nginx docker container proxying several connections to backends and serving on port 80.Melbourne
Alright. By the way, nginx came out of the box with my NAS, so I didn't need to put it inside a docker container.Lubet
Indeed, but it's easier for me to use a version we control and we are deploying to other, non-synology servers as well.Melbourne
@Melbourne - Thanks for a very detailed answer. What version DSM did you run this on and do you know if this still works with current (DSM 5.2.5644)? What about DSM 6 betas (I have one I plan to update to beta in a few weeks possibly)? Also, does this persist through DSM updates or do you have to redo every time? Thanks much.Papyrus
@JoelAZ, we are not quite running the newest version (we don't automatically update because we need the system up almost all the time), but if I remember correctly it did persist between updates. I'm not sure about DSM 6, I haven't looked at the betas. hth.Melbourne
Thank you @MikeGM, yes it's helpful. I did this on my 5.2 and it did stop port 80 redirect but my app couldn't seem to grab port 80. Could be a problem with the docker container though so can't point any fingers yet. Either way helpful and put me on the right track. Thanks again.Papyrus
@JoelAZ, so docker is somewhat off topic (:-) ), but did you try starting this from the terminal (i.e. ssh in as root and start using the command line with appropriate flags)? I think if the docker container requests ports < 1024, then the container can't be started using the GUI since it doesn't run directly as root. This is probably a bug (purposeful limitation?) in the docker implementation on DSM. Using the command line, however, will work and the running containers will show up in the GUI.Melbourne
Thx@Melbourne I did. The docker container neede switches not supported from the wizard so only could start from shell. I didn't see errors grabbing port 80 after your changes but I still couldn't reach it on port 80 either. Not my image so I can't rule out a problem there or Syn side. Either way I'll have more time for is after new year so we shall see.Papyrus
please do file a bug / feature request with synology. They are willing to make the standard ports configurable and the more users that want this feature, the sooner we will get it.Wraparound
DSM 6.2 does not have /etc/init/httpd-user.conf or /usr/syno/etc/synoservice.d/httpd-user.cfgDunnock
L
1

Done ! It was tricky, but now I have it working just fine. Here is how I did it.

What follows requires to connect to the NAS with ssh, and may not be recommended if you want to keep warranty on your product (even though it's completely safe IMHO)

TL;DR : In the following files, replace all occurences of port 80 by a non standard port (for example, 8080). This will release the port 80 and make it available to use by whatever you want.

  • /etc/httpd/conf/httpd.conf
  • /etc/httpd/conf/httpd.conf-user
  • /etc/httpd/conf/httpd.conf-sys
  • /etc.defaults/httpd/conf/httpd.conf-user
  • /etc.defaults/httpd/conf/httpd.conf-sys

Note that modifying a subset of these files is probably sufficient (I could observe that the first one is actually computed from several others). I guess modifying the files in /etc.defaults/ would be enough, but if not, worst-case scenario is to modify all those files and you will be just fine.

Once this is done, don't forget to restart your NAS !

For those interested in how I found out

I'm not that familiar with the Linux filesystem, and even less with Apache configuration. But I knew that scripts dealing with startup processes are located in /etc/init. The Apache server that was performing the redirection would be certainly launched from there.

  • This is where I had to get my hands dirty. I performed some cat <filename> | grep 80 for the files in that directory I considered relevant, hoping to find a configuration line that would set a port number to 80.

  • That intuition paid off : /etc/init/httpd-user.conf contained the line echo "DocumentRoot \"/usr/syno/synoman/phpsrc/web\"" >> "${HttpdConf}" #port 80 to 5000. Bingo !

  • Looking at the top of the file, I discovered that the HttpdConf variable was referring to /etc/httpd/conf/httpd.conf. This is where the actual configuration was taking place.

From there it is relatively straightforward, even for those John Snow out there that know nothing about Apache configuration. The trick was to notice that httpd.conf was instantiated from some template at startup (and changing this file was therefore not enough). Performing a find / -name "*httpd.conf*", combined with some grep 80 gave me the list of files to modify.

When you look back all this looks obvious of course. However I wish Synology gave us more flexibility, so we don't have to perform dirty hacks like that...

Lubet answered 22/5, 2015 at 22:6 Comment(3)
Unfortunately then settings are back to 80 when I installed an updateThrelkeld
please do file a bug / feature request with synology. They are willing to make the standard ports configurable and the more users that want this feature, the sooner we will get it.Wraparound
I will. By the way, this answer is out of date because the situation has completely changed since the latest DSM updatesLubet

© 2022 - 2024 — McMap. All rights reserved.