Requirements:

  • Have a domain, or DDNS service that is configured to point to the public IP of your NAS.
  • Being able to open ports on the router

Let’s say our domain is called xpn.com and we want to create certificates for an application that is running in a docker container with port 5152.

From your network you would access that application using tuip:5152 but you want to log in from anywhere using https://miapp.xpn.com:5152 with its SSL certificates.

Steps

  1. Install the Web Station application on your nas by going to Package Center.
  2. Log into the router behind the NAS and port forward ports 80 and 443 to the internal ip of the NAS. This means that from outside the home network if you type https://miapp.xpn.com or http://miapp.xpn.com you should be able to see the following screenshot in your browser.
  3. The next step is to create a Virtual host in Web Station, for them we open the application and click on the left side on Virtual host and then on Create We will fill in the following data:
    hostname: miapp.xpn.com
    Port: 80/443
    Document root: Search folder “web”
    HSTS: marking
    HTTP/2: marked and we click on Ok. (I don’t think this step is completely necessary, but this is how I did it and it worked the first time, if someone tries skipping this step and everything works the same, let us know and we’ll remove it).

  4. Now we are going to create the Let’s Encrypt certificates for the subdomain. Go to Control panel > Security > Certificate tab and click the Add button, choose the first option (Add new certificate), then choose Get a certificate from Let’s Encrypt and fill in Domain name: miapp.xpn.com, Email: the email you want and then Apply.
    It will take a little while and if all goes well you will have your certificate.
     
  5. Now it’s time (if you don’t use them for anything else) to remove the port forward from ports 80 and 443 and add the port forward you want for your application, for example 5152.
  6. Make sure that the container with the application is running and that you can access it from ipdetunas:5152. If you can access it, then it is time to create an entry in the reverse proxy. To do this go to control panel > application portal > reverse proxy tab and click create. Description you can put whatever you want but I would put the name of the application:

    Source:

    • Protocol elige HTTPS
    • Hostname: miapp.xpn.com
    • Port: 5152 o el que necesites
    • HSTS y HTTP/2: Marcados los dos 

    Destination:

    • Protocol: el que necesites, normalmente HTTP
    • Hostnamelocalhost (escríbelo!!!)
    • Puerto: 5152.



  7. Now we only need to configure the certificate for the reverse proxy entry. To do this go to control panel > security > certificate and click configure. This will show us a list of services and the certificate configured for each of them, we are going to change the one for miapp.xpn.com:5152 so that it uses our certificate.

With all this we should now be able to log in to https://miapp.xpn.com:5152 from the outside with the LE certificates in place.