Install SSLH on your Synology DiskStation
You’re in an office or using public wifi and all ports other than 53, 80 and 443 are blocked. How do you SSH or VPN to your DiskStation? SSLH solves this by acting as a proxy that listens on port 443, detects the protocol of each incoming connection and hands the traffic to daemons like SSHd, Apache or OpenVPN. The SSLH package is available in the SynoCommunity repository, but some manual work is needed to get it working.
By default, Apache on the Synology listens on port 443 without binding to a specific IP address or interface, so it occupies the port on every address. The first step is to change the configuration so Apache listens on port 443 on localhost only. SSH to the DiskStation and change the configuration in these 3 files:
- /etc/httpd/conf/extra/httpd-ssl.conf
- /etc/httpd/conf/extra/httpd-ssl.conf-sys
- /etc/httpd/conf/extra/httpd-ssl.conf-user
This can be done for all three files at once with sed (back up the originals first):
mkdir /root/http-backup
cp -a /etc/httpd/conf/extra/httpd-ssl.conf* /root/http-backup/
sed -i 's/*:443/127.0.0.1:443/g' /etc/httpd/conf/extra/httpd-ssl.conf*
Now change the configuration of SSLH. By default, the service listens on port 3000; change this to 443. The configuration file can be found in /usr/local/sslh/var/sslh.cfg. Also change the listen host (0.0.0.0) to the IP address of the Synology. If you use multiple interfaces, use the address of the interface connected to your router.
When done, reboot your Synology DiskStation and test if https, ssh and/or OpenVPN works via port 443.
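Before enabling SSLH, it is worth confirming that nothing still holds port 443 on a routable address, since that is exactly what produces the "Address already in use" failure. The following check is an added example, not part of the original post; it parses `netstat -tln` style output (a constructed sample is embedded so it runs offline) and lists every LISTEN socket on the given port that is not bound to loopback.

```shell
#!/bin/sh
# Added example (not from the original post): before starting sslh on 443,
# verify that no daemon still binds 443 on a routable address. Works on the
# output of `netstat -tln`; a constructed sample is used so the check runs
# offline.

# Constructed sample of `netstat -tln` output: Apache still on 0.0.0.0:443 and
# [::]:443 (the conflict), sshd on 22, and a correct loopback-only 1443 listener.
SAMPLE_LISTENERS='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:1443          0.0.0.0:*               LISTEN
tcp        0      0 :::443                  :::*                    LISTEN'

# conflicting_listeners PORT < netstat_output
# Prints every LISTEN socket on PORT whose local address is not loopback,
# i.e. anything that would give sslh "Address already in use" on PORT.
conflicting_listeners() {
    port="$1"
    awk -v port="$port" '
        $NF == "LISTEN" {
            addr = $4
            # the port is the text after the last colon; the host is the rest
            n = split(addr, parts, ":")
            p = parts[n]
            host = substr(addr, 1, length(addr) - length(p) - 1)
            if (p != port) next
            if (host == "127.0.0.1" || host == "::1") next
            print addr
        }'
}

# count_conflicts PORT < netstat_output -> number of offending sockets
count_conflicts() {
    conflicting_listeners "$1" | wc -l | tr -d ' '
}

# Usage: on a real box replace the sample with `netstat -tln | ...`.
if [ "$(printf '%s\n' "$SAMPLE_LISTENERS" | count_conflicts 443)" -ne 0 ]; then
    echo "port 443 still held by a routable listener; fix Apache/nginx first:" >&2
    printf '%s\n' "$SAMPLE_LISTENERS" | conflicting_listeners 443 >&2
fi
```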
Got an error when trying to access my Synology on port 443:
ssh_exchange_identification: Connection closed by remote host
Do I have to leave 127.0.0.1 in all conf files, or do I have to set it to the local IP of my NAS?
SSH with (full) debug on to get more details about the error:
ssh user@hostname.tld -vvv
Hi Randy,
I tried your short tutorial, however it does not seem to work. I want to connect through OpenVPN from my work on port 443.
I changed the Apache configuration as stated above.
As host I use for listen the local network IP of the NAS, 192.168.1.125, port 443.
protocols: openvpn, 127.0.0.1 port 1194
The error that I get is: Address already in use.
Where did I go wrong?
Hi,
Following this tutorial, I encountered the same issue as Mickey and I managed to fix it.
The problem is that port 443 is used by the webserver for SSL (obviously) and sslh can not start on the same port (as it is already in use).
So you must change the SSL port to something else (for example 1443) before you can start sslh on port 443.
0) I assume, you already updated httpd-ssl.conf with { host: “0.0.0.0”; port: “443”; }
1) Change SSL ports to 1443 in webserver files (instead of 443) by editing all files /etc/httpd/conf/extra/httpd-ssl.conf*
2) Update the ssl line in /usr/local/sslh/var/sslh.cfg with port: “1443” instead of port: “443”
It becomes: { name: “ssl”; host: “127.0.0.1”; port: “1443”; probe: “builtin”; },
3) Restart the NAS (or just the webserver if you know how to do it)
Then you should be able to start the sslh package through the “Package Manager” and you should be able to connect to your NAS using: ssh @ -p 443
I noticed that it’s still possible to ssh through the default port 22.
To avoid it:
1) Check your router and make sure that there is no port forwarding of 22 to your NAS IP
2) Using the “Control Panel”, go to “Firewall”, “Create”
* Port: Custom, Destination Port, All, 22
* Source IP: All
* Action: Deny
Then close the popup; the firewall line will appear. Don’t forget to click “Save” (worst Save button location ever).
You should not be able to “ssh @” anymore.
You can only do it with port 443 (-p 443).
I hope I helped
Let Apache listen on 127.0.0.1:443 and it’s solved.
I followed the tutorial and also get the same message. SSH via port 443 works and sslh is listening on port 443. /var/log/upstart/httpd-user.log shows:
Start User Apache Server …..
(98)Address already in use: make_sock: could not bind to address [::]:443
(98)Address already in use: make_sock: could not bind to address 0.0.0.0:443
Please advise.
Thank you so much for this. I had it working perfectly up until the DSM 6 release, in which Synology has moved to nginx, so the config changes to Apache no longer work.
I first tried just changing the relevant spot in /etc/nginx/nginx.conf to bind to 127.0.0.1, but upon restarting the config had reverted. I finally figured out that Synology uses mustache to create the Synology configs at boot.
The mustache files are located in /usr/syno/share/nginx. Three of the files have a reference to 443: DSM.mustache, WWWService.mustache and server.mustache. I modified each of those to change the 443 listen and added 127.0.0.1: to the line:
listen 127.0.0.1:443 default_server ssl;
Upon rebooting, sslh was back to working normally.
Kjell Breiland, the mustache thing helped me a lot trying to change the default nginx ports.
Thank you.
Kjell Breiland, that’s really helpful. However, my sslh won’t start even when I have changed the references to 127.0.0.1:443. Could it have anything to do with the Reverse Proxy rules in the Application Portal? I’m at a bit of a loss.