How to secure your connection to Synology NAS with HTTPS
This article explains how to secure your connection to Synology NAS with HTTPS so that your information is not compromised in transit.
HyperText Transfer Protocol Secure (HTTPS) connection keeps sensitive information sent across the Internet encrypted so that only the intended recipient can understand it.
- How HTTPS works
- Before you start
- Enable secure file transferring on DiskStation
- Import private key and digital certificate
HTTPS allows secure connections over the Internet. It provides a high level of protection against eavesdroppers and man-in-the-middle attacks, on the condition that the server certificate is verified.
Web browsers know how to detect and trust server certificates when connecting to HTTPS websites. A valid certificate issued by a certificate authority gains the web browser's trust when you connect to a website over HTTPS.
You can identify whether the connection is encrypted in the address bar of the web browser. If the connection is encrypted with HTTPS, you will see the lock icon on the address bar.
This article assumes that you have done the following tasks for your DiskStation:
- Hardware installation for Synology DiskStation.
- Software installation for Synology DiskStation Manager (DSM, web-based operating system of DiskStation).
- Creating volumes and shared folders (See here).
- Creating DSM local users (See here).
- Set up port forwarding on your router.
- Apply for a domain name for your DiskStation.
Refer to Quick Installation Guide for more information about hardware and software installation. You can also see Synology DiskStation User's Guide (available at Synology's Download Center) for a general idea about topics related to this article.
By default, you can access your DiskStation through port 5000, which is a non-secured HTTP connection without encryption. Without encryption, your data could be inspected by others, for example when you use a public Wi-Fi hotspot. It is therefore recommended to use a secured HTTPS connection to access your DiskStation over the Internet.
This section explains how to enable HTTPS connection for a DiskStation.
To enable HTTPS connection for a DiskStation:
- Log in to DSM as an administrator (admin or a user belonging to the administrators group) or a domain administrator.
- Go to Main Menu > Control Panel > DSM Settings, click the HTTP Service tab, select Enable HTTPS connection, and then click OK. If you would like all HTTP connections to be redirected automatically so that HTTPS is the only choice of connection, select Automatically redirect HTTP connections to HTTPS, and then click OK.
To access HTTPS connection for a DiskStation:
- Using a supported web browser, go to https://domain name:5001, where domain name is the registered domain name you use to access your DiskStation.
Note 3: If you have selected Automatically redirect HTTP connections to HTTPS under DSM Settings, it is not necessary to add HTTPS and the default port number, as the connection will be redirected automatically.
Once you have enabled HTTPS connection and have all the configuration ready, you should be able to establish a secure connection to your DiskStation. However, the following warning may appear on screen and block you from connecting directly to DSM. This is because the web browser requires a 3rd party certificate to verify that the server you are trying to connect to is truly yours, and not a fraudulent one set up to capture your password.
Note 2: You may bypass the above warning by adding this domain as a security exception; you can then still log into DSM as usual. The data is still encrypted regardless of the warning message, but, as stated earlier, protection against man-in-the-middle attacks depends on the server certificate being verified.
You can make the warning message go away by getting a certificate from a 3rd party provider. To get one, you must already have a registered domain name. Then use the domain to apply for a certificate from one of the certificate authorities, such as StartSSL, a company providing free Class 1 certificates (Class 1 certificates are for individuals).
Figure: Go to StartSSL and get a certificate
The private key and digital certificate are used to validate HTTPS-based websites: they assure that all communication is secure and that the website is genuine. If you obtained the private key and digital certificate from a 3rd party certificate authority, you may import them into DSM.
To import private key and digital certificate for a DiskStation:
- Go to Main Menu > Control Panel > DSM Settings, click the HTTP Service tab, and then click on Import Certificate.
- When an Import Certificate window appears, please click on Browse to locate your private key and digital certificate. Click OK to complete this import and your domain is now verified as a safe and trusted connection.
Note 4: The certificate is issued by your certification authority (e.g. StartSSL) as the last step in the application process.
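To confirm the result from a client once the certificate is imported, the following added example (not Synology's code) checks the two things this article configures: that port 5000 redirects to HTTPS, and that port 5001 presents a certificate a browser would verify. It assumes the ports named above and that the redirect's Location header names the HTTPS port; `nas.example.com` is a placeholder for your registered domain name.

```python
import http.client
import socket
import ssl
from urllib.parse import urlsplit

REDIRECT_CODES = (301, 302, 303, 307, 308)


def redirect_is_secure(status, location, host, https_port=5001):
    """True if an HTTP response sends the client to HTTPS on the same host and port."""
    if status not in REDIRECT_CODES or not location:
        return False
    try:
        url = urlsplit(location)
        port = url.port or 443          # no explicit port means the HTTPS default
    except ValueError:                  # malformed Location header
        return False
    return (url.scheme == "https" and port == https_port
            and (url.hostname or "").lower() == host.lower())


def check_redirect(host, http_port=5000, https_port=5001, timeout=5):
    """Request / on the plain-HTTP port and report whether it redirects to HTTPS."""
    conn = http.client.HTTPConnection(host, http_port, timeout=timeout)
    try:
        conn.request("GET", "/")
        resp = conn.getresponse()
        return redirect_is_secure(resp.status, resp.getheader("Location"), host, https_port)
    finally:
        conn.close()


def check_certificate(host, port=5001, timeout=5):
    """Return (verified, detail), validating chain and host name as a browser does."""
    ctx = ssl.create_default_context()  # system trust store, host name checking on
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return True, "valid until " + tls.getpeercert()["notAfter"]
    except ssl.SSLCertVerificationError as exc:
        return False, exc.verify_message  # e.g. self-signed or wrong host name
    except OSError as exc:
        return False, "connection failed: %s" % exc


if __name__ == "__main__":
    nas = "nas.example.com"  # placeholder: use your registered domain name
    print("HTTP redirects to HTTPS:", check_redirect(nas))
    print("Certificate verified:   ", check_certificate(nas))
```

A `False` result from `check_certificate` with a verification message corresponds to the browser warning described above: the session would be encrypted, but the server's identity is not confirmed.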