System:Components
# Key Components

This document describes the key components of the reverse proxy system.

## Nginx Reverse Proxy

Purpose: Acts as the entry point for all web traffic, handling SSL termination and request forwarding.

Configuration Locations:
- Available Configs: /etc/nginx/sites-available/
- Enabled Configs: /etc/nginx/sites-enabled/ (symlinks to sites-available)

Key Features:
- SSL/TLS termination
- HTTP to HTTPS redirects
- Proxy header forwarding
- WebSocket support
- Request routing based on hostname
## Proxy Headers

Nginx forwards important headers so the backend still sees the original client information:
- Host: Preserves the original host header
- X-Real-IP: Client's real IP address
- X-Forwarded-For: Chain of client and proxy addresses (for multi-proxy scenarios)
- X-Forwarded-Proto: Original protocol (http/https)
- Upgrade & Connection: For WebSocket support
## SSL/TLS Certificates

Provider: Let's Encrypt (free SSL certificates)

Management: Certbot (automatic renewal every 90 days)

Certificate Storage: /etc/letsencrypt/live/[domain]/

Features:
- Automatic renewal via cron/systemd timer
- Wildcard or single-domain certificates
- HTTPS enforcement (HTTP redirects to HTTPS)
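The following site configuration is an added example, not the project's own file, showing how the features above (HTTP to HTTPS redirect, Let's Encrypt certificate paths, proxy header forwarding, WebSocket upgrade and routing a hostname to a service on the NAS over the VPN) fit together in one sites-available entry. The hostname nas.example.com and the backend port 5000 on 10.8.0.2 are assumptions.

```nginx
# Added example: /etc/nginx/sites-available/nas.example.com (hostname and backend port assumed)

# Map the client's Upgrade header to the Connection value the backend expects;
# plain HTTP requests get "close", WebSocket handshakes get "upgrade".
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

# Plain HTTP: redirect everything to HTTPS (HTTPS enforcement)
server {
    listen 80;
    listen [::]:80;
    server_name nas.example.com;
    return 301 https://$host$request_uri;
}

# HTTPS: TLS terminates here, traffic to the NAS travels inside the VPN tunnel
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name nas.example.com;

    # Certbot-managed certificate under /etc/letsencrypt/live/[domain]/
    ssl_certificate     /etc/letsencrypt/live/nas.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/nas.example.com/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;

    location / {
        # Backend reached through the VPN (VPN client address of the NAS)
        proxy_pass http://10.8.0.2:5000;
        proxy_http_version 1.1;

        # Preserve client information for the backend
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # WebSocket support
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
    }
}
```

Because $proxy_add_x_forwarded_for appends $remote_addr to whatever X-Forwarded-For the client sent, the backend should treat only the last (rightmost) address as trustworthy and verify the file with nginx -t before creating the sites-enabled symlink.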
## OpenVPN Tunnel

Purpose: Creates a secure, encrypted tunnel between the VPS and Synology NAS.

Network Details:
- VPN Server: VPS (10.8.0.1)
- VPN Client: Synology NAS (10.8.0.2)
- Network Range: 10.8.0.0/24

Security:
- Encrypted traffic between VPS and NAS
- NAS not directly exposed to the internet
- Internal services accessible only via VPN
## Firewall and Routing

iptables Rules:
- NAT Rules: Port forwarding for direct TCP connections
- MASQUERADE: Enables VPN clients to access the internet through the VPS
- FORWARD Rules: Controls traffic between the VPN and internal networks
## Related Documentation

- [Network Architecture](network-architecture.md) - Network topology
- [Security Architecture](security.md) - Security features
- [OpenVPN Server](index.md) - VPN configuration