System:Security
Security Architecture
This document describes the security architecture of the reverse proxy system.
Defense in Depth
The system uses multiple layers of security:
Public Layer: Nginx with SSL/TLS encryption
VPN Layer: Encrypted tunnel between VPS and NAS
Internal Layer: Services only accessible via VPN
Certificate Security: Automatic renewal prevents expired certificates
Security Benefits
- No Direct Exposure: Synology NAS is not directly accessible from the internet
- Encrypted Traffic: All public traffic uses HTTPS
- Isolated Network: Internal services communicate over VPN
- Certificate Management: Automatic SSL certificate renewal
Security Components
SSL/TLS Encryption
- All public-facing traffic uses HTTPS
- Let's Encrypt certificates automatically renew
- HTTP traffic is redirected to HTTPS
VPN Encryption
- OpenVPN provides encrypted tunnel between VPS and NAS
- All internal traffic is encrypted through VPN
- Certificate-based authentication for VPN clients
Network Isolation
- Internal services only accessible via VPN
- No direct internet exposure of Synology NAS
- Firewall rules control traffic flow
Related Documentation
- [Network Architecture](network-architecture.md) - Network topology
- [Key Components](components.md) - Component details
- [OpenVPN Server](index.md) - VPN security configuration