System:Components

From jb-vpn.uk Wiki
Revision as of 13:28, 1 January 2026 by Josh (talk | contribs) (Minor update - configuration guide: Key Components (6 sections))

Key Components

This document describes the key components of the reverse proxy system.

Nginx Reverse Proxy

Purpose: Acts as the entry point for all web traffic, handling SSL termination and request forwarding.

Configuration Locations:

  • Available Configs: /etc/nginx/sites-available/
  • Enabled Configs: /etc/nginx/sites-enabled/ (symlinks to sites-available)

Key Features:

  • SSL/TLS termination
  • HTTP to HTTPS redirects
  • Proxy header forwarding
  • WebSocket support
  • Request routing based on hostname

Proxy Headers

Nginx forwards important headers to maintain client information:

  • Host: Preserves the original host header
  • X-Real-IP: Client's real IP address
  • X-Forwarded-For: Chain of client and proxy addresses (for multi-proxy scenarios)
  • X-Forwarded-Proto: Original protocol (http/https)
  • Upgrade & Connection: For WebSocket support
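
A site file that combines the features and headers listed above, as an added example rather than this system's actual configuration. The hostname app.example.com, the backend port 8080 and the file name are placeholders; the certificate path layout and the NAS VPN address 10.8.0.2 are the ones documented on this page.

```nginx
# /etc/nginx/sites-available/app.example.com  (placeholder name)
# Enable by symlinking into /etc/nginx/sites-enabled/.

# Connection header for the backend: "upgrade" on WebSocket handshakes,
# "close" otherwise. Define this map once, in the http context.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

# HTTP to HTTPS redirect
server {
    listen 80;
    server_name app.example.com;
    return 301 https://$host$request_uri;
}

# TLS termination and hostname-based routing to the NAS over the VPN
server {
    listen 443 ssl;
    server_name app.example.com;

    ssl_certificate     /etc/letsencrypt/live/app.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/app.example.com/privkey.pem;

    location / {
        proxy_pass http://10.8.0.2:8080;   # NAS VPN address; port is assumed
        proxy_http_version 1.1;            # required for WebSocket upgrade

        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        # Appends this hop to whatever X-Forwarded-For the client sent.
        # Entries to the left of the last one are client-supplied, so the
        # backend should trust only the right-most address (or X-Real-IP).
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Upgrade           $http_upgrade;
        proxy_set_header Connection        $connection_upgrade;
    }
}
```

Run `nginx -t` before reloading so a syntax error does not take the entry point down.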

SSL/TLS Certificates

Provider: Let's Encrypt (free SSL certificates)

Management: Certbot (automatic renewal every 90 days)

Certificate Storage: /etc/letsencrypt/live/[domain]/

Features:

  • Automatic renewal via cron/systemd timer
  • Wildcard or single-domain certificates
  • HTTPS enforcement (HTTP redirects to HTTPS)

OpenVPN Tunnel

Purpose: Creates a secure, encrypted tunnel between the VPS and Synology NAS.

Network Details:

  • VPN Server: VPS (10.8.0.1)
  • VPN Client: Synology NAS (10.8.0.2)
  • Network Range: 10.8.0.0/24

Security:

  • Encrypted traffic between VPS and NAS
  • NAS not directly exposed to internet
  • Internal services accessible only via VPN

Firewall and Routing

iptables Rules:

  • NAT Rules: Port forwarding for direct TCP connections
  • MASQUERADE: Enables VPN clients to access internet through VPS
  • FORWARD Rules: Controls traffic between VPN and internal networks

See Also:

  • [Network Architecture](network-architecture.md) - Network topology
  • [Security Architecture](security.md) - Security features
  • [OpenVPN Server](index.md) - VPN configuration