diff --git a/nginx-ssl.conf b/nginx-ssl.conf index ec912bd..53f3132 100644 --- a/nginx-ssl.conf +++ b/nginx-ssl.conf @@ -9,23 +9,7 @@ events { multi_accept on; } -stream { - log_format basic '$remote_addr [$time_local] ' - '$protocol $status $bytes_sent $bytes_received ' - '$session_time'; - access_log /var/log/nginx/stream.log basic; - upstream mac_screen_sharing { - server 192.168.1.122:5900; - } - - server { - listen 5901; - proxy_pass mac_screen_sharing; - proxy_connect_timeout 60s; - proxy_timeout 300s; - } -} http { include /etc/nginx/mime.types; @@ -118,8 +102,28 @@ http { keepalive 16; } - upstream news_backend { - server 192.168.1.227:8080; + upstream drive_backend { + server 192.168.1.227:10002; + keepalive 16; + } + + upstream mailplus_backend { + server 192.168.1.227:21680; + keepalive 16; + } + + upstream contacts_backend { + server 192.168.1.227:25555; + keepalive 16; + } + + upstream calendar_backend { + server 192.168.1.227:20002; + keepalive 16; + } + + upstream note_backend { + server 192.168.1.227:9350; keepalive 16; } @@ -129,7 +133,7 @@ http { # HTTP → HTTPS 리다이렉트 server { listen 80; - server_name jellyfin.hyungi.net komga.hyungi.net webdav.hyungi.net ds1525.hyungi.net document.hyungi.net git.hyungi.net vault.hyungi.net news.hyungi.net; + server_name jellyfin.hyungi.net komga.hyungi.net webdav.hyungi.net ds1525.hyungi.net document.hyungi.net git.hyungi.net vault.hyungi.net link.hyungi.net mailplus.hyungi.net contacts.hyungi.net calendar.hyungi.net note.hyungi.net; # Let's Encrypt 인증 경로 location /.well-known/acme-challenge/ { 
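Review bot: The five new upstreams each end with `keepalive 16;`, but nginx only reuses cached upstream connections when the proxying location sends HTTP/1.1 with an empty Connection header (`proxy_http_version 1.1;` and `proxy_set_header Connection "";`); none of the location blocks in this diff set those, the Drive and Note locations instead force `Connection "upgrade"`, and whether the included `/etc/nginx/conf.d/security.conf` supplies them is not visible here. Without them every request opens a fresh backend connection and the `keepalive` line is inert. Confirm security.conf sets `proxy_http_version 1.1` or add it next to each `proxy_pass`. The `http {` block these upstreams live in starts and ends outside the hunk.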
@@ -154,7 +158,7 @@ http { # SSL 보안 설정 ssl_protocols TLSv1.2 TLSv1.3; - ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384; + ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; ssl_prefer_server_ciphers off; ssl_session_cache shared:SSL:10m; ssl_session_timeout 10m; @@ -205,7 +209,7 @@ http { # SSL 보안 설정 ssl_protocols TLSv1.2 TLSv1.3; - ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384; + ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; ssl_prefer_server_ciphers off; ssl_session_cache shared:SSL:10m; ssl_session_timeout 10m; @@ -262,7 +266,7 @@ http { # SSL 보안 설정 ssl_protocols TLSv1.2 TLSv1.3; - ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384; + ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; ssl_prefer_server_ciphers off; ssl_session_cache shared:SSL:10m; ssl_session_timeout 10m; 
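Review bot: The new cipher list ends with two `DHE-RSA-*` suites, but nginx offers DHE suites only when `ssl_dhparam` points at a parameter file; with no `ssl_dhparam` directive no parameters are set and those two entries are silently never negotiated, so either add `ssl_dhparam /path/to/dhparam.pem;` (placeholder path; the Mozilla intermediate profile this list comes from ships ffdhe2048 for it) or drop the two DHE suites so the list reflects what is actually offered. The same `ssl_ciphers` line is repeated verbatim in every following server-block hunk of this diff (-205, -262, -331, -352, -371, -392, -405, -434, -461, -480); since `ssl_protocols`, `ssl_ciphers` and `ssl_prefer_server_ciphers` are inherited from the `http` context, hoisting the three directives there once would let the next cipher change touch one line instead of a dozen. The server blocks these lines sit in start and end outside the hunks.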
@@ -331,7 +335,7 @@ http { ssl_certificate_key /etc/nginx/ssl/live/hyungi.net/privkey_clean.pem; ssl_protocols TLSv1.2 TLSv1.3; - ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384; + ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; ssl_prefer_server_ciphers off; client_max_body_size 0; @@ -352,7 +356,7 @@ http { ssl_certificate_key /etc/nginx/ssl/live/hyungi.net/privkey_clean.pem; ssl_protocols TLSv1.2 TLSv1.3; - ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384; + ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; ssl_prefer_server_ciphers off; location / { @@ -371,7 +375,7 @@ http { ssl_certificate_key /etc/nginx/ssl/live/hyungi.net/privkey_clean.pem; ssl_protocols TLSv1.2 TLSv1.3; - ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384; + ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; ssl_prefer_server_ciphers off; client_max_body_size 512M; 
@@ -392,7 +396,7 @@ http { ssl_certificate_key /etc/nginx/ssl/live/hyungi.net/privkey_clean.pem; ssl_protocols TLSv1.2 TLSv1.3; - ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384; + ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; ssl_prefer_server_ciphers off; location / { @@ -405,22 +409,32 @@ http { } } - # HTTPS 서버 - News (RSS) + # HTTPS 서버 - Synology Drive (Link) server { listen 443 ssl; http2 on; - server_name news.hyungi.net; + server_name link.hyungi.net; ssl_certificate /etc/nginx/ssl/live/hyungi.net/fullchain_clean.pem; ssl_certificate_key /etc/nginx/ssl/live/hyungi.net/privkey_clean.pem; ssl_protocols TLSv1.2 TLSv1.3; - ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384; + ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; ssl_prefer_server_ciphers off; + + # 보안 헤더 (HSTS 포함) + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; + + # 업로드 용량 제한 해제 + client_max_body_size 0; location / { - proxy_pass http://news_backend; + proxy_pass http://drive_backend; include /etc/nginx/conf.d/security.conf; + + # WebSocket 지원 (Connection 헤더 재정의) + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; } } 
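Review bot: In the Drive server block's `location /`, `proxy_set_header Connection "upgrade";` is unconditional, so every ordinary HTTP request reaches `drive_backend` with `Connection: upgrade` but no `Upgrade` header; that is not a valid upgrade request, it defeats the `keepalive 16` reuse declared on the upstream, and some backends reject or stall on it. The standard fix is a `map` on `$http_upgrade` in the `http` context that yields `upgrade` only when the client actually asked for one and `close` otherwise, together with `proxy_http_version 1.1;`, which WebSocket proxying needs and which is not visible here unless `security.conf` provides it; the same pattern is added to the Note Station block in the hunk at -480. Separately, the server-level `add_header Strict-Transport-Security … always;` is inherited into `location /` only if `security.conf` adds no `add_header` of its own — if it does, HSTS will be absent from proxied responses, so that include is worth checking.
```nginx
# in the http {} context, next to the upstream blocks
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

# … unchanged: server block, ssl_* directives, HSTS header, client_max_body_size …
        location / {
            proxy_pass http://drive_backend;
            include /etc/nginx/conf.d/security.conf;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection $connection_upgrade;
        }
```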
@@ -434,19 +448,13 @@ http { ssl_certificate_key /etc/nginx/ssl/live/hyungi.net/privkey_clean.pem; ssl_protocols TLSv1.2 TLSv1.3; - ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384; + ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; ssl_prefer_server_ciphers off; client_max_body_size 100M; location / { - # Assuming standard Synology MailPlus port or relying on DSM backend? - # Let's check proxy_service_map.md or trust standard 5000/5001 or separate port. - # Wait, commonly MailPlus uses standard web station ports or dedicated. - # I will use http://dsm_backend (5000) for now if unsure, or better yet, verify port. - # Actually, standard MailPlus runs on DSM ports unless customized. - # Let's use upstream dsm_backend for safety. - proxy_pass http://dsm_backend; + proxy_pass http://mailplus_backend; include /etc/nginx/conf.d/security.conf; } } @@ -461,11 +469,11 @@ http { ssl_certificate_key /etc/nginx/ssl/live/hyungi.net/privkey_clean.pem; ssl_protocols TLSv1.2 TLSv1.3; - ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384; + ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; ssl_prefer_server_ciphers off; location / { - proxy_pass http://dsm_backend; + proxy_pass http://contacts_backend; include /etc/nginx/conf.d/security.conf; } } 
@@ -480,12 +488,38 @@ http { ssl_certificate_key /etc/nginx/ssl/live/hyungi.net/privkey_clean.pem; ssl_protocols TLSv1.2 TLSv1.3; - ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384; + ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; ssl_prefer_server_ciphers off; - location / { - proxy_pass http://dsm_backend; + location / { + proxy_pass http://calendar_backend; include /etc/nginx/conf.d/security.conf; } } + + # HTTPS 서버 - Note Station + server { + listen 443 ssl; + http2 on; + server_name note.hyungi.net; + + ssl_certificate /etc/nginx/ssl/live/hyungi.net/fullchain_clean.pem; + ssl_certificate_key /etc/nginx/ssl/live/hyungi.net/privkey_clean.pem; + + ssl_protocols TLSv1.2 TLSv1.3; + ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; + ssl_prefer_server_ciphers off; + + # 업로드 용량 제한 해제 (동기화 용) + client_max_body_size 0; + + location / { + proxy_pass http://note_backend; + include /etc/nginx/conf.d/security.conf; + + # WebSocket 지원 (Connection 헤더 재정의 - 모바일 앱 호환성) + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + } + } } diff --git a/troubleshooting/ds-note-ios-fix.md b/troubleshooting/ds-note-ios-fix.md new file mode 100644 index 0000000..0e45ee8 --- /dev/null +++ b/troubleshooting/ds-note-ios-fix.md 
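Review bot: The new Note Station `location /` omits `proxy_buffering off;`, yet the troubleshooting note added in this same commit (`troubleshooting/ds-note-ios-fix.md`) lists it as required for stable DS Note sync alongside the WebSocket headers — config and documentation disagree, so either add `proxy_buffering off;` after the `Connection` header or correct the document. The unconditional `proxy_set_header Connection "upgrade";` here has the same problem as in the Drive block (hunk at -405): plain requests reach `note_backend` carrying an upgrade header they did not ask for and upstream keepalive is lost; prefer `proxy_set_header Connection $connection_upgrade;` driven by a `map $http_upgrade $connection_upgrade` in the `http` context. `client_max_body_size 0;` removes the request-body cap entirely on an Internet-facing vhost; if sync genuinely needs unbounded uploads, pairing it with an explicit `client_body_timeout` keeps stalled uploads from pinning workers indefinitely.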
@@ -0,0 +1,47 @@ +# Synology DS Note (iOS) Connection Troubleshooting + +## Issue +**Symptom**: Unable to connect to Synology Note Station via the DS Note iOS app using the Nginx reverse proxy. +**Error**: `A TLS error caused the secure connection to fail. (NSURLErrorDomain -1200)` +**Environment**: Nginx Reverse Proxy (Docker), Let's Encrypt SSL, Synology Note Station Backend (Port 9350). + +## Root Cause +The default SSL configuration (`ssl_ciphers`) in the Nginx setup was set to **"High" security**, which is too restrictive for some mobile clients and specific iOS network stacks. The DS Note app requires a broader set of ciphers (specifically from the **Mozilla Intermediate** compatibility list) to successfully perform the SSL handshake. + +Additionally, the mobile app requires **WebSocket** support and **Chunked Transfer Encoding** (buffering disabled) for stable sync and connectivity. + +## Solution + +### 1. Update SSL Ciphers (Crucial for iOS) +Change the `ssl_ciphers` directive in `nginx-ssl.conf` to the Mozilla Intermediate compatibility list. + +**Before (Too Strict):** +```nginx +ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384; +``` + +**After (Compatible):** +```nginx +ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; +``` + +### 2. Enable WebSocket & Disable Buffering +Ensure the following settings are present in the `location /` block for Note Station: + +```nginx +location / { + proxy_pass http://note_backend; + include /etc/nginx/conf.d/security.conf; + + # WebSocket Support (Required for mobile sync) + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + + # Disable Buffering (Prevents timeouts/sync issues) + proxy_buffering off; +} +``` + +### 3. 
Usage +- **Address**: `https://note.hyungi.net` (or `note.hyungi.net:443` if app defaults to 5001) +- **HTTPS**: Checked