feat: Add Note Station proxy and fix iOS DS Note connection issues

- Add reverse proxy for Note Station (note.hyungi.net)
- Update SSL ciphers to Mozilla Intermediate for iOS compatibility
- Enable WebSocket and disable buffering for mobile app stability
- Add troubleshooting documentation for DS Note iOS errors
This commit is contained in:
hyungi
2026-01-14 15:03:17 +09:00
parent 00c8231925
commit 789de08f99
2 changed files with 124 additions and 43 deletions


@@ -9,23 +9,7 @@ events {
multi_accept on;
}
stream {
log_format basic '$remote_addr [$time_local] '
'$protocol $status $bytes_sent $bytes_received '
'$session_time';
access_log /var/log/nginx/stream.log basic;
upstream mac_screen_sharing {
server 192.168.1.122:5900;
}
server {
listen 5901;
proxy_pass mac_screen_sharing;
proxy_connect_timeout 60s;
proxy_timeout 300s;
}
}
http {
include /etc/nginx/mime.types;
@@ -118,8 +102,28 @@ http {
keepalive 16;
}
upstream news_backend {
server 192.168.1.227:8080;
upstream drive_backend {
server 192.168.1.227:10002;
keepalive 16;
}
upstream mailplus_backend {
server 192.168.1.227:21680;
keepalive 16;
}
upstream contacts_backend {
server 192.168.1.227:25555;
keepalive 16;
}
upstream calendar_backend {
server 192.168.1.227:20002;
keepalive 16;
}
upstream note_backend {
server 192.168.1.227:9350;
keepalive 16;
}
@@ -129,7 +133,7 @@ http {
# HTTP → HTTPS 리다이렉트
server {
listen 80;
server_name jellyfin.hyungi.net komga.hyungi.net webdav.hyungi.net ds1525.hyungi.net document.hyungi.net git.hyungi.net vault.hyungi.net news.hyungi.net;
server_name jellyfin.hyungi.net komga.hyungi.net webdav.hyungi.net ds1525.hyungi.net document.hyungi.net git.hyungi.net vault.hyungi.net link.hyungi.net mailplus.hyungi.net contacts.hyungi.net calendar.hyungi.net note.hyungi.net;
# Let's Encrypt 인증 경로
location /.well-known/acme-challenge/ {
@@ -154,7 +158,7 @@ http {
# SSL 보안 설정
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
@@ -205,7 +209,7 @@ http {
# SSL 보안 설정
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
@@ -262,7 +266,7 @@ http {
# SSL 보안 설정
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
@@ -331,7 +335,7 @@ http {
ssl_certificate_key /etc/nginx/ssl/live/hyungi.net/privkey_clean.pem;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;
client_max_body_size 0;
@@ -352,7 +356,7 @@ http {
ssl_certificate_key /etc/nginx/ssl/live/hyungi.net/privkey_clean.pem;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;
location / {
@@ -371,7 +375,7 @@ http {
ssl_certificate_key /etc/nginx/ssl/live/hyungi.net/privkey_clean.pem;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;
client_max_body_size 512M;
@@ -392,7 +396,7 @@ http {
ssl_certificate_key /etc/nginx/ssl/live/hyungi.net/privkey_clean.pem;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;
location / {
@@ -405,22 +409,32 @@ http {
}
}
# HTTPS 서버 - News (RSS)
# HTTPS 서버 - Synology Drive (Link)
server {
listen 443 ssl;
http2 on;
server_name news.hyungi.net;
server_name link.hyungi.net;
ssl_certificate /etc/nginx/ssl/live/hyungi.net/fullchain_clean.pem;
ssl_certificate_key /etc/nginx/ssl/live/hyungi.net/privkey_clean.pem;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;
# 보안 헤더 (HSTS 포함)
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
# 업로드 용량 제한 해제
client_max_body_size 0;
location / {
proxy_pass http://news_backend;
proxy_pass http://drive_backend;
include /etc/nginx/conf.d/security.conf;
# WebSocket 지원 (Connection 헤더 재정의)
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
}
@@ -434,19 +448,13 @@ http {
ssl_certificate_key /etc/nginx/ssl/live/hyungi.net/privkey_clean.pem;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;
client_max_body_size 100M;
location / {
# Assuming standard Synology MailPlus port or relying on DSM backend?
# Let's check proxy_service_map.md or trust standard 5000/5001 or separate port.
# Wait, commonly MailPlus uses standard web station ports or dedicated.
# I will use http://dsm_backend (5000) for now if unsure, or better yet, verify port.
# Actually, standard MailPlus runs on DSM ports unless customized.
# Let's use upstream dsm_backend for safety.
proxy_pass http://dsm_backend;
proxy_pass http://mailplus_backend;
include /etc/nginx/conf.d/security.conf;
}
}
@@ -461,11 +469,11 @@ http {
ssl_certificate_key /etc/nginx/ssl/live/hyungi.net/privkey_clean.pem;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;
location / {
proxy_pass http://dsm_backend;
proxy_pass http://contacts_backend;
include /etc/nginx/conf.d/security.conf;
}
}
@@ -480,12 +488,38 @@ http {
ssl_certificate_key /etc/nginx/ssl/live/hyungi.net/privkey_clean.pem;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;
location / {
proxy_pass http://dsm_backend;
proxy_pass http://calendar_backend;
include /etc/nginx/conf.d/security.conf;
}
}
# HTTPS 서버 - Note Station
server {
listen 443 ssl;
http2 on;
server_name note.hyungi.net;
ssl_certificate /etc/nginx/ssl/live/hyungi.net/fullchain_clean.pem;
ssl_certificate_key /etc/nginx/ssl/live/hyungi.net/privkey_clean.pem;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;
# 업로드 용량 제한 해제 (동기화 용)
client_max_body_size 0;
location / {
proxy_pass http://note_backend;
include /etc/nginx/conf.d/security.conf;
# WebSocket 지원 (Connection 헤더 재정의 - 모바일 앱 호환성)
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
}
}
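Review bot: The new Note Station `location /` block in the last hunk does not set `proxy_buffering off;`, although the commit message and the new troubleshooting document both describe buffering as disabled for this proxy; either add `proxy_buffering off;` after the `Connection "upgrade"` header or remove that claim from the document so the two do not disagree. The replacement `ssl_ciphers` line is repeated verbatim in the hunks at -154, -205, -262, -331, -352, -371, -392, -405, -434, -461 and -480, so moving the `ssl_protocols`/`ssl_ciphers`/`ssl_prefer_server_ciphers` trio into one snippet under `/etc/nginx/conf.d/` and including it from each server block would keep future cipher changes from drifting between vhosts. The old list contained two CBC suites (ECDHE-RSA-AES128-SHA256, ECDHE-RSA-AES256-SHA384) while the new Mozilla Intermediate list is AEAD-only, so this is not a relaxation of TLS security as the "too strict" wording in the document suggests; the DHE-RSA suites in the new list are only offered when `ssl_dhparam` is configured, which is not visible in these hunks. The Link server block adds `Strict-Transport-Security` explicitly but the new Note block does not; if `security.conf` does not already emit it, that `add_header` line should be copied into the Note block as well.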


@@ -0,0 +1,47 @@
# Synology DS Note (iOS) Connection Troubleshooting
## Issue
**Symptom**: Unable to connect to Synology Note Station via the DS Note iOS app using the Nginx reverse proxy.
**Error**: `A TLS error caused the secure connection to fail. (NSURLErrorDomain -1200)`
**Environment**: Nginx Reverse Proxy (Docker), Let's Encrypt SSL, Synology Note Station Backend (Port 9350).
## Root Cause
The default SSL configuration (`ssl_ciphers`) in the Nginx setup was set to **"High" security**, which is too restrictive for some mobile clients and specific iOS network stacks. The DS Note app requires a broader set of ciphers (specifically from the **Mozilla Intermediate** compatibility list) to successfully perform the SSL handshake.
Additionally, the mobile app requires **WebSocket** support and **Chunked Transfer Encoding** (buffering disabled) for stable sync and connectivity.
## Solution
### 1. Update SSL Ciphers (Crucial for iOS)
Change the `ssl_ciphers` directive in `nginx-ssl.conf` to the Mozilla Intermediate compatibility list.
**Before (Too Strict):**
```nginx
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384;
```
**After (Compatible):**
```nginx
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
```
### 2. Enable WebSocket & Disable Buffering
Ensure the following settings are present in the `location /` block for Note Station:
```nginx
location / {
proxy_pass http://note_backend;
include /etc/nginx/conf.d/security.conf;
# WebSocket Support (Required for mobile sync)
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
# Disable Buffering (Prevents timeouts/sync issues)
proxy_buffering off;
}
```
### 3. Usage
- **Address**: `https://note.hyungi.net` (or `note.hyungi.net:443` if app defaults to 5001)
- **HTTPS**: Checked