- Add reverse proxy for Note Station (note.hyungi.net)
- Update SSL ciphers to Mozilla Intermediate for iOS compatibility
- Enable WebSocket and disable buffering for mobile app stability
- Add troubleshooting documentation for DS Note iOS errors
Synology DS Note (iOS) Connection Troubleshooting
Issue
Symptom: Unable to connect to Synology Note Station via the DS Note iOS app using the Nginx reverse proxy.
Error: A TLS error caused the secure connection to fail. (NSURLErrorDomain -1200)
Environment: Nginx Reverse Proxy (Docker), Let's Encrypt SSL, Synology Note Station Backend (Port 9350).
Root Cause
The default SSL configuration (ssl_ciphers) in the Nginx setup was set to "High" security, which is too restrictive for some mobile clients and specific iOS network stacks. The DS Note app requires a broader set of ciphers (specifically from the Mozilla Intermediate compatibility list) to successfully perform the SSL handshake.
Additionally, the mobile app requires WebSocket support and Chunked Transfer Encoding (buffering disabled) for stable sync and connectivity.
Solution
1. Update SSL Ciphers (Crucial for iOS)
Change the ssl_ciphers directive in nginx-ssl.conf to the Mozilla Intermediate compatibility list.
Before (Too Strict):
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384;
After (Compatible):
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
2. Enable WebSocket & Disable Buffering
Ensure the following settings are present in the location / block for Note Station:
location / {
    proxy_pass http://note_backend;
    include /etc/nginx/conf.d/security.conf;

    # WebSocket Support (Required for mobile sync)
    # The upgrade needs HTTP/1.1 to the upstream (nginx proxies with HTTP/1.0 by default)
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";

    # Disable Buffering (Prevents timeouts/sync issues)
    proxy_buffering off;
}
3. Usage
- Address: https://note.hyungi.net (or note.hyungi.net:443 if app defaults to 5001)
- HTTPS: Checked
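To see what the cipher change in step 1 does to the handshake, the following added example (not part of the original commit or the project's configuration) parses both `ssl_ciphers` lines from this page and reports which suites can be negotiated with a given certificate key type. The certificate key type is an assumption passed in as a parameter, since the page does not say whether the Let's Encrypt certificate is RSA or ECDSA; the function names are hypothetical.

```python
import re

# The two ssl_ciphers values quoted in step 1 of this page.
BEFORE = ("ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:"
          "ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384;")
AFTER = ("ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
         "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
         "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
         "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;")

def parse_directive(line):
    """Return the suite names from one 'ssl_ciphers a:b:c;' line."""
    m = re.fullmatch(r"\s*ssl_ciphers\s+([^;]+);\s*", line)
    if not m:
        raise ValueError("not an ssl_ciphers directive")
    return [s for s in m.group(1).strip().split(":") if s]

def classify(suite):
    """Split an explicit OpenSSL suite name into key exchange, auth and AEAD flag."""
    parts = suite.split("-")
    if len(parts) < 3 or parts[0] not in ("ECDHE", "DHE"):
        # Keywords such as HIGH or !aNULL need OpenSSL itself to expand them.
        raise ValueError("only explicit ECDHE/DHE suite names are handled: " + suite)
    aead = "GCM" in parts or "CHACHA20" in parts  # otherwise CBC with HMAC
    return {"suite": suite, "kx": parts[0], "auth": parts[1], "aead": aead}

def audit(line, cert_key_type):
    """Report what a cipher list offers for a certificate of the given key type."""
    # ssl_ciphers governs TLS 1.2 and older; each suite names the signature
    # algorithm, so only suites matching the certificate key can be selected.
    suites = [classify(s) for s in parse_directive(line)]
    usable = [s["suite"] for s in suites if s["auth"] == cert_key_type]
    return {
        "auth_types": sorted({s["auth"] for s in suites}),
        "non_aead": [s["suite"] for s in suites if not s["aead"]],
        "usable_with_cert": usable,
        "handshake_possible": bool(usable),
    }

if __name__ == "__main__":
    for label, line in (("before", BEFORE), ("after", AFTER)):
        for key in ("RSA", "ECDSA"):  # assumed certificate key types
            print(label, key, audit(line, key))
```
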