How Interesting...
July 26, 2021

QNAP - front your internet facing NAS with Cloudflare

Posted on July 26, 2021  •  5 minutes  • 1031 words

This article shows you how to front your QNAP’s public DDNS with Cloudflare, an enterprise-class edge network service. Using Cloudflare, even on the free tier, comes with a ton of benefits including:

Yet another feature we’ll use is to offload our responsibility for SSL certificate renewals to Cloudflare. If you’ve set up Let’s Encrypt, such as in my previous post, you’ll already know you need to manually renew this certificate every three months. Sure, it’s just a click of a button, but it’s annoyingly not automatable directly from the QNAP’s user interface. Cloudflare are their own certificate authority, which means we can replace this old process with one which automatically renews 🚀

Introduction

When this article was originally written, DNS Flattening, which allows you to host a canonical name (CNAME) at the root of a domain, was not yet available. Therefore I used a subdomain, which is a more traditional way of supporting a CNAME. Both ways should work and it’s up to you if you want your QNAP on a subdomain or at the root.

Before you begin

Before you start making changes, it’s worth knowing a few things.

Using Cloudflare in this way will only offer its benefits on your vanity domain, not on your DDNS myqnapcloud domain. If someone were to learn that address they could access it directly and skip Cloudflare. You could additionally set up some firewall rules in QuFirewall which only allow access from Cloudflare’s network, but those connections would still be received by the NAS, meaning DDoS attacks would still be possible. If I find a way to solve this problem, I’ll write a future post on how.

If you use your domain for multiple services

The following changes will affect all services or endpoints which you host on your custom vanity domain. For instance, if you have a vanity domain such as example.com and you currently host your QNAP on qnap.example.com but you also have a website on a subdomain such as blog.example.com, both will be affected. Once you configure Cloudflare, any existing SSL certificates will be overruled and become irrelevant. If you only intend to host your QNAP on your vanity domain, this warning is safe to ignore.

The process takes time

This process can take several hours to complete. DNS propagation takes time and you might end up debugging ghosts if you’re not careful. You will have limited and sometimes no access to your vanity domain until everything is finished. If you get something wrong you’ll have to resort to accessing your QNAP via your local IP address within your network until you resolve the issues, so it’s worth performing this work when you’re within the same network as your QNAP.

You may also need access to your domain registrar to make changes.

Preparing the NAS

Add Cloudflare access to QuFirewall

You may need to add Cloudflare to your firewall if you have one active, even if you only have basic protection selected. This is because Cloudflare is a North American company and your GeoIP blocking will prevent any access unless you’re in North America. We’ll continue to use QuFirewall as your DDNS domain will not be directly protected.

Cloudflare’s IP ranges can be found here:
https://www.cloudflare.com/en-gb/ips/

We will need to add them all to the firewall’s allow list.

Editing your QuFirewall Profile

  1. Edit the active profile

  2. Click Add Rule and enter the first IPv4 address in the list as an IP Range. Select the correct Subnet Mask via the drop-down.

  3. Click Apply, then rinse and repeat for all IPv4 addresses in the list

  4. Once all of the IPv4 addresses have been added, ensure they sit above the deny all rule in the list. You can drag and drop to modify ordering

  5. Make sure you apply the changes
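
To save working out each subnet mask by hand, here is an added example (not part of the original post) that turns a pasted list of CIDR ranges into the address, prefix length and dotted mask for each rule, and checks whether a source address seen in a connection log falls inside the allow list. The ranges and source addresses are constructed placeholders and the function names are my own; paste the current list from the Cloudflare page above. Whether the QuFirewall drop-down shows prefix lengths or dotted masks is an assumption, so both are returned.

```python
import ipaddress

# Constructed placeholder ranges (documentation/benchmark address space).
# Replace with the current list from https://www.cloudflare.com/en-gb/ips/
SAMPLE_RANGES = """
198.18.0.0/15
192.0.2.0/24
203.0.113.128/25
# comment lines and blank lines are ignored
198.51.100.77/26
"""

def parse_ranges(text):
    """Return (networks, warnings). Entries with host bits set are normalised and reported."""
    networks, warnings = [], []
    for line in text.splitlines():
        entry = line.strip()
        if not entry or entry.startswith("#"):
            continue
        net = ipaddress.ip_network(entry, strict=False)
        if net.version != 4:
            continue  # the steps above only add IPv4 ranges
        if str(net) != entry:
            warnings.append(f"{entry} normalised to {net}")
        networks.append(net)
    return networks, warnings

def firewall_rows(networks):
    """(start address, prefix length, dotted subnet mask) for each allow rule."""
    return [(str(n.network_address), n.prefixlen, str(n.netmask)) for n in networks]

def is_allowed_source(ip, networks):
    """True if a connection's source address falls inside an allow-listed range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in networks)

if __name__ == "__main__":
    nets, warns = parse_ranges(SAMPLE_RANGES)
    for start, prefix, mask in firewall_rows(nets):
        print(f"{start:<16} /{prefix:<3} {mask}")
    for w in warns:
        print("warning:", w)
    # Constructed source addresses, standing in for entries from a NAS connection log
    for src in ("198.19.4.2", "203.0.113.5"):
        print(src, "allowed" if is_allowed_source(src, nets) else "not in allow list")
```

Any source address reported as not in the allow list reached the NAS without passing through the ranges you added, which is what a direct hit on the DDNS address would look like.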

Setting Up Cloudflare

  1. Create a Cloudflare account here if you do not have one already and sign in: https://dash.cloudflare.com/sign-up

  2. Add the custom vanity domain you use for your QNAP using the Add a Site button. Don’t add your DDNS (qnap.myqnapcloud.com) here.

  3. Select the Free Account

  4. Let Cloudflare scan and add your existing DNS records. Once it’s populated them, click Add Record

  5. Fill out the following details:
    Type: select CNAME from the drop down menu
    Name: enter your subdomain here, e.g. qnap if you want to access your QNAP at qnap.yourdomain.com. If you just want to host your QNAP at the root of the domain, simply enter an @ symbol. What this does is “flatten” your domain to allow you to use a CNAME to your DDNS.
    Target: enter your QNAP DDNS domain here in full. Do this even if you’re using DNS flattening.
    A CNAME (canonical name) is an alias of another domain. This domain can be either another CNAME record, or a different domain, such as qnap.example.com.

  6. Change your nameservers as instructed by the next page. You’ll need to visit your Domain Registrar and update the name server records to point to the ones Cloudflare assign you. This bit can take a while as the DNS changes need to be propagated around the world.

  7. I recommend setting up security with the following settings to get you started. Cloudflare are adding new features all the time, so it’s a good idea to take a look around and experiment to see what works best for you.
    Automatic HTTPS Rewrites : ON
    Always use HTTPS : ON
    Auto Minify : JS, CSS, HTML
    Brotli : ON

  8. Check back in 24 hours. You may lose access to your QNAP if you have a firewall running such as QuFirewall. This will be because you have not yet added access to and from Cloudflare.

That’s it. All going well you should now have some of the added benefits of fronting your QNAP with Cloudflare.
