Problem Description
When ONLYOFFICE DocSpace is installed on-premises and accessed directly via its internal IP and port (e.g., 192.168.x.x:80), the login page loads correctly. However, when accessed through a Synology NAS reverse proxy (which uses Nginx internally under DSM), the DocSpace login page does not display and the connection fails.
This is a common issue caused by missing forwarded HTTP headers in the reverse proxy configuration. Without these headers, DocSpace cannot correctly determine the original protocol and host used by the client, which causes redirect or rendering failures.
Root Cause
Synology DSM uses Nginx as its native reverse proxy engine. When HTTPS (port 443) is terminated at the Synology level and traffic is forwarded to the DocSpace server over HTTP (port 80), DocSpace does not receive the information about the original protocol (https) and original host. This causes DocSpace to generate incorrect internal links or fail to load its frontend properly.
The solution is to add the required forwarded headers to the Synology reverse proxy configuration.
Solution: Add Custom Headers in Synology DSM Reverse Proxy
Step 1 — Open the Reverse Proxy settings in DSM
Go to Control Panel → Login Portal → Advanced tab → Reverse Proxy.
Step 2 — Edit the existing reverse proxy rule for DocSpace
Select the rule that forwards traffic to your DocSpace server (e.g., HTTPS on port 443 → HTTP on 192.168.x.x:80) and click Edit.
Step 3 — Navigate to the Custom Header tab
In the rule editor, click the Custom Header tab.
Step 4 — Add the required headers
Click Create and add the following two headers:
| Header Name | Value |
|---|---|
| X-Forwarded-Proto | https |
| X-Forwarded-Host | $host |
These headers are required by ONLYOFFICE DocSpace so that it correctly identifies the external protocol and hostname being used by the client. See the ONLYOFFICE Docs behind the proxy documentation for background on why these headers are necessary.
Step 5 — (Optional but recommended) Enable WebSocket support
While in the Custom Header tab, click Create → WebSocket. DSM will automatically add the Upgrade and Connection headers needed for WebSocket support. This is required for ONLYOFFICE to function correctly over HTTPS.
Step 6 — Save and apply
Click Save to apply the changes. Synology DSM will automatically reload Nginx — no manual restart is needed.
Step 7 — Verify access
Open a browser and navigate to your DocSpace domain (e.g., https://onlyoffice.yourname.synology.me). The DocSpace login page should now load correctly.
Additional Notes
- Synology DSM natively uses Nginx as its reverse proxy. Custom headers are managed through the DSM graphical interface under Control Panel → Login Portal → Advanced → Reverse Proxy → Custom Header, without needing to manually edit Nginx config files.
- If WebSocket is not enabled, real-time features and document editing in DocSpace may not function correctly even after the login page becomes accessible.
- Ensure that your Synology NAS has a valid SSL certificate assigned to the DocSpace subdomain (a Synology DDNS wildcard certificate or a Let's Encrypt certificate both work).
- For reference on installing ONLYOFFICE Docs on Synology via Docker, see the official guide: Installing ONLYOFFICE Docs on Synology.
Environment
- Product: ONLYOFFICE DocSpace (on-premises)
- Reverse proxy: Synology DSM (Nginx-based, managed via Control Panel)
- Symptom: DocSpace login page not displayed when accessed through reverse proxy, works fine on direct LAN IP/port
Comments
0 comments
Please sign in to leave a comment.