Overview
This article describes a scenario where ONLYOFFICE DocSpace on-premise is reachable directly via its internal HTTP address (e.g. http://192.168.x.x:80) but the login page fails to load when accessed through an HTTPS reverse proxy — specifically the built-in Nginx reverse proxy in Synology DiskStation Manager (DSM). The same underlying cause and fix apply to any Nginx-based reverse proxy performing SSL termination.
Symptom
- Accessing DocSpace directly at
http://192.168.x.x:80displays the login page correctly. - Accessing DocSpace via the Synology reverse proxy at
https://your-domain.synology.medoes not show the login page — the page either fails to load, is blank, or redirects incorrectly.
Root Cause
When the Synology DSM reverse proxy terminates SSL and forwards requests to DocSpace over plain HTTP, DocSpace does not automatically know the original protocol (https) or the public hostname used by the browser. Without this information, DocSpace cannot construct correct redirect URLs or serve the login page properly.
As documented in the ONLYOFFICE proxy configuration guide, forwarded HTTP headers must be configured to keep client information intact while requests pass through the proxy. Specifically, two headers are required: X-Forwarded-Proto and X-Forwarded-Host.
Solution: Add Required Custom Headers in Synology DSM
The Synology DSM reverse proxy (which uses Nginx natively) must be configured to forward the following two headers to DocSpace:
| Header Name | Value |
|---|---|
| X-Forwarded-Proto | https |
| X-Forwarded-Host | $host |
These headers tell DocSpace that the original client connection arrived over HTTPS and provide the correct public hostname.
Step-by-Step Instructions: Synology DSM Reverse Proxy
Step 1 — Open the Reverse Proxy settings
In DSM, navigate to Control Panel → Login Portal → Advanced tab → Reverse Proxy.
Step 2 — Edit the DocSpace reverse proxy rule
Select the existing rule that routes https://your-domain.synology.me (port 443) to http://192.168.x.x:80 and click Edit.
Step 3 — Open the Custom Header tab
In the rule editor dialog, switch to the Custom Header tab.
Step 4 — Add the two required forwarded headers
Click Create and add each of the following entries one at a time:
- Header Name:
X-Forwarded-Proto— Value:https - Header Name:
X-Forwarded-Host— Value:$host
Step 5 — Add WebSocket headers (strongly recommended)
Remaining on the Custom Header tab, click the dropdown arrow next to Create and select WebSocket. DSM will automatically insert the Upgrade and Connection headers required for real-time features in DocSpace.
Step 6 — Save the rule
Click Save. Synology DSM will automatically reload Nginx to apply the configuration changes.
Step 7 — Verify access
Open a browser and navigate to your DocSpace domain over HTTPS (e.g. https://your-domain.synology.me). The DocSpace login page should now load correctly.
For Manual Nginx Configurations (Non-Synology)
If you manage your Nginx configuration file directly, add the following directives inside the location / block of the relevant server block:
proxy_set_header X-Forwarded-Proto https;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";After saving, validate and reload the configuration:
nginx -t
nginx -s reloadIf the Issue Persists After Adding Headers
If the login page still does not load after applying the above steps:
1. Open the browser developer tools (F12) → Console tab while loading the HTTPS proxy URL. Check for errors such as mixed-content warnings or failed resource requests and share them with ONLYOFFICE Support.
2. Collect the DocSpace server logs and attach them to your support ticket for further analysis.
3. Confirm the reverse proxy rule correctly maps port 443 on the source to the DocSpace host on port 80 on the destination.
4. Verify no local firewall rule blocks the internal connection between the Synology NAS and the DocSpace host.
References
Comments
0 comments
Please sign in to leave a comment.