Free ports 80 and 443 on Synology NAS

free_ports.sh

#! /bin/bash

# NEWLY ADDED BACKUP FUNCTIONALITY IS NOT FULLY TESTED YET, USE WITH CARE, ESPECIALLY DELETION
# Developed for DSM 6. Not tested on other versions.
# Steps to install
# Save this script in one of your shares
# Backup /usr/syno/share/nginx/ as follows:
# # cd /usr/syno/share/
# # tar cvf ~/nginx.tar nginx
# Run this script as root
# Reboot and ensure everything is still working
# If not, restore the backup and post a comment on this script's gist page
# If it did, schedule it to run at boot
#   through Control Panel -> Task Scheduler

HTTP_PORT=81
HTTPS_PORT=444

BACKUP_FILES=true # change to false to disable backups
BACKUP_DIR=/volume1/apps/free_ports/backup
DELETE_OLD_BACKUPS=false # change to true to automatically delete old backups.
KEEP_BACKUP_DAYS=30
CURRENT_BACKUP_DIR="$BACKUP_DIR/$DATE"

DATE=$(date +%Y-%m-%d-%H-%M-%S)

if [ "$BACKUP_FILES" == "true" ]; then
  mkdir -p "$CURRENT_BACKUP_DIR"
  cp /usr/syno/share/nginx/*.mustache "$CURRENT_BACKUP_DIR"
fi

if [ "$DELETE_OLD_BACKUPS" == "true" ]; then
  find "$BACKUP_DIR/" -type d -mtime +$KEEP_BACKUP_DAYS -exec rm -r {} \;
fi

sed -i "s/^\([ \t]\+listen[ \t]\+[]:[]*\)80\([^0-9]\)/\1$HTTP_PORT\2/" /usr/syno/share/nginx/*.mustache
sed -i "s/^\([ \t]\+listen[ \t]\+[]:[]*\)443\([^0-9]\)/\1$HTTPS_PORT\2/" /usr/syno/share/nginx/*.mustache

echo "Made these changes:"

diff /usr/syno/share/nginx/ $CURRENT_BACKUP_DIR 2>&1 | tee $CURRENT_BACKUP_DIR/changes.log

Thanks!

Thanks for the great script

If you want to change the port variables to something that includes the old port say

1080 and 1443

You can use something like this to not append the same prefix each run
The first run it will turn 80 into 1080, but the second time it will turn 1080 into 101080
Same with 443 -> 1443 -> 11443 and so on

#!/bin/bash

# Save this script in one of your shares and schedule it to run as root at boot
#   through Control Panel -> Task Scheduler
# DSM upgrades will reset these changes, which is why we schedule them to happen automatically
# Set the variables below if you want to customise the ports which DSM will listen on instead
# NOTE: These ports are used for some services, e.g. Photo Station

HTTP_PORT=80
HTTP_PATCH_PORT=1080

HTTPS_PORT=443
HTTPS_PATCH_PORT=1443

sed -i "s/^\( *listen .*\)$HTTP_PATCH_PORT/\1$HTTP_PORT/" /usr/syno/share/nginx/*.mustache
sed -i "s/^\( *listen .*\)$HTTP_PORT/\1$HTTP_PATCH_PORT/" /usr/syno/share/nginx/*.mustache

sed -i "s/^\( *listen .*\)$HTTPS_PATCH_PORT/\1$HTTPS_PORT/" /usr/syno/share/nginx/*.mustache
sed -i "s/^\( *listen .*\)$HTTPS_PORT/\1$HTTPS_PATCH_PORT/" /usr/syno/share/nginx/*.mustache

port 101080

Wait. That's illegal.

Hi @hjbotha, thanks for the script.
Unfortunately since the last update, the script didn't works more.
Do you know why?

Apologies for the edit spam. I made some adjustments to the script to account for ports which contain 80/443. I ran into some bother editing and my mustache files may not be quite the same as they are by default so please use caution and take backups before trying out the new script.

@croghostrider, I've updated to DSM 6.2.2-24922 Update 2 and I don't see anything different. What's it doing on your system?

I am on the same version, Nginx occupies port 80

@NAS:/$ sudo netstat -ltnp | grep -w ':80'
Password:
tcp6       0      0 :::80                   :::*                    LISTEN      11992/nginx: master

if I try to load the webpage I see in Chrome:

400 Bad Request
Request Header Or Cookie Too Large
nginx

with grep I found in the file /etc/nginx/app.d/server.ReverseProxy.conf

server {
    listen 80 default_server;
    listen [::]:80 default_server;

but if I change the ports restart Nginx and check the file again, the port is back on 80.

The nginx server configuration file gets rebuilt from the mustache templates each time it's restarted so that's expected.

What do you get from this?
grep 80 /usr/syno/share/nginx/*.mustache

Also, on the NAS, go to Control Panel -> Application Portal -> Reverse Proxy. Do you have a reverse proxy configured to listen on 80 there? Cos I think that's what that config file might be for, so it would be behaving as expected.

Thank you, that's the problem.

With this script is possible to redirect the access from DSM from port 5001 to 443?

port 101080

Wait. That's illegal.

Sorry for the late answer @lesha-co
But that is correct and will also crash your system

Does someone have a backup file for me? I messed up and forgot to make the backup... Now my dsm is telling me, that there are some problems and i cant access through https anymore

Adding:
sudo synoservicecfg --restart nginx
Will save you from rebooting the whole NAS :)

THANK YOU 🙌. The longer I kept googling, the more I came across comments from others saying it took them way too long to figure their config out. Must've meant I was getting closer 😅

Thank you for this script!

You mentioned in it that the backups weren't 100%. The ONLY thing that was off a little was your folder structures for backup directory and delete old backup directories, as you added traefik to the latter:

BACKUP_DIR=/volume1/apps/free_ports/backup
DELETE_OLD_BACKUPS=/volume1/apps/traefik/backup_free_ports

Cheers, removed the hard-coding.
$DELETE_OLD_BACKUPS is meant to be set to "true" or "false". Old files will be deleted from $BACKUP_DIR.

Add this at the end of the script to apply the changes without restarting the nas

synoservicectl --restart nginx

DATE should be:
DATE=$(date +%Y-%m-%d-%H-%M-%S)

@remogloor thanks, fixed the date.

I'll leave out the restart because I think it's best to reboot after implementation to make sure it works. People can run that manually if they're so inclined.

After running this script it seems like nginx is still trying to listen on port 80. Here's the output from /var/log/nginx/error_default.log

2021/02/03 18:51:29 [emerg] 16536#16536: invalid number of arguments in "listen" directive in /etc/nginx/nginx.conf:180
2021/02/03 18:51:29 [emerg] 16539#16539: bind() to 0.0.0.0:80 failed (98: Address already in use)
2021/02/03 18:51:29 [emerg] 16539#16539: bind() to [::]:80 failed (98: Address already in use)
2021/02/03 18:51:29 [emerg] 16539#16539: bind() to 0.0.0.0:80 failed (98: Address already in use)
2021/02/03 18:51:29 [emerg] 16539#16539: bind() to [::]:80 failed (98: Address already in use)
2021/02/03 18:51:29 [emerg] 16539#16539: bind() to 0.0.0.0:80 failed (98: Address already in use)
2021/02/03 18:51:29 [emerg] 16539#16539: bind() to [::]:80 failed (98: Address already in use)
2021/02/03 18:51:29 [emerg] 16539#16539: bind() to 0.0.0.0:80 failed (98: Address already in use)
2021/02/03 18:51:29 [emerg] 16539#16539: bind() to [::]:80 failed (98: Address already in use)
2021/02/03 18:51:29 [emerg] 16539#16539: bind() to 0.0.0.0:80 failed (98: Address already in use)
2021/02/03 18:51:29 [emerg] 16539#16539: bind() to [::]:80 failed (98: Address already in use)
2021/02/03 18:51:29 [emerg] 16539#16539: still could not bind()

Is there somewhere else where I have to change the listen port?

After running this script it seems like nginx is still trying to listen on port 80. Here's the output from /var/log/nginx/error_default.log

2021/02/03 18:51:29 [emerg] 16536#16536: invalid number of arguments in "listen" directive in /etc/nginx/nginx.conf:180
2021/02/03 18:51:29 [emerg] 16539#16539: bind() to 0.0.0.0:80 failed (98: Address already in use)
2021/02/03 18:51:29 [emerg] 16539#16539: bind() to [::]:80 failed (98: Address already in use)
2021/02/03 18:51:29 [emerg] 16539#16539: bind() to 0.0.0.0:80 failed (98: Address already in use)
2021/02/03 18:51:29 [emerg] 16539#16539: bind() to [::]:80 failed (98: Address already in use)
2021/02/03 18:51:29 [emerg] 16539#16539: bind() to 0.0.0.0:80 failed (98: Address already in use)
2021/02/03 18:51:29 [emerg] 16539#16539: bind() to [::]:80 failed (98: Address already in use)
2021/02/03 18:51:29 [emerg] 16539#16539: bind() to 0.0.0.0:80 failed (98: Address already in use)
2021/02/03 18:51:29 [emerg] 16539#16539: bind() to [::]:80 failed (98: Address already in use)
2021/02/03 18:51:29 [emerg] 16539#16539: bind() to 0.0.0.0:80 failed (98: Address already in use)
2021/02/03 18:51:29 [emerg] 16539#16539: bind() to [::]:80 failed (98: Address already in use)
2021/02/03 18:51:29 [emerg] 16539#16539: still could not bind()

Is there somewhere else where I have to change the listen port?

Shouldn't be... Here's line 180 of my nginx.conf:
listen 5001 default_server ssl;

What does yours look like?

same here. i use DSM 6.1.5-15254. Port change for 443 works fine but change Port 80 is not working

no way to do this.

changing ports work. I can use them and old ports doesn't work, but if i want to use old ports in a docker container it says that they are in use...

Any thoughts?

After running this script it seems like nginx is still trying to listen on port 80. Here's the output from /var/log/nginx/error_default.log

2021/02/03 18:51:29 [emerg] 16536#16536: invalid number of arguments in "listen" directive in /etc/nginx/nginx.conf:180
2021/02/03 18:51:29 [emerg] 16539#16539: bind() to 0.0.0.0:80 failed (98: Address already in use)
2021/02/03 18:51:29 [emerg] 16539#16539: bind() to [::]:80 failed (98: Address already in use)
2021/02/03 18:51:29 [emerg] 16539#16539: bind() to 0.0.0.0:80 failed (98: Address already in use)
2021/02/03 18:51:29 [emerg] 16539#16539: bind() to [::]:80 failed (98: Address already in use)
2021/02/03 18:51:29 [emerg] 16539#16539: bind() to 0.0.0.0:80 failed (98: Address already in use)
2021/02/03 18:51:29 [emerg] 16539#16539: bind() to [::]:80 failed (98: Address already in use)
2021/02/03 18:51:29 [emerg] 16539#16539: bind() to 0.0.0.0:80 failed (98: Address already in use)
2021/02/03 18:51:29 [emerg] 16539#16539: bind() to [::]:80 failed (98: Address already in use)
2021/02/03 18:51:29 [emerg] 16539#16539: bind() to 0.0.0.0:80 failed (98: Address already in use)
2021/02/03 18:51:29 [emerg] 16539#16539: bind() to [::]:80 failed (98: Address already in use)
2021/02/03 18:51:29 [emerg] 16539#16539: still could not bind()

Is there somewhere else where I have to change the listen port?

Shouldn't be... Here's line 180 of my nginx.conf:
listen 5001 default_server ssl;

What does yours look like?

My lines 180 and 181 are:

        listen ;
        listen [::]:;

If I try to manually change line 180 to what you have, it fails with the same errors when I try to start NGINX, and when I check the configuration file I find that line 180 has been reverted to the way I just described.

EDIT:

Ok, I've done a bit of learning about how the server is set up and I understand why I can't directly edit /etc/nginx/nginx.conf but, I've also gone through and manually read through every single .mustache file in the /usr/syno/share/nginx/ folder and I can't find a single reference to port 80 that hasn't been properly changed to port 81. I'm at a loss here.

As I was collecting the data for this update I made a bit of progress. Lines 17 and 18 of my DSM.mustache looked like this:

    listen {{#reuseport}} reuseport{{/reuseport}};
    listen [::]: {{#reuseport}} reuseport{{/reuseport}};

I added port 81 to those and now my error message is different! 2021/02/05 20:33:53 [emerg] 10386#10386: a duplicate default server for 0.0.0.0:81 in /etc/nginx/nginx.conf:425

EDIT 2:
After a bit more tinkering, I've managed to get NGINX running (for a certain definition of "running"). If I remove every mention of "default_server" from DSM.mustache then I can start the NGINX service. Of course, that means that I still can't actually access the DSM itself but, I'll just call this a learning experience. I'm going to keep trying my hand at getting this thing working.

EDIT 3: It works! I've finally gotten this working. I'm not quite sure how but my DSM.mustache file appears to have been mangled (even my oldest backup didn't fix it) and I had to do some trial and error testing to figure out what needed to be changed. I'm going to include my current DSM.mustache file just in case anyone else has the same issue I've had. For some reason it won't let me upload that file even after renaming it. So, I'll include it inline.

{{#DSM}}
server {
    listen {{port}}{{#reuseport}} reuseport{{/reuseport}};
    listen [::]:{{port}}{{#reuseport}} reuseport{{/reuseport}};

    server_name _;

    gzip on;

    include app.d/alias.*.conf;
    {{> /usr/syno/share/nginx/DSM_Main}}
    {{> /usr/syno/share/nginx/optimization}}
}
{{#DSM.fqdn}}

server {
    listen 5000 default_server{{#reuseport}} reuseport{{/reuseport}};
    listen [::]:5000 default_server{{#reuseport}} reuseport{{/reuseport}};

    server_name {{DSM.server_name}};
    set $fqdn {{DSM.fqdn}};

    {{> /usr/syno/share/nginx/LetsEncrypt}}
    {{#DSM.https.hsts}}
    location / {
        return 301 https://$server_name$request_uri;
    }
    {{/DSM.https.hsts}}
    {{^DSM.https.hsts}}
    gzip on;

    include app.d/alias.*.conf;
    {{> /usr/syno/share/nginx/DSM_Main}}
    include app.d/www.*.conf;
    include /usr/syno/share/nginx/conf.d/www.*.conf;
    include conf.d/www.*.conf;
    {{> /usr/syno/share/nginx/optimization}}
    {{/DSM.https.hsts}}
}

server {
    listen {{port}} {{#reuseport}} reuseport{{/reuseport}};
    listen [::]:{{port}} {{#reuseport}} reuseport{{/reuseport}};

    server_name {{DSM.server_name}};

    location / {
        return 404;
    }

    {{> /usr/syno/share/nginx/error_page}}
}
{{/DSM.fqdn}}
{{#ssl}}

server {
    listen {{port}} ssl{{#spdy}} http2{{/spdy}}{{#reuseport}} reuseport{{/reuseport}};
    listen [::]:{{port}} ssl{{#spdy}} http2{{/spdy}}{{#reuseport}} reuseport{{/reuseport}};

    server_name _;

    {{#DSM.https.compression}}
    gzip on;
    {{/DSM.https.compression}}

    {{#DSM.https.hsts}}
    {{> /usr/syno/share/nginx/HSTS}}
    {{/DSM.https.hsts}}

    include app.d/alias.*.conf;
    {{> /usr/syno/share/nginx/DSM_Main}}
    {{> /usr/syno/share/nginx/optimization}}
}
{{#DSM.fqdn}}

server {
    listen 5001 default_server ssl{{#spdy}} http2{{/spdy}}{{#reuseport}} reuseport{{/reuseport}};
    listen [::]:5001 default_server ssl{{#spdy}} http2{{/spdy}}{{#reuseport}} reuseport{{/reuseport}};

    server_name {{DSM.server_name}};
    set $fqdn {{DSM.fqdn}};

    {{> /usr/syno/share/nginx/LetsEncrypt}}
    {{#https.certificate}}
    ssl_certificate {{https.certificate}};
    {{/https.certificate}}
    {{#https.key}}
    ssl_certificate_key {{https.key}};
    {{/https.key}}

    {{#DSM.https.compression}}
    gzip on;
    {{/DSM.https.compression}}

    {{#DSM.https.hsts}}
    {{> /usr/syno/share/nginx/HSTS}}
    {{/DSM.https.hsts}}

    include app.d/alias.*.conf;
    {{> /usr/syno/share/nginx/DSM_Main}}
    include app.d/www.*.conf;
    include /usr/syno/share/nginx/conf.d/www.*.conf;
    include conf.d/www.*.conf;
    {{> /usr/syno/share/nginx/optimization}}
}

server {
    listen {{port}} ssl{{#spdy}} http2{{/spdy}}{{#reuseport}} reuseport{{/reuseport}};
    listen [::]:{{port}} ssl{{#spdy}} http2{{/spdy}}{{#reuseport}} reuseport{{/reuseport}};

    server_name {{DSM.server_name}};

    location / {
        return 404;
    }

    {{> /usr/syno/share/nginx/error_page}}
}
{{/DSM.fqdn}}
{{/ssl}}
{{/DSM}}

Yeah I don't know what happened, sorry. I've added something to the script to write a log of the changes to the backup directory, should hopefully let you see what exactly it did to ease troubleshooting in future.

As you probably found, the nginx.conf gets recreated by the NAS based on the .mustache files, and I believe this happens whenever there's an update.

What version of DSM are you running?

@n00bsportz, need some more info. What's not working?

@inogueira82 which port remains in use? Could you run the following, changing 80 for the port you're after?
netstat -plnt | grep ":80 "

Yeah I don't know what happened, sorry. I've added something to the script to write a log of the changes to the backup directory, should hopefully let you see what exactly it did to ease troubleshooting in future.

As you probably found, the nginx.conf gets recreated by the NAS based on the .mustache files, and I believe this happens whenever there's an update.

What version of DSM are you running?

Yes, once I started reading through the mustache files, I figured out how nginx.conf was built from them. It appears that nginx.conf is rebuilt on every restart of the server though, not just after system updates. My guess is that something managed to change one of those files even before I ran your script so, I don't think my issue was caused by this script. Just in case I'm wrong though, I'm running DSM 6.2.3-25426 Update 3 on a DS 220+.

netstat -plnt | grep ":80 "

it says there's nothing using This port. But i can't assign it to a docker package. When I use bridge network for a container and i try to use port 80 or 443 it says ther's a conflict.

If I use host network i can start it, but there's no response for port 80 or 443

Yeah I don't know what happened, sorry. I've added something to the script to write a log of the changes to the backup directory, should hopefully let you see what exactly it did to ease troubleshooting in future.

As you probably found, the nginx.conf gets recreated by the NAS based on the .mustache files, and I believe this happens whenever there's an update.

What version of DSM are you running?

@n00bsportz, need some more info. What's not working?

@inogueira82 which port remains in use? Could you run the following, changing 80 for the port you're after?
netstat -plnt | grep ":80 "

This is the response when i have the docker container running in host network:

sudo netstat -plnt | grep ":80"
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 17759/python3
tcp6 0 0 :::8080 :::* LISTEN 25587/java

And this is what i get if i stop the container:

sudo netstat -plnt | grep ":80"
tcp6 0 0 :::8080 :::* LISTEN 25587/java

Solved: It was a firewall problem

Some additional things for the sake of completeness.

DSM's reverse proxy — its config is in Portal.mustache, and unless you set it to listen to 80 or 443, it shouldn't interfere

{{#ReverseProxy}}
server {
    listen {{port}}{{#https}} ssl{{/https}}{{#https.http2}} http2{{/https.http2}}{{#reuseport}} reuseport{{/reuseport}}{{^fqdn}} default_server{{/fqdn}};
    listen [::]:{{port}}{{#https}} ssl{{/https}}{{#https.http2}} http2{{/https.http2}}{{#reuseport}} reuseport{{/reuseport}}{{^fqdn}} default_server{{/fqdn}};

WebStation — it have additional separate config (since version 2.1.9, IIRC) in /volume1/@appstore/WebStation/misc/VirtualHost-*.mustache (depending on which backend you use and whether you use it with ports 80/443).

Lastly, if you intend to later proxy some of those ports on the same NAS, you could try limiting them to localhost, i.e. inserting 127.0.0.1: instead of changing port number. One such use case is setting up SSLH (as described here)

Does this script already works with DSM 7? Since I did upgrade to DSM 7 I'm no longer able to free port 80/443.

Does this script already works with DSM 7? Since I did upgrade to DSM 7 I'm no longer able to free port 80/443.

I'm holding off on the upgrade for now so haven't tested on DSM 7.

I just ran this on a fresh DSM7 upgrade from 6.2.4 and it seems to have worked fine. It at least survived a reboot.

I can confirm, that this script is working on DSM7(DS1817+). It was no clean install. I just updated, tried the script, didn't work. Did a restart and bam it all worked fine !

Version: 7.0-41890

DS918+
DSM 7.0-41890

It works for me, but with one caveat: I had to install WebStation and turn it on before rebooting and letting the script run. Without WebStation, some other listener is doing the redirect on 80/443 -> 5000/5001 and its configuration must be somewhere else other than /usr/syno/share/nginx. Once I let WebStation take over the reverse proxy service for 80/443, the script was able to change the ports on bootup, and it worked.