5 min read

TSL and CNAME flattening for a Synology-hosted site

Getting started with blogdown on Synology described how to set up an unencrypted (http) blogdown website hosted on a Synology, accessible at, for example www.michaelbolger.net, where the www prefix is mandatory. Here, we use CNAME flattening, so that the website can be accessed directly at, for example, michaelbolger.net, and add TLS encryption (i.e. https).

CNAME flattening

In Getting started with blogdown on Synology, we assumed that the Synology did not have a static IP address, which is generally the case for home broadband services. Instead, we used the Synology dynamic DNS (DDNS) service to keep track of our Synology’s public IP address.

As discussed in the blogdown book, a consequence of this setup is that we cannot generally have our site’s ‘apex’ domain (e.g. michaelbolger.net, without any subdomain in front of it, including www) point to the website. This is because DNS A records, the kind of recorded intended to point to the location of the apex domain, must point to an IP address which, in our case, is variable, not a subdomain like we set up (i.e. your_subdomain.synology.me). ‘CNAME’ DNS records can point to subdomains but, per the DNS specifications, cannot be used for apex domains.

However Clourflare1, a provider of content delivery network services, has introduced a service it calls CNAME flattening that allows CNAME DNS records to be used for apex domains. To make use of this service, you have to register for a (free) Cloudflare account.

Having registered, select ‘Add site’ then enter your website address. Select a plan–the free plan is sufficient for personal websites–then review the DNS settings that Cloudflare imports, comparing them to your existing settings (particularly if you have multiple DNS entries, and especially if you have email-related entries). Add CNAME records pointing your apex domain to your Synology DDNS address and, if you want, pointing the www subdomain to your apex domain, so that anyone trying to access your site including the www will be forwarded automatically:

Once you have set up your DNS with Cloudflare as appropriate (e.g., including MX records for mail, and other CNAME records for other subdomains as required–the above is just the bare minimum to host a site), amend your nameservers at your registrar to those provided by Cloudflare for your site (see Cloudflare DNS tab). To change nameservers for a Hover-registered domain, from the overview page for the domain select edit nameservers, then edit them to match the name servers assigned to your site by Cloudflare:

Cloudflare is now the source for your site’s DNS settings–once the change in nameservers propogates, you will be able to access your site via its apex domain.

Using Cloudflare also has the benefit of delivering your site’s content via Cloudflare’s content delivery network, which can speed up serving of your site, particularly in parts of the world that are far from the location of your Synology. This caching, however, means that changes you make to your website may not be visible immediately. To get around this, when updating your website, toggle Cloudflare’s development mode (in the Overview tab), which bypasses the cache:

TSL encryption

To add TLS encryption to a Synology, we will request a free certificate from Let’s Encrypt. In the Control Panel > Security > Certificate tab, select Add, then add a new certificate. Enter a description and select the ‘Get a certificate from Let’s Encrypt’ option. Enable ‘Set as default certificate’2:

On the second Create certificate page, for Domain name, enter the apex domain name of your site and provide a valid email address. In Subject Alternative Name, enter your Synology DDNS address. It is the subject alternative name that tells Let’s Encrypt/visitors to your site that, although the site is being delivered from a server that is not directly associated with your domain, it is nevertheless valid3.

Once set up, click Configure (in Control Panel > Security > Certificate tab) and assign your new certificate to all of the relevant services. If you selected to use the new certificate as the default, it will automatically be applied to new services here as you add them.

Assuming you forwarded port 443 as well as 80 when setting up port forwarding on your router, you should now be able to access your site via https at your apex domain, e.g. https://michaelbolger.net:


  1. Cloudflare offers a range of related site reliability-related services including defence against distributed denial of service attacks (DDNS). Recently, it began offering domain name registration at competitive prices, but only for domains transferred from other registrars. I still recommend Hover for general domain registration, primarily for their non-scummyness and excellent support, but if you have a domain at another registrar and want to use it with Cloudflare, transferring it to them is certainly an option.

  2. Synologies can have multiple certificates for differet services, e.g. the main DSM interface, the Drive app etc. Unless you plan to have different certificates for some/each of these services, go ahead and set the new certificate as default. Synologies ship with a default Synology self-signed certificate. While a self-signed certificate will still offer encryption, it doesn’t provide any assurance as to the server’s identity. Consequently, modern web browsers make you jump through hoops to access sites with self signed certificates.

  3. I have no idea how all this works with a content delivery network like Cloudflare–I just assume someone else is invoking the appropriate incantations on my behalf.