This blog is running on green.ch, not on my Synology Diskstation. I use the Disk Station for private data hosting, which doesn’t mix well with a publicly accessible blog, for various reasons:
- I might turn off the Synology (at night, need to cut power in the building etc.)
- I want to focus the security settings of the Synology around my personal needs (firewall everything except the ports / services that I need personally)
- The hardware is geared towards my personal needs (e.g. the amount of RAM in the Disk Station).
Nevertheless, I did want to explore how WordPress (and a number of other services) perform on a Synology Diskstation. I might switch from green.ch to a Synology in the future, but I would use a dedicated machine for this purpose (e.g. the new DS619slim).
WordPress and MySQL are available as “native” Synology applications in the package manager. There is nothing wrong with these packages. I did try them out, and WordPress worked fine. If I had a Synology dedicated as a web server, then I would probably use these packages. As it is, I was only experimenting with WordPress on my private Synology workstation, containing my private data.
Therefore I wanted a solution with a minimal amount of risk. In Docker, if an attacker knows of a zero day exploit to break out of WordPress, then s/he would land in the Docker environment. Another exploit would be necessary to also break out of the Docker environment and access more of the Synology. I declared this to be “secure enough” for a trial run.
Plus, I wanted to learn about Docker anyway. Once you have a working Docker image, it can be deployed on many cloud services.
Note that Docker is not a virtual machine, and is therefore less secure compared to e.g. the Docker Virtual Machine Manager. If you are really security conscious, then run a virtual DSM, and on this virtual Synology run the Docker package.
Go to the package manager and install Docker; it’s that simple.
The Synology GUI for Docker is great for supervising the Docker environment. One can easily see the running images, how much RAM and CPU they use etc. To actually define docker containers, I prefer to use declarative files, based on the Docker Compose solution (https://docs.docker.com/compose/).
The files can be edited with any text editor (I use UltraEdit on my Mac), but for starting/stopping the containers one needs a command line on the Synology. Therefore, SSH needs to be enabled.
Check the Synology documentation for instructions on how to do this.
After installing Docker, a new share gets created named “docker”. On this share, I create a directory “wordpress”. Place the definition file “docker-compose.yaml” into this directory. This is the file content:
```yaml
version: "3"

services:
  # MySQL database used by WordPress; data lives in the named volume db_data
  db:
    image: mysql:5
    container_name: wordpress_db
    volumes:
      - db_data:/var/lib/mysql
    restart: always
    environment:
      MYSQL_ROOT_PASSWORD: myRootPwd
      MYSQL_DATABASE: wordpress
      MYSQL_USER: wordpress
      MYSQL_PASSWORD: MyWpPwd

  # WordPress itself; container port 80 is published on host port 31080
  wordpress:
    depends_on:
      - db
    image: wordpress:latest
    container_name: wordpress
    ports:
      - "31080:80"
    volumes:
      - wp_data:/var/www/html/wp-content
    restart: always
    environment:
      WORDPRESS_DB_HOST: db:3306
      WORDPRESS_DB_NAME: wordpress
      WORDPRESS_DB_USER: wordpress
      WORDPRESS_DB_PASSWORD: MyWpPwd

# Named volumes managed by Docker
volumes:
  db_data:
  wp_data:
```
SSH into the Synology. Then change into the WordPress directory, e.g.

```
cd /volume1/docker/wordpress
```

The command to start the containers is

```
sudo docker-compose up -d
```

That’s it, WordPress is now running. If you want to stop it, use

```
sudo docker-compose down
```

If you want to stop the containers and delete all data (really, everything will be gone, you will have a “factory reset” WordPress!):

```
sudo docker-compose down --volumes
```
“Wire up” the Ports
First, you have to make the Synology accessible from the Internet. There are way too many possibilities to do this, so I’ll just mention the things to do summarily:
- Use a DDNS service (e.g. the one built-in to the Synology) to define a host name.
- On the router / firewall, you need to add port forwarding from ports 80/443 to 80/443 of the Synology.
If you now connect to the Synology via http, you will be greeted by the built-in web server (the “Web Station” service of Synology). The https protocol won’t work properly at this time. What I wanted is this:
- Port 80 (http) remains on the Web Station
- Port 443 (https) goes to WordPress, and actually uses SSL.
To achieve this, the Synology Reverse Proxy service is used. This is how it gets configured:
First, add the host. The target is the port used in the docker image; in our example this is “31080”. Port 80 should still go to the Web Station, therefore it points to “localhost”.
As a last step, you will need a certificate. I used the Let’s Encrypt service. There is a GUI in the Synology to order such a certificate. Look at the Synology help for details.
Use a browser and open the public address of the blog that you want to use, e.g. https://blog.erzi.ch. You should be greeted with the Synology install wizard. It should be obvious what needs to be done.
That’s it, WordPress should be running.
- E-Mail: WordPress can’t send any e-mail. You need a plugin for this, and an SMTP service that you can use.
- Backup: With the above setup, Docker manages all data volumes (they are in /volume1/@docker, by the way). If you back up your Synology, make sure that this data is included in the backup.
Alternatively, mount the volumes to directories under the docker/wordpress directory. This way, you can see all files, and back them up manually if desired. The “docker-compose.yaml” is no longer portable to another server when you do this, so weigh the advantages / disadvantages of this approach.
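
The bind-mount alternative described above, combined with publishing the WordPress port on loopback only so that it is reachable solely through the reverse proxy on localhost:31080. This is an added example, not the author's file. Assumptions: the directories db_data and wp_data under /volume1/docker/wordpress and the variable names MYSQL_ROOT_PASSWORD and WP_DB_PASSWORD (read from a ".env" file next to the compose file) are hypothetical.

```yaml
# Added example: variant of the docker-compose.yaml above (not the author's file).
# Assumed: a file named ".env" in the same directory defines MYSQL_ROOT_PASSWORD
# and WP_DB_PASSWORD (hypothetical names); Compose substitutes ${...} from it,
# which keeps the passwords out of the compose file itself.
version: "3"

services:
  db:
    image: mysql:5
    container_name: wordpress_db
    volumes:
      # Bind mount instead of a named volume: the database files are visible
      # on the "docker" share and are covered by a backup of that share.
      - /volume1/docker/wordpress/db_data:/var/lib/mysql
    restart: always
    environment:
      MYSQL_ROOT_PASSWORD: ${MYSQL_ROOT_PASSWORD}
      MYSQL_DATABASE: wordpress
      MYSQL_USER: wordpress
      MYSQL_PASSWORD: ${WP_DB_PASSWORD}

  wordpress:
    depends_on:
      - db
    image: wordpress:latest
    container_name: wordpress
    ports:
      # "31080:80" listens on every interface of the NAS, so plain HTTP is
      # reachable from the LAN without passing the reverse proxy and its TLS.
      # Prefixing 127.0.0.1 restricts the port to the Synology itself.
      - "127.0.0.1:31080:80"
    volumes:
      - /volume1/docker/wordpress/wp_data:/var/www/html/wp-content
    restart: always
    environment:
      WORDPRESS_DB_HOST: db:3306
      WORDPRESS_DB_NAME: wordpress
      WORDPRESS_DB_USER: wordpress
      WORDPRESS_DB_PASSWORD: ${WP_DB_PASSWORD}
```

Stop the containers with sudo docker-compose down before copying db_data by hand, because MySQL's files are not consistent while the server is running.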