# Synology Snapshot Admin Firewall and Reverse Proxy Copy-Paste Use these values verbatim in DSM. ## Reverse proxy - Rule name: `snapshot-admin` - Source protocol: `HTTPS` - Source hostname: `admin.example.com` - Source port: `443` - Source path: `/` - Destination protocol: `HTTP` - Destination hostname: `127.0.0.1` - Destination port: `8787` ## Firewall - Allow: `443/TCP` from WAN or trusted CIDR - Deny: `8787/TCP` from WAN - Optional allow: `443/TCP` from office/VPN CIDR only ## Certificate binding - Hostname: `admin.example.com` - Bind to: reverse proxy rule `snapshot-admin` ## Notes - Do not expose `8787/TCP` directly. - Keep Basic Auth enabled in the Python service. - Use `127.0.0.1` for the destination host unless direct-bind testing is intentional.