Addendum:
If you want to secure your password to the NAS from being viewed by your ISP, you may want HTTPS too?
The "s" in HTTPS means it runs over SSL/TLS, so one needs some software to fan-out based on the TLS SNI header instead of the HTTP host header. Same concept, the headers simply contain whatever hostname that the client used to do a DNS lookup before it contacted your IP.
In that case you need something called a TLS/SSL reverse proxy. There's a couple different ones too, I can think of pound, ssltunnel and haproxy. If built with SSL support, probably nginx can too.
SSL reverse proxies can accept HTTPS and fan-out to HTTPS servers, but usually one would have the SSL keys lying around on the reverse proxy anyway, so in most cases it's easier to also use the SSL reverse proxy to terminate SSL entirely and then fan-out plain HTTP to the servers.
Here's a configuration example /etc/haproxy/haproxy.cfg
:
frontend tls_terminate
bind *:443 ssl strict-sni crt /etc/nas.coolnet.com.pem /etc/stuff.coolnet.com.pem /etc/files.coolnet.com.pem
use_backend nas if { ssl_fc_sni -i nas.coolnet.com }
use_backend stuff if { ssl_fc_sni -i stuff.coolnet.com }
default_backend files
backend nas
server s1 192.168.0.52:80
backend stuff
server s2 192.168.0.10:485
backend files
server s3 192.168.0.4:2000
To use SSL, one also needs SSL certificates and keys.
Either create your own and install the certificates on all your client devices, or use some piece of software to pull down officially recognized SSL certificates that will work anywhere. I think the default many people use is called certbot
.
You can tunnel anything, so this works for stuff other than HTTPS too. If you come across a protocol that ends with an "s", odds are that it is SSL-tunneled.
Technical detail: The "strict-"sni" option above means that the client has to present a SNI servername header, or it will be shown the door. But essentially all modern software that supports SSL does this.
EDIT: I can think of one exception, a piece of software called postfix
. For some reason, that project refused to add SNI header support when all the other modern email transport software and all major email providers did. For this particular edge case, or if you come across other archaic software that doesn't support modern TLS, it's possible to omit "strict-sni" and instead configure a so-called "default certificate".