Setting Up Your Own Supernote Private Cloud
Every note you make on your Supernote is important. We've created a way for you to use cloud features (like syncing) while keeping your notes completely private on hardware that you own.
This isn't a general cloud service. It's a way to store all your Supernote files (notes, documents, etc.) on your own machine. This could be your home NAS (a network storage box) or a server inside your company. It becomes your dedicated storage spot.
What This Gives You
- Security: Your files stay on your hardware. They are never uploaded to Supernote or any other third party's servers. Your data stays private.
- Control: You decide how resources are used. For businesses, this is crucial: you can keep important meeting notes and client data stored internally, in line with your security and compliance requirements.
- Lower Costs: You use hardware you already have. You set it up once and don't pay ongoing fees to a cloud service.
How to Get Started
We provide a "Supernote Private Cloud Deployment Manual." This manual gives you step-by-step instructions:
- Clear Instructions: It tells you exactly what hardware/software you need and walks you through the setup. You don't need to be an IT expert.
- Linux/Unix Only: This system works with the Linux operating system (like what's on many NAS devices, such as Synology DSM). The manual covers setting this up on all compatible systems.
- Support: The manual includes a FAQ section and links to help if you run into any issues during the setup process.
You can download the manuals here:
| Deployment Manual | Deployment Using Docker Containers |
|---|---|
| Download Manual | Download Manual |
| Note: You need a device running Linux or a similar Unix-like system. Windows is not supported currently. | Note: If you wish to manually deploy Supernote Private Cloud using Docker containers, please follow this manual. |
FAQ
How to Use Nginx to Implement Reverse Proxy for HTTPS
Current Status: At present, the Supernote private cloud service software does not include built-in SSL/TLS encryption configuration options. This means we cannot directly specify certificate and key file paths within the private cloud's configuration files, as is possible with Apache or Nginx.
The core reasons are as follows: As you have noted, the Supernote team cannot issue trusted SSL certificates for users operating their own private cloud deployments. Certificate issuance relies on trusted Certificate Authorities and requires domain ownership verification—a process that is impractical for private cloud services distributed across countless user-managed servers.
Solutions: Use a Reverse Proxy (Recommended and Industry Standard)
Although the private cloud service itself does not handle SSL, the standard and recommended solution is to use a reverse proxy server. This proxy server sits between the internet client (your Supernote device) and your private cloud service, specifically handling SSL/TLS encryption and decryption.
Schematic Diagram of Working Principle:
Supernote Device (HTTPS) -> Reverse Proxy (Decryption) -> Supernote Private Cloud Service (HTTP)
Supernote Private Cloud Service (HTTP) -> Reverse Proxy (Encryption) -> Supernote Device (HTTPS)
Your data remains encrypted throughout transmission—from your device to AWS servers and back. However, once inside your Supernote Private Cloud instance, the reverse proxy communicates with the Supernote Private Cloud service using plain HTTP. This represents the most secure, mature, and performance-optimized approach.
Regarding Future Optimizations: Thank you very much for your valuable suggestions. We have forwarded the request to “simplify the SSL configuration process” to our development team for consideration in future version optimizations. The team will evaluate how to better assist users—especially those with advanced deployment needs like yours—in achieving secure deployments more conveniently. Currently, the reverse proxy solution remains the absolutely reliable and recommended approach.
Nginx Reverse Proxy Configuration Process
We strongly recommend using Nginx or Apache as your reverse proxy. Here's the implementation approach using Nginx:
Step 1: Obtain an SSL Certificate
Since your purpose is commercial use, it is recommended to use a trusted certificate. There are several methods:
- Let's Encrypt (Free, Automated, Trusted): The most popular choice. You can use the Certbot tool to automatically obtain and renew certificates. This is ideal for scenarios like `supernote.yourcompany.com`.
- Purchase a Commercial Certificate: Acquire one from providers like DigiCert, GoDaddy, etc.
Step 2: Install and Configure Nginx
- Install Nginx on your Linux or other instance.
- Edit the Nginx configuration file (e.g., `/etc/nginx/sites-available/supernote-cloud`) and create a new server block. Below is a basic configuration example:

```nginx
server {
    listen 80;
    listen 443 ssl;
    server_name your_domain_name;   # Please set up your external domain name.
    ssl_certificate CERT_PATH;      # Please enter the SSL certificate address.
    ssl_certificate_key KEY_PATH;   # Please enter the SSL certificate private key address.
    ssl_session_timeout 60m;
    ssl_protocols TLSv1.2;
    # Strong suites only; anonymous and MD5-based suites are excluded.
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    access_log ACCESS_LOG_PATH;     # Please set your access log path.
    error_log ERROR_LOG_PATH;       # Please set your error log path.
    client_max_body_size 20480m;

    location / {
        # Please replace "YOUR_PRIVATE_CLOUD_IP_ADDRESS" with your private cloud IP address.
        proxy_pass http://YOUR_PRIVATE_CLOUD_IP_ADDRESS:19072;
        proxy_set_header Host $proxy_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Host $host;

        # Rewrite redirects that point at the backend so they use the public HTTPS name.
        # Please replace "YOUR_PRIVATE_CLOUD_IP_ADDRESS" with your private cloud IP address.
        proxy_redirect http://YOUR_PRIVATE_CLOUD_IP_ADDRESS:19072/ https://$host/;
        proxy_redirect https://YOUR_PRIVATE_CLOUD_IP_ADDRESS:19072/ https://$host/;
        proxy_redirect ~*^https?://[^/]+:19072(/?.*)$ https://$host$1;

        # Rewrite backend URLs that appear inside response bodies.
        sub_filter_once off;
        sub_filter_types *;
        # Please replace "YOUR_PRIVATE_CLOUD_IP_ADDRESS" with your private cloud IP address.
        sub_filter 'http://YOUR_PRIVATE_CLOUD_IP_ADDRESS:19072' 'https://$host';
        sub_filter 'https://YOUR_PRIVATE_CLOUD_IP_ADDRESS:19072' 'https://$host';
        sub_filter ':19072' '';

        proxy_buffering on;
        proxy_buffer_size 4k;
        proxy_buffers 8 4k;
        proxy_connect_timeout 6000;
        proxy_send_timeout 6000;
        proxy_read_timeout 6000;
    }
}
```
Step 3: Restart Nginx and Test
Restart the Nginx service to apply the configuration changes. You can then access your private cloud using `https://supernote.yourcompany.com`.
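A lint for the TLS directives used in the Nginx server block above, as an added example that is not part of Supernote's manual: it reports cipher-list tokens that add weak suites, protocols older than TLS 1.2, and `listen` directives without `ssl`. The function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: lint the TLS directives of an nginx site file.
# Prints one finding per line; prints nothing when no check fires.
audit_nginx_tls() {
    # One directive per line: drop comments, split on ';', '{' and '}'.
    norm=$(sed 's/#.*//' "$1" | tr ';{}' '\n\n\n' | sed 's/^[[:space:]]*//')
    ciphers=$(printf '%s\n' "$norm" | sed -n 's/^ssl_ciphers[[:space:]]\{1,\}//p')
    protocols=$(printf '%s\n' "$norm" | sed -n 's/^ssl_protocols[[:space:]]\{1,\}//p')

    # OpenSSL cipher strings are ':'-separated. '!X' and '-X' remove X and
    # '+X' only reorders, so only unprefixed tokens add suites to the list.
    for tok in $(printf '%s' "$ciphers" | tr ':' ' '); do
        case $tok in
            '!'*|-*|+*) ;;
            ALL|LOW|EXP|EXPORT*|SSLv2|SSLv3|*RC4*|*DES*|*MD5*|*NULL*)
                echo "weak-cipher:$tok" ;;
        esac
    done
    for proto in $protocols; do
        case $proto in
            SSLv2|SSLv3|TLSv1|TLSv1.1) echo "old-protocol:$proto" ;;
        esac
    done
    # A listen directive without the 'ssl' flag answers in plaintext; that is
    # only appropriate for a server block that does nothing but redirect.
    printf '%s\n' "$norm" | sed -n 's/^listen[[:space:]]\{1,\}//p' |
    while read -r args; do
        case " $args " in
            *" ssl "*) ;;
            *) echo "plaintext-listen:$args" ;;
        esac
    done
}

# Constructed sample with a permissive cipher list and a plaintext listener.
write_sample_conf() {
    cat > "$1" <<'EOF'
server {
    listen 80;
    listen 443 ssl;
    ssl_protocols TLSv1.2;
    ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
    location / { proxy_pass http://YOUR_PRIVATE_CLOUD_IP_ADDRESS:19072; }
}
EOF
}

# Stand-alone use: sh audit.sh /etc/nginx/sites-available/supernote-cloud
if [ "$#" -gt 0 ]; then audit_nginx_tls "$1"; fi
```

`ALL` is reported because it enables every suite the TLS library offers unless each weak class is removed explicitly; run `nginx -t` before reloading after any change to these directives.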
How to Use Synology NAS to Implement Reverse Proxy for HTTPS
Core Concepts and Network Topology
Before beginning configuration, please understand your network structure. Assume your environment is as follows:
- Synology NAS: The IP address is `192.168.100.32`
- Supernote Private Cloud Server: The IP address is `192.168.100.32`, where your Supernote Private Cloud is running on port 19072.
- **Objective:** Access the Supernote Private Cloud service on the internal network server `192.168.100.32:19072` by visiting `https://notebook.your-domain.com`.
Data flow direction: Browser/Supernote device -> Reverse proxy -> Supernote Private Cloud service.
Configuration Steps (Using DSM 7.x as an Example)
Step 1: Ensure internal network services are accessible.
- Access the Supernote Private Cloud service directly via its internal IP address and port in your browser or device to verify its proper operation, for example: `http://192.168.100.32:19072`.
- Ensure your internal network firewall permits connections from the Synology NAS IP address (`192.168.100.32`).
Step 2: Configure Reverse Proxy on Synology NAS
- Log in to DSM using the administrator account.
- Open Control Panel -> Login Portal (or Application Portal) -> Advanced -> Reverse Proxy.
- Click Create to create a new rule.
Reverse Proxy Rules:
- Reverse Proxy Name: Customize an easily recognizable name, such as Supernote Private Cloud Proxy
- Source (How does the client access Synology):
  - Protocol: `HTTPS` (Recommended, Safe)
  - Hostname: The external domain name you plan to use, such as `notebook.your-domain.com`
  - Port: `443` (HTTPS Standard Port)
  - Enable HSTS: Do not check
  - Access control profile: Keep default
- Destination (Where should Synology requests be sent):
  - Protocol: `HTTP` or `HTTPS` (Depending on the configuration of your internal network Supernote Private Cloud server, it is typically HTTP.)
  - Hostname: The IP address of your internal Supernote Private Cloud server, for example `192.168.100.32`
  - Port: The port your internal Supernote Private Cloud server listens on, by default `19072`
Step 3: Configure SSL Certificate
To ensure your external domain functions properly, you need to configure an SSL certificate for this domain.
- Go to Control Panel -> Security -> Certificates.
- Click Add, then select Add New Certificate.
- Select Import Certificate or Get Certificate from Let's Encrypt, then enter your hostname (`notebook.your-domain.com`) in the "Domain" field.
- After importing the certificate or obtaining a certificate from Let's Encrypt, navigate to Security > Certificates > Settings > select the hostname you just entered > select the certificate you just imported/obtained from Let's Encrypt to set this certificate as the default.
- Access via HTTPS using a browser or Supernote, for example: `https://notebook.your-domain.com`
How to Use Container Port
Supernote Private Cloud Container Port Usage Guide
- Container Port 8080: Nginx listens on port 8080 inside the container and acts as a reverse proxy, forwarding requests to the supernote-service container to provide synchronization and web management interface services. To access the private cloud using a browser or Supernote device, this port must be mapped to the Docker host to allow access from outside the Docker host. For instructions on publishing applications from within Docker containers, see the "Exposing Ports" section (see "Host Port Mapping 19072").
- Container Port 18072: This port is primarily used for automatic synchronization with supernote-service.
- Container Port 443: Nginx also listens on port 443 inside the container, and it works in the same way as port 8080. Port 443 provides HTTPS service by default. Please refer to the latest deployment manual for instructions on configuring HTTPS.
- Host Port Mapping 19072: This port is primarily used to map the 8080 port of the supernote-service container to the Docker host where Supernote Private Cloud is currently deployed. Through this port mapping, you can access the Supernote service's web management interface on the host, enabling browser-based management and configuration. This mapping opens a port on the Docker host (e.g., 19072) and creates a rule to forward all traffic destined for that host port directly to the specified container's internal port (e.g., 8080). Refer to the Docker official documentation on port exposure: https://docs.docker.com/engine/containers/run/#exposed-ports
- Host Port Mapping 18072: This port primarily maps the automatic synchronization feature within the supernote-service container to the current host. Through this port, you can utilize the automatic synchronization functionality implemented via the WebSocket protocol on Supernote devices. If you confirm you will not use the automatic synchronization feature, you may choose not to open this port. For detailed instructions on port configuration, please refer to the official Docker documentation: https://docs.docker.com/engine/containers/run/#exposed-ports
Port Specifications FAQ
- Why does the supernote-service container need to expose port 8080?
  - Nginx listens on port 8080 inside the container and provides reverse proxy services to forward requests to the supernote-service container for synchronization services and the web management interface. To enable browsers or Supernote devices to access the private cloud, this port must be mapped to the Docker host for external access.
  - Docker's official documentation explicitly states: “By default, the container runtime does not expose any ports to the host. To access a port listening inside a container from the host, you must publish the port.” Port publishing is typically performed using the format `-p {host_port}:{container_port}`. For reference: https://docs.docker.com/engine/containers/run/#exposed-ports
- Why is it necessary to map port 8080 to port 19072 on the host?
  - Supernote Private Cloud must accommodate users who cannot utilize reverse proxies, so we need to provide a default port on the Docker host as the access point for private cloud container services. Port mapping (e.g., `-p 19072:8080`) is Docker's recommended standard practice: it opens the specified port (e.g., 19072) on the host machine and forwards all traffic destined for that port to the container's internal port (e.g., 8080). This is the standard and necessary method for accessing container services from outside the host machine. For reference: https://docs.docker.com/engine/containers/run/#exposed-ports
- Why does Supernote default to using port 19072 instead of ports 80 or 443 for publishing applications within containers?
  - Supernote Private Cloud currently does not provide HTTPS service. Ports 80 and 443 are commonly used service ports. Directly mapping port 8080 within the container to port 80 or 443 on the Docker host can easily cause port conflicts, resulting in service unavailability. Therefore, we have designated port 19072 as the default mapping port to reduce conflict risks and ensure service stability.
  - To customize the port, follow these steps:
    - For users deploying based on Docker: directly modify the `-p <custom port>:8080` entry in the Docker or Docker Compose configuration.
    - Users deploying via the install.sh script: The port is currently fixed at 19072. The next version will support custom configuration.
- Why Supernote Cannot Provide HTTPS Service
  - The Supernote team cannot issue trusted SSL certificates for each user's self-deployed private cloud instance. Certificate issuance requires verification from a trusted certificate authority and proof of domain ownership, which is impractical for private cloud services distributed across numerous user-owned servers. Therefore, Supernote provides sample Nginx and NAS reverse proxy configurations for users requiring HTTPS functionality.
  - We are actively exploring the possibility of integrating support for untrusted certificates into our web server and enabling SSL/TLS configurations by default. Stay tuned for updates.
- Why is port 18072 required?
  - Port 18072 enables automatic synchronization between Supernote devices and private clouds. If you require this automatic functionality, you must expose this port on your Docker host. If you confirm you will not use automatic synchronization, you may close this port. To disable it:
    - Users who deployed via Docker or Docker Compose can directly remove the `-p 18072:18072` configuration.
    - Users deploying via the install.sh script: The port is currently fixed at 19072. The next version will support custom configuration.
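An added check, not taken from Supernote's manual: a mapping such as `-p 19072:8080` publishes the port on every host interface, so once an HTTPS reverse proxy is in front, the plain-HTTP ports described above are still reachable beside it. The function below lists such bindings from `docker ps` output; the function names, the second container name and the sample lines are constructed.

```shell
#!/bin/sh
# Added example: list container ports that Docker has published on every
# host interface. Input is one "NAME|PORTS" line per container, as printed by
#   docker ps --format '{{.Names}}|{{.Ports}}'
list_wildcard_ports() {
    awk -F '|' '{
        n = split($2, maps, ", *")
        for (i = 1; i <= n; i++) {
            # Published entries look like BIND_ADDR:HOST_PORT->CONTAINER_PORT/PROTO.
            # An entry without "->" (for example "443/tcp") is not published.
            if (maps[i] !~ /->/) continue
            split(maps[i], side, "->")
            addr = side[1]; port = side[1]
            sub(/.*:/, "", port)       # after the last colon: host port
            sub(/:[^:]*$/, "", addr)   # before it: bind address
            if (addr == "0.0.0.0" || addr == "::" || addr == "[::]")
                print $1, port "->" side[2]
        }
    }' | sort -u
}

# Constructed sample: the default mappings described above, plus the same
# service published on loopback only for comparison.
sample_docker_ps() {
    cat <<'EOF'
supernote-service|0.0.0.0:19072->8080/tcp, :::19072->8080/tcp, 0.0.0.0:18072->18072/tcp, 443/tcp
supernote-loopback|127.0.0.1:19072->8080/tcp
EOF
}

# Stand-alone use: sh ports.sh live   (requires the docker CLI)
if [ "${1:-}" = live ]; then
    docker ps --format '{{.Names}}|{{.Ports}}' | list_wildcard_ports
fi
```

Assuming the reverse proxy runs on the same host as Docker, publishing as `-p 127.0.0.1:19072:8080` keeps the plain-HTTP port reachable only through the proxy; otherwise restrict the listed ports with a host firewall rule.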