About Nginx steam feature for sync port behind nginx

Hi all,

I found another topic about this issue, but the topic already closed. https://forum.syncthing.net/t/resolved-expected-1-certificate-got-2-error/16015/5

I can’t make the stream feature work.

Here is my server setting

  • Router (
  • Nginx (
  • Syncthing Server (

I want to set tcp://syncthing.test.com:12345 → tcp://

Here is my part of nginx.conf

stream {

    upstream syncthing{
        hash $remote_addr consistent;

    map $ssl_preread_server_name $name {
        syncthing.test.com syncthing;

    server {
        proxy_pass $name;

Any idea?


You need to explain what you did in Syncthing, what it is that doesn’t work, and what you see instead.

(Also not clear to me why as it seems the proxy is just beside Syncthing in the same network.)

Also, I don’t think this will work, as we don’t use SNI, so you couldn’t put more than 1 syncthing behind the proxy.

Plus things like discovery make zero sense at that point, as you somehow would need to discover nginx and not syncthing.

Sorry for my bad explanation. It is “Discover” problem not “Sync” problem.

Since I cannot use port “22000” in office. I can use port “12345” only. And port “12345” forwarded to Nginx Server 443 port.

I can access the GUI outside the network, followed by this guide https://docs.syncthing.net/users/reverseproxy.html

But the Syncthing server cannot discovery by other outside the network.

And I found the post, https://forum.syncthing.net/t/resolved-expected-1-certificate-got-2-error/16015/5

He seems can config the Nginx to act as port forwarding.

But I can’t make it work.

After the above setting, When I use “tcp://syncthing.test.com:12345”, for the server address. I will got another device id (an unknown id), which is not the Server real device id.

Yeah I don’t know ngingx but as Audrius says we don’t send SNI, so the “map” and “preread $name” stuff looks suspicious and is probably not going to work. Just a straight TCP proxy on port 12345 should work with your statically configured address.

Note the caveat @calmh mentioned that discovering this node will not work, as there is no way to discover the proxy the instamce is behind, so you will have to configure the device address (point it at the proxy) manually.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.