diff --git a/.env.example b/.env.example
index ebb65d3..78a4efa 100644
--- a/.env.example
+++ b/.env.example
@@ -99,6 +99,8 @@ YOUTUBE_DATA_API_KEY=
 DSM_HOST=https://gahusb.synology.me:5001
 DSM_USER=
 DSM_PASS=
+# LAN IP로 DSM 접근 시 self-signed cert가 IP에 매칭 안 되어 검증 실패. 그 경우 false 설정 (LAN 내부 통신이라 허용 가능). 도메인 + 정상 cert면 true 유지.
+DSM_VERIFY_SSL=true
 
 # Vercel SaaS ↔ backend HMAC 시크릿 (양쪽 동일 값)
 BACKEND_HMAC_SECRET=
diff --git a/CLAUDE.md b/CLAUDE.md
index e59eae4..239f4db 100644
--- a/CLAUDE.md
+++ b/CLAUDE.md
@@ -646,6 +646,7 @@ docker compose up -d
 
 **환경변수**
 - `DSM_HOST` / `DSM_USER` / `DSM_PASS`: Synology DSM 7.x 인증 (공유 링크 발급용)
+- `DSM_VERIFY_SSL`: SSL 검증 (default `true`). LAN IP + self-signed cert 환경에서 IP mismatch 시 `false` 설정 (LAN 내부 통신이라 허용)
 - `BACKEND_HMAC_SECRET`: Vercel SaaS와 양쪽 공유 시크릿 (HMAC SHA256)
 - `SUPABASE_URL` / `SUPABASE_SERVICE_KEY`: Supabase pack_files 테이블 접근 (service_role, RLS 우회)
 - `UPLOAD_TOKEN_TTL_SEC`: admin upload 토큰 TTL (기본 1800초 = 30분)
diff --git a/docker-compose.yml b/docker-compose.yml
index dc36304..1920065 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -198,6 +198,7 @@ services:
       - DSM_HOST=${DSM_HOST:-}
       - DSM_USER=${DSM_USER:-}
       - DSM_PASS=${DSM_PASS:-}
+      - DSM_VERIFY_SSL=${DSM_VERIFY_SSL:-true}
       - BACKEND_HMAC_SECRET=${BACKEND_HMAC_SECRET:-}
       - SUPABASE_URL=${SUPABASE_URL:-}
       - SUPABASE_SERVICE_KEY=${SUPABASE_SERVICE_KEY:-}
diff --git a/packs-lab/app/dsm_client.py b/packs-lab/app/dsm_client.py
index eef6763..22469c5 100644
--- a/packs-lab/app/dsm_client.py
+++ b/packs-lab/app/dsm_client.py
@@ -15,6 +15,9 @@ logger = logging.getLogger("packs-lab.dsm")
 DSM_HOST = os.getenv("DSM_HOST", "")  # 예: https://gahusb.synology.me:5001
 DSM_USER = os.getenv("DSM_USER", "")
 DSM_PASS = os.getenv("DSM_PASS", "")
+# LAN IP로 DSM 접근 시 self-signed cert가 IP에 매칭 안 되어 검증 실패. LAN 내부 통신이라 false 허용.
+# 운영에서 LAN IP + self-signed면 DSM_VERIFY_SSL=false. 도메인 + 정상 cert면 기본값(true) 유지.
+DSM_VERIFY_SSL = os.getenv("DSM_VERIFY_SSL", "true").strip().lower() != "false"
 
 API_AUTH = "/webapi/auth.cgi"
 API_SHARE = "/webapi/entry.cgi"
@@ -74,7 +77,7 @@ async def create_share_link(file_path: str, expires_in_sec: int = 14400) -> tupl
     expires_at = datetime.now(timezone.utc) + timedelta(seconds=expires_in_sec)
     expire_time_ms = int(expires_at.timestamp() * 1000)
 
-    async with httpx.AsyncClient(verify=True) as client:
+    async with httpx.AsyncClient(verify=DSM_VERIFY_SSL) as client:
         sid = await _login(client)
         try:
             r = await client.get(