In this tutorial I’ll show you how to secure your connection to SABnzbd Web Interface using a Let’s Encrypt’s SSL-certificate through a Reverse Proxy using Nginx and OpenMediaVault.
If you landed here from Google or you haven’t set up an SSL-connection to OpenMediaVault yet, turn back to page one of this tutorial. You’ll need it before you can continue with the rest of this how-to.
Setting Up a SSL-Secured Reverse Proxy for SABnzbd
This how-to essentially consists of three parts:
- Gathering the files we need to provide SSL to SABnzb,
- Enabling SSL in SABnzbd,
- And configuring a reverse proxy for this application in Nginx.
First we need to convert Let’s Encrypt’s certificates to a format SABnzbd understands…
Converting Let’s Encrypt’s PEM-files for usage in SABnzbd
All the files belonging to the certificate you generated in the previous chapter are located in /etc/letsencrypt/live/nas.mydomain.com/. Where ‘nas.mydomain.com‘ is the Web Address you configured for your NAS.
These files belong to the root user and this should stay that way. The ability of symlinking to these files would be nice, but then we would need to either give the user sabnzbd root priviliges or change the owner of Let’s Encrypt’s .pem-files. Both aren’t very smart moves.
So I came up with the solution of periodically copying the needed pem-files to sabnzbd’s install-folder and changing the owner of these files to sabnzbd:users The command is as follows:
cp /etc/letsencrypt/live/nas.mydomain.com/cert.pem /var/opt/sabnzbd/server.cert; cp /etc/letsencrypt/live.nas.mydomain.com/privkey.pem /var/opt/sabnzbd/server.key; chown sabnzbd:users /var/opt/sabnzbd/server.* -vvv[/shell]
Don’t forget to replace nas.mydomain.com with your server’s Web Address!
To execute this command periodically, add it to OMV’s crontab:

- Go to ‘Scheduled Jobs‘
- Click ‘Add‘
- Copy the above command in the ‘Command‘-field and make sure ‘Enable‘ is toggled. Choose an execution time of your liking (I picked ‘Weekly‘, the same as my Let’s Encrypt-cron) and make sure it’s executed by User root. If you don’t have any friends (like me), you can choose to toggle ‘Send command output via email‘ and click ‘Save‘.
Configuring Let’s Encrypt SSL-encryption in SABnzbd
Now we have everything we need to configure SSL in SABnzbd. The certificate-files will be automatically refreshed. Let’s configure SABnzbd to use the generated Let’s Encrypt certificate.

- In the SABnzbd Web Interface, go to settings by pressing the crowbar in the top-right corner.
- Click on the ‘General‘-tab and click ‘Advanced‘ to show advanced settings.
- Check ‘Enable HTTPS‘.
- In the ‘HTTPS Certificate‘ field enter the path to the server.cert-file (if you stuck to my earlier example, it should be /var/opt/sabnzbd/server.cert).
- In the ‘HTTPS Key‘ field enter the path to the server.ket file (/var/opt/sabnzbd/server.key).
- Click ‘Save‘.
That’s it! You’re SABnzbd is now configured to use your Let’s Encrypt SSL-certificate.
Setting up a Nginx Reverse Proxy for SABnzbd in OpenMediaVault
This is the (sort of) difficult part and there are multiple ways to approach this. With a Reverse Proxy we’re going to tell Nginx to send all traffic pointing to ‘/sabnzbd‘ to the port you configured. Here’s how.
- Open a terminal and connect to your NAS using SSH.
- Go to the folder containing the Nginx configuration files:
cd /etc/nginx/openmediavault-webgui.d/
- In this folder we’re going to create a .conf-file. This will contain all mappings to your applications. We’re using the terminal text-editor nano for this:
nano apps.conf[/shell]
- Insert the following text to the top of the file:
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersserver_name nas.yourdomain.com 192.168.xxx.xxx; location /sabnzbd { proxy_pass https://localhost:9080/sabnzbd; }
Make sure you replace nas.yourdomain.com with your NAS’ Web Address and replace 192.168.xxx.xxx with your NAS’ local IP-address. Also make sure the port after localhost is the same as the SSL-port you saw earlier in SABnzbd’s SSL settings (default: 9080). - Save the file and restart Nginx:
service nginx restart[/shell]
If you’ve just setup your DNS-records to make your NAS accessible outside your LAN, it might take a little while for the settings to take effect.
After you restarted Nginx, SABnzbd should be accessible via your brand new SSL-secured Reverse Proxy for OpenMediaVault immediately. If that’s all you wanted to do, you’re done now. If not, keep reading and I’ll tell you how to do the same for Sonarr, Radarr and Transmission.
You don’t need Sonarr’s “Enable SSL” if you’re implementing the HTTPS encryption with Let’s Encrypt at the reverse proxy level, I assume.
You’re right. I guess I enabled that setting without thinking. Just make sure you’re directing the proxy to the non-ssl port, but that’s all!
While I appreciate the time you took to write this article, the title is incredibly misleading. I came here for info on sonarr reverse proxying yet I can only find sabnzbd, with a configuration that will result in a imperfect configuration at that.
What are you talking about? It’s on page 3 of this article…
This tutorial is outdated. You should consider revising it as certain things changed in Letsencrypt interface.
Al right. Thanks for the feedback. I’ll add it to my to-do list!
Hi Daan,
Thanks so much for your useful guide! I set this up months ago and it’s been working perfectly up until yesterday. I haven’t changed any settings but it’s just stopped working 🙁 I rebooted my router, double checked the port forwarding was still in place, checked the certificate was still valid etc and nada 🙁 I can see that DuckDNS is working correctly also, it’s correctly obtaining my WAN IP.
Do you have any ideas?
I’m a bit confused when you say that the NAS needs to be accessible from outside. So if I want to access OMV, I need to type for example mydomain.com:portToMyNAS. Then my router will forward this request to my NAS and the login page will be displayed. Is this what you mean?
Also isn’t this a security risk – shouldn’t we use an VPN service instead of leaving it directly open to the public internet?
If you want to use a VPN, then using a reverse proxy isn’t relevant IMO. You can just access your NAS from inside your VPN.
But to answer your question. It’s not necessarily a security risk if OMV (your NAS’s IP, on port 443/80) is accessible over WAN.