In this chapter I will show you how you can setup a reverse proxy in Nginx for Sonarr and/or Radarr using the Let’s Encrypt SSL-certificates you’ve generated in the first chapter of this giant how-to for OpenMediaVault (OMV). Let’s begin.
How to Setup a Reverse Proxy with SSL (HTTPS) for Sonarr and/or Radarr
Setting up an SSL-secured Reverse Proxy for Sonarr/Radarr is much easier, compared to e.g. SABnzbd or Plex. Sonarr and Radarr have all the tools included to map it to a sub-directory, which will allow it to use the same Let’s Encrypt SSL-certificate you’ve generated on the first page of this tutorial. It’s built in such a way, that there’s need to provide custom certificates.
Configuring Let’s Encrypt SSL in Sonarr/Radarr
Because Sonarr and Radarr are basically the same software, I’ll use Sonarr in my example, but the steps should be exactly the same in Radarr. If this changes in a later release, I’ll update this how-to.

- In Sonarr/Radarr, go to Settings > General and click on the toggle next to ‘Advanced Settings‘ so it says ‘Shown‘.
- If you haven’t already, change the ‘URL Base‘ to ‘/sonarr‘.
- Toggle ‘Enable SSL‘ to ‘Yes‘.
- The default ‘SSL Port Number‘ isn’t relevant as Sonarr/Radarr will be listening on both ports.
- Click ‘Save‘.
That’s it. Sonarr will now prefix every request to both ports with the provided Base-URL so we can make it work with a Reverse Proxy.
How to Set Up a Nginx Reverse Proxy for Sonarr and/or Radarr
If you’ve followed the steps on the previous page, this part will be easy. For the sake of full disclosure, I will assume you didn’t. If you did, you can skip steps 2 and 3:
- Open a terminal and connect with your NAS using SSH.
- Go to the folder containing OMV’s Nginx configuration files:
cd /etc/nginx/openmediavault-webgui.d/
- Create a new .conf-file or edit the existing file using your favourite shell text-editor, e.g.
nano apps.conf
- Insert the following text to the top of the file:
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode characterslocation /sonarr { proxy_pass http://localhost:8989/sonarr; } location /radarr { proxy_pass http://localhost:7878/radarr; }
Obviously, nas.yourdomain.com and 192.168.xxx.xxx need to be replaced by your NAS’ web-address and its local IP-address. If the server_name-node is already there. Don’t replace it or re-add it. Only add the location-node and make sure the port after localhost points to Sonarr (default: 8989). - Save the file and restart Nginx:
service nginx restart
Give it a view hours for the settings to take effect. If you’ve just set up your CNAME-records to make your NAS accessible from outside your LAN it can take while. Your domain’s DNS-settings need to be propagated among all internet providers worldwide.
In all other cases Sonarr/Radarr should be accessible from the outside immediately after restarting Nginx. So you can confirm your Let’s Encrypt SSL-secured Reverse Proxy for OpenMediaVault is working correctly. You can do the same for Transmission. I’ll tell you all about it on the next page.
You don’t need Sonarr’s “Enable SSL” if you’re implementing the HTTPS encryption with Let’s Encrypt at the reverse proxy level, I assume.
You’re right. I guess I enabled that setting without thinking. Just make sure you’re directing the proxy to the non-ssl port, but that’s all!
While I appreciate the time you took to write this article, the title is incredibly misleading. I came here for info on sonarr reverse proxying yet I can only find sabnzbd, with a configuration that will result in a imperfect configuration at that.
What are you talking about? It’s on page 3 of this article…
This tutorial is outdated. You should consider revising it as certain things changed in Letsencrypt interface.
Al right. Thanks for the feedback. I’ll add it to my to-do list!
Hi Daan,
Thanks so much for your useful guide! I set this up months ago and it’s been working perfectly up until yesterday. I haven’t changed any settings but it’s just stopped working 🙁 I rebooted my router, double checked the port forwarding was still in place, checked the certificate was still valid etc and nada 🙁 I can see that DuckDNS is working correctly also, it’s correctly obtaining my WAN IP.
Do you have any ideas?
I’m a bit confused when you say that the NAS needs to be accessible from outside. So if I want to access OMV, I need to type for example mydomain.com:portToMyNAS. Then my router will forward this request to my NAS and the login page will be displayed. Is this what you mean?
Also isn’t this a security risk – shouldn’t we use an VPN service instead of leaving it directly open to the public internet?
If you want to use a VPN, then using a reverse proxy isn’t relevant IMO. You can just access your NAS from inside your VPN.
But to answer your question. It’s not necessarily a security risk if OMV (your NAS’s IP, on port 443/80) is accessible over WAN.