How to Setup a Reverse Proxy in OMV with Let’s Encrypt SSL for Sabnzbd, Radarr, Sonarr and Transmission

In this tutorial I’ll show you how to secure your connection to SABnzbd Web Interface using a Let’s Encrypt’s SSL-certificate through a Reverse Proxy using Nginx and OpenMediaVault.

If you landed here from Google or you haven’t set up an SSL-connection to OpenMediaVault yet, turn back to page one of this tutorial. You’ll need it before you can continue with the rest of this how-to.

Setting Up a SSL-Secured Reverse Proxy for SABnzbd

This how-to essentially consists of three parts:

  1. Gathering the files we need to provide SSL to SABnzb,
  2. Enabling SSL in SABnzbd,
  3. And configuring a reverse proxy for this application in Nginx.

First we need to convert Let’s Encrypt’s certificates to a format SABnzbd understands…

Converting Let’s Encrypt’s PEM-files for usage in SABnzbd

All the files belonging to the certificate you generated in the previous chapter are located in /etc/letsencrypt/live/ Where ‘‘ is the Web Address you configured for your NAS.

These files belong to the root user and this should stay that way. The ability of symlinking to these files would be nice, but then we would need to either give the user sabnzbd root priviliges or change the owner of Let’s Encrypt’s .pem-files. Both aren’t very smart moves.

So I came up with the solution of periodically copying the needed pem-files to sabnzbd’s install-folder and changing the owner of these files to sabnzbd:users The command is as follows:

cp /etc/letsencrypt/live/ /var/opt/sabnzbd/server.cert; cp /etc/letsencrypt/ /var/opt/sabnzbd/server.key; chown sabnzbd:users /var/opt/sabnzbd/server.* -vvv[/shell]

(don’t forget to replace with your server’s Web Address!)

To execute this command periodically, add it to OMV's crontab:

Creating a cronjob to periodically copy Let's Encrypt's PEM-files to SabNZBd's install directory.

  1. Go to 'Scheduled Jobs'
  2. Click 'Add'
  3. Copy the above command in the 'Command'-field and make sure 'Enable' is toggled. Choose an execution time of your liking (I picked 'Weekly', the same as my Let's Encrypt-cron) and make sure it's executed by User root. If you don't have any friends (like me), you can choose to toggle 'Send command output via email' and click 'Save'.

Configuring Let's Encrypt SSL-encryption in SABnzbd

Now we have everything we need to configure SSL in SABnzbd. The certificate-files will be automatically refreshed. Let's configure SABnzbd to use the generated Let's Encrypt certificate.

Configure Sabnzbd to use SSL (Https)

Configuring SABnzbd to use SSL (https)

  1. In the SABnzbd Web Interface, go to settings by pressing the crowbar in the top-right corner.
  2. Click on the 'General'-tab and click 'Advanced' to show advanced settings.
  3. Check 'Enable HTTPS'.
  4. In the 'HTTPS Certificate' field enter the path to the server.cert-file (if you stuck to my earlier example, it should be /var/opt/sabnzbd/server.cert).
  5. In the 'HTTPS Key' field enter the path to the server.ket file (/var/opt/sabnzbd/server.key).
  6. Click 'Save'.

That's it! You're SABnzbd is now configured to use your Let's Encrypt SSL-certificate.

Setting up a Nginx Reverse Proxy for SABnzbd in OpenMediaVault

This is the (sort of) difficult part and there are multiple ways to approach this. With a Reverse Proxy we're going to tell Nginx to send all traffic pointing to '/sabnzbd' to the port you configured. Here's how.

  1. Open a terminal and connect to your NAS using SSH.
  2. Go to the folder containing the Nginx configuration files: cd /etc/nginx/openmediavault-webgui.d/
  3. In this folder we're going to create a .conf-file. This will contain all mappings to your applications. We're using the terminal text-editor nano for this:nano apps.conf[/shell]
  4. Insert the following text to the top of the file:
    location /sabnzbd {
    proxy_pass https://localhost:9080/sabnzbd;
    view raw apps.conf hosted with ❤ by GitHub
    Make sure you replace with your NAS' Web Address and replace with your NAS' local IP-address. Also make sure the port after localhost is the same as the SSL-port you saw earlier in SABnzbd's SSL settings (default: 9080).
  5. Save the file and restart Nginx:service nginx restart[/shell]

If you've just setup your DNS-records to make your NAS accessible outside your LAN, it might take a little while for the settings to take effect.

After you restarted Nginx, SABnzbd should be accessible via your brand new SSL-secured Reverse Proxy for OpenMediaVault immediately. If that's all you wanted to do, you're done now. If not, keep reading and I'll tell you how to do the same for Sonarr, Radarr and Transmission.

Pages: 1 2 3 4 5