in ,

How to Setup a Reverse Proxy in OMV with Let’s Encrypt SSL for Sabnzbd, Radarr, Sonarr and Transmission

Setup a Reverse Proxy with Let's Encrypt SSL

In this tutorial I’ll show you how to secure your connection to SABnzbd Web Interface using a Let’s Encrypt’s SSL-certificate through a Reverse Proxy using Nginx and OpenMediaVault.

If you landed here from Google or you haven’t set up an SSL-connection to OpenMediaVault yet, turn back to page one of this tutorial. You’ll need it before you can continue with the rest of this how-to.

Setting Up a SSL-Secured Reverse Proxy for SABnzbd

This how-to essentially consists of three parts:

  1. Gathering the files we need to provide SSL to SABnzb,
  2. Enabling SSL in SABnzbd,
  3. And configuring a reverse proxy for this application in Nginx.

First we need to convert Let’s Encrypt’s certificates to a format SABnzbd understands…

Converting Let’s Encrypt’s PEM-files for usage in SABnzbd

All the files belonging to the certificate you generated in the previous chapter are located in /etc/letsencrypt/live/nas.mydomain.com/. Where ‘nas.mydomain.com‘ is the Web Address you configured for your NAS.

These files belong to the root user and this should stay that way. The ability of symlinking to these files would be nice, but then we would need to either give the user sabnzbd root priviliges or change the owner of Let’s Encrypt’s .pem-files. Both aren’t very smart moves.

So I came up with the solution of periodically copying the needed pem-files to sabnzbd’s install-folder and changing the owner of these files to sabnzbd:users The command is as follows:

cp /etc/letsencrypt/live/nas.mydomain.com/cert.pem /var/opt/sabnzbd/server.cert; cp /etc/letsencrypt/live.nas.mydomain.com/privkey.pem /var/opt/sabnzbd/server.key; chown sabnzbd:users /var/opt/sabnzbd/server.* -vvv[/shell]

(don’t forget to replace nas.mydomain.com with your server’s Web Address!)

To execute this command periodically, add it to OMV's crontab:

Creating a cronjob to periodically copy Let's Encrypt's PEM-files to SabNZBd's install directory.
  1. Go to 'Scheduled Jobs'
  2. Click 'Add'
  3. Copy the above command in the 'Command'-field and make sure 'Enable' is toggled. Choose an execution time of your liking (I picked 'Weekly', the same as my Let's Encrypt-cron) and make sure it's executed by User root. If you don't have any friends (like me), you can choose to toggle 'Send command output via email' and click 'Save'.

Configuring Let's Encrypt SSL-encryption in SABnzbd

Now we have everything we need to configure SSL in SABnzbd. The certificate-files will be automatically refreshed. Let's configure SABnzbd to use the generated Let's Encrypt certificate.

Configure Sabnzbd to use SSL (Https)
Configuring SABnzbd to use SSL (https)
  1. In the SABnzbd Web Interface, go to settings by pressing the crowbar in the top-right corner.
  2. Click on the 'General'-tab and click 'Advanced' to show advanced settings.
  3. Check 'Enable HTTPS'.
  4. In the 'HTTPS Certificate' field enter the path to the server.cert-file (if you stuck to my earlier example, it should be /var/opt/sabnzbd/server.cert).
  5. In the 'HTTPS Key' field enter the path to the server.ket file (/var/opt/sabnzbd/server.key).
  6. Click 'Save'.

That's it! You're SABnzbd is now configured to use your Let's Encrypt SSL-certificate.

Setting up a Nginx Reverse Proxy for SABnzbd in OpenMediaVault

This is the (sort of) difficult part and there are multiple ways to approach this. With a Reverse Proxy we're going to tell Nginx to send all traffic pointing to '/sabnzbd' to the port you configured. Here's how.

  1. Open a terminal and connect to your NAS using SSH.
  2. Go to the folder containing the Nginx configuration files: cd /etc/nginx/openmediavault-webgui.d/
  3. In this folder we're going to create a .conf-file. This will contain all mappings to your applications. We're using the terminal text-editor nano for this:nano apps.conf[/shell]
  4. Insert the following text to the top of the file:
    server_name nas.yourdomain.com 192.168.xxx.xxx;
    location /sabnzbd {
    proxy_pass https://localhost:9080/sabnzbd;
    }
    view raw apps.conf hosted with ❤ by GitHub
    Make sure you replace nas.yourdomain.com with your NAS' Web Address and replace 192.168.xxx.xxx with your NAS' local IP-address. Also make sure the port after localhost is the same as the SSL-port you saw earlier in SABnzbd's SSL settings (default: 9080).
  5. Save the file and restart Nginx:service nginx restart[/shell]

If you've just setup your DNS-records to make your NAS accessible outside your LAN, it might take a little while for the settings to take effect.

After you restarted Nginx, SABnzbd should be accessible via your brand new SSL-secured Reverse Proxy for OpenMediaVault immediately. If that's all you wanted to do, you're done now. If not, keep reading and I'll tell you how to do the same for Sonarr, Radarr and Transmission.

Written by Daan van den Bergh

Magento 2 Back-end Developer with a passion for trainlifting, airplane-gliding, hunting trees and creating fake hobbies.

12 Comments

Leave a Reply
  1. You don’t need Sonarr’s “Enable SSL” if you’re implementing the HTTPS encryption with Let’s Encrypt at the reverse proxy level, I assume.

  2. While I appreciate the time you took to write this article, the title is incredibly misleading. I came here for info on sonarr reverse proxying yet I can only find sabnzbd, with a configuration that will result in a imperfect configuration at that.

  3. This tutorial is outdated. You should consider revising it as certain things changed in Letsencrypt interface.

  4. Hi Daan,

    Thanks so much for your useful guide! I set this up months ago and it’s been working perfectly up until yesterday. I haven’t changed any settings but it’s just stopped working :( I rebooted my router, double checked the port forwarding was still in place, checked the certificate was still valid etc and nada :( I can see that DuckDNS is working correctly also, it’s correctly obtaining my WAN IP.

    Do you have any ideas?

  5. I’m a bit confused when you say that the NAS needs to be accessible from outside. So if I want to access OMV, I need to type for example mydomain.com:portToMyNAS. Then my router will forward this request to my NAS and the login page will be displayed. Is this what you mean?

    Also isn’t this a security risk – shouldn’t we use an VPN service instead of leaving it directly open to the public internet?

    • If you want to use a VPN, then using a reverse proxy isn’t relevant IMO. You can just access your NAS from inside your VPN.

      But to answer your question. It’s not necessarily a security risk if OMV (your NAS’s IP, on port 443/80) is accessible over WAN.

  6. Hi Daan,
    I’ve successfully installed the certificate, and installed sonarr – used your config for the ngnix. The problem is that i get the following web page when I try to load mydomain.com/sonarr: https://imgur.com/a/HUxfC16 (this image shows my internal IP, but the same thing happens if I use my domain)

    I’ve port forwarded port 80 and 443 in my router to my OMV server. Also the OMV server has ports 80 and 443 setup (in general settings > web administration).
    What am I doing wrong?
    Thanks.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.