User Manual FAQ Contact Introduction Installation Configuration Scripts Advanced Topics Extensions for SABnzbd

Incorrect or missing information? How to hide SABnzbd behind a Reverse Proxy

Assuming the server is already running correctly and SABnzbd is running on http://localhost:8080.

What is a Reverse Proxy?

A reverse proxy, also known as an "inbound" proxy is a server that receives requests from the Internet and forwards (proxies) them to a small set of servers, usually located on an internal network and not directly accessible from outside. A reverse proxy can be used to allow authenticated users access to an intranet even when they are located outside. Users on the internal network can access intranet servers directly (their IP address is their authentication), but users outside it must authenticate themselves to the proxy server (usually with a username and password) in order to be allowed in.

Why use a Reverse Proxy?

Lets say you have SABnzbd, Sonarr, and Radarr installed and working locally. To get to each of these you would navigate to their web server's ip:port. Depending on how you setup the apps (binding an IP to your network adapter) you may not be able to get to the sites outside your network.

NOTE You can use your cellphone with WiFi turned off if you want an easy way to test access outside your network.

So while most likely the apps are running on the same machine then you just have to change the port, but this is not very user friendly. Using a reverse proxy you could just go to an IP (or hostname if you use dyndns or something similar) but then use /sabnzbd, /sonarr, /whatever instead of a different port. Not only does this make accessing your multiple apps more user friendly, it allows flexibility of being a gatekeeper to all the sites (for access/security/data logging).

Below are sample configurations for the two main webservers, Apache and Ngnix:

Apache 2

Required modules: proxy.load and proxy_http.load.

The following goes in Apache's httpd.conf file.
For Linux: /etc/apache2/httpd.conf and for Windows: C:\Program Files\Apache2.2\conf\httpd.conf.

<Location /sabnzbd>
    order deny,allow
    deny from all
    allow from all
    ProxyPass http://localhost:8080/sabnzbd
    ProxyPassReverse http://localhost:8080/sabnzbd

NOTE On Apache 2.4 Config files for a2enmod and proxy proxy_http are located in: /etc/apache2/sites-available/000-default.conf (for HTTP) and *ssl*.conf (for HTTPS).


The following files go in the nginx conf.d directory /etc/nginx/conf.d/.


ssl_certificate      /etc/pki/tls/certs/example_com.crt;
ssl_certificate_key  /etc/pki/tls/private/example_com.key;
ssl_session_timeout  5m;
ssl_protocols  TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers  HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers   on;


client_max_body_size 10m;
client_body_buffer_size 128k;

#Timeout if the real server is dead
proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;

# Advanced Proxy Config
send_timeout 5m;
proxy_read_timeout 240;
proxy_send_timeout 240;
proxy_connect_timeout 240;

# Basic Proxy Config
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
proxy_redirect  http://  $scheme://;
proxy_http_version 1.1;
proxy_set_header Connection "";
proxy_cache_bypass $cookie_session;
proxy_no_cache $cookie_session;
proxy_buffers 32 4k;


upstream SABnzbd {
    server localhost:8080;
    keepalive 512;

upstream sickbeard {
    server localhost:8081;
    keepalive 512;

server {
    listen 80;
    listen 443 default ssl;

    access_log      /var/log/nginx/sabnzbd-access.log;
    error_log       /var/log/nginx/sabnzbd-error.log debug;

    if ( $scheme = http )
        rewrite ^ https://$server_name$request_uri? permanent;

    include /etc/nginx/conf.d/ssl.conf;

    location / {
        root   /usr/share/nginx/html;
        index  index.html index.htm;

    location /sabnzbd {
        include /etc/nginx/conf.d/proxy.conf;
        proxy_pass http://localhost:8080/sabnzbd;

    location /sickbeard {
        include /etc/nginx/conf.d/proxy.conf;
        proxy_pass http://localhost:8081;

    location /nginx_status {
        stub_status on;
        access_log off;