Ubuntu SABnzbd+ protected by an apache2 proxy and htpasswd

Basic SABnzbd+ Setup – SAB for short.

There are plenty of tutorials out there which cover configuring a normal SAB installation, so I won’t cover that here. What I am going to do is make my SAB available through a web-accessible, password-protected page. This can be accomplished with default SAB features by putting a web username/password in the general configuration section. However, I find it annoying to have to enter the password when I’m on my internal 192.168 home network just to make it protected from the outside, and I don’t like the way it presents the username/password prompt in a website form rather than a generic Apache pop-up. I’m sure open accessibility could be fixed in the SABnzbd+ code, but I’m not a pro Python hacker yet, so I’ll just stick to what I know.

Basically I want a generic pop-up password that is only for people outside my network, so I’m not bothered with SAB passwords while at home (and I can’t get nzbdStatus to work with a pass enabled). The htpasswd also acts as a bit of camouflage and additional security. Some required concepts aren’t covered here: you need to know how to configure your own SAB servers, port forwarding, or firewall/iptables.

If you’re using a router, you’re going to want to make sure you’re not port forwarding the default SAB port of 8080 (which would make it wide open) and are only forwarding the apache2 port you set up for the SAB proxy. If you’re not on an internal IP subnet and have a static IP assigned directly to the Linux machine you’re doing this on, then I expect you have enough knowledge of iptables to block the SAB port and allow the proxy port.

SABnzbd Daemon (optional)

Download the latest SABnzbd version from http://www.sabnzbd.org/download/ to your favorite place to install Python apps and optionally install a daemon to auto-start SAB: http://artur.hefczyc.net/node/10. Mine is modified to include a restart command:

#!/bin/sh
# Source: http://sabnzbd.wikidot.com/install-as-a-unix-daemon
case "$1" in
start)
echo "Starting SABnzbd."
/usr/bin/sudo -u sabuser -H /usr/local/src/SABnzbd/SABnzbd.py -d -f /home/sabuser/.sabnzbd/sabnzbd.ini
;;
stop)
echo "Shutting down SABnzbd."
/usr/bin/wget -q --delete-after "http://localhost:8080/sabnzbd/api?mode=shutdown"
;;
restart)
$0 stop
$0 start
;;
*)
echo "Usage: $0 {start|stop|restart}"
exit 1
esac
exit 0

At this point I’ll assume you have a working sabnzbd installation and have tested to confirm it’s working.

vi /home/sabuser/.sabnzbd/sabnzbd.ini

Change

host = localhost

to

host = 192.168.0.53

to make it accessible from elsewhere besides the box running SAB.
That’s all you need to do with SAB other than configure servers and preferences.

Apache Proxy Setup

apt-get install apache2
htpasswd -c /usr/local/src/SABnzbd/.htpasswd username # Enter your password when prompted
a2enmod proxy
a2enmod proxy_http
a2enmod proxy_html

Ubuntu’s mod_proxy denies all by default, so you’ll need to make a modification similar to what follows – see your Apache error files for something like if your proxy isn’t working. You can either change

Deny from all

to

Allow from all

if you expect to be using it from any external IP address, or add the individual IPs you expect to need access from (work IP). In my case 192.168.0.1 port forwards, so that’s the only one I need, but I put in my entire internal subnet for testing purposes.

vi /etc/apache2/mods-enabled/proxy.conf
<Proxy *>
  AddDefaultCharset off
  Order deny,allow
  Deny from all
  Allow from 192.168.0.0/24
</Proxy>
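How Apache 2.2 evaluates the `Order`/`Deny`/`Allow` lines in that block, and what switching to `Allow from all` changes, as an added example (not code from the original post or from Apache). It models only `all`, full IP addresses and CIDR operands; `203.0.113.7` is a constructed outside address.

```python
import ipaddress

# The block from the post, and the same block opened up with "Allow from all".
PAGE_ACL = """<Proxy *>
  AddDefaultCharset off
  Order deny,allow
  Deny from all
  Allow from 192.168.0.0/24
</Proxy>"""
OPEN_ACL = PAGE_ACL.replace("Allow from 192.168.0.0/24", "Allow from all")

def _matches(spec, client):
    """True if one 'Allow from'/'Deny from' operand covers the client IP."""
    if spec.lower() == "all":
        return True
    # strict=False also accepts single-host operands such as 192.168.0.1
    return ipaddress.ip_address(client) in ipaddress.ip_network(spec, strict=False)

def parse_acl(block):
    """Extract the Order value and the Allow/Deny operands from a block."""
    order, allow, deny = "deny,allow", [], []   # Apache 2.2 default order
    for line in block.splitlines():
        words = line.split()
        if not words or words[0].startswith(("#", "<")):
            continue
        key = words[0].lower()
        if key == "order":
            order = "".join(words[1:]).lower()
        elif key in ("allow", "deny") and len(words) > 2 and words[1].lower() == "from":
            (allow if key == "allow" else deny).extend(words[2:])
    return order, allow, deny

def is_allowed(block, client):
    """Apply Apache 2.2 Order semantics to one client address."""
    order, allow, deny = parse_acl(block)
    allowed = any(_matches(s, client) for s in allow)
    denied = any(_matches(s, client) for s in deny)
    if order == "deny,allow":
        # Deny is evaluated first, a matching Allow overrides it; default allow.
        return allowed or not denied
    # allow,deny: must match an Allow and no Deny; default deny.
    return allowed and not denied

if __name__ == "__main__":
    for ip in ("192.168.0.1", "203.0.113.7"):
        print(ip, is_allowed(PAGE_ACL, ip), is_allowed(OPEN_ACL, ip))
```

Apache applies this to the source address it sees on the connection, which is why the author only needs 192.168.0.1 when the router at that address does the forwarding.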

Add something like this to your apache2 vhost config (logs are optional)

vi /etc/apache2/conf.d/vhosts.conf
# Use whatever port you want, I usually use obscure ports that aren't regularly scanned.
Listen 8001
# Change 192.168.0.53 to whatever your SAB server's IP is (make sure it's static too).
NameVirtualHost 192.168.0.53:8001
<VirtualHost 192.168.0.53:8001>
# Enter your hostname or static IP address here.  I use dyndns.org since I have a dynamic IP
ServerName sabuser.dyndns.org
ProxyPass /sabnzbd http://192.168.0.53:8080/sabnzbd/
ProxyPassReverse /sabnzbd http://192.168.0.53:8080/sabnzbd/
ProxyPreserveHost On
# Password Protect the external proxy only.
<Location /sabnzbd>
AuthUserFile /usr/local/src/SABnzbd/.htpasswd
AuthName "Authenticate Yourself."
AuthType Basic
Require valid-user
</Location>
# Alternate method, requires rewrite mod:
#RewriteEngine   on
#RewriteRule     (.*) http://192.168.0.53:8080/sabnzbd/$1 [P]
</VirtualHost>



5 thoughts on “Ubuntu SABnzbd+ protected by an apache2 proxy and htpasswd”

  1. Thanks for putting up this guide.
    I am stuck at the last hurdle though. When I browse :8001/sabnzbd I get a message “Authentication Failed
    ————————
    You need to supply a valid username and password”
    But I never get a popup asking for authentication.

    I’m pretty sure my ports are forwarded correctly because if I forward port 80 I get the generic “It Works!” apache message.

    Also is there a fail2ban like script for apache to secure better? And if I wanted to limit access to one particular IP (school) I’d just configure the router to port forward from a single address, right?

  2. Till,

    Check your apache logs in /var/log/apache2/other_vhosts_access.log to see what error it’s giving. Make sure the htpasswd exists and is set up correctly.

    As for fail2ban, it can be applied to any log file that has a pattern. Simply add a log file line to your virtual host, point fail2ban to it, and tell it to look for repeated htpasswd authentication failures.
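The pattern matching described in the reply above, as an added example that is not part of the original comment and is not fail2ban's own code: it counts Basic-auth failures per client inside a sliding window, borrowing fail2ban's `maxretry` and `findtime` option names. It assumes the virtual host writes an Apache 2.2 format `ErrorLog`; the log lines and addresses are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in Apache 2.2 error-log format.
SAMPLE_LOG = """\
[Sat Mar 12 21:14:03 2011] [error] [client 203.0.113.7] user admin: authentication failure for "/sabnzbd": Password Mismatch
[Sat Mar 12 21:14:05 2011] [error] [client 203.0.113.7] user root not found: /sabnzbd
[Sat Mar 12 21:14:09 2011] [error] [client 198.51.100.20] user sabuser: authentication failure for "/sabnzbd": Password Mismatch
[Sat Mar 12 21:14:11 2011] [error] [client 203.0.113.7] user admin: authentication failure for "/sabnzbd": Password Mismatch
[Sat Mar 12 21:40:00 2011] [error] [client 198.51.100.20] user sabuser: authentication failure for "/sabnzbd": Password Mismatch
[Sat Mar 12 21:41:00 2011] [error] [client 198.51.100.20] File does not exist: /var/www/favicon.ico
""".splitlines()

# Lines logged for a wrong password or an unknown user.
FAIL_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[^\]]+)\] user .*?'
    r'(?:authentication failure|not found)'
)

def offenders(lines, maxretry=3, findtime=timedelta(minutes=10)):
    """Return client IPs with >= maxretry failures inside any findtime window."""
    recent = defaultdict(deque)   # ip -> timestamps of recent failures
    flagged = []
    for line in lines:
        m = FAIL_RE.match(line)
        if not m:
            continue              # not an auth failure (e.g. a missing file)
        when = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
        window = recent[m["ip"]]
        window.append(when)
        # Drop failures that have aged out of the window.
        while when - window[0] > findtime:
            window.popleft()
        if len(window) >= maxretry and m["ip"] not in flagged:
            flagged.append(m["ip"])
    return flagged

if __name__ == "__main__":
    print(offenders(SAMPLE_LOG))
```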

  3. I don’t know if this will work, because I cannot find the vhost.conf file…. Ubuntu uses some other config files for vhost or not?
    Ubuntu documentation says something about sites-available…. why not use that?

    • You have to create vhosts.conf.

      I just choose to use vhosts.conf in conf.d/ folder rather than sites-enabled/sites-available because it’s just what I’m used to. Sites-en/av is great for a multi-file virtual host configuration setup but I like having all the virtual hosts housed in a few files so you can easily see all the different sites’ configurations for comparison, copying as templates, and seeing conflicts. I just comment out deactivated vhosts, sites-en/av is superior in that it’s quicker at enabling/disabling vhosts in that respect but for me the benefits outweigh the costs.
