If you want to access your Audiobookshelf server from outside your home network (and you should, if you want SoundLeaf to work on cellular), you’ll need a reverse proxy. This handles SSL certificates and forwards traffic to Audiobookshelf.

The one thing every config has in common: WebSocket support is required. Audiobookshelf uses WebSockets for real-time updates, and things will break without it.

Caddy (the easy option)

If you don’t already have a preference, use Caddy. It handles SSL certificates automatically and the config is two lines:

audiobookshelf.yourdomain.com {
    reverse_proxy localhost:13378
}

That’s the entire config. Caddy handles SSL via Let’s Encrypt, WebSocket proxying, and HTTP/2 automatically.

Nginx

server {
    listen 443 ssl;
    server_name audiobookshelf.yourdomain.com;

    ssl_certificate /path/to/certificate;
    ssl_certificate_key /path/to/key;

    location / {
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Host $http_host;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_http_version 1.1;
        proxy_pass http://localhost:13378;
        proxy_redirect http:// https://;
        client_max_body_size 10240M;
    }
}

The Upgrade and Connection headers are the WebSocket bits. The large client_max_body_size allows uploading audiobook files through the web UI.

Nginx Proxy Manager

If you’re running Nginx Proxy Manager (common on home servers):

1. Add a new Proxy Host
2. Set your domain name
3. Forward to your server’s IP on port 13378
4. Enable Websockets Support — this is the toggle that trips people up
5. Under SSL, enable Force SSL and HTTP/2

Apache

Requires mod_ssl, mod_proxy, mod_proxy_wstunnel, and mod_rewrite:

<VirtualHost *:443>
    ServerName audiobookshelf.yourdomain.com

    ProxyPreserveHost On
    ProxyPass / http://localhost:13378/
    ProxyPassReverse / http://localhost:13378/

    RewriteEngine on
    RewriteCond %{HTTP:Upgrade} websocket [NC]
    RewriteCond %{HTTP:Connection} upgrade [NC]
    RewriteRule ^/?(.*) "ws://localhost:13378/$1" [P,L]

    SSLCertificateFile /path/to/cert
    SSLCertificateKeyFile /path/to/key
</VirtualHost>

On Apache 2.4.47+, there’s a simpler syntax:

<VirtualHost *:443>
    ServerName audiobookshelf.yourdomain.com

    ProxyPreserveHost on
    ProxyPass / http://localhost:13378/ upgrade=websocket
    ProxyPassReverse / http://localhost:13378/

    SSLCertificateFile /path/to/cert
    SSLCertificateKeyFile /path/to/key
</VirtualHost>

HAProxy

frontend my_frontend
    bind :443 ssl crt-list /path/to/cert.crt_list alpn h2,http/1.1
    acl is_audiobookshelf hdr_beg(host) -i audiobookshelf
    use_backend audiobookshelf_backend if is_audiobookshelf

backend audiobookshelf_backend
    mode http
    server audiobookshelf 127.0.0.1:13378

Traefik

Traefik works with standard Docker labels. One important gotcha: do NOT apply CORS middleware headers (accessControlAllowMethods, accessControlAllowOriginList, accessControlMaxAge). They cause an “Unknown Error” on the login screen. Just let Audiobookshelf handle CORS itself.

Running under a subfolder

If you want to run Audiobookshelf at yourdomain.com/audiobookshelf instead of a subdomain, the path must be /audiobookshelf. This is hardcoded and not configurable.

Verify it works

After setting up your reverse proxy:

1. Open https://audiobookshelf.yourdomain.com in a browser
2. Log in and check that the web player works (this confirms WebSockets are working)
3. In SoundLeaf, use the full URL including https:// to connect

If you can log in but the player doesn’t work, WebSocket proxying isn’t set up correctly.