I've just set up my apps as follows:

NZB360 -> Apache SSL reverse proxy with basic authentication -> unencrypted connection to apps

Everything works a little too well in that NZB360 never prompted me to accept the certificate. I'm concerned that my credentials could be intercepted rather trivially on an untrusted wifi connection.

Should NZB360 have prompted for the cert? Can I configure it to be less trusting?

Does your browser ask you to confirm a certificate ? When you're using something that the browser supports, then it doesn't If you made your own certificate, then perhaps yes.

If you don't know for sure whether the connection is encrypted, then sniff the traffic and see for yourself.

Optionally, if you like having a secure connection, yet no passwords, you might want to consider a vpn setup.