Radicale/proxy.md

---
layout: page
title: Reverse Proxy
permalink: /proxy/
---

When a reverse proxy is used, the path at which Radicale is available must
be provided via the `X-Script-Name` header. The proxy must remove the location
from the URL path that is forwarded to Radicale.

Example **nginx** configuration:
```nginx
location /radicale/ { # The trailing / is important!
    proxy_pass        http://localhost:5232/; # The / is important!
    proxy_set_header  X-Script-Name /radicale;
    proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_pass_header Authorization;
}
```

Be reminded that Radicale's default configuration enforces limits on the
maximum number of parallel connections, the maximum file size and the rate of
incorrect authentication attempts. Connections are terminated after a timeout.

## Manage user accounts with the reverse proxy

(This feature is only available in the development version!)

Set the configuration option `type` in the `auth` section to
`http_x_remote_user`.
Radicale uses the user name provided in the `X-Remote-User` HTTP header and
disables HTTP authentication.

Example **nginx** configuration:

```nginx
location /radicale/ {
    proxy_pass           http://localhost:5232/;
    proxy_set_header     X-Script-Name /radicale;
    proxy_set_header     X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header     X-Remote-User $remote_user;
    auth_basic           "Radicale - Password Required";
    auth_basic_user_file /etc/nginx/htpasswd;
}
```

## Secure connection between Radicale and the reverse proxy

(This feature is only available in the development version!)

SSL certificates can be used to encrypt and authenticate the connection between
Radicale and the reverse proxy. First you have to generate a certificate for
Radicale and a certificate for the reverse proxy. The following commands
generate self-signed certificates. You will be asked to enter additional
information about the certificate, the values don't matter and you can keep the
defaults.

```shell
$ openssl req -x509 -newkey rsa:4096 -keyout server_key.pem -out server_cert.pem -nodes -days 9999
$ openssl req -x509 -newkey rsa:4096 -keyout client_key.pem -out client_cert.pem -nodes -days 9999
```

Use the following configuration for Radicale:

```ini
[server]
ssl = True
certificate = /path/to/server_cert.pem
key = /path/to/server_key.pem
certificate_authority = /path/to/client_cert.pem
```

Example **nginx** configuration:

```nginx
location /radicale/ {
    ...
    # Place the files somewhere nginx is allowed to access (e.g. /etc/nginx/...).
    proxy_ssl_certificate         /path/to/client_cert.pem;
    proxy_ssl_certificate_key     /path/to/client_key.pem;
    proxy_ssl_trusted_certificate /path/to/server_cert.pem;
}
```
WIP 2017-05-24 19:13:47 +02:00			`---`
			`layout: page`
			`title: Reverse Proxy`
			`permalink: /proxy/`
			`---`

Improve reverse proxy documentation 2017-05-29 02:20:41 +02:00			`When a reverse proxy is used, the path at which Radicale is available must`
			be provided via the `X-Script-Name` header. The proxy must remove the location
			`from the URL path that is forwarded to Radicale.`
WIP 2017-05-24 19:13:47 +02:00
			`Example nginx configuration:`
Minor fixes 2017-05-27 12:06:41 +02:00			```nginx
Improve nginx example 2017-06-01 10:25:31 +02:00			`location /radicale/ { # The trailing / is important!`
			`proxy_pass http://localhost:5232/; # The / is important!`
			`proxy_set_header X-Script-Name /radicale;`
			`proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;`
			`proxy_pass_header Authorization;`
WIP 2017-05-24 19:13:47 +02:00			`}`
			```

WIP (add missing configuration options) 2017-05-25 19:58:22 +02:00			`Be reminded that Radicale's default configuration enforces limits on the`
			`maximum number of parallel connections, the maximum file size and the rate of`
			`incorrect authentication attempts. Connections are terminated after a timeout.`
Document features of the development version 2017-06-07 21:39:54 +02:00
			`## Manage user accounts with the reverse proxy`

			`(This feature is only available in the development version!)`

			Set the configuration option `type` in the `auth` section to
			`http_x_remote_user`.
			Radicale uses the user name provided in the `X-Remote-User` HTTP header and
			`disables HTTP authentication.`

			`Example nginx configuration:`

			```nginx
			`location /radicale/ {`
			`proxy_pass http://localhost:5232/;`
			`proxy_set_header X-Script-Name /radicale;`
			`proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;`
			`proxy_set_header X-Remote-User $remote_user;`
			`auth_basic "Radicale - Password Required";`
			`auth_basic_user_file /etc/nginx/htpasswd;`
			`}`
			```

			`## Secure connection between Radicale and the reverse proxy`

			`(This feature is only available in the development version!)`

			`SSL certificates can be used to encrypt and authenticate the connection between`
			`Radicale and the reverse proxy. First you have to generate a certificate for`
			`Radicale and a certificate for the reverse proxy. The following commands`
			`generate self-signed certificates. You will be asked to enter additional`
			`information about the certificate, the values don't matter and you can keep the`
			`defaults.`

			```shell
			`$ openssl req -x509 -newkey rsa:4096 -keyout server_key.pem -out server_cert.pem -nodes -days 9999`
			`$ openssl req -x509 -newkey rsa:4096 -keyout client_key.pem -out client_cert.pem -nodes -days 9999`
			```

			`Use the following configuration for Radicale:`

			```ini
			`[server]`
			`ssl = True`
			`certificate = /path/to/server_cert.pem`
			`key = /path/to/server_key.pem`
			`certificate_authority = /path/to/client_cert.pem`
			```

			`Example nginx configuration:`

			```nginx
			`location /radicale/ {`
			`...`
			`# Place the files somewhere nginx is allowed to access (e.g. /etc/nginx/...).`
			`proxy_ssl_certificate /path/to/client_cert.pem;`
			`proxy_ssl_certificate_key /path/to/client_key.pem;`
			`proxy_ssl_trusted_certificate /path/to/server_cert.pem;`
			`}`
			```