Radicale is really easy to install and works out-of-the-box.
$ python3 -m pip install --upgrade https://github.com/Kozea/Radicale/archive/master.tar.gz
- $ python3 -m radicale --storage-filesystem-folder=~/.var/lib/radicale/collectionsWhen the server is launched, open http://localhost:5232/ in your browser! You can login with any username and password.
Want more? Check the tutorials and the documentation.
@@ -269,9 +269,9 @@First, make sure that python 3.5 or later (python ≥ 3.6 is recommended) and pip are installed. On most distributions it should be enough to install the package python3-pip.
Then open a console and type:
# Run the following command as root or
- # add the --user argument to only install for the current user
- $ python3 -m pip install --upgrade https://github.com/Kozea/Radicale/archive/master.tar.gz
- $ python3 -m radicale --storage-filesystem-folder=~/.var/lib/radicale/collectionsVictory! Open http://localhost:5232/ in your browser! You can log in with any username and password.
The first step is to install Python. Go to python.org and download the latest version of Python 3. Then run the installer. On the first window of the installer, check the "Add Python to PATH" box and click on "Install now". Wait a couple of minutes, it's done!
Launch a command prompt and type:
C:\Users\User> python -m pip install --upgrade https://github.com/Kozea/Radicale/archive/master.tar.gz
- C:\Users\User> python -m radicale --storage-filesystem-folder=~/radicale/collectionsVictory! Open http://localhost:5232/ in your browser! You can log in with any username and password.
The users file can be created and managed with htpasswd:
# Create a new htpasswd file with the user "user1"
- $ htpasswd -c /path/to/users user1
- New password:
- Re-type new password:
- # Add another user
- $ htpasswd /path/to/users user2
- New password:
- Re-type new password:Authentication can be enabled with the following configuration:
[auth]
- type = htpasswd
- htpasswd_filename = /path/to/users
- # encryption method used in the htpasswd file
- htpasswd_encryption = md5Create the users file by hand with lines containing the user name and password separated by :. Example:
user1:password1
- user2:password2Authentication can be enabled with the following configuration:
[auth]
- type = htpasswd
- htpasswd_filename = /path/to/users
- # encryption method used in the htpasswd file
- htpasswd_encryption = plainThe default configuration binds the server to localhost. It can't be reached from other computers. This can be changed with the following configuration options (IPv4 and IPv6):
[server]
- hosts = 0.0.0.0:5232, [::]:5232Data is stored in the folder /var/lib/radicale/collections. The path can be changed with the following configuration:
[storage]
- filesystem_folder = /path/to/storage@@ -343,15 +343,15 @@Security: The storage folder should not be readable by unauthorized users. Otherwise, they can read the calendar data and lock the storage. You can find OS dependent instructions in the Running as a service section.
Radicale enforces limits on the maximum number of parallel connections, the maximum file size (important for contacts with big photos) and the rate of incorrect authentication attempts. Connections are terminated after a timeout. The default values should be fine for most scenarios.
[server]
- max_connections = 20
- # 100 Megabyte
- max_content_length = 100000000
- # 30 seconds
- timeout = 30
-
- [auth]
- # Average delay after failed login attempts in seconds
- delay = 1Create the file /etc/systemd/system/radicale.service:
[Unit]
- Description=A simple CalDAV (calendar) and CardDAV (contact) server
- After=network.target
- Requires=network.target
-
- [Service]
- ExecStart=/usr/bin/env python3 -m radicale
- Restart=on-failure
- User=radicale
- # Deny other users access to the calendar data
- UMask=0027
- # Optional security settings
- PrivateTmp=true
- ProtectSystem=strict
- ProtectHome=true
- PrivateDevices=true
- ProtectKernelTunables=true
- ProtectKernelModules=true
- ProtectControlGroups=true
- NoNewPrivileges=true
- ReadWritePaths=/var/lib/radicale/collections
-
- [Install]
- WantedBy=multi-user.targetRadicale will load the configuration file from /etc/radicale/config.
To enable and manage the service run:
# Enable the service
- $ systemctl enable radicale
- # Start the service
- $ systemctl start radicale
- # Check the status of the service
- $ systemctl status radicale
- # View all log messages
- $ journalctl --unit radicale.serviceCreate the file ~/.config/systemd/user/radicale.service:
[Unit]
- Description=A simple CalDAV (calendar) and CardDAV (contact) server
-
- [Service]
- ExecStart=/usr/bin/env python3 -m radicale
- Restart=on-failure
-
- [Install]
- WantedBy=default.targetRadicale will load the configuration file from ~/.config/radicale/config. You should set the configuration option filesystem_folder in the storage section to something like ~/.var/lib/radicale/collections.
To enable and manage the service run:
# Enable the service
- $ systemctl --user enable radicale
- # Start the service
- $ systemctl --user start radicale
- # Check the status of the service
- $ systemctl --user status radicale
- # View all log messages
- $ journalctl --user --unit radicale.serviceRadicaleC:\Path\To\Python\python.exe-m radicale --config C:\Path\To\ConfigC:\Path\To\Radicale.logWhen a reverse proxy is used, the path at which Radicale is available must be provided via the X-Script-Name header. The proxy must remove the location from the URL path that is forwarded to Radicale.
Example nginx configuration:
location /radicale/ { # The trailing / is important!
- proxy_pass http://localhost:5232/; # The / is important!
- proxy_set_header X-Script-Name /radicale;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header Host $http_host;
- proxy_pass_header Authorization;
- }Example Apache configuration:
RewriteEngine On
- RewriteRule ^/radicale$ /radicale/ [R,L]
-
- <Location "/radicale/">
- ProxyPass http://localhost:5232/ retry=0
- ProxyPassReverse http://localhost:5232/
- RequestHeader set X-Script-Name /radicale
- </Location>Example Apache .htaccess configuration:
DirectoryIndex disabled
- RewriteEngine On
- RewriteRule ^(.*)$ http://localhost:5232/$1 [P,L]
-
- # Set to directory of .htaccess file:
- RequestHeader set X-Script-Name /radicaleBe reminded that Radicale's default configuration enforces limits on the maximum number of parallel connections, the maximum file size and the rate of incorrect authentication attempts. Connections are terminated after a timeout.
Set the configuration option type in the auth section to http_x_remote_user. Radicale uses the user name provided in the X-Remote-User HTTP header and disables HTTP authentication.
Example nginx configuration:
location /radicale/ {
- proxy_pass http://localhost:5232/;
- proxy_set_header X-Script-Name /radicale;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Remote-User $remote_user;
- proxy_set_header Host $http_host;
- auth_basic "Radicale - Password Required";
- auth_basic_user_file /etc/nginx/htpasswd;
- }Example Apache configuration:
RewriteEngine On
- RewriteRule ^/radicale$ /radicale/ [R,L]
-
- <Location "/radicale/">
- AuthType Basic
- AuthName "Radicale - Password Required"
- AuthUserFile "/etc/radicale/htpasswd"
- Require valid-user
-
- ProxyPass http://localhost:5232/ retry=0
- ProxyPassReverse http://localhost:5232/
- RequestHeader set X-Script-Name /radicale
- RequestHeader set X-Remote-User expr=%{REMOTE_USER}
- </Location>Example Apache .htaccess configuration:
DirectoryIndex disabled
- RewriteEngine On
- RewriteRule ^(.*)$ http://localhost:5232/$1 [P,L]
-
- AuthType Basic
- AuthName "Radicale - Password Required"
- AuthUserFile "/etc/radicale/htpasswd"
- Require valid-user
-
- # Set to directory of .htaccess file:
- RequestHeader set X-Script-Name /radicale
- RequestHeader set X-Remote-User expr=%{REMOTE_USER}@@ -521,22 +521,22 @@Security: Untrusted clients should not be able to access the Radicale server directly. Otherwise, they can authenticate as any user.
SSL certificates can be used to encrypt and authenticate the connection between Radicale and the reverse proxy. First you have to generate a certificate for Radicale and a certificate for the reverse proxy. The following commands generate self-signed certificates. You will be asked to enter additional information about the certificate, the values don't matter and you can keep the defaults.
$ openssl req -x509 -newkey rsa:4096 -keyout server_key.pem -out server_cert.pem -nodes -days 9999
- $ openssl req -x509 -newkey rsa:4096 -keyout client_key.pem -out client_cert.pem -nodes -days 9999Use the following configuration for Radicale:
[server]
- ssl = True
- certificate = /path/to/server_cert.pem
- key = /path/to/server_key.pem
- certificate_authority = /path/to/client_cert.pemExample nginx configuration:
location /radicale/ {
- proxy_pass https://localhost:5232/;
- ...
- # Place the files somewhere nginx is allowed to access (e.g. /etc/nginx/...).
- proxy_ssl_certificate /path/to/client_cert.pem;
- proxy_ssl_certificate_key /path/to/client_key.pem;
- proxy_ssl_trusted_certificate /path/to/server_cert.pem;
- }A configuration file can be set with the RADICALE_CONFIG environment variable, otherwise no configuration file is loaded and the default configuration is used.
Example uWSGI configuration:
[uwsgi]
- http-socket = 127.0.0.1:5232
- processes = 8
- plugin = python3
- module = radicale
- env = RADICALE_CONFIG=/etc/radicale/configExample Gunicorn configuration:
gunicorn --bind '127.0.0.1:5232' --workers 8 --env 'RADICALE_CONFIG=/etc/radicale/config' radicaleThis tutorial describes how to keep track of all changes to calendars and address books with git (or any other version control system).
The repository must be initialized by running git init in the file system folder. Internal files of Radicale can be excluded by creating the file .gitignore with the following content:
.Radicale.cache
- .Radicale.lock
- .Radicale.tmp-*The configuration option hook in the storage section must be set to the following command:
git add -A && (git diff --cached --quiet || git commit -m "Changes by "%(user)s)The command gets executed after every change to the storage and commits the changes into the git repository.
@@ -576,16 +576,16 @@Radicale can be configured with a configuration file or with command line arguments.
An example configuration file looks like:
[server]
- # Bind all addresses
- hosts = 0.0.0.0:5232, [::]:5232
-
- [auth]
- type = htpasswd
- htpasswd_filename = ~/.config/radicale/users
- htpasswd_encryption = md5
-
- [storage]
- filesystem_folder = ~/.var/lib/radicale/collectionsRadicale tries to load configuration files from /etc/radicale/config and ~/.config/radicale/config. Custom paths can be specified with the --config /path/to/config command line argument or the RADICALE_CONFIG environment variable. Multiple configuration files can be separated by : (resp. ; on Windows). Paths that start with ? are optional.
The same example configuration via command line arguments looks like:
python3 -m radicale --server-hosts 0.0.0.0:5232,[::]:5232 --auth-type htpasswd --auth-htpasswd-filename ~/.config/radicale/users --auth-htpasswd-encryption md5Available methods:
plain : Passwords are stored in plaintext. This is obviously not secure! The htpasswd file for this can be created by hand and looks like:
user1:password1
- user2:password2bcrypt : This uses a modified version of the Blowfish stream cipher. It's very secure. The installation of radicale[bcrypt] is required for this.
md5 : This uses an iterated md5 digest of the password with a salt.
Default: md5
This is not the recommended way of creating and managing your calendars and address books. Use Radicale's web interface or a client with support for it (e.g. DAVx⁵).
To create a new calendar run something like:
$ curl -u user -X MKCOL 'http://localhost:5232/user/calendar' --data \
- '<?xml version="1.0" encoding="UTF-8" ?>
- <create xmlns="DAV:" xmlns:C="urn:ietf:params:xml:ns:caldav" xmlns:I="http://apple.com/ns/ical/">
- <set>
- <prop>
- <resourcetype>
- <collection />
- <C:calendar />
- </resourcetype>
- <C:supported-calendar-component-set>
- <C:comp name="VEVENT" />
- <C:comp name="VJOURNAL" />
- <C:comp name="VTODO" />
- </C:supported-calendar-component-set>
- <displayname>Calendar</displayname>
- <C:calendar-description>Example calendar</C:calendar-description>
- <I:calendar-color>#ff0000ff</I:calendar-color>
- </prop>
- </set>
- </create>'To create a new address book run something like:
$ curl -u user -X MKCOL 'http://localhost:5232/user/addressbook' --data \
- '<?xml version="1.0" encoding="UTF-8" ?>
- <create xmlns="DAV:" xmlns:CR="urn:ietf:params:xml:ns:carddav">
- <set>
- <prop>
- <resourcetype>
- <collection />
- <CR:addressbook />
- </resourcetype>
- <displayname>Address book</displayname>
- <CR:addressbook-description>Example address book</CR:addressbook-description>
- </prop>
- </set>
- </create>'The collection /USERNAME will be created automatically, when the user authenticates to Radicale for the first time. Clients with automatic discovery of collections will only show calendars and address books that are direct children of the path /USERNAME/.
Delete the collections by running something like:
$ curl -u user -X DELETE 'http://localhost:5232/user/calendar'The recommended rights method is owner_only. If access to calendars and address books outside the home directory of users (that's /USERNAME/) is granted, clients won't detect these collections and will not show them to the user. This is only useful if you access calendars and address books directly via URL.
An example rights file:
# Allow reading root collection for authenticated users
- [root]
- user: .+
- collection:
- permissions: R
-
- # Allow reading and writing principal collection (same as user name)
- [principal]
- user: .+
- collection: {user}
- permissions: RW
-
- # Allow reading and writing calendars and address books that are direct
- # children of the principal collection
- [calendars]
- user: .+
- collection: {user}/[^/]+
- permissions: rwThe titles of the sections are ignored (but must be unique). The keys user and collection contain regular expressions, that are matched against the user name and the path of the collection. Permissions from the first matching section are used. If no section matches, access gets denied.
The user name is empty for anonymous users. Therefore, the regex .+ only matches authenticated users and .* matches everyone (including anonymous users).
The path of the collection is separated by / and has no leading or trailing /. Therefore, the path of the root collection is empty.
Use the flock utility.
# Exclusive
- $ flock --exclusive /path/to/storage/.Radicale.lock COMMAND
- # Shared
- $ flock --shared /path/to/storage/.Radicale.lock COMMANDTo get started we walk through the creation of a simple authentication plugin, that accepts login attempts with a static password.
The easiest way to develop and install python modules is Distutils. For a minimal setup create the file setup.py with the following content in an empty folder:
#!/usr/bin/env python3
-
- from distutils.core import setup
-
- setup(name="radicale_static_password_auth",
- packages=["radicale_static_password_auth"])In the same folder create the sub-folder radicale_static_password_auth. The folder must have the same name as specified in packages above.
Create the file __init__.py in the radicale_static_password_auth folder with the following content:
from radicale.auth import BaseAuth
- from radicale.log import logger
-
- PLUGIN_CONFIG_SCHEMA = {"auth": {
- "password": {"value": "", "type": str}}}
-
-
- class Auth(BaseAuth):
- def __init__(self, configuration):
- super().__init__(configuration.copy(PLUGIN_CONFIG_SCHEMA))
-
- def login(self, login, password):
- # Get password from configuration option
- static_password = self.configuration.get("auth", "password")
- # Check authentication
- logger.info("Login attempt by %r with password %r",
- login, password)
- if password == static_password:
- return login
- return ""Install the python module by running the following command in the same folder as setup.py:
python3 -m pip install .To make use this great creation in Radicale, set the configuration option type in the auth section to radicale_static_password_auth:
[auth]
- type = radicale_static_password_auth
- password = secretYou can uninstall the module with:
python3 -m pip uninstall radicale_static_password_authBecause settings are the same for InfCloud, CalDavZAP and CardDavMATE
- only InfCloud is used in description below.
Radicale configuration ¶
Add/Modify the following section in Radicale main configuration file:
# Additional HTTP headers
- [headers]
- Access-Control-Allow-Origin = *
- Access-Control-Allow-Methods = GET, POST, OPTIONS, PROPFIND, PROPPATCH, REPORT, PUT, MOVE, DELETE, LOCK, UNLOCK
- Access-Control-Allow-Headers = Authorization, Content-type, Depth, Destination, If-match, If-None-Match, Lock-Token, Overwrite, Prefer, Timeout, User-Agent, X-Client, X-Requested-With
- Access-Control-Expose-Headers = EtagInfCloud needs read access for everybody (including anonymous users) on Radicale's root directory. If using Radicales rights management add the following section to rights file:
# Allow caldavzap, carddavmate and infcloud to work
- [infcloud]
- user: .*
- collection: /
- permission: rAdditional you need to change [owner-write] section to use the same syntax for collection as shown in [public] section.
# Give write access to owners
- [owner-write]
- user: .+
- # collection: ^%(login)s/.+$ # DOES NOT WORK
- collection: ^%(login)s(/.+)?$
- permission: rwInfCloud configuration ¶
Inside InfCloud configuration file config.js you need to set globalNetworkCheckSettings like following example:
// href:
- // put in here your protocol, host and port where Radicale is listening
- // additionalResources:
- // put in here a comma separated list of collections you want additionally look at.
- // Don't forget '' around each collections name
- var globalNetworkCheckSettings={
- href: 'https://host.example.com:5232/',
- hrefLabel: null,
- crossDomain: null,
- additionalResources: ['public'],
- forceReadOnly: null,
- withCredentials: false,
- showHeader: true,
- settingsAccount: true,
- syncInterval: 60000,
- timeOut: 30000,
- lockTimeOut: 10000,
- delegation: false,
- ignoreAlarms: false,
- backgroundCalendars: []
- }Note
InfCloud,CardDavMATEandCalDavZAPcannot create calendars and/or address books. They need to be created before first login. Each user needs to have minimum of one calendar and/or one adressbook even if only using shared addresses and/or calendars. Client will not login, if the user collections don't exists.
You can easily create them by directly calling the URL's from your browser:
- http(s)://host.example.com:5232/user/calendar.ics/
- http(s)://host.example.com:5232/user/addresses.vcf/
http(s)://host.example.com:5232/user/calendar.ics/http(s)://host.example.com:5232/user/addresses.vcf/
Replace "http(s)" with the correct protocol, "host.example.com:5232" with you host:port where Radicale is running,
- "user" with the correct login name or the shared resource name i.e. 'public',
- "calendar.ics" and "addresses.vcf" with the collection names you want to use
- and do NOT forget the '/' at line end.
Note
If using self-signed certificates you need to do the following steps before using
+With your browser call one of the above URLs.InfCloud, CardDavMATEorCalDavZAP.
- With your browser call one of the above URLs.
- Your browser warn you that you are trying to access anInsecuresite.
- Download and accept the certificate offered by the Radicale server.
- After installing and accepting it you should restart your browser.
+Your browser warn you that you are trying to access anInsecuresite.
+Download and accept the certificate offered by the Radicale server.
+After installing and accepting it you should restart your browser.
The server configuration can be modified in /etc/radicale/config or in ~/.config/radicale/config. You can use the --config parameter in the command line to choose a specific path. You can also set the RADICALE_CONFIG environment variable to a path of your choice. Here is the default configuration file, with the main parameters:
[server]
-
- # CalDAV server hostnames separated by a comma
- # IPv4 syntax: address:port
- # IPv6 syntax: [address]:port
- # For example: 0.0.0.0:9999, [::]:9999
- # IPv6 adresses are configured to only allow IPv6 connections
- #hosts = 0.0.0.0:5232
-
- # Daemon flag
- #daemon = False
-
- # File storing the PID in daemon mode
- #pid =
-
- # SSL flag, enable HTTPS protocol
- #ssl = False
-
- # SSL certificate path
- #certificate = /etc/apache2/ssl/server.crt
-
- # SSL private key
- #key = /etc/apache2/ssl/server.key
-
- # SSL Protocol used. See python's ssl module for available values
- #protocol = PROTOCOL_SSLv23
-
- # Ciphers available. See python's ssl module for available ciphers
- #ciphers =
-
- # Reverse DNS to resolve client address in logs
- #dns_lookup = True
-
- # Root URL of Radicale (starting and ending with a slash)
- #base_prefix = /
-
- # Possibility to allow URLs cleaned by a HTTP server, without the base_prefix
- #can_skip_base_prefix = False
-
- # Message displayed in the client when a password is needed
- #realm = Radicale - Password Required
-
-
- [encoding]
-
- # Encoding for responding requests
- #request = utf-8
-
- # Encoding for storing local collections
- #stock = utf-8
-
-
- [well-known]
-
- # Path where /.well-known/caldav/ is redirected
- #caldav = '/%(user)s/caldav/'
-
- # Path where /.well-known/carddav/ is redirected
- #carddav = '/%(user)s/carddav/'
-
-
- [auth]
-
- # Authentication method
- # Value: None | htpasswd | IMAP | LDAP | PAM | courier | http | remote_user | custom
- #type = None
-
- # Custom authentication handler
- #custom_handler =
-
- # Htpasswd filename
- #htpasswd_filename = /etc/radicale/users
-
- # Htpasswd encryption method
- # Value: plain | sha1 | ssha | crypt | bcrypt | md5
- #htpasswd_encryption = crypt
-
- # LDAP server URL, with protocol and port
- #ldap_url = ldap://localhost:389/
-
- # LDAP base path
- #ldap_base = ou=users,dc=example,dc=com
-
- # LDAP login attribute
- #ldap_attribute = uid
-
- # LDAP filter string
- # placed as X in a query of the form (&(...)X)
- # example: (objectCategory=Person)(objectClass=User)(memberOf=cn=calenderusers,ou=users,dc=example,dc=org)
- # leave empty if no additional filter is needed
- #ldap_filter =
-
- # LDAP dn for initial login, used if LDAP server does not allow anonymous searches
- # Leave empty if searches are anonymous
- #ldap_binddn =
-
- # LDAP password for initial login, used with ldap_binddn
- #ldap_password =
-
- # LDAP scope of the search
- #ldap_scope = OneLevel
-
- # IMAP Configuration
- #imap_hostname = localhost
- #imap_port = 143
- #imap_ssl = False
-
- # PAM group user should be member of
- #pam_group_membership =
-
- # Path to the Courier Authdaemon socket
- #courier_socket =
-
- # HTTP authentication request URL endpoint
- #http_url =
- # POST parameter to use for username
- #http_user_parameter =
- # POST parameter to use for password
- #http_password_parameter =
-
-
- [git]
-
- # Git default options
- #committer = Radicale <radicale@example.com>
-
-
- [rights]
-
- # Rights backend
- # Value: None | authenticated | owner_only | owner_write | from_file | custom
- #type = None
-
- # Custom rights handler
- #custom_handler =
-
- # File for rights management from_file
- #file = ~/.config/radicale/rights
-
-
- [storage]
-
- # Storage backend
- # -------
- # WARNING: ONLY "filesystem" IS DOCUMENTED AND TESTED,
- # OTHER BACKENDS ARE NOT READY FOR PRODUCTION.
- # -------
- # Value: filesystem | multifilesystem | database | custom
- #type = filesystem
-
- # Custom storage handler
- #custom_handler =
-
- # Folder for storing local collections, created if not present
- #filesystem_folder = ~/.config/radicale/collections
-
- # Database URL for SQLAlchemy
- # dialect+driver://user:password@host/dbname[?key=value..]
- # For example: sqlite:///var/db/radicale.db, postgresql://user:password@localhost/radicale
- # See http://docs.sqlalchemy.org/en/rel_0_8/core/engines.html#sqlalchemy.create_engine
- #database_url =
-
-
- [logging]
-
- # Logging configuration file
- # If no config is given, simple information is printed on the standard output
- # For more information about the syntax of the configuration file, see:
- # http://docs.python.org/library/logging.config.html
- #config = /etc/radicale/logging
- # Set the default logging level to debug
- #debug = False
- # Store all environment variables (including those set in the shell)
- #full_environment = False
-
-
- [headers]
-
- # Additional HTTP headers
- #Access-Control-Allow-Origin = *This configuration file is read each time the server is launched. If some values are not given, the default ones are used. If no configuration file is available, all the default values are used.
radicale --debugRadicale can also be configured to send the messages to the console, logging files, syslog, etc. For more information about the syntax of the configuration file, see: http://docs.python.org/library/logging.config.html. Here is an example of logging configuration file:
# Loggers, handlers and formatters keys
-
- [loggers]
- # Loggers names, main configuration slots
- keys = root
-
- [handlers]
- # Logging handlers, defining logging output methods
- keys = console,file
-
- [formatters]
- # Logging formatters
- keys = simple,full
-
-
- # Loggers
-
- [logger_root]
- # Root logger
- level = DEBUG
- handlers = console,file
-
-
- # Handlers
-
- [handler_console]
- # Console handler
- class = StreamHandler
- level = INFO
- args = (sys.stdout,)
- formatter = simple
-
- [handler_file]
- # File handler
- class = FileHandler
- args = ('/var/log/radicale',)
- formatter = full
-
-
- # Formatters
-
- [formatter_simple]
- # Simple output format
- format = %(message)s
-
- [formatter_full]
- # Full output format
- format = %(asctime)s - %(levelname)s: %(message)sTo use Radicale with Apache's mod_wsgi, you first have to install the Radicale module in your Python path and write your .wsgi file (in /var/www for example):
import radicale
- radicale.log.start()
- application = radicale.Application()Note
The
hosts,daemon,pid,ssl,certificate,key,protocolandcipherskeys of the[server]part of the configuration are ignored.
Next you have to create the Apache virtual host (adapt the configuration to your environment):
<VirtualHost *:80>
- ServerName cal.yourdomain.org
-
- WSGIDaemonProcess radicale user=www-data group=www-data threads=1
- WSGIScriptAlias / /var/www/radicale.wsgi
-
- <Directory /var/www>
- WSGIProcessGroup radicale
- WSGIApplicationGroup %{GLOBAL}
- AllowOverride None
- Order allow,deny
- allow from all
- </Directory>
- </VirtualHost>Warning
You should use the root of the (sub)domain (
@@ -1008,28 +1008,28 @@WSGIScriptAlias /), else some CalDAV features may not work.Deactivate any rights and module in Radicale and use your favourite Apache authentication backend. You can then restrict the access: allow the
aliceuser to access/alice/*URLs, and everything should work as expected.Here is one example of Apache configuration file:
+ ServerName radicale.local + + WSGIDaemonProcess radicale user=radicale group=radicale threads=1 + WSGIScriptAlias / /usr/share/radicale/radicale.wsgi + + <Directory /usr/share/radicale/> + WSGIProcessGroup radicale + WSGIApplicationGroup %{GLOBAL} + + AuthType Basic + AuthName "Radicale Authentication" + AuthBasicProvider file + AuthUserFile /usr/share/radicale/radicale.passwd + + AllowOverride None + Require valid-user + + RewriteEngine On + RewriteCond %{REMOTE_USER}%{PATH_INFO} !^([^/]+/)\1 + RewriteRule .* - [Forbidden] + </Directory> +</VirtualHost><VirtualHost *:80> - ServerName radicale.local - - WSGIDaemonProcess radicale user=radicale group=radicale threads=1 - WSGIScriptAlias / /usr/share/radicale/radicale.wsgi - - <Directory /usr/share/radicale/> - WSGIProcessGroup radicale - WSGIApplicationGroup %{GLOBAL} - - AuthType Basic - AuthName "Radicale Authentication" - AuthBasicProvider file - AuthUserFile /usr/share/radicale/radicale.passwd - - AllowOverride None - Require valid-user - - RewriteEngine On - RewriteCond %{REMOTE_USER}%{PATH_INFO} !^([^/]+/)\1 - RewriteRule .* - [Forbidden] - </Directory> - </VirtualHost>If you're still convinced that access control is better with Radicale, you have to add
WSGIPassAuthorization Onin your Apache configuration files, as explained in the mod_wsgi documentation.Note
@@ -1085,45 +1085,45 @@Leading or ending slashes are trimmed from collection's path.
Example:
+# This can be changed in the configuration file +# +# This file gives independant examples to help users write their own +# configuration files. Using these examples together in the same configuration +# file is meaningless. +# +# The first rule matching both user and collection patterns will be returned. + +# This means all users starting with "admin" may read any collection +[admin] +user: ^admin.*$ +collection: .* +permission: r + +# This means all users may read and write any collection starting with public. +# We do so by just not testing against the user string. +[public] +user: .* +collection: ^public(/.+)?$ +permission: rw + +# A little more complex: give read access to users from a domain for all +# collections of all the users (ie. user@domain.tld can read domain/*). +[domain-wide-access] +user: ^.+@(.+)\..+$ +collection: ^{0}/.+$ +permission: r + +# Allow authenticated user to read all collections +[allow-everyone-read] +user: .+ +collection: .* +permission: r + +# Give write access to owners +[owner-write] +user: .+ +collection: ^%(login)s/.*$ +permission: w# The default path for this kind of files is ~/.config/radicale/rights - # This can be changed in the configuration file - # - # This file gives independant examples to help users write their own - # configuration files. Using these examples together in the same configuration - # file is meaningless. - # - # The first rule matching both user and collection patterns will be returned. - - # This means all users starting with "admin" may read any collection - [admin] - user: ^admin.*$ - collection: .* - permission: r - - # This means all users may read and write any collection starting with public. - # We do so by just not testing against the user string. - [public] - user: .* - collection: ^public(/.+)?$ - permission: rw - - # A little more complex: give read access to users from a domain for all - # collections of all the users (ie. user@domain.tld can read domain/*). - [domain-wide-access] - user: ^.+@(.+)\..+$ - collection: ^{0}/.+$ - permission: r - - # Allow authenticated user to read all collections - [allow-everyone-read] - user: .+ - collection: .* - permission: r - - # Give write access to owners - [owner-write] - user: .+ - collection: ^%(login)s/.*$ - permission: w
The package offers 8 modules.
__main__
- The main module provides a simple function called run. Its main work is to read the configuration from the configuration file and from the options given in the command line; then it creates a server, according to the configuration.
run. Its main work is to read the configuration from the configuration file and from the options given in the command line; then it creates a server, according to the configuration.
__init__
- This is the core part of the module, with the code for the CalDAV server. The server inherits from a HTTP or HTTPS server class, which relies on the default HTTP server class given by Python. The code managing the different HTTP requests according to the CalDAV normalization is written here.
config
- This part gives a dict-like access to the server configuration, read from the configuration file. The configuration can be altered when launching the executable with some command line options.
ical
- In this module are written the classes to represent collections and items in Radicale. The simple iCalendar and vCard readers and writers are included in this file. The readers and writers are small and stupid: they do not fully understand the iCalendar format and do not know at all what a date is.
xmlutils
- The functions defined in this module are mainly called by the CalDAV server class to read the XML part of the request, read or alter the calendars, and create the XML part of the response. The main part of this code relies on ElementTree.
log
- The start function provided by this module starts a logging mechanism based on the default Python logging module. Logging options can be stored in a logging configuration file.
start function provided by this module starts a logging mechanism based on the default Python logging module. Logging options can be stored in a logging configuration file.
acl
- This module is a set of Access Control Lists, a set of methods used by Radicale to manage rights to access the calendars. When the CalDAV server is launched, an Access Control List is chosen in the set, according to the configuration. The HTTP requests are then filtered to restrict the access using a list of login/password-based access controls.
storage
- This folder is a set of storage modules able to read and write collections. Currently there are three storage modules: filesystem, storing each collection into one flat plain-text file, multifilesystem, storing each entries into separates plain-text files, and database, storing entries in a database. filesystem is stable and battle-tested, others are experimentals.
filesystem, storing each collection into one flat plain-text file, multifilesystem, storing each entries into separates plain-text files, and database, storing entries in a database. filesystem is stable and battle-tested, others are experimentals.
Some features have been added in the git repository during the last weeks, thanks to Jerome and Mariusz!
Personal Calendars
- Calendars accessed through the htpasswd ACL module can now be personal. Thanks to the personal option, a user called bob can access calendars at /bob/* but not to the /alice/* ones.
personal option, a user called bob can access calendars at /bob/* but not to the /alice/* ones.
HEAD Requests
- Radicale can now answer HEAD requests. HTTP headers can be retrieved thanks to this request, without getting contents given by the GET requests.
Last-Modified HTTP header
- The Last-Modified header gives the last time when the calendar has been modified. This is used by some clients to cache the calendars and not retrieving them if they have not been modified.
HTTPS connections and authentication have been added to Radicale this week. Command-line options and personal configuration files are also ready for test. According to the TODO file included in the package, the next version will finally be 0.2, when sunbird 1.0 is out. Go, Mozilla hackers, go!
HTTPS connection
- HTTPS connections are now available using the standard TLS mechanisms. Give Radicale a private key and a certificate, and your data are now safe.
Authentication
- A simple authentication architecture is now available, allowing different methods thanks to different modules. The first two modules are fake (no authentication) and htpasswd (authentication with an htpasswd file created by the Apache tool). More methods such as LDAP are coming soon!
fake (no authentication) and htpasswd (authentication with an htpasswd file created by the Apache tool). More methods such as LDAP are coming soon!
Radicale is really easy to install and works out-of-the-box.
$ python3 -m pip install --upgrade radicale==2.1.*
- $ python3 -m radicale --config "" --storage-filesystem-folder=~/.var/lib/radicale/collectionsWhen your server is launched, you can check that everything's OK by going to http://localhost:5232/ with your browser! You can login with any username and password.
Want more? Why don't you check our wonderful documentation?
First of all, make sure that python 3.3 or later (python ≥ 3.6 is recommended) and pip are installed. On most distributions it should be enough to install the package python3-pip.
Then open a console and type:
# Run the following command as root or
- # add the --user argument to only install for the current user
- $ python3 -m pip install --upgrade radicale==2.1.*
- $ python3 -m radicale --config "" --storage-filesystem-folder=~/.var/lib/radicale/collectionsVictory! Open http://localhost:5232/ in your browser! You can login with any username and password.
The first step is to install Python. Go to python.org and download the latest version of Python 3. Then run the installer. On the first window of the installer, check the "Add Python to PATH" box and click on "Install now". Wait a couple of minutes, it's done!
Launch a command prompt and type:
C:\Users\User> python -m pip install --upgrade radicale==2.1.*
- C:\Users\User> python -m radicale --config "" --storage-filesystem-folder=~/radicale/collectionsIf you are using PowerShell replace --config "" with --config '""'.
Victory! Open http://localhost:5232/ in your browser! You can login with any username and password.
The users file can be created and managed with htpasswd:
# Create a new htpasswd file with the user "user1"
- $ htpasswd -B -c /path/to/users user1
- New password:
- Re-type new password:
- # Add another user
- $ htpasswd -B /path/to/users user2
- New password:
- Re-type new password:bcrypt is used to secure the passwords. Radicale requires additional dependencies for this encryption method:
$ python3 -m pip install --upgrade radicale[bcrypt]==2.1.*Authentication can be enabled with the following configuration:
[auth]
- type = htpasswd
- htpasswd_filename = /path/to/users
- # encryption method used in the htpasswd file
- htpasswd_encryption = bcryptCreate the users file by hand with lines containing the user name and password separated by :. Example:
user1:password1
- user2:password2Authentication can be enabled with the following configuration:
[auth]
- type = htpasswd
- htpasswd_filename = /path/to/users
- # encryption method used in the htpasswd file
- htpasswd_encryption = plainThe default configuration binds the server to localhost. It can't be reached from other computers. This can be changed with the following configuration options:
[server]
- hosts = 0.0.0.0:5232More addresses can be added (separated by commas).
Data is stored in the folder /var/lib/radicale/collections. The path can be changed with the following configuration:
[storage]
- filesystem_folder = /path/to/storageSecurity: The storage folder should not be readable by unauthorized users. Otherwise, they can read the calendar data and lock the storage. You can find OS dependent instructions in the Running as a service section.
Radicale enforces limits on the maximum number of parallel connections, the maximum file size (important for contacts with big photos) and the rate of incorrect authentication attempts. Connections are terminated after a timeout. The default values should be fine for most scenarios.
[server]
- max_connections = 20
- # 100 Megabyte
- max_content_length = 100000000
- # 30 seconds
- timeout = 30
-
- [auth]
- # Average delay after failed login attempts in seconds
- delay = 1Create the file ~/.config/systemd/user/radicale.service:
[Unit]
- Description=A simple CalDAV (calendar) and CardDAV (contact) server
-
- [Service]
- ExecStart=/usr/bin/env python3 -m radicale
- Restart=on-failure
-
- [Install]
- WantedBy=default.targetRadicale will load the configuration file from ~/.config/radicale/config. You should set the configuration option filesystem_folder in the storage section to something like ~/.var/lib/radicale/collections.
To enable and manage the service run:
# Enable the service
- $ systemctl --user enable radicale
- # Start the service
- $ systemctl --user start radicale
- # Check the status of the service
- $ systemctl --user status radicale
- # View all log messages
- $ journalctl --user --unit radicale.serviceSecurity: The storage should not be readable by others. (Run chmod -R o= /var/lib/radicale/collections as root.)
Create the file /etc/systemd/system/radicale.service:
[Unit]
- Description=A simple CalDAV (calendar) and CardDAV (contact) server
- After=network.target
- Requires=network.target
-
- [Service]
- ExecStart=/usr/bin/env python3 -m radicale
- Restart=on-failure
- User=radicale
- # Deny other users access to the calendar data
- UMask=0027
- # Optional security settings
- PrivateTmp=true
- ProtectSystem=strict
- ProtectHome=true
- PrivateDevices=true
- ProtectKernelTunables=true
- ProtectKernelModules=true
- ProtectControlGroups=true
- NoNewPrivileges=true
- ReadWritePaths=/var/lib/radicale/collections
-
- [Install]
- WantedBy=multi-user.targetRadicale will load the configuration file from /etc/radicale/config.
To enable and manage the service run:
# Enable the service
- $ systemctl enable radicale
- # Start the service
- $ systemctl start radicale
- # Check the status of the service
- $ systemctl status radicale
- # View all log messages
- $ journalctl --unit radicale.serviceRadicaleC:\Path\To\Python\python.exe-m radicale --config C:\Path\To\ConfigC:\Path\To\Radicale.logWhen a reverse proxy is used, the path at which Radicale is available must be provided via the X-Script-Name header. The proxy must remove the location from the URL path that is forwarded to Radicale.
Example nginx configuration:
location /radicale/ { # The trailing / is important!
- proxy_pass http://localhost:5232/; # The / is important!
- proxy_set_header X-Script-Name /radicale;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_pass_header Authorization;
- }Example Apache configuration:
RewriteEngine On
- RewriteRule ^/radicale$ /radicale/ [R,L]
-
- <Location "/radicale/">
- ProxyPass http://localhost:5232/ retry=0
- ProxyPassReverse http://localhost:5232/
- RequestHeader set X-Script-Name /radicale/
- </Location>Be reminded that Radicale's default configuration enforces limits on the maximum number of parallel connections, the maximum file size and the rate of incorrect authentication attempts. Connections are terminated after a timeout.
Set the configuration option type in the auth section to http_x_remote_user. Radicale uses the user name provided in the X-Remote-User HTTP header and disables HTTP authentication.
Example nginx configuration:
location /radicale/ {
- proxy_pass http://localhost:5232/;
- proxy_set_header X-Script-Name /radicale;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Remote-User $remote_user;
- auth_basic "Radicale - Password Required";
- auth_basic_user_file /etc/nginx/htpasswd;
- }Example Apache configuration:
RewriteEngine On
- RewriteRule ^/radicale$ /radicale/ [R,L]
-
- <Location "/radicale/">
- AuthType Basic
- AuthName "Radicale - Password Required"
- AuthUserFile "/etc/radicale/htpasswd"
- Require valid-user
-
- ProxyPass http://localhost:5232/ retry=0
- ProxyPassReverse http://localhost:5232/
- RequestHeader set X-Script-Name /radicale/
- RequestHeader set X-Remote-User expr=%{REMOTE_USER}
- </Location>Security: Untrusted clients should not be able to access the Radicale server directly. Otherwise, they can authenticate as any user.
SSL certificates can be used to encrypt and authenticate the connection between Radicale and the reverse proxy. First you have to generate a certificate for Radicale and a certificate for the reverse proxy. The following commands generate self-signed certificates. You will be asked to enter additional information about the certificate, the values don't matter and you can keep the defaults.
$ openssl req -x509 -newkey rsa:4096 -keyout server_key.pem -out server_cert.pem -nodes -days 9999
- $ openssl req -x509 -newkey rsa:4096 -keyout client_key.pem -out client_cert.pem -nodes -days 9999Use the following configuration for Radicale:
[server]
- ssl = True
- certificate = /path/to/server_cert.pem
- key = /path/to/server_key.pem
- certificate_authority = /path/to/client_cert.pemExample nginx configuration:
location /radicale/ {
- proxy_pass https://localhost:5232/;
- ...
- # Place the files somewhere nginx is allowed to access (e.g. /etc/nginx/...).
- proxy_ssl_certificate /path/to/client_cert.pem;
- proxy_ssl_certificate_key /path/to/client_key.pem;
- proxy_ssl_trusted_certificate /path/to/server_cert.pem;
- }Security: The None authentication type disables all rights checking. Don't use it with REMOTE_USER. Use remote_user instead.
Example uWSGI configuration:
[uwsgi]
- http-socket = 127.0.0.1:5232
- processes = 8
- plugin = python3
- module = radicale
- env = RADICALE_CONFIG=/etc/radicale/configExample Gunicorn configuration:
gunicorn --bind '127.0.0.1:5232' --workers 8 --env 'RADICALE_CONFIG=/etc/radicale/config' radicaleThis page describes how to keep track of all changes to calendars and address books with git (or any other version control system).
The repository must be initialized by running git init in the file system folder. Internal files of Radicale can be excluded by creating the file .gitignore with the following content:
.Radicale.cache
- .Radicale.lock
- .Radicale.tmp-*The configuration option hook in the storage section must be set to the following command:
git add -A && (git diff --cached --quiet || git commit -m "Changes by "%(user)s)The command gets executed after every change to the storage and commits the changes into the git repository.
@@ -826,40 +826,40 @@To create a new calendar run something like:
$ curl -u user -X MKCOL 'http://localhost:5232/user/calendar' --data \
- '<?xml version="1.0" encoding="UTF-8" ?>
- <create xmlns="DAV:" xmlns:C="urn:ietf:params:xml:ns:caldav" xmlns:I="http://apple.com/ns/ical/">
- <set>
- <prop>
- <resourcetype>
- <collection />
- <C:calendar />
- </resourcetype>
- <C:supported-calendar-component-set>
- <C:comp name="VEVENT" />
- <C:comp name="VJOURNAL" />
- <C:comp name="VTODO" />
- </C:supported-calendar-component-set>
- <displayname>Calendar</displayname>
- <C:calendar-description>Example calendar</C:calendar-description>
- <I:calendar-color>#ff0000ff</I:calendar-color>
- </prop>
- </set>
- </create>'To create a new address book run something like:
$ curl -u user -X MKCOL 'http://localhost:5232/user/addressbook' --data \
- '<?xml version="1.0" encoding="UTF-8" ?>
- <create xmlns="DAV:" xmlns:CR="urn:ietf:params:xml:ns:carddav">
- <set>
- <prop>
- <resourcetype>
- <collection />
- <CR:addressbook />
- </resourcetype>
- <displayname>Address book</displayname>
- <CR:addressbook-description>Example address book</CR:addressbook-description>
- </prop>
- </set>
- </create>'The collection /USERNAME will be created automatically, when the user authenticates to Radicale for the first time. Clients with automatic discovery of collections will only show calendars and address books that are direct children of the path /USERNAME/.
Delete the collections by running something like:
$ curl -u user -X DELETE 'http://localhost:5232/user/calendar'Radicale can be configured with a configuration file or with command line arguments.
An example configuration file looks like:
[server]
- # Bind all addresses
- hosts = 0.0.0.0:5232
-
- [auth]
- type = htpasswd
- htpasswd_filename = /path/to/users
- htpasswd_encryption = bcrypt
- [storage]
- filesystem_folder = ~/.var/lib/radicale/collectionsRadicale tries to load configuration files from /etc/radicale/config, ~/.config/radicale/config and the RADICALE_CONFIG environment variable. This behaviour can be overwritten by specifying a path with the --config /path/to/config command line argument.
The same example configuration via command line arguments looks like:
python3 -m radicale --config "" --server-hosts 0.0.0.0:5232 --auth-type htpasswd --htpasswd-filename /path/to/htpasswd --htpasswd-encryption bcryptAvailable methods:
plain : Passwords are stored in plaintext. This is obviously not secure! The htpasswd file for this can be created by hand and looks like:
user1:password1
- user2:password2bcrypt : This uses a modified version of the Blowfish stream cipher. It's very secure. The passlib python module is required for this. Additionally you may need one of the following python modules: bcrypt, py-bcrypt or bcryptor.
md5 : This uses an iterated md5 digest of the password with a salt. The passlib python module is required for this.
sha1 : Passwords are stored as SHA1 hashes. It's insecure!
The recommended rights method is owner_only. If access to calendars and address books outside of the home directory of users (that's /USERNAME/) is granted, clients won't detect these collections and will not show them to the user. This is only useful if you access calendars and address books directly via URL.
An example rights file:
# The user "admin" can read and write any collection.
- [admin]
- user = admin
- collection = .*
- permission = rw
-
- # Block access for the user "user" to everything.
- [block]
- user = user
- collection = .*
- permission =
-
- # Authenticated users can read and write their own collections.
- [owner-write]
- user = .+
- collection = %(login)s(/.*)?
- permission = rw
-
- # Everyone can read the root collection
- [read]
- user = .*
- collection =
- permission = rThe titles of the sections are ignored (but must be unique). The keys user and collection contain regular expressions, that are matched against the user name and the path of the collection. Permissions from the first matching section are used. If no section matches, access gets denied.
The user name is empty for anonymous users. Therefore, the regex .+ only matches authenticated users and .* matches everyone (including anonymous users).
The path of the collection is separated by / and has no leading or trailing /. Therefore, the path of the root collection is empty.
Use the flock utility.
# Exclusive
- $ flock --exclusive /path/to/storage/.Radicale.lock COMMAND
- # Shared
- $ flock --shared /path/to/storage/.Radicale.lock COMMANDAn example configuration to write the log output to the file /var/log/radicale/log:
[loggers]
- keys = root
-
- [handlers]
- keys = file
-
- [formatters]
- keys = full
-
- [logger_root]
- # Change this to DEBUG or INFO for higher verbosity.
- level = WARNING
- handlers = file
-
- [handler_file]
- class = FileHandler
- # Specify the output file here.
- args = ('/var/log/radicale/log',)
- formatter = full
-
- [formatter_full]
- format = %(asctime)s - [%(thread)x] %(levelname)s: %(message)sYou can specify multiple logger, handler and formatter if you want to have multiple simultaneous log outputs.
The parent folder of the log files must exist and must be writable by Radicale.
Security: The log files should not be readable by unauthorized users. Set permissions accordingly.
@@ -1214,23 +1214,23 @@An example handler configuration to write the log output to the file /var/log/radicale/log and rotate it. Replace the section handler_file from the file logging example:
[handler_file]
- class = handlers.TimedRotatingFileHandler
- # Specify the output file and parameter for rotation here.
- # See https://docs.python.org/3/library/logging.handlers.html#logging.handlers.TimedRotatingFileHandler
- # Example: rollover at midnight and keep 7 files (means one week)
- args = ('/var/log/radicale/log', 'midnight', 1, 7)
- formatter = fullAn example handler configuration to write the log output to the file /var/log/radicale/log and rotate it . Replace the section handle_file from the file logging example:
[handler_file]
- class = handlers.RotatingFileHandler
- # Specify the output file and parameter for rotation here.
- # See https://docs.python.org/3/library/logging.handlers.html#logging.handlers.RotatingFileHandler
- # Example: rollover at 100000 kB and keep 10 files (means 1 MB)
- args = ('/var/log/radicale/log', 'a', 100000, 10)
- formatter = fullTo get started we walk through the creation of a simple authentication plugin, that accepts login attempts if the username and password are equal.
The easiest way to develop and install python modules is Distutils. For a minimal setup create the file setup.py with the following content in an empty folder:
#!/usr/bin/env python3
-
- from distutils.core import setup
-
- setup(name="radicale_silly_auth", packages=["radicale_silly_auth"])In the same folder create the sub-folder radicale_silly_auth. The folder must have the same name as specified in packages above.
Create the file __init__.py in the radicale_silly_auth folder with the following content:
from radicale.auth import BaseAuth
-
-
- class Auth(BaseAuth):
- def is_authenticated(self, user, password):
- # Example custom configuration option
- foo = ""
- if self.configuration.has_option("auth", "foo"):
- foo = self.configuration.get("auth", "foo")
- self.logger.info("Configuration option %r is %r", "foo", foo)
-
- # Check authentication
- self.logger.info("Login attempt by %r with password %r",
- user, password)
- return user == passwordInstall the python module by running the following command in the same folder as setup.py:
python3 -m pip install --upgrade .To make use this great creation in Radicale, set the configuration option type in the auth section to radicale_silly_auth:
[auth]
- type = radicale_silly_auth
- foo = barYou can uninstall the module with:
python3 -m pip uninstall radicale_silly_authThis release is compatible with version 2.0.0. Follow our migration guide if you want to switch from 1.x.x to 2.1.0.
owner_only plugin is used (information leakage)remote_user plugin, that gets the login from the REMOTE_USER environment variable (for WSGI server)http_x_remote_user plugin, that gets the login from the X-Remote-User HTTP header (for reverse proxies)Radicale is really easy to install and works out-of-the-box.
$ python3 -m pip install --upgrade radicale
- $ python3 -m radicale --storage-filesystem-folder=~/.var/lib/radicale/collectionsWhen the server is launched, open http://localhost:5232/ in your browser! You can login with any username and password.
Want more? Check the tutorials and the documentation.
@@ -269,9 +269,9 @@First, make sure that python 3.5 or later (python ≥ 3.6 is recommended) and pip are installed. On most distributions it should be enough to install the package python3-pip.
Then open a console and type:
# Run the following command as root or
- # add the --user argument to only install for the current user
- $ python3 -m pip install --upgrade radicale
- $ python3 -m radicale --storage-filesystem-folder=~/.var/lib/radicale/collectionsVictory! Open http://localhost:5232/ in your browser! You can log in with any username and password.
The first step is to install Python. Go to python.org and download the latest version of Python 3. Then run the installer. On the first window of the installer, check the "Add Python to PATH" box and click on "Install now". Wait a couple of minutes, it's done!
Launch a command prompt and type:
C:\Users\User> python -m pip install --upgrade radicale
- C:\Users\User> python -m radicale --storage-filesystem-folder=~/radicale/collectionsVictory! Open http://localhost:5232/ in your browser! You can log in with any username and password.
The users file can be created and managed with htpasswd:
# Create a new htpasswd file with the user "user1"
- $ htpasswd -c /path/to/users user1
- New password:
- Re-type new password:
- # Add another user
- $ htpasswd /path/to/users user2
- New password:
- Re-type new password:Authentication can be enabled with the following configuration:
[auth]
- type = htpasswd
- htpasswd_filename = /path/to/users
- # encryption method used in the htpasswd file
- htpasswd_encryption = md5Create the users file by hand with lines containing the user name and password separated by :. Example:
user1:password1
- user2:password2Authentication can be enabled with the following configuration:
[auth]
- type = htpasswd
- htpasswd_filename = /path/to/users
- # encryption method used in the htpasswd file
- htpasswd_encryption = plainThe default configuration binds the server to localhost. It can't be reached from other computers. This can be changed with the following configuration options (IPv4 and IPv6):
[server]
- hosts = 0.0.0.0:5232, [::]:5232Data is stored in the folder /var/lib/radicale/collections. The path can be changed with the following configuration:
[storage]
- filesystem_folder = /path/to/storage@@ -343,15 +343,15 @@Security: The storage folder should not be readable by unauthorized users. Otherwise, they can read the calendar data and lock the storage. You can find OS dependent instructions in the Running as a service section.
Radicale enforces limits on the maximum number of parallel connections, the maximum file size (important for contacts with big photos) and the rate of incorrect authentication attempts. Connections are terminated after a timeout. The default values should be fine for most scenarios.
[server]
- max_connections = 20
- # 100 Megabyte
- max_content_length = 100000000
- # 30 seconds
- timeout = 30
-
- [auth]
- # Average delay after failed login attempts in seconds
- delay = 1Create the file /etc/systemd/system/radicale.service:
[Unit]
- Description=A simple CalDAV (calendar) and CardDAV (contact) server
- After=network.target
- Requires=network.target
-
- [Service]
- ExecStart=/usr/bin/env python3 -m radicale
- Restart=on-failure
- User=radicale
- # Deny other users access to the calendar data
- UMask=0027
- # Optional security settings
- PrivateTmp=true
- ProtectSystem=strict
- ProtectHome=true
- PrivateDevices=true
- ProtectKernelTunables=true
- ProtectKernelModules=true
- ProtectControlGroups=true
- NoNewPrivileges=true
- ReadWritePaths=/var/lib/radicale/collections
-
- [Install]
- WantedBy=multi-user.targetRadicale will load the configuration file from /etc/radicale/config.
To enable and manage the service run:
# Enable the service
- $ systemctl enable radicale
- # Start the service
- $ systemctl start radicale
- # Check the status of the service
- $ systemctl status radicale
- # View all log messages
- $ journalctl --unit radicale.serviceCreate the file ~/.config/systemd/user/radicale.service:
[Unit]
- Description=A simple CalDAV (calendar) and CardDAV (contact) server
-
- [Service]
- ExecStart=/usr/bin/env python3 -m radicale
- Restart=on-failure
-
- [Install]
- WantedBy=default.targetRadicale will load the configuration file from ~/.config/radicale/config. You should set the configuration option filesystem_folder in the storage section to something like ~/.var/lib/radicale/collections.
To enable and manage the service run:
# Enable the service
- $ systemctl --user enable radicale
- # Start the service
- $ systemctl --user start radicale
- # Check the status of the service
- $ systemctl --user status radicale
- # View all log messages
- $ journalctl --user --unit radicale.serviceRadicaleC:\Path\To\Python\python.exe-m radicale --config C:\Path\To\ConfigC:\Path\To\Radicale.logWhen a reverse proxy is used, the path at which Radicale is available must be provided via the X-Script-Name header. The proxy must remove the location from the URL path that is forwarded to Radicale.
Example nginx configuration:
location /radicale/ { # The trailing / is important!
- proxy_pass http://localhost:5232/; # The / is important!
- proxy_set_header X-Script-Name /radicale;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header Host $http_host;
- proxy_pass_header Authorization;
- }Example Apache configuration:
RewriteEngine On
- RewriteRule ^/radicale$ /radicale/ [R,L]
-
- <Location "/radicale/">
- ProxyPass http://localhost:5232/ retry=0
- ProxyPassReverse http://localhost:5232/
- RequestHeader set X-Script-Name /radicale
- </Location>Example Apache .htaccess configuration:
DirectoryIndex disabled
- RewriteEngine On
- RewriteRule ^(.*)$ http://localhost:5232/$1 [P,L]
-
- # Set to directory of .htaccess file:
- RequestHeader set X-Script-Name /radicaleBe reminded that Radicale's default configuration enforces limits on the maximum number of parallel connections, the maximum file size and the rate of incorrect authentication attempts. Connections are terminated after a timeout.
Set the configuration option type in the auth section to http_x_remote_user. Radicale uses the user name provided in the X-Remote-User HTTP header and disables HTTP authentication.
Example nginx configuration:
location /radicale/ {
- proxy_pass http://localhost:5232/;
- proxy_set_header X-Script-Name /radicale;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Remote-User $remote_user;
- proxy_set_header Host $http_host;
- auth_basic "Radicale - Password Required";
- auth_basic_user_file /etc/nginx/htpasswd;
- }Example Apache configuration:
RewriteEngine On
- RewriteRule ^/radicale$ /radicale/ [R,L]
-
- <Location "/radicale/">
- AuthType Basic
- AuthName "Radicale - Password Required"
- AuthUserFile "/etc/radicale/htpasswd"
- Require valid-user
-
- ProxyPass http://localhost:5232/ retry=0
- ProxyPassReverse http://localhost:5232/
- RequestHeader set X-Script-Name /radicale
- RequestHeader set X-Remote-User expr=%{REMOTE_USER}
- </Location>Example Apache .htaccess configuration:
DirectoryIndex disabled
- RewriteEngine On
- RewriteRule ^(.*)$ http://localhost:5232/$1 [P,L]
-
- AuthType Basic
- AuthName "Radicale - Password Required"
- AuthUserFile "/etc/radicale/htpasswd"
- Require valid-user
-
- # Set to directory of .htaccess file:
- RequestHeader set X-Script-Name /radicale
- RequestHeader set X-Remote-User expr=%{REMOTE_USER}@@ -521,22 +521,22 @@Security: Untrusted clients should not be able to access the Radicale server directly. Otherwise, they can authenticate as any user.
SSL certificates can be used to encrypt and authenticate the connection between Radicale and the reverse proxy. First you have to generate a certificate for Radicale and a certificate for the reverse proxy. The following commands generate self-signed certificates. You will be asked to enter additional information about the certificate, the values don't matter and you can keep the defaults.
$ openssl req -x509 -newkey rsa:4096 -keyout server_key.pem -out server_cert.pem -nodes -days 9999
- $ openssl req -x509 -newkey rsa:4096 -keyout client_key.pem -out client_cert.pem -nodes -days 9999Use the following configuration for Radicale:
[server]
- ssl = True
- certificate = /path/to/server_cert.pem
- key = /path/to/server_key.pem
- certificate_authority = /path/to/client_cert.pemExample nginx configuration:
location /radicale/ {
- proxy_pass https://localhost:5232/;
- ...
- # Place the files somewhere nginx is allowed to access (e.g. /etc/nginx/...).
- proxy_ssl_certificate /path/to/client_cert.pem;
- proxy_ssl_certificate_key /path/to/client_key.pem;
- proxy_ssl_trusted_certificate /path/to/server_cert.pem;
- }A configuration file can be set with the RADICALE_CONFIG environment variable, otherwise no configuration file is loaded and the default configuration is used.
Example uWSGI configuration:
[uwsgi]
- http-socket = 127.0.0.1:5232
- processes = 8
- plugin = python3
- module = radicale
- env = RADICALE_CONFIG=/etc/radicale/configExample Gunicorn configuration:
gunicorn --bind '127.0.0.1:5232' --workers 8 --env 'RADICALE_CONFIG=/etc/radicale/config' radicaleThis tutorial describes how to keep track of all changes to calendars and address books with git (or any other version control system).
The repository must be initialized by running git init in the file system folder. Internal files of Radicale can be excluded by creating the file .gitignore with the following content:
.Radicale.cache
- .Radicale.lock
- .Radicale.tmp-*The configuration option hook in the storage section must be set to the following command:
git add -A && (git diff --cached --quiet || git commit -m "Changes by "%(user)s)The command gets executed after every change to the storage and commits the changes into the git repository.
@@ -576,16 +576,16 @@Radicale can be configured with a configuration file or with command line arguments.
An example configuration file looks like:
[server]
- # Bind all addresses
- hosts = 0.0.0.0:5232, [::]:5232
-
- [auth]
- type = htpasswd
- htpasswd_filename = ~/.config/radicale/users
- htpasswd_encryption = md5
-
- [storage]
- filesystem_folder = ~/.var/lib/radicale/collectionsRadicale tries to load configuration files from /etc/radicale/config and ~/.config/radicale/config. Custom paths can be specified with the --config /path/to/config command line argument or the RADICALE_CONFIG environment variable. Multiple configuration files can be separated by : (resp. ; on Windows). Paths that start with ? are optional.
The same example configuration via command line arguments looks like:
python3 -m radicale --server-hosts 0.0.0.0:5232,[::]:5232 --auth-type htpasswd --htpasswd-filename ~/.config/radicale/users --htpasswd-encryption md5Available methods:
plain : Passwords are stored in plaintext. This is obviously not secure! The htpasswd file for this can be created by hand and looks like:
user1:password1
- user2:password2bcrypt : This uses a modified version of the Blowfish stream cipher. It's very secure. The installation of radicale[bcrypt] is required for this.
md5 : This uses an iterated md5 digest of the password with a salt.
Default: md5
This is not the recommended way of creating and managing your calendars and address books. Use Radicale's web interface or a client with support for it (e.g. DAVx⁵).
To create a new calendar run something like:
$ curl -u user -X MKCOL 'http://localhost:5232/user/calendar' --data \
- '<?xml version="1.0" encoding="UTF-8" ?>
- <create xmlns="DAV:" xmlns:C="urn:ietf:params:xml:ns:caldav" xmlns:I="http://apple.com/ns/ical/">
- <set>
- <prop>
- <resourcetype>
- <collection />
- <C:calendar />
- </resourcetype>
- <C:supported-calendar-component-set>
- <C:comp name="VEVENT" />
- <C:comp name="VJOURNAL" />
- <C:comp name="VTODO" />
- </C:supported-calendar-component-set>
- <displayname>Calendar</displayname>
- <C:calendar-description>Example calendar</C:calendar-description>
- <I:calendar-color>#ff0000ff</I:calendar-color>
- </prop>
- </set>
- </create>'To create a new address book run something like:
$ curl -u user -X MKCOL 'http://localhost:5232/user/addressbook' --data \
- '<?xml version="1.0" encoding="UTF-8" ?>
- <create xmlns="DAV:" xmlns:CR="urn:ietf:params:xml:ns:carddav">
- <set>
- <prop>
- <resourcetype>
- <collection />
- <CR:addressbook />
- </resourcetype>
- <displayname>Address book</displayname>
- <CR:addressbook-description>Example address book</CR:addressbook-description>
- </prop>
- </set>
- </create>'The collection /USERNAME will be created automatically, when the user authenticates to Radicale for the first time. Clients with automatic discovery of collections will only show calendars and address books that are direct children of the path /USERNAME/.
Delete the collections by running something like:
$ curl -u user -X DELETE 'http://localhost:5232/user/calendar'The recommended rights method is owner_only. If access to calendars and address books outside the home directory of users (that's /USERNAME/) is granted, clients won't detect these collections and will not show them to the user. This is only useful if you access calendars and address books directly via URL.
An example rights file:
# Allow reading root collection for authenticated users
- [root]
- user: .+
- collection:
- permissions: R
-
- # Allow reading and writing principal collection (same as user name)
- [principal]
- user: .+
- collection: {user}
- permissions: RW
-
- # Allow reading and writing calendars and address books that are direct
- # children of the principal collection
- [calendars]
- user: .+
- collection: {user}/[^/]+
- permissions: rwThe titles of the sections are ignored (but must be unique). The keys user and collection contain regular expressions, that are matched against the user name and the path of the collection. Permissions from the first matching section are used. If no section matches, access gets denied.
The user name is empty for anonymous users. Therefore, the regex .+ only matches authenticated users and .* matches everyone (including anonymous users).
The path of the collection is separated by / and has no leading or trailing /. Therefore, the path of the root collection is empty.
Use the flock utility.
# Exclusive
- $ flock --exclusive /path/to/storage/.Radicale.lock COMMAND
- # Shared
- $ flock --shared /path/to/storage/.Radicale.lock COMMANDTo get started we walk through the creation of a simple authentication plugin, that accepts login attempts with a static password.
The easiest way to develop and install python modules is Distutils. For a minimal setup create the file setup.py with the following content in an empty folder:
#!/usr/bin/env python3
-
- from distutils.core import setup
-
- setup(name="radicale_static_password_auth",
- packages=["radicale_static_password_auth"])In the same folder create the sub-folder radicale_static_password_auth. The folder must have the same name as specified in packages above.
Create the file __init__.py in the radicale_static_password_auth folder with the following content:
from radicale.auth import BaseAuth
- from radicale.log import logger
-
- PLUGIN_CONFIG_SCHEMA = {"auth": {
- "password": {"value": "", "type": str}}}
-
-
- class Auth(BaseAuth):
- def __init__(self, configuration):
- super().__init__(configuration.copy(PLUGIN_CONFIG_SCHEMA))
-
- def login(self, login, password):
- # Get password from configuration option
- static_password = self.configuration.get("auth", "password")
- # Check authentication
- logger.info("Login attempt by %r with password %r",
- login, password)
- if password == static_password:
- return login
- return ""Install the python module by running the following command in the same folder as setup.py:
python3 -m pip install .To make use this great creation in Radicale, set the configuration option type in the auth section to radicale_static_password_auth:
[auth]
- type = radicale_static_password_auth
- password = secretYou can uninstall the module with:
python3 -m pip uninstall radicale_static_password_auth