From ecafa1d32bfc322bea46afdd62a657c42ce7dd8e Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Sun, 30 Apr 2023 08:56:46 +0200 Subject: [PATCH 1/3] update Apache reverse proxy documentation to be aligned with destination check of MOVE request --- DOCUMENTATION.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/DOCUMENTATION.md b/DOCUMENTATION.md index 663ffef1..5f14fa87 100644 --- a/DOCUMENTATION.md +++ b/DOCUMENTATION.md @@ -354,6 +354,10 @@ RewriteRule ^/radicale$ /radicale/ [R,L] ProxyPass http://localhost:5232/ retry=0 ProxyPassReverse http://localhost:5232/ RequestHeader set X-Script-Name /radicale + RequestHeader set X-Forwarded-Port "%{SERVER_PORT}s" + + RequestHeader set X-Forwarded-Proto "https" + ``` @@ -366,6 +370,10 @@ RewriteRule ^(.*)$ http://localhost:5232/$1 [P,L] # Set to directory of .htaccess file: RequestHeader set X-Script-Name /radicale +RequestHeader set X-Forwarded-Port "%{SERVER_PORT}s" + +RequestHeader set X-Forwarded-Proto "https" + ``` Be reminded that Radicale's default configuration enforces limits on the From a3aa0ce7d9e39e00842331a8b7737f8c8fba5ffb Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Sun, 30 Apr 2023 08:58:50 +0200 Subject: [PATCH 2/3] add support for non-standard server ports --- radicale/app/move.py | 1 + 1 file changed, 1 insertion(+) diff --git a/radicale/app/move.py b/radicale/app/move.py index 0c38eed5..5bd8a579 100644 --- a/radicale/app/move.py +++ b/radicale/app/move.py @@ -32,6 +32,7 @@ def get_server_netloc(environ: types.WSGIEnviron, force_port: bool = False): host = environ["HTTP_X_FORWARDED_HOST"] proto = environ.get("HTTP_X_FORWARDED_PROTO") or "http" port = "443" if proto == "https" else "80" + port = environ["HTTP_X_FORWARDED_PORT"] or port else: host = environ.get("HTTP_HOST") or environ["SERVER_NAME"] proto = environ["wsgi.url_scheme"] From fadf281734a9925eb9c36c534a6d3da523aceb2d Mon Sep 17 00:00:00 2001 
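Review bot: The added line `port = environ["HTTP_X_FORWARDED_PORT"] or port` in radicale/app/move.py subscripts the environ, so a request that carries X-Forwarded-Host but no X-Forwarded-Port raises KeyError before the `or port` fallback can apply. Use `port = environ.get("HTTP_X_FORWARDED_PORT") or port`, which matches the `.get(...) or` pattern on the X-Forwarded-Proto line just above it. This affects any proxy still configured per the older documentation, and the headers are client-supplied whenever the server is reachable without a proxy that overwrites them, so the lookup has to tolerate a missing or empty value. The port presumably feeds the MOVE destination check verbatim, so a comment such as `# X-Forwarded-* are only trustworthy behind a proxy that sets them` above the branch would record that assumption. The enclosing `if` of get_server_netloc and the rest of its body lie outside the hunk.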
From: Peter Bieringer Date: Sun, 30 Apr 2023 09:01:26 +0200 Subject: [PATCH 3/3] don't trust headers from external --- DOCUMENTATION.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/DOCUMENTATION.md b/DOCUMENTATION.md index 5f14fa87..8d59d958 100644 --- a/DOCUMENTATION.md +++ b/DOCUMENTATION.md @@ -355,6 +355,7 @@ RewriteRule ^/radicale$ /radicale/ [R,L] ProxyPassReverse http://localhost:5232/ RequestHeader set X-Script-Name /radicale RequestHeader set X-Forwarded-Port "%{SERVER_PORT}s" + RequestHeader unset X-Forwarded-Proto RequestHeader set X-Forwarded-Proto "https" @@ -371,6 +372,7 @@ RewriteRule ^(.*)$ http://localhost:5232/$1 [P,L] # Set to directory of .htaccess file: RequestHeader set X-Script-Name /radicale RequestHeader set X-Forwarded-Port "%{SERVER_PORT}s" +RequestHeader unset X-Forwarded-Proto RequestHeader set X-Forwarded-Proto "https"