Please follow this link.
+Please follow this link.
@@ -94,11 +94,11 @@When a reverse proxy is used, and Radicale should be made available
-at a path below the root (such as /radicale/), then this
-path must be provided via the X-Script-Name header (without
-a trailing /). The proxy must remove the location from the
-URL path that is forwarded to Radicale. If Radicale should be made
-available at the root of the web server (in the nginx case using
-location /), then the setting of the
-X-Script-Name header should be removed from the example
-below.
When a reverse proxy is used, the path at which Radicale is available
+must be provided via the X-Script-Name header. The proxy
+must remove the location from the URL path that is forwarded to
+Radicale.
Example nginx configuration:
location /radicale/ { # The trailing / is important!
proxy_pass http://localhost:5232/; # The / is important!
@@ -559,56 +554,22 @@ Reverse Proxy ¶
proxy_set_header Host $http_host;
proxy_pass_header Authorization;
}Example Caddy configuration with basicauth from -Caddy:
-handle_path /radicale* {
- basicauth {
- user hash
- }
- reverse_proxy localhost:5232 {
- header_up +X-Script-Name "/radicale"
- header_up +X-remote-user "{http.auth.user.id}"
- }
-}Example Apache configuration:
-RewriteEngine On
-RewriteRule ^/radicale$ /radicale/ [R,L]
-
-<Location "/radicale/">
- ProxyPass http://localhost:5232/ retry=0
- ProxyPassReverse http://localhost:5232/
- RequestHeader set X-Script-Name /radicale
- RequestHeader set X-Forwarded-Port "%{SERVER_PORT}s"
- RequestHeader unset X-Forwarded-Proto
- <If "%{HTTPS} =~ /on/">
- RequestHeader set X-Forwarded-Proto "https"
- </If>
-</Location>RewriteEngine On
+RewriteRule ^/radicale$ /radicale/ [R,L]
+
+<Location "/radicale/">
+ ProxyPass http://localhost:5232/ retry=0
+ ProxyPassReverse http://localhost:5232/
+ RequestHeader set X-Script-Name /radicale
+</Location>Example Apache .htaccess configuration:
-DirectoryIndex disabled
-RewriteEngine On
-RewriteRule ^(.*)$ http://localhost:5232/$1 [P,L]
-
-# Set to directory of .htaccess file:
-RequestHeader set X-Script-Name /radicale
-RequestHeader set X-Forwarded-Port "%{SERVER_PORT}s"
-RequestHeader unset X-Forwarded-Proto
-<If "%{HTTPS} =~ /on/">
-RequestHeader set X-Forwarded-Proto "https"
-</If>Example lighttpd configuration:
-server.modules += ( "mod_proxy" , "mod_setenv", "mod_rewrite" )
-
-$HTTP["url"] =~ "^/radicale/" {
- proxy.server = ( "" => (( "host" => "127.0.0.1", "port" => "5232" )) )
- proxy.header = ( "map-urlpath" => ( "/radicale/" => "/" ))
-
- setenv.add-request-header = (
- "X-Script-Name" => "/radicale",
- "Script-Name" => "/radicale",
- )
- url.rewrite-once = ( "^/radicale/radicale/(.*)" => "/radicale/$1" )
-}DirectoryIndex disabled
+RewriteEngine On
+RewriteRule ^(.*)$ http://localhost:5232/$1 [P,L]
+
+# Set to directory of .htaccess file:
+RequestHeader set X-Script-Name /radicaleBe reminded that Radicale's default configuration enforces limits on the maximum number of parallel connections, the maximum file size and the rate of incorrect authentication attempts. Connections are @@ -630,33 +591,33 @@
RewriteEngine On
-RewriteRule ^/radicale$ /radicale/ [R,L]
-
-<Location "/radicale/">
- AuthType Basic
- AuthName "Radicale - Password Required"
- AuthUserFile "/etc/radicale/htpasswd"
- Require valid-user
-
- ProxyPass http://localhost:5232/ retry=0
- ProxyPassReverse http://localhost:5232/
- RequestHeader set X-Script-Name /radicale
- RequestHeader set X-Remote-User expr=%{REMOTE_USER}
-</Location>RewriteEngine On
+RewriteRule ^/radicale$ /radicale/ [R,L]
+
+<Location "/radicale/">
+ AuthType Basic
+ AuthName "Radicale - Password Required"
+ AuthUserFile "/etc/radicale/htpasswd"
+ Require valid-user
+
+ ProxyPass http://localhost:5232/ retry=0
+ ProxyPassReverse http://localhost:5232/
+ RequestHeader set X-Script-Name /radicale
+ RequestHeader set X-Remote-User expr=%{REMOTE_USER}
+</Location>Example Apache .htaccess configuration:
-DirectoryIndex disabled
-RewriteEngine On
-RewriteRule ^(.*)$ http://localhost:5232/$1 [P,L]
-
-AuthType Basic
-AuthName "Radicale - Password Required"
-AuthUserFile "/etc/radicale/htpasswd"
-Require valid-user
-
-# Set to directory of .htaccess file:
-RequestHeader set X-Script-Name /radicale
-RequestHeader set X-Remote-User expr=%{REMOTE_USER}DirectoryIndex disabled
+RewriteEngine On
+RewriteRule ^(.*)$ http://localhost:5232/$1 [P,L]
+
+AuthType Basic
+AuthName "Radicale - Password Required"
+AuthUserFile "/etc/radicale/htpasswd"
+Require valid-user
+
+# Set to directory of .htaccess file:
+RequestHeader set X-Script-Name /radicale
+RequestHeader set X-Remote-User expr=%{REMOTE_USER}Security: Untrusted clients should not be able to access the Radicale server directly. Otherwise, they can authenticate as @@ -671,16 +632,16 @@
Secure connection between Radicale and the reverse proxy
+openssl req -x509 -newkey rsa:4096 -keyout server_key.pem -out server_cert.pem \ - -nodes -days 9999 -openssl req -x509 -newkey rsa:4096 -keyout client_key.pem -out client_cert.pem \ - -nodes -days 9999openssl req -x509 -newkey rsa:4096 -keyout server_key.pem -out server_cert.pem \ + -nodes -days 9999 +openssl req -x509 -newkey rsa:4096 -keyout client_key.pem -out client_cert.pem \ + -nodes -days 9999Use the following configuration for Radicale:
-+[server] -ssl = True -certificate = /path/to/server_cert.pem -key = /path/to/server_key.pem -certificate_authority = /path/to/client_cert.pem[server] +ssl = True +certificate = /path/to/server_cert.pem +key = /path/to/server_key.pem +certificate_authority = /path/to/client_cert.pemExample nginx configuration:
location /radicale/ { proxy_pass https://localhost:5232/; @@ -699,15 +660,15 @@WSGI Server ¶
environment variable, otherwise no configuration file is loaded and the default configuration is used.Example uWSGI configuration:
-+[uwsgi] -http-socket = 127.0.0.1:5232 -processes = 8 -plugin = python3 -module = radicale -env = RADICALE_CONFIG=/etc/radicale/config[uwsgi] +http-socket = 127.0.0.1:5232 +processes = 8 +plugin = python3 +module = radicale +env = RADICALE_CONFIG=/etc/radicale/configExample Gunicorn configuration:
-+gunicorn --bind '127.0.0.1:5232' --env 'RADICALE_CONFIG=/etc/radicale/config' \ - --workers 8 radicalegunicorn --bind '127.0.0.1:5232' --env 'RADICALE_CONFIG=/etc/radicale/config' \ + --workers 8 radicaleManage user accounts with the WSGI server ¶
Set the configuration option
typein the @@ -730,18 +691,9 @@Versioning with Git ¶ .Radicale.tmp-*
The configuration option
-hookin thestoragesection must be set to the following command:+git add -A && (git diff --cached --quiet || git commit -m "Changes by "%(user)s)git add -A && (git diff --cached --quiet || git commit -m "Changes by "%(user)s)The command gets executed after every change to the storage and commits the changes into the git repository.
-For the hook to not cause errors either git user -details need to be set and match the owner of the collections directory -or the repository needs to be marked as safe.
-When using the systemd unit file from the Running as a service section this -cannot be done via a
-.gitconfigfile in -the users home directory, as Radicale won't have read permissions!In
-/var/lib/radicale/collections/.gitrun:git config user.name "radicale" -git config user.email "radicale@example.com"
Radicale can be configured with a configuration file or with command line arguments.
An example configuration file looks like:
-[server]
-# Bind all addresses
-hosts = 0.0.0.0:5232, [::]:5232
-
-[auth]
-type = htpasswd
-htpasswd_filename = ~/.config/radicale/users
-htpasswd_encryption = md5
-
-[storage]
-filesystem_folder = ~/.var/lib/radicale/collections[server]
+# Bind all addresses
+hosts = 0.0.0.0:5232, [::]:5232
+
+[auth]
+type = htpasswd
+htpasswd_filename = ~/.config/radicale/users
+htpasswd_encryption = md5
+
+[storage]
+filesystem_folder = ~/.var/lib/radicale/collectionsRadicale tries to load configuration files from
/etc/radicale/config and
~/.config/radicale/config. Custom paths can be specified
@@ -772,9 +724,9 @@
The same example configuration via command line arguments looks like:
-python3 -m radicale --server-hosts 0.0.0.0:5232,[::]:5232 \
- --auth-type htpasswd --auth-htpasswd-filename ~/.config/radicale/users \
- --auth-htpasswd-encryption md5python3 -m radicale --server-hosts 0.0.0.0:5232,[::]:5232 \
+ --auth-type htpasswd --auth-htpasswd-filename ~/.config/radicale/users \
+ --auth-htpasswd-encryption md5Add the argument --config "" to stop Radicale from
loading the default configuration files. Run
python3 -m radicale --help for more information.
In this section additional HTTP headers that are sent to clients can be specified.
An example to relax the same-origin policy:
-Access-Control-Allow-Origin = *Access-Control-Allow-Origin = *To create a new calendar run something like:
-$ curl -u user -X MKCOL 'http://localhost:5232/user/calendar' --data \
-'<?xml version="1.0" encoding="UTF-8" ?>
-<create xmlns="DAV:" xmlns:C="urn:ietf:params:xml:ns:caldav" xmlns:I="http://apple.com/ns/ical/">
- <set>
- <prop>
- <resourcetype>
- <collection />
- <C:calendar />
- </resourcetype>
- <C:supported-calendar-component-set>
- <C:comp name="VEVENT" />
- <C:comp name="VJOURNAL" />
- <C:comp name="VTODO" />
- </C:supported-calendar-component-set>
- <displayname>Calendar</displayname>
- <C:calendar-description>Example calendar</C:calendar-description>
- <I:calendar-color>#ff0000ff</I:calendar-color>
- </prop>
- </set>
-</create>'$ curl -u user -X MKCOL 'http://localhost:5232/user/calendar' --data \
+'<?xml version="1.0" encoding="UTF-8" ?>
+<create xmlns="DAV:" xmlns:C="urn:ietf:params:xml:ns:caldav" xmlns:I="http://apple.com/ns/ical/">
+ <set>
+ <prop>
+ <resourcetype>
+ <collection />
+ <C:calendar />
+ </resourcetype>
+ <C:supported-calendar-component-set>
+ <C:comp name="VEVENT" />
+ <C:comp name="VJOURNAL" />
+ <C:comp name="VTODO" />
+ </C:supported-calendar-component-set>
+ <displayname>Calendar</displayname>
+ <C:calendar-description>Example calendar</C:calendar-description>
+ <I:calendar-color>#ff0000ff</I:calendar-color>
+ </prop>
+ </set>
+</create>'To create a new address book run something like:
-$ curl -u user -X MKCOL 'http://localhost:5232/user/addressbook' --data \
-'<?xml version="1.0" encoding="UTF-8" ?>
-<create xmlns="DAV:" xmlns:CR="urn:ietf:params:xml:ns:carddav">
- <set>
- <prop>
- <resourcetype>
- <collection />
- <CR:addressbook />
- </resourcetype>
- <displayname>Address book</displayname>
- <CR:addressbook-description>Example address book</CR:addressbook-description>
- </prop>
- </set>
-</create>'$ curl -u user -X MKCOL 'http://localhost:5232/user/addressbook' --data \
+'<?xml version="1.0" encoding="UTF-8" ?>
+<create xmlns="DAV:" xmlns:CR="urn:ietf:params:xml:ns:carddav">
+ <set>
+ <prop>
+ <resourcetype>
+ <collection />
+ <CR:addressbook />
+ </resourcetype>
+ <displayname>Address book</displayname>
+ <CR:addressbook-description>Example address book</CR:addressbook-description>
+ </prop>
+ </set>
+</create>'The collection /USERNAME will be created automatically,
when the user authenticates to Radicale for the first time. Clients with
automatic discovery of collections will only show calendars and address
books that are direct children of the path /USERNAME/.
Delete the collections by running something like:
-curl -u user -X DELETE 'http://localhost:5232/user/calendar'curl -u user -X DELETE 'http://localhost:5232/user/calendar'# Allow reading root collection for authenticated users
-[root]
-user: .+
-collection:
-permissions: r
-
-# Allow reading and writing principal collection (same as username)
-[principal]
-user: .+
-collection: {user}
-permissions: RW
-
-# Allow reading and writing calendars and address books that are direct
-# children of the principal collection
-[calendars]
-user: .+
-collection: {user}/[^/]+
-permissions: rw# Allow reading root collection for authenticated users
+[root]
+user: .+
+collection:
+permissions: R
+
+# Allow reading and writing principal collection (same as username)
+[principal]
+user: .+
+collection: {user}
+permissions: RW
+
+# Allow reading and writing calendars and address books that are direct
+# children of the principal collection
+[calendars]
+user: .+
+collection: {user}/[^/]+
+permissions: rwThe titles of the sections are ignored (but must be unique). The keys
user and collection contain regular
expressions, that are matched against the username and the path of the
@@ -1207,10 +1159,10 @@
Use the flock utility.
-# Exclusive
-$ flock --exclusive /path/to/storage/.Radicale.lock COMMAND
-# Shared
-$ flock --shared /path/to/storage/.Radicale.lock COMMAND# Exclusive
+$ flock --exclusive /path/to/storage/.Radicale.lock COMMAND
+# Shared
+$ flock --shared /path/to/storage/.Radicale.lock COMMAND{"tag": "VCALENDAR"}{"tag": "VCALENDAR"}The calendar is now available at the URL path
/user/calendar. For address books the file must
contain:
{"tag": "VADDRESSBOOK"}{"tag": "VADDRESSBOOK"}Calendar and address book collections must not have any child collections. Clients with automatic discovery of collections will only show calendars and address books that are direct children of the path @@ -1370,49 +1322,49 @@
setup.py with the
following content in an empty folder:
-#!/usr/bin/env python3
-
-from distutils.core import setup
-
-setup(name="radicale_static_password_auth",
- packages=["radicale_static_password_auth"])#!/usr/bin/env python3
+
+from distutils.core import setup
+
+setup(name="radicale_static_password_auth",
+ packages=["radicale_static_password_auth"])In the same folder create the sub-folder
radicale_static_password_auth. The folder must have the
same name as specified in packages above.
Create the file __init__.py in the
radicale_static_password_auth folder with the following
content:
from radicale.auth import BaseAuth
-from radicale.log import logger
-
-PLUGIN_CONFIG_SCHEMA = {"auth": {
- "password": {"value": "", "type": str}}}
-
-
-class Auth(BaseAuth):
- def __init__(self, configuration):
- super().__init__(configuration.copy(PLUGIN_CONFIG_SCHEMA))
-
- def login(self, login, password):
- # Get password from configuration option
- static_password = self.configuration.get("auth", "password")
- # Check authentication
- logger.info("Login attempt by %r with password %r",
- login, password)
- if password == static_password:
- return login
- return ""from radicale.auth import BaseAuth
+from radicale.log import logger
+
+PLUGIN_CONFIG_SCHEMA = {"auth": {
+ "password": {"value": "", "type": str}}}
+
+
+class Auth(BaseAuth):
+ def __init__(self, configuration):
+ super().__init__(configuration.copy(PLUGIN_CONFIG_SCHEMA))
+
+ def login(self, login, password):
+ # Get password from configuration option
+ static_password = self.configuration.get("auth", "password")
+ # Check authentication
+ logger.info("Login attempt by %r with password %r",
+ login, password)
+ if password == static_password:
+ return login
+ return ""Install the python module by running the following command in the
same folder as setup.py:
python3 -m pip install .python3 -m pip install .To make use this great creation in Radicale, set the configuration
option type in the auth section to
radicale_static_password_auth:
[auth]
-type = radicale_static_password_auth
-password = secret[auth]
+type = radicale_static_password_auth
+password = secretYou can uninstall the module with:
-python3 -m pip uninstall radicale_static_password_authpython3 -m pip uninstall radicale_static_password_authRadicale is available on PyPI. To install, just type as superuser:
-python3 -m pip install --upgrade radicalepython3 -m pip install --upgrade radicaleIf you want the development version of Radicale, take a look at the git repository on GitHub, or install it directly with:
-python3 -m pip install --upgrade https://github.com/Kozea/Radicale/archive/master.tar.gzpython3 -m pip install --upgrade https://github.com/Kozea/Radicale/archive/master.tar.gzYou can also download the content of the repository as an archive.