tomsquest / docker-radicale

Docker image for Radicale calendar and contact server :calendar: + security :closed_lock_with_key: + addons :rocket:
GNU General Public License v3.0

Reverse Proxy Authentication #138

Closed Jab2870 closed 7 months ago

Jab2870 commented 10 months ago

Hi, thanks for making this. For some reason, I'm having difficulty setting up radicale to use user accounts with a reverse proxy, and wondering if you can shed some light on it.

It's set up, as per these docs: https://radicale.org/v3.html#manage-user-accounts-with-the-reverse-proxy

Here is my nginx config:

server {
    listen       443 ssl;
    listen  [::]:443 ssl;

    ssl_certificate     /etc/nginx/certs/fullchain1.pem;
    ssl_certificate_key /etc/nginx/certs/privkey1.pem;

    server_name         radicale.mydomain.com;

    location / {
        proxy_set_header Host $host;
        proxy_set_header  X-Script-Name "";
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_pass http://radicale:5232/;

        ##############################
        # authentik-specific config
        ##############################
        auth_request     /outpost.goauthentik.io/auth/nginx;
        error_page       401 = @goauthentik_proxy_signin;
        auth_request_set $auth_cookie $upstream_http_set_cookie;
        add_header       Set-Cookie $auth_cookie;

        # translate headers from the outposts back to the actual upstream
        auth_request_set $authentik_username $upstream_http_x_authentik_username;

        proxy_set_header X-Remote-User $authentik_username;
    }
# A bunch of authentik stuff I've removed here
}

My radicale config includes:

[auth]

# Authentication method
# Value: none | htpasswd | remote_user | http_x_remote_user
type = http_x_remote_user

This appears to be working as radicale docker logs show:

 [INFO] Successful login: 'jonathan'

But I am still presented with the radicale login page. Any ideas?

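A check of the trust boundary this setup relies on, as an added example that is not part of the original thread or of Radicale's code: with `type = http_x_remote_user` Radicale takes the username from the `X-Remote-User` header, so the proxy has to set that header itself from the auth subrequest. `check_remote_user`, `directives` and `SAMPLE_LOCATION` are names made up here; the sample is constructed from the location block above, and the check assumes a single flat block (no nested braces, no inherited directives).

```python
import re

# Constructed sample: the relevant directives from the location block in the post above.
SAMPLE_LOCATION = """
proxy_pass http://radicale:5232/;
auth_request     /outpost.goauthentik.io/auth/nginx;
# translate headers from the outposts back to the actual upstream
auth_request_set $authentik_username $upstream_http_x_authentik_username;
proxy_set_header X-Remote-User $authentik_username;
"""

def directives(block):
    """Split a flat nginx block body into [name, arg, ...] lists, dropping comments."""
    out = []
    for stmt in re.sub(r"#[^\n]*", "", block).split(";"):
        words = stmt.split()
        if words:
            out.append(words)
    return out

def check_remote_user(block, header="X-Remote-User"):
    """Return findings; an empty list means the header value is controlled by the proxy."""
    ds = directives(block)
    findings = []
    if not any(d[0] == "auth_request" and len(d) > 1 and d[1] != "off" for d in ds):
        findings.append("no auth_request: requests reach the backend unauthenticated")
    # Variables that nginx fills in from the auth subrequest's response.
    auth_vars = {d[1] for d in ds if d[0] == "auth_request_set" and len(d) >= 3}
    values = [d[2] for d in ds if d[0] == "proxy_set_header"
              and len(d) >= 3 and d[1].lower() == header.lower()]
    if not values:
        # nginx forwards request headers it is not told to replace.
        findings.append(f"{header} is not set: a client-supplied value is forwarded as-is")
    for v in values:
        if v.startswith("$http_"):
            findings.append(f"{header} is copied from the client request ({v})")
        elif v not in auth_vars:
            findings.append(f"{header} value {v} does not come from auth_request_set")
    return findings

if __name__ == "__main__":
    result = check_remote_user(SAMPLE_LOCATION)
    for line in result or ["ok: header is set from the auth subrequest"]:
        print(line)
```

The same boundary applies to the container network: port 5232 should be reachable only from the proxy, since any client that can reach Radicale directly chooses its own header value.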

tomsquest commented 10 months ago

Hi @Jab2870,

No clue at all :/ I don't know the internals of Radicale auth. Best idea is to enable all possible logging on the Radicale side.

strauss115 commented 10 months ago

Hi, I got the same behaviour when trying to access the Web UI. So, you need to authenticate twice, i.e. one time against the OAuth identity provider and another time against the Radicale web interface. However, when using the actual clients (Thunderbird, DAVx5, ...) it works. Did you already set up a user?

Jab2870 commented 9 months ago

I do have a user set up, yes. Clients aren't working though, unfortunately.


tomsquest commented 7 months ago

Closing. Problem seems related to Radicale itself, rather than this particular image.