From 258b1024b3ee209ef88defb57f7923703512add1 Mon Sep 17 00:00:00 2001
From: Peter Bieringer
Date: Tue, 11 Jun 2024 22:55:00 +0200
Subject: [PATCH] Apache example configuration from Fedora 41
---
contrib/apache/radicale.conf | 246 +++++++++++++++++++++++++++++++++++
1 file changed, 246 insertions(+)
create mode 100644 contrib/apache/radicale.conf
diff --git a/contrib/apache/radicale.conf b/contrib/apache/radicale.conf
new file mode 100644
index 000000000..7499be617
--- /dev/null
+++ b/contrib/apache/radicale.conf
@@ -0,0 +1,246 @@
+### Define how Apache should serve "radicale"
+## !!! Do not enable both at the same time !!!
+
+## Apache acting as reverse proxy and forward requests via ProxyPass to a running "radicale" server
+# SELinux WARNING: To use this correctly, you will need to set:
+# setsebool -P httpd_can_network_connect=1
+#Define RADICALE_SERVER_REVERSE_PROXY
+
+
+## Apache starting WSGI server running with "radicale" application
+# MAY CONFLICT with other WSG servers on same system -> use then inside a VirtualHost
+# SELinux WARNING: To use this correctly, you will need to set:
+# setsebool -P httpd_can_read_write_radicale=1
+#Define RADICALE_SERVER_WSGI
+
+
+### Extra options
+## Apache starting a dedicated VHOST with SSL
+#Define RADICALE_SERVER_VHOST_SSL
+
+
+### permit public access to "radicale"
+#Define RADICALE_PERMIT_PUBLIC_ACCESS
+
+
+### enforce SSL on default host
+#Define RADICALE_ENFORCE_SSL
+
+
+### Particular configuration EXAMPLES, adjust/extend/override to your needs
+
+##########################
+### default host
+##########################
+
+
+## RADICALE_SERVER_REVERSE_PROXY
+
+ RewriteEngine On
+ RewriteRule ^/radicale$ /radicale/ [R,L]
+
+
+ RequestHeader set X-Script-Name /radicale
+
+ RequestHeader set X-Forwarded-Port "%{SERVER_PORT}s"
+ RequestHeader unset X-Forwarded-Proto
+
+ RequestHeader set X-Forwarded-Proto "https"
+
+
+ ProxyPass http://localhost:5232/ retry=0
+ ProxyPassReverse http://localhost:5232/
+
+ ## User authentication handled by "radicale"
+ Require local
+
+ Require all granted
+
+
+ ## You may want to use apache's authentication (config: [auth] type = remote_user)
+ #AuthBasicProvider file
+ #AuthType Basic
+ #AuthName "Enter your credentials"
+ #AuthUserFile /path/to/httpdfile/
+ #AuthGroupFile /dev/null
+ #Require valid-user
+
+
+
+ Error "RADICALE_ENFORCE_SSL selected but ssl module not loaded/enabled"
+
+ SSLRequireSSL
+
+
+
+
+
+## RADICALE_SERVER_WSGI
+# For more information, visit:
+#
http://radicale.org/user_documentation/#idapache-and-mod-wsgi
+
+
+
+
+ SetHandler wsgi-script
+
+ Require local
+
+ Require all granted
+
+
+
+ WSGIDaemonProcess radicale user=radicale group=radicale threads=1 umask=0027
+ WSGIProcessGroup radicale
+ WSGIApplicationGroup %{GLOBAL}
+ WSGIPassAuthorization On
+
+ WSGIScriptAlias /radicale /usr/share/radicale/radicale.wsgi
+
+
+ RequestHeader set X-Script-Name /radicale
+
+ ## User authentication handled by "radicale"
+ Require local
+
+ Require all granted
+
+
+ ## You may want to use apache's authentication (config: [auth] type = remote_user)
+ #AuthBasicProvider file
+ #AuthType Basic
+ #AuthName "Enter your credentials"
+ #AuthUserFile /path/to/httpdfile/
+ #AuthGroupFile /dev/null
+ #Require valid-user
+
+
+
+ Error "RADICALE_ENFORCE_SSL selected but ssl module not loaded/enabled"
+
+ SSLRequireSSL
+
+
+
+
+ Error "RADICALE_SERVER_WSGI selected but wsgi module not loaded/enabled"
+
+
+
+
+
+
+##########################
+### VHOST with SSL
+##########################
+
+
+
+Listen 8443 https
+
+
+## taken from ssl.conf
+
+#ServerName www.example.com:443
+ErrorLog logs/ssl_error_log
+TransferLog logs/ssl_access_log
+LogLevel warn
+SSLEngine on
+SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
+SSLProxyProtocol all -SSLv3 -TLSv1 -TLSv1.1
+SSLHonorCipherOrder on
+SSLCipherSuite PROFILE=SYSTEM
+SSLProxyCipherSuite PROFILE=SYSTEM
+SSLCertificateFile /etc/pki/tls/certs/localhost.crt
+SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
+#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
+#SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
+#SSLVerifyClient require
+#SSLVerifyDepth 10
+#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
+BrowserMatch "MSIE [2-5]" \ nokeepalive ssl-unclean-shutdown \ downgrade-1.0 force-response-1.0
+CustomLog logs/ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
+
+
+## RADICALE_SERVER_REVERSE_PROXY
+
+
+ RequestHeader set X-Script-Name /
+
+ RequestHeader
set X-Forwarded-Port "%{SERVER_PORT}s"
+ RequestHeader set X-Forwarded-Proto "https"
+
+ ProxyPass http://localhost:5232/ retry=0
+ ProxyPassReverse http://localhost:5232/
+
+ ## User authentication handled by "radicale"
+ Require local
+
+ Require all granted
+
+
+ ## You may want to use apache's authentication (config: [auth] type = remote_user)
+ #AuthBasicProvider file
+ #AuthType Basic
+ #AuthName "Enter your credentials"
+ #AuthUserFile /path/to/httpdfile/
+ #AuthGroupFile /dev/null
+ #Require valid-user
+
+
+
+
+## RADICALE_SERVER_WSGI
+# For more information, visit:
+# http://radicale.org/user_documentation/#idapache-and-mod-wsgi
+
+
+
+
+ SetHandler wsgi-script
+
+ Require local
+
+ Require all granted
+
+
+
+ WSGIDaemonProcess radicale user=radicale group=radicale threads=1 umask=0027
+ WSGIProcessGroup radicale
+ WSGIApplicationGroup %{GLOBAL}
+ WSGIPassAuthorization On
+
+ WSGIScriptAlias / /usr/share/radicale/radicale.wsgi
+
+
+ RequestHeader set X-Script-Name /
+
+ ## User authentication handled by "radicale"
+ Require local
+
+ Require all granted
+
+
+ ## You may want to use apache's authentication (config: [auth] type = remote_user)
+ #AuthBasicProvider file
+ #AuthType Basic
+ #AuthName "Enter your credentials"
+ #AuthUserFile /path/to/httpdfile/
+ #AuthGroupFile /dev/null
+ #Require valid-user
+
+
+
+ Error "RADICALE_SERVER_WSGI selected but wsgi module not loaded/enabled"
+
+
+
+
+
+
+
+
+ Error "RADICALE_SERVER_VHOST_SSL selected but ssl module not loaded/enabled"
+
+
+
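Review bot: The commented Apache-authentication hint under both ProxyPass blocks (default host and the SSL vhost) names `[auth] type = remote_user`, but that Radicale type reads REMOTE_USER from the WSGI environment, and ProxyPass to http://localhost:5232/ does not carry it, so an admin who uncomments those lines would authenticate at Apache without Radicale ever learning the user. In the two reverse-proxy blocks the hint should read `(config: [auth] type = http_x_remote_user)` and gain a commented `#RequestHeader set X-Remote-User expr=%{REMOTE_USER}` next to `#Require valid-user`; the WSGI blocks can keep `remote_user`. A one-line comment that Radicale then trusts X-Remote-User from anything able to reach port 5232, so the backend has to stay bound to localhost, would help too. The enclosing container directives are not visible in this rendering, so which block each hint belongs to is inferred from the neighbouring ProxyPass and WSGIScriptAlias lines.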