Kozea · pbiering · Jun 11, 2024 · Jun 11, 2024
diff --git a/contrib/apache/radicale.conf b/contrib/apache/radicale.conf
@@ -0,0 +1,246 @@
+### Define how Apache should serve "radicale"
+## !!! Do not enable both at the same time !!!
+
+## Apache acting as reverse proxy and forward requests via ProxyPass to a running "radicale" server
+# SELinux WARNING: To use this correctly, you will need to set:
+#    setsebool -P httpd_can_network_connect=1
+#Define RADICALE_SERVER_REVERSE_PROXY
+
+
+## Apache starting WSGI server running with "radicale" application
+# MAY CONFLICT with other WSG servers on same system -> use then inside a VirtualHost
+# SELinux WARNING: To use this correctly, you will need to set:
+#    setsebool -P httpd_can_read_write_radicale=1
+#Define RADICALE_SERVER_WSGI
+
+
+### Extra options
+## Apache starting a dedicated VHOST with SSL
+#Define RADICALE_SERVER_VHOST_SSL
+
+
+### permit public access to "radicale"
+#Define RADICALE_PERMIT_PUBLIC_ACCESS
+
+
+### enforce SSL on default host
+#Define RADICALE_ENFORCE_SSL
+
+
+### Particular configuration EXAMPLES, adjust/extend/override to your needs
+
+##########################
+### default host
+##########################
+<IfDefine !RADICALE_SERVER_VHOST_SSL>
+
+## RADICALE_SERVER_REVERSE_PROXY
+<IfDefine RADICALE_SERVER_REVERSE_PROXY>
+	RewriteEngine On
+	RewriteRule ^/radicale$ /radicale/ [R,L]
+
+	<Location /radicale>
+		RequestHeader    set X-Script-Name /radicale
+
+		RequestHeader    set X-Forwarded-Port "%{SERVER_PORT}s"
+		RequestHeader    unset X-Forwarded-Proto
+		<If "%{HTTPS} =~ /on/">
+			RequestHeader    set X-Forwarded-Proto "https"
+		</If>
+
+		ProxyPass        http://localhost:5232/ retry=0
+		ProxyPassReverse http://localhost:5232/
+
+		## User authentication handled by "radicale"
+		Require local
+		<IfDefine RADICALE_PERMIT_PUBLIC_ACCESS>
+		Require all granted
+		</IfDefine>
+
+		## You may want to use apache's authentication (config: [auth] type = remote_user)
+		#AuthBasicProvider file
+		#AuthType Basic
+		#AuthName "Enter your credentials"
+		#AuthUserFile /path/to/httpdfile/
+		#AuthGroupFile /dev/null
+		#Require valid-user
+
+		<IfDefine RADICALE_ENFORCE_SSL>
+			<IfModule !ssl_module>
+				Error "RADICALE_ENFORCE_SSL selected but ssl module not loaded/enabled"
+			</IfModule>
+			SSLRequireSSL
+		</IfDefine>
+	</Location>
+</IfDefine>
+
+
+## RADICALE_SERVER_WSGI
+# For more information, visit:
+# http://radicale.org/user_documentation/#idapache-and-mod-wsgi
+<IfDefine RADICALE_SERVER_WSGI>
+<IfModule wsgi_module>
+
+	<Files /usr/share/radicale/radicale.wsgi>
+		SetHandler wsgi-script
+
+		Require local
+		<IfDefine RADICALE_PERMIT_PUBLIC_ACCESS>
+		Require all granted
+		</IfDefine>
+	</Files>
+
+	WSGIDaemonProcess radicale user=radicale group=radicale threads=1 umask=0027
+	WSGIProcessGroup radicale
+	WSGIApplicationGroup %{GLOBAL}
+	WSGIPassAuthorization On
+
+	WSGIScriptAlias /radicale /usr/share/radicale/radicale.wsgi
+
+	<Location /radicale>
+		RequestHeader    set X-Script-Name /radicale
+
+		## User authentication handled by "radicale"
+		Require local
+		<IfDefine RADICALE_PERMIT_PUBLIC_ACCESS>
+		Require all granted
+		</IfDefine>
+
+		## You may want to use apache's authentication (config: [auth] type = remote_user)
+		#AuthBasicProvider file
+		#AuthType Basic
+		#AuthName "Enter your credentials"
+		#AuthUserFile /path/to/httpdfile/
+		#AuthGroupFile /dev/null
+		#Require valid-user
+
+		<IfDefine RADICALE_ENFORCE_SSL>
+			<IfModule !ssl_module>
+				Error "RADICALE_ENFORCE_SSL selected but ssl module not loaded/enabled"
+			</IfModule>
+			SSLRequireSSL
+		</IfDefine>
+	</Location>
+</IfModule>
+<IfModule !wsgi_module>
+	Error "RADICALE_SERVER_WSGI selected but wsgi module not loaded/enabled"
+</IfModule>
+</IfDefine>
+
+</IfDefine>
+
+
+##########################
+### VHOST with SSL
+##########################
+<IfDefine RADICALE_SERVER_VHOST_SSL>
+
+<IfModule ssl_module>
+Listen 8443 https
+
+<VirtualHost _default_:8443>
+## taken from ssl.conf
+
+#ServerName www.example.com:443
+ErrorLog logs/ssl_error_log
+TransferLog logs/ssl_access_log
+LogLevel warn
+SSLEngine on
+SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
+SSLProxyProtocol all -SSLv3 -TLSv1 -TLSv1.1
+SSLHonorCipherOrder on
+SSLCipherSuite PROFILE=SYSTEM
+SSLProxyCipherSuite PROFILE=SYSTEM
+SSLCertificateFile /etc/pki/tls/certs/localhost.crt
+SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
+#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
+#SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
+#SSLVerifyClient require
+#SSLVerifyDepth  10
+#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
+BrowserMatch "MSIE [2-5]" \ nokeepalive ssl-unclean-shutdown \ downgrade-1.0 force-response-1.0
+CustomLog logs/ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
+
+
+## RADICALE_SERVER_REVERSE_PROXY
+<IfDefine RADICALE_SERVER_REVERSE_PROXY>
+	<Location />
+		RequestHeader    set X-Script-Name /
+
+		RequestHeader    set X-Forwarded-Port "%{SERVER_PORT}s"
+		RequestHeader    set X-Forwarded-Proto "https"
+
+		ProxyPass        http://localhost:5232/ retry=0
+		ProxyPassReverse http://localhost:5232/
+
+		## User authentication handled by "radicale"
+		Require local
+		<IfDefine RADICALE_PERMIT_PUBLIC_ACCESS>
+		Require all granted
+		</IfDefine>
+
+		## You may want to use apache's authentication (config: [auth] type = remote_user)
+		#AuthBasicProvider file
+		#AuthType Basic
+		#AuthName "Enter your credentials"
+		#AuthUserFile /path/to/httpdfile/
+		#AuthGroupFile /dev/null
+		#Require valid-user
+	</Location>
+</IfDefine>
+
+
+## RADICALE_SERVER_WSGI
+# For more information, visit:
+# http://radicale.org/user_documentation/#idapache-and-mod-wsgi
+<IfDefine RADICALE_SERVER_WSGI>
+<IfModule wsgi_module>
+
+	<Files /usr/share/radicale/radicale.wsgi>
+		SetHandler wsgi-script
+
+		Require local
+		<IfDefine RADICALE_PERMIT_PUBLIC_ACCESS>
+		Require all granted
+		</IfDefine>
+	</Files>
+
+	WSGIDaemonProcess radicale user=radicale group=radicale threads=1 umask=0027
+	WSGIProcessGroup radicale
+	WSGIApplicationGroup %{GLOBAL}
+	WSGIPassAuthorization On
+
+	WSGIScriptAlias / /usr/share/radicale/radicale.wsgi
+
+	<Location />
+		RequestHeader    set X-Script-Name /
+
+		## User authentication handled by "radicale"
+		Require local
+		<IfDefine RADICALE_PERMIT_PUBLIC_ACCESS>
+		Require all granted
+		</IfDefine>
+
+		## You may want to use apache's authentication (config: [auth] type = remote_user)
+		#AuthBasicProvider file
+		#AuthType Basic
+		#AuthName "Enter your credentials"
+		#AuthUserFile /path/to/httpdfile/
+		#AuthGroupFile /dev/null
+		#Require valid-user
+	</Location>
+</IfModule>
+<IfModule !wsgi_module>
+	Error "RADICALE_SERVER_WSGI selected but wsgi module not loaded/enabled"
+</IfModule>
+</IfDefine>
+
+
+</VirtualHost>
+</IfModule>
+
+<IfModule !ssl_module>
+	Error "RADICALE_SERVER_VHOST_SSL selected but ssl module not loaded/enabled"
+</IfModule>
+
+</IfDefine>