- Requires mod_authn_dovecot for Apache 2.2 and 2.4, which can authenticate against Dovecot using an email address or just a username (depending on the Dovecot configuration).
- Requires auth_basic, authn_alias, authn_default, authz_default, authz_host and authz_user to be enabled for authentication.
- For the reverse proxy: proxy and proxy_http must be enabled in Apache.
- Optional AppArmor changehat support is provided, with accompanying AppArmor profiles for the web component in Apache and for Radicale itself.

Apache configuration (/etc/apache2/conf.d/radicale.conf or equivalent):

    # Forward only calendar/address-book resources and CalDAV/CardDAV endpoints to Radicale
    ProxyPassMatch ((\.(ics|vcf))|((\.well-known\/)?(cal|card)dav)/)$ http://localhost:5232
    <LocationMatch ((\.(ics|vcf))|((\.well-known\/)?(cal|card)dav)/)$>
        # HTTP Basic authentication, verified against the Dovecot auth socket
        AuthType basic
        AuthName "Dovecot Authentication"
        AuthBasicProvider dovecot
        AuthDovecotAuthSocket /var/run/dovecot/auth-client
        AuthDovecotTimeout 5
        AuthDovecotAuthoritative On
        Require valid-user
        # Return 403 unless the first path segment equals the authenticated user name;
        # the /.well-known/ discovery URLs are exempt from this check
        RewriteEngine On
        RewriteCond %{REMOTE_USER}%{REQUEST_URI} !^([^/]+/)\1
        RewriteCond %{REQUEST_URI} !^/\.well-known/.+
        RewriteRule .* - [Forbidden]
        <IfModule security2_module>
            SecRuleEngine On
        </IfModule>
        <IfModule apparmor_module>
            AAHatName radicale
        </IfModule>
    </LocationMatch>

Radicale configuration, relevant sections only (/etc/radicale/config):

    [server]
    hosts = 127.0.0.1:5232
    [auth]
    type = remote_user
    [rights]
    type = None
    [storage]
    filesystem_folder = /var/lib/radicale/collections
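
Because Radicale runs here with `type = None` under `[rights]`, the two `RewriteCond` lines in the Apache block are what confine each user to their own collections. The following is an added example, not part of the original configuration: a Python model of that decision run over constructed requests. The function names and sample users are hypothetical, and the `.well-known` exemption is written with a literal dot (`^/\.well-known/.+`).

```python
import re

# Patterns mirrored from the Apache block on this page.
PROXIED = re.compile(r"((\.(ics|vcf))|((\.well-known\/)?(cal|card)dav)/)$")
OWN_PREFIX = re.compile(r"^([^/]+/)\1")        # tested against REMOTE_USER + REQUEST_URI
WELL_KNOWN = re.compile(r"^/\.well-known/.+")  # literal dot (assumption, see lead-in)


def decide(remote_user: str, request_uri: str) -> str:
    """Model the outcome for an already-authenticated request."""
    if not PROXIED.search(request_uri):
        # Neither ProxyPassMatch nor LocationMatch applies to this path.
        return "not-proxied"
    outside_own_tree = not OWN_PREFIX.search(remote_user + request_uri)
    not_discovery = not WELL_KNOWN.search(request_uri)
    # RewriteRule .* - [Forbidden] fires only if every RewriteCond holds.
    if outside_own_tree and not_discovery:
        return "forbidden"
    return "proxied"


# Constructed sample requests: (REMOTE_USER, REQUEST_URI).
SAMPLES = [
    ("alice", "/alice/calendar.ics"),    # own collection
    ("alice", "/bob/calendar.ics"),      # another user's collection
    ("alice", "/alicex/calendar.ics"),   # user name that merely shares a prefix
    ("Alice", "/alice/calendar.ics"),    # comparison is case-sensitive
    ("alice@example.com", "/alice@example.com/contacts.vcf"),  # email-style login
    ("alice", "/.well-known/caldav/"),   # discovery URL, exempt from the owner check
    ("alice", "/alice/"),                # no .ics/.vcf/caldav/ suffix
]


def evaluate(samples=SAMPLES):
    """Return {(user, uri): outcome} for each sample request."""
    return {(user, uri): decide(user, uri) for user, uri in samples}


if __name__ == "__main__":
    for (user, uri), outcome in evaluate().items():
        print(f"{user:20} {uri:35} {outcome}")
```

The `Alice` row shows that the name Dovecot hands to Apache has to match the collection directory exactly, including case, or the user is locked out of their own data.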

/etc/apparmor.d/usr.bin.radicale:

    /usr/bin/radicale {
      #include <abstractions/base>
      #include <abstractions/nameservice>
      #include <abstractions/python>
      /bin/dash rix,
      /etc/radicale/* r,
      /proc/*/mounts r,
      /run/radicale/* w,
      /sbin/ldconfig rix,
      /sbin/ldconfig.real rix,
      /usr/bin/python2.7 ix,
      /usr/bin/radicale r,
      /var/lib/radicale/** rw,
      /var/log/radicale/* w,
    }

/etc/apparmor.d/apache2/radicale:

    ^radicale {
      #include <abstractions/apache2-common>
      #include <abstractions/base>
      #include <abstractions/nameservice>
      # for log writing (could be abstracted)
      /var/log/apache2/*.log w,
    }