
Reverse Proxy Authentication

Open Jab2870 opened this issue 1 year ago • 3 comments

Hi, thanks for making this. For some reason, I'm having difficulty setting up radicale to use user accounts with a reverse proxy, and wondering if you can shed some light on it.

It's set up, as per these docs: https://radicale.org/v3.html#manage-user-accounts-with-the-reverse-proxy

Here is my nginx config:

server {
    listen       443 ssl;
    listen  [::]:443 ssl;

    ssl_certificate     /etc/nginx/certs/fullchain1.pem;
    ssl_certificate_key /etc/nginx/certs/privkey1.pem;

    server_name         radicale.mydomain.com;

    location / {
        proxy_set_header Host $host;
        proxy_set_header  X-Script-Name "";
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_pass http://radicale:5232/;

        ##############################
        # authentik-specific config
        ##############################
        auth_request     /outpost.goauthentik.io/auth/nginx;
        error_page       401 = @goauthentik_proxy_signin;
        auth_request_set $auth_cookie $upstream_http_set_cookie;
        add_header       Set-Cookie $auth_cookie;

        # translate headers from the outposts back to the actual upstream
        auth_request_set $authentik_username $upstream_http_x_authentik_username;

        proxy_set_header X-Remote-User $authentik_username;
    }
# A bunch of authentik stuff I've removed here
}

My radicale config includes:

[auth]

# Authentication method
# Value: none | htpasswd | remote_user | http_x_remote_user
type = http_x_remote_user

This appears to be working as radicale docker logs show:

 [INFO] Successful login: 'jonathan'

But I am still presented with the radicale login page. Any ideas?


Jab2870, Jan 10 '24 17:01
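Added example, not part of the thread or of either project's code: with `type = http_x_remote_user`, Radicale takes the username from the `X-Remote-User` header, so the proxy must always overwrite that header with a value produced by the `auth_request` subrequest. This Python sketch checks a location block for that; `audit_location` is a hypothetical helper and the line-based parsing assumes one directive per line.

```python
import re

# Constructed sample: the auth-relevant directives of the location block in the post.
SAMPLE = """
location / {
    proxy_pass http://radicale:5232/;
    auth_request     /outpost.goauthentik.io/auth/nginx;
    auth_request_set $authentik_username $upstream_http_x_authentik_username;
    proxy_set_header X-Remote-User $authentik_username;
}
"""

# One "name args;" directive per line; comments and block braces do not match.
DIRECTIVE = re.compile(r"^[ \t]*([a-z_]+)[ \t]+([^;#\n]*);", re.M)

def audit_location(block, header="X-Remote-User"):
    """Return findings for one nginx location block; an empty list means OK."""
    directives = [(name, args.split()) for name, args in DIRECTIVE.findall(block)]
    has_auth = any(n == "auth_request" and a and a[0] != "off" for n, a in directives)
    # Variables filled from the auth subrequest's response headers.
    trusted = {a[0] for n, a in directives
               if n == "auth_request_set" and len(a) == 2
               and a[1].startswith("$upstream_http_")}
    values = [a[1] for n, a in directives
              if n == "proxy_set_header" and len(a) == 2
              and a[0].lower() == header.lower()]
    findings = []
    if not has_auth:
        findings.append("no auth_request: requests reach the backend unauthenticated")
    if not values:
        findings.append(f"{header} not overwritten: the client's own value is forwarded")
    for value in values:
        if value.startswith("$http_"):
            findings.append(f"{header} copies client request header {value}")
        elif value not in trusted:
            findings.append(f"{header} value {value} does not come from auth_request_set")
    return findings

if __name__ == "__main__":
    print(audit_location(SAMPLE) or "OK")
```

The block from the post passes this check; the same trust model also requires that port 5232 is reachable only through the proxy.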

Hi @Jab2870 ,

No clue at all :/ I don't know the internals of Radicale auth. The best idea is to enable all possible logging on the Radicale side.

tomsquest, Jan 11 '24 08:01

Hi, I got the same behaviour when trying to access the Web UI. So, you need to authenticate twice, i.e. one time against the OAuth Identity provider and another time against the Radicale web interface. However, when using the actual clients (Thunderbird, DAVx5, ...) it works. Did you already set up a user?

strauss115, Jan 12 '24 18:01

> Hi, I got the same behaviour when trying to access the Web UI. So, you need to authenticate twice, i.e. one time against the OAuth Identity provider and another time against the Radicale web interface. However, when using the actual clients (Thunderbird, DAVx5, ...) it works. Did you already set up a user?

I do have a user set up, yes. Clients aren't working though, unfortunately.

Jab2870, Jan 20 '24 11:01

Closing. The problem seems related to Radicale itself, rather than this particular image.

tomsquest, Mar 18 '24 12:03