Virtualhost issue in proxmox configuration

[thefaboss]

Hello there :)
I'm a bit lost to properly configure apache virtualhost file.

Radicale is running on docker image, installed on a VM (private IP 192.168.10.12), hosted by a Proxmox 8 server running on Debian 12 (private IP 192.168.10.1).
Apache2 runs directly on the Debian 12 host, so the virtualhost conf is on the same server.

After few days and a lot of tests, while I tried to import ics files Radicale IHM kept saying this :

Log file tells me this :
[INFO] Access to '/titi/toto-contacts/' denied for anonymous user
or
[INFO] PUT response status for '/radicale/titi/toto-contacts/' in 0.001 seconds: 401 Unauthorized

I've done all my tests with Vivaldi and other chromium browsers, but surprisingly, when I use Firefox, IHM is OK to import my file, but logs keep telling me that I'm unauthorized.

Today, I finally understood that Radicale needs http_x_remote_user authentication behind a reverse proxy 🥇

So my Radicale config file is now like this :

[server]
hosts = 0.0.0.0:5232
script_name = /radicale

[auth]
type = http_x_remote_user

[storage]
filesystem_folder = /data/collections

And my vhost is like this :

<VirtualHost *:443>
        ServerName mydomain
		...
		SSL stuf
		...
        ServerSignature Off
        RewriteEngine On
        RewriteRule ^/radicale$ /radicale/ [R,L]

        <Location "/radicale/">
            AuthType     Basic
            AuthName     "Radicale - Password Required"
            AuthUserFile "/radicale/users"
            Require      valid-user
        
            ProxyPass http://192.168.10.12:5232/ retry=0
            ProxyPassReverse http://192.168.10.12:5232/
            RequestHeader    set X-Script-Name /radicale
            RequestHeader    set X-Remote-User expr=%{REMOTE_USER}
        </Location>
</VirtualHost>

192.168.10.12 is my VM ip address where Radicale docker is installed.
With this configuration, i'm unable to access authentication page :

I've updated my vhost config like this :

<VirtualHost *:443>
        ServerName mydomain
		...
		SSL stuf
		...
        ServerSignature Off
        RewriteEngine On
        RewriteRule ^/radicale$ /radicale/ [R,L]

        <Proxy *>
            AuthType     Basic
            AuthName     "Radicale - Password Required"
            AuthUserFile "/radicale/users"
            Require      valid-user
        </Proxy>
        ProxyPass "/" "http://192.168.10.12:5232/" retry=0
        ProxyPassReverse "/" "http://192.168.10.12:5232/"
        RequestHeader    set X-Script-Name /
        RequestHeader    set X-Remote-User expr=%{REMOTE_USER}
</VirtualHost>

And now, Apache is asking for user/password \o/ But after a successful authentication, Radicale asks me to authenticate too...
Well finally, with Vivaldi browser, I can import ics files like a charm !

Now in Radicale logs, I've got this :
[WARNING] Base prefix (from HTTP_X_SCRIPT_NAME) must not end with '/': '/'

So my questions now...

1. Is it normal to have 2 authentication prompts ?
2. What am I doing wrong on the vhost conf ?
3. How bad is "warning base prefix" ?
4. Why Firefox seems to don't care about vhost conf instead of Chromium browsers ?

Thx for the reading.

[pbiering]

Should be the reverse proxy responsible for user authentication and radicale simply trusts the authenticated username or radicale itself verifying the user?

[thefaboss]

Yeah I'd like that Radicale trusts reverse proxy :)
But I've red the issue #1119 and I understand that WebUI will always ask for authentication because of Javascript.

But in my case, after apache authentication, Radicale WebUI authentication page fields are empty :

[pbiering]

you have to exclude /.web from reverse proxy authentication, see reference configs in /contrib

[thefaboss]

I've tried many things following the contrib/apache file, but It has been written for standard Radicale installation.

I can't find how to adapt it forRadicale docker image :\

[pbiering]

Imho the radicale docker image exposes the radicale server port only and your Apache reverse proxy is outside...therefore you should only have to adjust the destination somehow from the contrib config:

		ProxyPass        http://localhost:5232/ retry=0
		ProxyPassReverse http://localhost:5232/

replace localhost:5232 by <container-ip>:<container-radicale-port>

[thefaboss]

Already done in my vhost conf :

        ProxyPass "/" "http://192.168.10.12:5232/" retry=0
        ProxyPassReverse "/" "http://192.168.10.12:5232/"

[pbiering]

For serving .web with authentication terminating in Apache, from contrib the example is very important:

<LocationMatch "^/radicale/\.web.*>
... -> ProxyPass without authentication

<LocationMatch "^/radicale(?!/\.web)">
... -> ProxyPass post authentication

Looks like Wiki need some extension, will check next days
https://github.com/Kozea/Radicale/wiki/Reverse-Proxy-Diagnostics-Troubleshooting

[thefaboss]

I'll give a look soon.
Thx :)

[thefaboss]

Well... I really don't understand the philosophy of the apache configuration given in the exemple, so I'm not able to adapt it on proxmox and my VM.

For now, I'll keep this virtualhost :

<VirtualHost *:443>
        ServerName mydomain
		...
		SSL stuf
		...
        ServerSignature Off

        <Proxy *>
            AuthType     Basic
            AuthName     "Radicale - Password Required"
            AuthUserFile "/radicale/users"
            Require      valid-user
        </Proxy>
        ProxyPass "/" "http://192.168.10.12:5232/" retry=0
        ProxyPassReverse "/" "http://192.168.10.12:5232/"
        RequestHeader    set X-Script-Name /
        RequestHeader    set X-Remote-User expr=%{REMOTE_USER}
</VirtualHost>

Like I said, it permits to get apache login, then I have to relog in Radicale WebUI homepage and after that, I can upload vcf or ics files like a charm.

Maybe I'll try another Reverse Proxy someday.

Thx again for your help @pbiering

[pbiering]

The example in contrib covers all cases and have toggles to activate, your related part is starting from here

Radicale/contrib/apache/radicale.conf

Line 179 in e4b337d

##########################

Your config above is too simple for terminating authentication on Apache and using the Javascript client from .web

You have to pass requests to .web without enforcing user auth

	<LocationMatch "^/\.web.*>
		RequestHeader    set X-Forwarded-Port "%{SERVER_PORT}s"
		RequestHeader    set X-Forwarded-Proto expr=%{REQUEST_SCHEME}

               ProxyPass "/" "http://192.168.10.12:5232/" retry=0
               ProxyPassReverse "/" "http://192.168.10.12:5232/"
	</LocationMatch>

while only enforcing authentication for requests outside .web:

	<LocationMatch "^(?!/\.web)">
		RequestHeader    set X-Forwarded-Port "%{SERVER_PORT}s"
		RequestHeader    set X-Forwarded-Proto expr=%{REQUEST_SCHEME}

               ProxyPass "/" "http://192.168.10.12:5232/" retry=0
               ProxyPassReverse "/" "http://192.168.10.12:5232/"

               AuthType     Basic
               AuthName     "Radicale - Password Required"
               AuthUserFile "/radicale/users"
               Require      valid-user
               RequestHeader    set X-Remote-User expr=%{REMOTE_USER}
	</LocationMatch>

Will update reference doc next.

[thefaboss]

Well, I've tried without "/" in ProxyPass and ProxyPassReverse lines because Apache doesn't start :

<VirtualHost *:443>
        ServerName mydomain
        ...
        SSL stuf
        ...
        Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains"

        ProxyRequests Off
        ProxyPreserveHost Off
        ServerSignature Off
        <LocationMatch "^/\.web.*>
                RequestHeader    set X-Forwarded-Port "%{SERVER_PORT}s"
                RequestHeader    set X-Forwarded-Proto expr=%{REQUEST_SCHEME}

               ProxyPass http://192.168.10.12:5232/ retry=0
               ProxyPassReverse http://192.168.10.12:5232/
        </LocationMatch>
        <LocationMatch "^(?!/\.web)">
                RequestHeader    set X-Forwarded-Port "%{SERVER_PORT}s"
                RequestHeader    set X-Forwarded-Proto expr=%{REQUEST_SCHEME}

               ProxyPass http://192.168.10.12:5232/ retry=0
               ProxyPassReverse http://192.168.10.12:5232/

               AuthType     Basic
               AuthName     "Radicale - Password Required"
               AuthUserFile "/data/vrac/radicale/users/userlist"
               Require      valid-user
               RequestHeader    set X-Remote-User expr=%{REMOTE_USER}
        </LocationMatch>
</VirtualHost>

=> apache login popup still appears and after successful authentication... Radicale WebUI is still asking for my credentials :(

[pbiering]

Something strange, please test

curl -k  -I https://localhost:443/.web/

It should return 200 and not 401.

[thefaboss]

Seems OK :

curl -k -I https://mydomain/.web/
HTTP/1.1 200 OK
Date: Thu, 14 Aug 2025 16:55:24 GMT
Server: WSGIServer/0.2 CPython/3.12.11
Strict-Transport-Security: max-age=15768000; includeSubDomains
Content-Type: text/html
Last-Modified: Sun, 10 Aug 2025 01:42:40 GMT
Content-Length: 9397

[pbiering]

So please confirm

• Loading the Javascript WebUI by browsing to /.web does not trigger any user authentication by Apache reverse proxy
• after providing user+pass in Javascript WebUI and push "Next" the browser receives a box for putting credentials for HTTP authentication?

If so, still strange, have you tested another browser, e.g. Firefox? Because this should not happen as the Javascript client sends the provided user/pass directly to reverse proxy and therefore no 401 should be returned.

BTW: if you take the reference config, enable on the top

Define RADICALE_SERVER_REVERSE_PROXY
Define RADICALE_SERVER_VHOST_SSL
Define RADICALE_PERMIT_PUBLIC_ACCESS
Define RADICALE_SERVER_USER_AUTHENTICATION

Then

• adapt the ProxyPass* entries to your local configuration
• Store user/pass in /etc/httpd/conf/htpasswd-radicale (or adjust the file)
• Adjust TLS certs and listen port if needed
• Start Radicale with --auth-type=http_x_remote_use

Then it should work, at least here, Apache log entries are e.g. (no 401 responded):

# load of WebUI
192.168.*.* - - [17/Aug/2025:09:12:24 +0200] "PROPFIND /testmd5/ HTTP/1.1" 207 712
192.168.*.* - - [17/Aug/2025:09:12:49 +0200] "GET /.web/ HTTP/1.1" 200 2155
192.168.*.* - - [17/Aug/2025:09:12:50 +0200] "GET /.web/fn.js HTTP/1.1" 200 9201
192.168.*.* - - [17/Aug/2025:09:12:50 +0200] "GET /.web/css/icon.png HTTP/1.1" 200 1092
# After providing credentials:
192.168.*.* - testuser [17/Aug/2025:09:12:56 +0200] "PROPFIND / HTTP/1.1" 207 212
192.168.*.* - testuser [17/Aug/2025:09:12:57 +0200] "PROPFIND /testuser/ HTTP/1.1" 207 712

Also check browser debug log what happens if still not working.

[thefaboss]

• Loading the Javascript WebUI by browsing to /.web does not trigger any user authentication by Apache reverse proxy

=> With my previous Vhost config, if I load https://mydomain/.web, then Apache authent pop up doesn't show up, I only get Javascript WebUI authent page.

• after providing user+pass in Javascript WebUI and push "Next" the browser receives a box for putting credentials for HTTP authentication?

=> No HTTP/Apache authent appears, I'm logged in Radicale's WebUI and I can upload vcs/ics files juste fine.

Now, here is the new version of my Vhost conf :

<VirtualHost *:443>
        ServerName mydomain

        Define RADICALE_SERVER_REVERSE_PROXY
        Define RADICALE_SERVER_VHOST_SSL
        Define RADICALE_PERMIT_PUBLIC_ACCESS
        Define RADICALE_SERVER_USER_AUTHENTICATION

        <IfDefine RADICALE_SERVER_VHOST_SSL>

                [...]
                SSL stuf...
                [...]

                <IfDefine RADICALE_SERVER_REVERSE_PROXY>
                         RewriteEngine On
                         RewriteCond %{REQUEST_METHOD} GET
                         RewriteRule ^/$ /.web/ [R,L]
                         ServerSignature Off
                         <LocationMatch "^/\.web.*>
                                RequestHeader    set X-Forwarded-Port "%{SERVER_PORT}s"
                                RequestHeader    set X-Forwarded-Proto expr=%{REQUEST_SCHEME}

                                ProxyPass http://192.168.10.12:5232/ retry=0
                                ProxyPassReverse http://192.168.10.12:5232/
                                Require local
                                <IfDefine RADICALE_PERMIT_PUBLIC_ACCESS>
                                        Require all granted
                                </IfDefine>
                         </LocationMatch>
                         <LocationMatch "^(?!/\.web)">
                                RequestHeader    set X-Forwarded-Port "%{SERVER_PORT}s"
                                RequestHeader    set X-Forwarded-Proto expr=%{REQUEST_SCHEME}

                                ProxyPass http://192.168.10.12:5232/ retry=0
                                ProxyPassReverse http://192.168.10.12:5232/
                                <IfDefine !RADICALE_SERVER_USER_AUTHENTICATION>
                                        Require local
                                        <IfDefine RADICALE_PERMIT_PUBLIC_ACCESS>
                                                Require all granted
                                        </IfDefine>
                                </IfDefine>
                                <IfDefine RADICALE_SERVER_USER_AUTHENTICATION>
                                        AuthBasicProvider file
                                        AuthType     Basic
                                        AuthName     "Radicale - Password Required"
                                        AuthUserFile "/radicale/users/userlist"
                                        Require      valid-user
                                        RequestHeader    set X-Remote-User expr=%{REMOTE_USER}
                                </IfDefine>
                         </LocationMatch>
                </IfDefine>
        </IfDefine>
</VirtualHost>

=> Now, when I try to access https://mydomain (without explicit /.web), then :

• Apache vhost rewrite the url to add /.web
• Apache doesn't show popup authent
• Radicale's Javascript WebUI asks for authent and I can log in
• I still can upload vcs/ics files without error

In Apache's logs, I can see some 401 :

mydomain:443 PublicIP - - [17/Aug/2025:13:47:02 +0200] "GET / HTTP/1.1" 302 3072 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/138.0.0.0 Safari/537.36"
mydomain:443 PublicIP - - [17/Aug/2025:13:47:02 +0200] "GET /.web/ HTTP/1.1" 200 2463 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/138.0.0.0 Safari/537.36"
mydomain:443 PublicIP - - [17/Aug/2025:13:47:02 +0200] "GET /.web/css/main.css HTTP/1.1" 200 2128 "https://mydomain/.web/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/138.0.0.0 Safari/537.36"
mydomain:443 PublicIP - - [17/Aug/2025:13:47:02 +0200] "GET /.web/fn.js HTTP/1.1" 200 9547 "https://mydomain/.web/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/138.0.0.0 Safari/537.36"
mydomain:443 PublicIP - - [17/Aug/2025:13:47:02 +0200] "GET /.web/css/loading.svg HTTP/1.1" 200 1547 "https://mydomain/.web/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/138.0.0.0 Safari/537.36"
mydomain:443 PublicIP - - [17/Aug/2025:13:47:02 +0200] "GET /.web/css/logo.svg HTTP/1.1" 200 990 "https://mydomain/.web/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/138.0.0.0 Safari/537.36"
mydomain:443 PublicIP - - [17/Aug/2025:13:47:02 +0200] "GET /.web/css/icons/new.svg HTTP/1.1" 200 536 "https://mydomain/.web/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/138.0.0.0 Safari/537.36"
mydomain:443 PublicIP - - [17/Aug/2025:13:47:02 +0200] "GET /.web/css/icons/upload.svg HTTP/1.1" 200 3129 "https://mydomain/.web/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/138.0.0.0 Safari/537.36"
mydomain:443 PublicIP - - [17/Aug/2025:13:47:02 +0200] "GET /.web/css/icons/download.svg HTTP/1.1" 200 543 "https://mydomain/.web/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/138.0.0.0 Safari/537.36"
mydomain:443 PublicIP - - [17/Aug/2025:13:47:02 +0200] "GET /.web/css/icons/edit.svg HTTP/1.1" 200 599 "https://mydomain/.web/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/138.0.0.0 Safari/537.36"
mydomain:443 PublicIP - - [17/Aug/2025:13:47:02 +0200] "GET /.web/css/icons/delete.svg HTTP/1.1" 200 577 "https://mydomain/.web/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/138.0.0.0 Safari/537.36"
mydomain:443 PublicIP - - [17/Aug/2025:13:47:02 +0200] "GET /.web/css/icon.png HTTP/1.1" 200 3966 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/138.0.0.0 Safari/537.36"
mydomain:443 PublicIP - - [17/Aug/2025:13:47:02 +0200] "GET /.web/css/icon.png HTTP/1.1" 200 1404 "https://mydomain/.web/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/138.0.0.0 Safari/537.36"
mydomain:443 PublicIP - - [17/Aug/2025:13:47:04 +0200] "PROPFIND / HTTP/1.1" 401 684 "https://mydomain/.web/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/138.0.0.0 Safari/537.36"
mydomain:443 PublicIP - titi [17/Aug/2025:13:47:04 +0200] "PROPFIND / HTTP/1.1" 207 556 "https://mydomain/.web/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/138.0.0.0 Safari/537.36"
mydomain:443 PublicIP - - [17/Aug/2025:13:47:04 +0200] "PROPFIND /titi/ HTTP/1.1" 401 684 "https://mydomain/.web/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/138.0.0.0 Safari/537.36"
mydomain:443 PublicIP - titi [17/Aug/2025:13:47:04 +0200] "PROPFIND /titi/ HTTP/1.1" 207 907 "https://mydomain/.web/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/138.0.0.0 Safari/537.36"

And I tried some curls :

curl -k -I https://mydomain/
HTTP/1.1 401 Unauthorized
Date: Sun, 17 Aug 2025 12:12:22 GMT
Server: Apache/2.4.62 (Debian)
WWW-Authenticate: Basic realm="Radicale - Password Required"
Content-Type: text/html; charset=iso-8859-1

curl -k -I https://mydomain/.web
HTTP/1.1 302 Found
Date: Sun, 17 Aug 2025 12:12:31 GMT
Server: WSGIServer/0.2 CPython/3.12.11
Location: /.web/
Content-Type: text/plain; charset=utf-8
Content-Length: 20

[pbiering]

I was not completly right, the 401 are also seen here, but hidden by Javascript client, which is instantly sending then a request with proper user:pass.

So issue solved now?

[thefaboss]

I think so :)
But wow, I've never created a vhost such complicated as this one ^^

Thx a lot

[pbiering]

one can serve files from .web or Infcloud outside Radicale directly, then it would be simpler...