Radicale reverse proxy (Caddy 2.0)

1. Caddy version (caddy version): 2.0

2. How I run Caddy:

a. System environment:

raspbian+systemd, caddy installed from script

b. Command:

systemctl start caddy

3. The problem I’m having:

I get Access to the requested resource forbidden. , similar to Setup reverse proxy for radicale

5. What I already tried:

I am currently using

:80/radicale/ {
      reverse_proxy  localhost:5232 {
                        header_up X-Script-Name /radicale/
             }
}

or

:80/radicale {
  reverse_proxy localhost:5232 {
    header_up X-Script-Name /radicale
  }
}

In Caddy v2, path matching is exact. This means that only the path /radicale/ will be matched, and not /radicale/foo. You need to specify a * to tell it to match anything following it.

I’d recommend avoiding path matching on the site block entirely and doing the path matching on the directives themselves.

:80 {
  reverse_proxy /radicale* localhost:5232 {
    header_up X-Script-Name /radicale
  }
}

Nice to know, in any case I am still getting the same error…

I’m pretty certain that error is coming from your upstream service, not from Caddy. I don’t have enough information here to help much more. I’ve never heard of Radicale before now.

It sounds to me like you haven’t authenticated to the service, so it’s returning an authorization error.

Oh, I see.

https://radicale.org/3.0.html#tutorials/reverse-proxy

Their docs say:

The proxy must remove the location from the URL path that is forwarded to Radicale.

That’s something that Nginx does implicitly, but in Caddy you need to do explicitly.

:80 {
	handle /radicale* {
		uri strip_prefix /radicale
		reverse_proxy localhost:5232 {
			header_up X-Script-Name /radicale
		}
	}
}

FYI in Caddy v2.1 (first beta is about to release today), this can be shortened to:

:80 {
	handle_path /radicale* {
		reverse_proxy localhost:5232 {
			header_up X-Script-Name /radicale
		}
	}
}

Many thanks, that worked. For future reference, I used

:80 {
    # ...
    handle /radicale* {
        uri strip_prefix /radicale
        reverse_proxy localhost:5232 {
        header_up X-Script-Name /radicale
            }
    }

    redir /radicale /radicale/

	basicauth /radicale* {
		'USER' 'HASH'
	}
}
1 Like

Minor tweaks, but I’d write it like this:

:80 {
	redir /radicale /radicale/
	handle /radicale/* {
		uri strip_prefix /radicale
		basicauth {
			'USER' 'HASH'
		}
		reverse_proxy localhost:5232 {
			header_up X-Script-Name /radicale
		}
	}
}

This way, it won’t handle /radicalefoo anymore which doesn’t make sense, and you can avoid repeating yourself with the basicauth matcher.

1 Like

This topic was automatically closed after 30 days. New replies are no longer allowed.