Reverse Proxy Diagnostics Troubleshooting - Kozea/Radicale GitHub Wiki
See also:
Precondition "radicale" server is running fine and accessable
- Wiki: https://github.com/Kozea/Radicale/wiki/Server-Diagnostics---Troubleshooting
- Q&A: https://github.com/Kozea/Radicale/discussions/categories/q-a-server
Check whether "reverse proxy" is proper running
Example
netstat -nlpt | grep -E ":(80|443) "
tcp6 0 0 :::443 :::* LISTEN 1427/httpd
tcp6 0 0 :::80 :::* LISTEN 1427/httpd
Example (no TLS configured so far)
netstat -nlpt | grep -E ":(80|443) "
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 1667/nginx: master
tcp6 0 0 :::80 :::* LISTEN 1667/nginx: master
In case of SELinux is active and and in "enforcing" mode, SELinux may block connection from "reverse proxy" to "radicale"
sestatus | grep -E "(SELinux status|Current mode)"
SELinux status: enabled
Current mode: enforcing
At least supported on Enterprise & Fedora Linux
Example for prohibited connection from "reverse proxy" to other servers ("radicale" or any other)
getsebool httpd_can_network_connect
httpd_can_network_connect --> off
Systems not having extra SELinux policy for "radicale"
setsebool -P httpd_can_network_connect=1
getsebool httpd_can_network_connect
httpd_can_network_connect --> on
If reverse proxy configuration for "radicale" is configured in the default web server, URI must be extended to avoid any overlap conflicts
Example config excerpt
# Apache
<Location /radicale>
ProxyPass http://localhost:5232/ retry=0
ProxyPassReverse http://localhost:5232/
...
</Location>
Example URLs to request
Radicale direct : http://localhost:5232/.web/
via reverse proxy : http://localhost:80/radicale/.web/
via reverse proxy (SSL): https://localhost:443/radicale/.web/
Only in case a dedicated virtual host (dedicated port or FQDN) is configured, the URI extension can be left-out in the reverse proxy configuration
Example config excerpt for dedicated port, for FQDN configure name-based virtual hosting.
# Apache
Listen 8080
<VirtualHost _default_:8080>
...
<Location />
ProxyPass http://localhost:5232/ retry=0
ProxyPassReverse http://localhost:5232/
...
</Location>
</VirtualHost>
Listen 8443 https
<VirtualHost _default_:8443>
...
<Location />
ProxyPass http://localhost:5232/ retry=0
ProxyPassReverse http://localhost:5232/
...
</Location>
</VirtualHost>
Example URLs to request
Radicale direct : http://localhost:5232/.web/
via reverse proxy : http://localhost:8080/.web/
via reverse proxy (SSL): https://localhost:8443/.web/
Example for unsuccessful request blocked by SELinux
curl -I http://localhost:80/radicale/.web/
HTTP/1.1 503 Service Unavailable
Date: Sat, 16 Mar 2024 15:41:29 GMT
Server: Apache/2.4.57 (AlmaLinux) OpenSSL/3.0.7 mod_fcgid/2.3.9 mod_qos/11.74 mod_wsgi/4.7.1 Python/3.9
Connection: close
Content-Type: text/html; charset=iso-8859-1
Example for successful request
curl -I http://localhost:80/radicale/.web/
HTTP/1.1 200 OK
Date: Sat, 16 Mar 2024 15:42:01 GMT
Server: WSGIServer/0.2 CPython/3.9.18
Content-Type: text/html; charset=UTF-8
Last-Modified: Wed, 13 Mar 2024 05:36:47 GMT
Content-Length: 8091
Example for unsuccessful request blocked by SELinux
curl -I http://localhost:80/radicale/.web/
HTTP/1.1 502 Bad Gateway
Server: nginx/1.20.1
Date: Sat, 16 Mar 2024 15:30:51 GMT
Content-Type: text/html
Content-Length: 3854
Connection: keep-alive
ETag: "652d1e3f-f0e"
Example for successful request
curl -I http://localhost:80/radicale/.web/
HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Sat, 16 Mar 2024 15:32:56 GMT
Content-Type: text/html
Content-Length: 8091
Connection: keep-alive
Last-Modified: Wed, 13 Mar 2024 05:36:47 GMT
One can use ngrep to watch traffic between reverse proxy and "radicale" (example) - but only senseful if this connection has no encryption active.
ngrep -d lo port 5232