Running behind a reverse proxy
By default, Xandikos does not provide any authentication support. Instead, it is recommended that it is run behind a reverse HTTP proxy that does.
The author has used both nginx and Apache in front of Xandikos, but any reverse HTTP proxy should do.
If you expose Xandikos at the root of a domain, no further configuration is
necessary. When exposing it on a different path prefix, make sure to set the
--route-prefix argument to Xandikos appropriately.
.well-known
When serving Xandikos on a prefix, you may still want to provide
the appropriate .well-known files at the root so that clients
can find the DAV server without having to specify the subprefix.
For this to work, reverse proxy the .well-known/carddav and
.well-known/caldav files to Xandikos.
Example: Kubernetes ingress
Here is an example configuring Xandikos to listen on /dav using the
Kubernetes nginx ingress controller. Note that this relies on the
appropriate server being set up in Kubernetes (see getting-started) and
the my-htpasswd secret being present and having an htpasswd-like file in it.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: xandikos
  annotations:
    # Basic auth is enforced by the ingress controller; credentials come
    # from the my-htpasswd secret.
    nginx.ingress.kubernetes.io/auth-type: basic
    nginx.ingress.kubernetes.io/auth-secret: my-htpasswd
    nginx.ingress.kubernetes.io/auth-realm: 'Authentication Required - mysite'
spec:
  ingressClassName: nginx
  rules:
  - host: example.com
    http:
      paths:
      - backend:
          service:
            name: xandikos
            port:
              name: web
        path: /dav(/|$)(.*)
        pathType: Prefix
---
# This Ingress carries no auth annotations, so the two .well-known
# discovery paths are served without basic auth.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: xandikos-wellknown
spec:
  ingressClassName: nginx
  rules:
  - host: example.com
    http:
      paths:
      - backend:
          service:
            name: xandikos
            port:
              name: web
        path: /.well-known/carddav
        pathType: Exact
      - backend:
          service:
            name: xandikos
            port:
              name: web
        path: /.well-known/caldav
        pathType: Exact
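
Because Xandikos performs no authentication itself, any Ingress route to its service that lacks the auth annotations is open. The following added example (not part of the Xandikos documentation) audits Ingress objects in the shape returned by `kubectl get ingress -o json`. The `xandikos-extra` Ingress, its `/calendars` path and the helper names are hypothetical, and only the basic-auth annotations from the example above are recognised as protection.

```python
"""Audit Ingress objects (shape of `kubectl get ingress -o json`) for routes
that reach Xandikos without proxy authentication."""

AUTH_TYPE = "nginx.ingress.kubernetes.io/auth-type"
AUTH_SECRET = "nginx.ingress.kubernetes.io/auth-secret"
# Discovery paths the page deliberately routes without auth annotations.
WELL_KNOWN = {"/.well-known/carddav", "/.well-known/caldav"}


def unauthenticated_routes(ingress_list, service="xandikos"):
    """Return (ingress, host, path) for each route to `service` that has no
    basic-auth annotations and is not an Exact .well-known discovery path."""
    findings = []
    for ing in ingress_list.get("items", []):
        meta = ing.get("metadata", {})
        ann = meta.get("annotations") or {}
        if ann.get(AUTH_TYPE) == "basic" and ann.get(AUTH_SECRET):
            continue  # every path on this Ingress sits behind basic auth
        for rule in ing.get("spec", {}).get("rules", []):
            for p in (rule.get("http") or {}).get("paths", []):
                if p.get("backend", {}).get("service", {}).get("name") != service:
                    continue
                discovery = p.get("pathType") == "Exact" and p.get("path") in WELL_KNOWN
                if not discovery:
                    findings.append((meta.get("name"), rule.get("host"), p.get("path")))
    return findings


def make_ingress(name, paths, annotations=None):
    """Build a minimal Ingress dict for the constructed sample below."""
    svc = {"service": {"name": "xandikos", "port": {"name": "web"}}}
    rule = {"host": "example.com", "http": {"paths": [
        {"backend": svc, "path": p, "pathType": t} for p, t in paths]}}
    return {"metadata": {"name": name, "annotations": annotations},
            "spec": {"ingressClassName": "nginx", "rules": [rule]}}


# Constructed sample: the page's two Ingresses plus a hypothetical third one
# ("xandikos-extra") that forgets the auth annotations.
SAMPLE = {"items": [
    make_ingress("xandikos", [("/dav(/|$)(.*)", "Prefix")],
                 {AUTH_TYPE: "basic", AUTH_SECRET: "my-htpasswd"}),
    make_ingress("xandikos-wellknown", [("/.well-known/carddav", "Exact"),
                                        ("/.well-known/caldav", "Exact")]),
    make_ingress("xandikos-extra", [("/calendars", "Prefix")]),
]}

if __name__ == "__main__":
    for name, host, path in unauthenticated_routes(SAMPLE):
        print(f"UNAUTHENTICATED {name}: {host}{path}")
```

To run it against a cluster, load the output of `kubectl get ingress -o json` with `json.load` and pass the result to `unauthenticated_routes`.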