# Set type = http_x_remote_user in the [auth] section of /etc/radicale/config
# to determine the authenticated user from the X-Remote-User
# Security: Untrusted clients should not be able to access the Radicale server directly. Otherwise, they can authenticate as any user.
location /radicale/ {
    proxy_pass           http://localhost:5232/;
    proxy_set_header     X-Script-Name /radicale;
    proxy_set_header     X-Forwarded-Port $server_port;
    if ($scheme != "http") {
        proxy_set_header     X-Forwarded-Proto $scheme;
    }
    proxy_set_header     X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header     X-Remote-User $remote_user;
    proxy_set_header     Host $http_host;
    auth_basic           "Radicale - Password Required";
    auth_basic_user_file /etc/nginx/htpasswd;
}
