from A_norny_mousse@feddit.org to selfhosted@lemmy.world on 05 Jun 10:52
https://feddit.org/post/13659179
After my previous server got hacked (presumably), I am now looking for new solutions to my needs. CalDAV/CardDAV is a big one.
So far I switched from a content management system (PHP) to a static site generator for my blog, and I’m not looking back.
I wonder if it makes sense to also step away from PHP wrt CalDAV/CardDAV.
As so often, this list has some nice info.
I’d like to keep dependencies low. Python would be a good choice because it’s already installed on my Debian Stable system. But would it be safer?
Back when I started this, compatibility with clients was an issue; but I don’t use Android anymore. In any case, is this still an issue?
edit: no, I don’t use a web based app; and I’d prefer the server doesn’t require admin via web UI either.
Thanks for all your replies! I chose Radicale, already set it up. Only what is needed, simple config files. Very nice. It runs under an nginx reverse proxy and they communicate encrypted (and of course the outside is also encrypted and password-protected). And the web UI can be disabled.
The documentation is very tutorial-like and security conscious.
#selfhosted
Um… How are we supposed to tell you if your unnamed DAV client will have problems with your unnamed new DAV server? Works fine for me.
There used to be a mismatch between the spec and Google’s implementation of it.
If you’re self hosting, why use anything Google?
I don’t use Google apps, my calendar apps aren’t even on Play, and don’t use any Google processes.
Compatibility with Android usually means running DAVx⁵
f-droid.org/packages/at.bitfire.davdroid/
A larger package than just CalDAV and CardDAV would be to look into Gromox with Grommunio-DAV.
It’s on my “I should check this out” list, so no personal experience.
github.com/grommunio/gromox
github.com/grommunio/grommunio-dav
They also have support for Exchange ActiveSync through another optional addon.
github.com/grommunio/grommunio-sync
Security in software is about implementation, not different programming languages. Security as a whole is also not something you can achieve just by installing “secure” software - every software has bugs and vulnerabilities. Some of them are known, others are unknown and not every one of them automatically poses a security risk to you, this depends on the bug, your usage and environment. You can try to harden your system, but you need to do this in layers and the application code is just one of them.
For example, you could geoblock IP addresses so their requests never even reach your application. This does not mean that you’re automatically safe from attackers from e.g. Russia, but you make yourself a less easy target.
There are many other defense mechanisms like request limiting, dynamically blocking malicious requests with something like Fail2Ban, strong authentication, frequent patching, network segregation, virtualization, and so on. I hope you see where I’m going. Security is complex and depends a lot on your personal threat model.
That being said, if you need to know how secure the code of a given software is, you need to find something that has recently been audited or audit it yourself.
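Pulling the layers from this reply together with the setup the original poster ended up with (Radicale behind an nginx reverse proxy, encrypted on both hops, password-protected, web UI disabled), here is an nginx configuration as an added example. It is not from any poster in the thread or from the Radicale project; the hostname, file paths, the 203.0.113.0/24 block range and the port are assumptions. Password checking is done at the proxy and handed to Radicale through `X-Remote-User`; using Radicale's own htpasswd authentication instead is the other common arrangement.

```nginx
# Added example, not from the thread. Hostnames, paths and ranges are assumptions.

# Layer 1: request limiting. 10 MB of state, 10 requests/second per client address.
limit_req_zone $binary_remote_addr zone=dav_limit:10m rate=10r/s;

# Layer 2: address blocking. A plain allow/deny map stands in for a GeoIP lookup
# (country blocking needs the geoip2 module). 203.0.113.0/24 is a constructed example.
geo $blocked {
    default        0;
    203.0.113.0/24 1;
}

server {
    listen 443 ssl;
    server_name dav.example.com;   # assumption

    # Outside hop is encrypted; certificate paths are assumptions.
    ssl_certificate     /etc/letsencrypt/live/dav.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/dav.example.com/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;

    # Blocked addresses are refused before anything reaches the application.
    if ($blocked) { return 403; }

    location /radicale/ {
        # Sync clients fetch many items at once, so allow a burst; excess gets 429.
        limit_req zone=dav_limit burst=20 nodelay;
        limit_req_status 429;

        # Layer 3: authentication at the proxy. Radicale trusts the forwarded
        # user name when its config has [auth] type = http_x_remote_user.
        auth_basic "Radicale";
        auth_basic_user_file /etc/nginx/htpasswd;   # assumption

        # Inside hop is encrypted too: Radicale listens with [server] ssl = True,
        # and nginx verifies the backend certificate (self-signed cert path is an assumption).
        proxy_pass https://127.0.0.1:5232/;
        proxy_ssl_verify on;
        proxy_ssl_trusted_certificate /etc/radicale/server.crt;
        proxy_ssl_name localhost;

        proxy_set_header X-Script-Name /radicale;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Remote-User $remote_user;
        proxy_set_header Host $host;
    }

    # Nothing else is served on this host.
    location / { return 404; }
}
```

Check the file with `nginx -t` before reloading. On the Radicale side, `[web] type = none` disables the web UI the original poster wanted gone, and `[server] certificate` / `key` point at the backend certificate that nginx is told to trust above. Fail2Ban, patching and segmentation are further layers that live outside this file.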
I’ve never had any issues with Radicale, which is dead simple and lightweight. If you end up with Android again, DAVx5 has also never given me any trouble, and it also allows calendars to be cached offline. I’m not sure how you’re having compatibility issues as I would think CalDAV is a standard protocol?
If you’re concerned about dependencies and security, why not use Docker or Podman? It makes most of self-hosting in general much simpler, and it’s much easier to secure since it’s containerized. With containers, even if a hacker somehow hacks your CalDAV server, they can only access the minimal resources that you’ve given the container. I use this repo for Radicale on Docker.
I use radicale. Safe and solid. Zero php.
You need to install a separate app if you want a web-based calendar UI, or you can just use DAVx5 on Android or any other CalDAV client.
Radicale is indeed excellent. Light and safe. I use it for an association!
Thanks for the tip. Already set it up. I like it - does just what I need and not much more. And the web UI can be disabled.
I think Radicale, Baikal, SabreDAV or NextCloud are the most common choices. I read those names a lot.
But I believe only one of those isn't written in PHP.
I'd really recommend digging into the "hacking" though. Unless you learn from your specific mistakes and avoid them in the future, you might run into the exact same issue again. And I mean it could be a security flaw in the program code of the WebDAV server. But it could as well be a few dozen other reasons why your server wasn't secure... (Missing updates, insecure passwords, missing fail2ban, a webserver or reverse proxy, unrelated other software... There are a lot of moving gears in a webserver and lots of things to consider.)
I’ve been using Nextcloud for almost a decade (started with Owncloud), publicly exposed to the internet with no VPN, and I’ve had no issues with security or with DAV. I do nothing special besides keeping it up to date (and using strong passwords, I guess).
I’ve been using NC for about the same amount of time and I will say I’m no longer as happy with it as I once was, primarily because it’s a mess of PHP, gum and popsicle sticks held together by me going in there every 3 upgrades to fix ‘occ missing indices’, add an SQL table or some such error.
The CalDAV integration did allow me to break free from Google some more, and it works well, but I’ve since moved file sync to Syncthing and I’m looking for a standalone CalDAV solution.
I personally don’t like their kitchen sink approach.
Stalwart recently released CalDAV & CardDAV support, and it’s what I use for mail. It’s pretty secure by default too.
Good choice. I’ve been running Radicale for years, reverse proxied behind Caddy, and it’s been solid.