ponysearch-docker/Caddyfile

{
  admin off
}

{$SEARXNG_HOSTNAME} {
  log {
        output discard
  }

  tls {$SEARXNG_TLS}

  @api {
        path /config
        path /healthz
        path /stats/errors
        path /stats/checker
  }

  @static {
        path /static/*
  }

  @notstatic {
        not path /static/*
  }

  @imageproxy {
        path /image_proxy
  }

  @notimageproxy {
        not path /image_proxy
  }

  header {
        # Enable HTTP Strict Transport Security (HSTS) to force clients to always connect via HTTPS
        Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"

        # Enable cross-site filter (XSS) and tell browser to block detected attacks
        X-XSS-Protection "1; mode=block"

        # Prevent some browsers from MIME-sniffing a response away from the declared Content-Type
        X-Content-Type-Options "nosniff"

        # Disable some features
        Permissions-Policy "accelerometer=(),ambient-light-sensor=(),autoplay=(),camera=(),encrypted-media=(),focus-without-user-activation=(),geolocation=(),gyroscope=(),magnetometer=(),microphone=(),midi=(),payment=(),picture-in-picture=(),speaker=(),sync-xhr=(),usb=(),vr=()"

        # Disable some features (legacy)
        Feature-Policy "accelerometer 'none';ambient-light-sensor 'none'; autoplay 'none';camera 'none';encrypted-media 'none';focus-without-user-activation 'none'; geolocation 'none';gyroscope 'none';magnetometer 'none';microphone 'none';midi 'none';payment 'none';picture-in-picture 'none'; speaker 'none';sync-xhr 'none';usb 'none';vr 'none'"

        # Referer
        Referrer-Policy "no-referrer"

        # X-Robots-Tag
        X-Robots-Tag "noindex, noarchive, nofollow"

        # Remove Server header
        -Server
  }

  header @api {
        Access-Control-Allow-Methods "GET, OPTIONS"
        Access-Control-Allow-Origin  "*"
  }

  # Cache
  header @static {
        # Cache
        Cache-Control "public, max-age=31536000"
        defer
  }

  header @notstatic {
        # No Cache
        Cache-Control "no-cache, no-store"
        Pragma "no-cache"
  }

  # CSP (see http://content-security-policy.com/ )
  header @imageproxy {
        Content-Security-Policy "default-src 'none'; img-src 'self' data:"
  }

  header @notimageproxy {
        Content-Security-Policy "upgrade-insecure-requests; default-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'; form-action 'self' https://github.com/searxng/searxng/issues/new; font-src 'self'; frame-ancestors 'self'; base-uri 'self'; connect-src 'self' https://overpass-api.de; img-src 'self' data: https://*.tile.openstreetmap.org; frame-src https://www.youtube-nocookie.com https://player.vimeo.com https://www.dailymotion.com https://www.deezer.com https://www.mixcloud.com https://w.soundcloud.com https://embed.spotify.com"
  }

  # SearXNG
  handle {
        encode zstd gzip

        reverse_proxy localhost:8080 {
               header_up X-Forwarded-Port {http.request.port}
               header_up X-Forwarded-Proto {http.request.scheme}
        }
  }

}
[mod] upgrade to Caddy v2 (#44) * Use docker image caddy:2-alpine * Caddyfile: remove "limits 10KB" * Caddyfile: URL /filtron/rules removes (filtron API still availabled on http://localhost:4041/rules ) * caddy storage are docker volumes (caddy-data and caddy-config). start.sh and stop.sh have been modified to keep these volumes. * .env: Remove SEARX_PROTOCOL, SEARX_TLS, FILTRON_USER and FILTRON_PASSWORD variables. * docker-compose.yml: filtron and morty listen on 127.0.0.1 (related to #38) * Fix #37: settings ```SEARX_HOSTNAME=localhost:8888``` works as expected (https connection) 2020-07-13 08:12:32 +02:00			`{`
			`admin off`
			`}`

SearXNG 2021-10-01 09:42:00 +02:00			`{$SEARXNG_HOSTNAME} {`
[mod] upgrade to Caddy v2 (#44) * Use docker image caddy:2-alpine * Caddyfile: remove "limits 10KB" * Caddyfile: URL /filtron/rules removes (filtron API still availabled on http://localhost:4041/rules ) * caddy storage are docker volumes (caddy-data and caddy-config). start.sh and stop.sh have been modified to keep these volumes. * .env: Remove SEARX_PROTOCOL, SEARX_TLS, FILTRON_USER and FILTRON_PASSWORD variables. * docker-compose.yml: filtron and morty listen on 127.0.0.1 (related to #38) * Fix #37: settings ```SEARX_HOSTNAME=localhost:8888``` works as expected (https connection) 2020-07-13 08:12:32 +02:00			`log {`
			`output discard`
			`}`

SearXNG 2021-10-01 09:42:00 +02:00			`tls {$SEARXNG_TLS}`
[mod] upgrade to Caddy v2 (#44) * Use docker image caddy:2-alpine * Caddyfile: remove "limits 10KB" * Caddyfile: URL /filtron/rules removes (filtron API still availabled on http://localhost:4041/rules ) * caddy storage are docker volumes (caddy-data and caddy-config). start.sh and stop.sh have been modified to keep these volumes. * .env: Remove SEARX_PROTOCOL, SEARX_TLS, FILTRON_USER and FILTRON_PASSWORD variables. * docker-compose.yml: filtron and morty listen on 127.0.0.1 (related to #38) * Fix #37: settings ```SEARX_HOSTNAME=localhost:8888``` works as expected (https connection) 2020-07-13 08:12:32 +02:00
			`@api {`
			`path /config`
Rely on searxng/settings.yml 2022-03-19 20:16:38 +01:00			`path /healthz`
			`path /stats/errors`
			`path /stats/checker`
Add filtron (configuration not done / checked) Drop capabilities 2019-07-06 14:54:05 +02:00			`}`
Initial commit 2019-07-01 16:26:12 +02:00
[mod] upgrade to Caddy v2 (#44) * Use docker image caddy:2-alpine * Caddyfile: remove "limits 10KB" * Caddyfile: URL /filtron/rules removes (filtron API still availabled on http://localhost:4041/rules ) * caddy storage are docker volumes (caddy-data and caddy-config). start.sh and stop.sh have been modified to keep these volumes. * .env: Remove SEARX_PROTOCOL, SEARX_TLS, FILTRON_USER and FILTRON_PASSWORD variables. * docker-compose.yml: filtron and morty listen on 127.0.0.1 (related to #38) * Fix #37: settings ```SEARX_HOSTNAME=localhost:8888``` works as expected (https connection) 2020-07-13 08:12:32 +02:00			`@static {`
			`path /static/*`
Update Caddyfile - Access-Control-Allow-Origin "*" only for /status, /config - Add Strict-Transport-Security - Modify Content-Security-Policy to allow https://www.deezer.com https://www.mixcloud.com https://w.soundcloud.com https://embed.spotify.com - Limit request header/body to 10kb 2019-07-13 10:59:07 +02:00			`}`
Initial commit 2019-07-01 16:26:12 +02:00
Rely on searxng/settings.yml 2022-03-19 20:16:38 +01:00			`@notstatic {`
			`not path /static/*`
			`}`

Replace morty & filtron by redis & the limiter plugin 2022-02-25 22:43:05 +01:00			`@imageproxy {`
			`path /image_proxy`
[mod] upgrade to Caddy v2 (#44) * Use docker image caddy:2-alpine * Caddyfile: remove "limits 10KB" * Caddyfile: URL /filtron/rules removes (filtron API still availabled on http://localhost:4041/rules ) * caddy storage are docker volumes (caddy-data and caddy-config). start.sh and stop.sh have been modified to keep these volumes. * .env: Remove SEARX_PROTOCOL, SEARX_TLS, FILTRON_USER and FILTRON_PASSWORD variables. * docker-compose.yml: filtron and morty listen on 127.0.0.1 (related to #38) * Fix #37: settings ```SEARX_HOSTNAME=localhost:8888``` works as expected (https connection) 2020-07-13 08:12:32 +02:00			`}`

Replace morty & filtron by redis & the limiter plugin 2022-02-25 22:43:05 +01:00			`@notimageproxy {`
			`not path /image_proxy`
Update Caddyfile - Access-Control-Allow-Origin "*" only for /status, /config - Add Strict-Transport-Security - Modify Content-Security-Policy to allow https://www.deezer.com https://www.mixcloud.com https://w.soundcloud.com https://embed.spotify.com - Limit request header/body to 10kb 2019-07-13 10:59:07 +02:00			`}`

[mod] upgrade to Caddy v2 (#44) * Use docker image caddy:2-alpine * Caddyfile: remove "limits 10KB" * Caddyfile: URL /filtron/rules removes (filtron API still availabled on http://localhost:4041/rules ) * caddy storage are docker volumes (caddy-data and caddy-config). start.sh and stop.sh have been modified to keep these volumes. * .env: Remove SEARX_PROTOCOL, SEARX_TLS, FILTRON_USER and FILTRON_PASSWORD variables. * docker-compose.yml: filtron and morty listen on 127.0.0.1 (related to #38) * Fix #37: settings ```SEARX_HOSTNAME=localhost:8888``` works as expected (https connection) 2020-07-13 08:12:32 +02:00			`header {`
Update Caddyfile - Access-Control-Allow-Origin "*" only for /status, /config - Add Strict-Transport-Security - Modify Content-Security-Policy to allow https://www.deezer.com https://www.mixcloud.com https://w.soundcloud.com https://embed.spotify.com - Limit request header/body to 10kb 2019-07-13 10:59:07 +02:00			`# Enable HTTP Strict Transport Security (HSTS) to force clients to always connect via HTTPS`
			`Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"`
Initial commit 2019-07-01 16:26:12 +02:00
Update Caddyfile - Access-Control-Allow-Origin "*" only for /status, /config - Add Strict-Transport-Security - Modify Content-Security-Policy to allow https://www.deezer.com https://www.mixcloud.com https://w.soundcloud.com https://embed.spotify.com - Limit request header/body to 10kb 2019-07-13 10:59:07 +02:00			`# Enable cross-site filter (XSS) and tell browser to block detected attacks`
			`X-XSS-Protection "1; mode=block"`
Initial commit 2019-07-01 16:26:12 +02:00
Update Caddyfile - Access-Control-Allow-Origin "*" only for /status, /config - Add Strict-Transport-Security - Modify Content-Security-Policy to allow https://www.deezer.com https://www.mixcloud.com https://w.soundcloud.com https://embed.spotify.com - Limit request header/body to 10kb 2019-07-13 10:59:07 +02:00			`# Prevent some browsers from MIME-sniffing a response away from the declared Content-Type`
			`X-Content-Type-Options "nosniff"`
Initial commit 2019-07-01 16:26:12 +02:00
Update Caddyfile - Access-Control-Allow-Origin "*" only for /status, /config - Add Strict-Transport-Security - Modify Content-Security-Policy to allow https://www.deezer.com https://www.mixcloud.com https://w.soundcloud.com https://embed.spotify.com - Limit request header/body to 10kb 2019-07-13 10:59:07 +02:00			`# Disable some features`
Rely on searxng/settings.yml 2022-03-19 20:16:38 +01:00			`Permissions-Policy "accelerometer=(),ambient-light-sensor=(),autoplay=(),camera=(),encrypted-media=(),focus-without-user-activation=(),geolocation=(),gyroscope=(),magnetometer=(),microphone=(),midi=(),payment=(),picture-in-picture=(),speaker=(),sync-xhr=(),usb=(),vr=()"`
Add Permissions-Policy HTTP header to Caddyfile 2021-05-26 16:00:29 +02:00
			`# Disable some features (legacy)`
[mod] allow fullscreen for videos 2019-08-06 12:44:08 +02:00			`Feature-Policy "accelerometer 'none';ambient-light-sensor 'none'; autoplay 'none';camera 'none';encrypted-media 'none';focus-without-user-activation 'none'; geolocation 'none';gyroscope 'none';magnetometer 'none';microphone 'none';midi 'none';payment 'none';picture-in-picture 'none'; speaker 'none';sync-xhr 'none';usb 'none';vr 'none'"`
Initial commit 2019-07-01 16:26:12 +02:00
Update Caddyfile - Access-Control-Allow-Origin "*" only for /status, /config - Add Strict-Transport-Security - Modify Content-Security-Policy to allow https://www.deezer.com https://www.mixcloud.com https://w.soundcloud.com https://embed.spotify.com - Limit request header/body to 10kb 2019-07-13 10:59:07 +02:00			`# Referer`
			`Referrer-Policy "no-referrer"`
Initial commit 2019-07-01 16:26:12 +02:00
Update Caddyfile - Access-Control-Allow-Origin "*" only for /status, /config - Add Strict-Transport-Security - Modify Content-Security-Policy to allow https://www.deezer.com https://www.mixcloud.com https://w.soundcloud.com https://embed.spotify.com - Limit request header/body to 10kb 2019-07-13 10:59:07 +02:00			`# X-Robots-Tag`
			`X-Robots-Tag "noindex, noarchive, nofollow"`
Add filtron (configuration not done / checked) Drop capabilities 2019-07-06 14:54:05 +02:00
Update Caddyfile - Access-Control-Allow-Origin "*" only for /status, /config - Add Strict-Transport-Security - Modify Content-Security-Policy to allow https://www.deezer.com https://www.mixcloud.com https://w.soundcloud.com https://embed.spotify.com - Limit request header/body to 10kb 2019-07-13 10:59:07 +02:00			`# Remove Server header`
			`-Server`
Initial commit 2019-07-01 16:26:12 +02:00			`}`

[mod] upgrade to Caddy v2 (#44) * Use docker image caddy:2-alpine * Caddyfile: remove "limits 10KB" * Caddyfile: URL /filtron/rules removes (filtron API still availabled on http://localhost:4041/rules ) * caddy storage are docker volumes (caddy-data and caddy-config). start.sh and stop.sh have been modified to keep these volumes. * .env: Remove SEARX_PROTOCOL, SEARX_TLS, FILTRON_USER and FILTRON_PASSWORD variables. * docker-compose.yml: filtron and morty listen on 127.0.0.1 (related to #38) * Fix #37: settings ```SEARX_HOSTNAME=localhost:8888``` works as expected (https connection) 2020-07-13 08:12:32 +02:00			`header @api {`
			`Access-Control-Allow-Methods "GET, OPTIONS"`
			`Access-Control-Allow-Origin "*"`
Update Content-Security-Policy header 2019-07-11 17:15:49 +02:00			`}`

[mod] upgrade to Caddy v2 (#44) * Use docker image caddy:2-alpine * Caddyfile: remove "limits 10KB" * Caddyfile: URL /filtron/rules removes (filtron API still availabled on http://localhost:4041/rules ) * caddy storage are docker volumes (caddy-data and caddy-config). start.sh and stop.sh have been modified to keep these volumes. * .env: Remove SEARX_PROTOCOL, SEARX_TLS, FILTRON_USER and FILTRON_PASSWORD variables. * docker-compose.yml: filtron and morty listen on 127.0.0.1 (related to #38) * Fix #37: settings ```SEARX_HOSTNAME=localhost:8888``` works as expected (https connection) 2020-07-13 08:12:32 +02:00			`# Cache`
			`header @static {`
			`# Cache`
Replace morty & filtron by redis & the limiter plugin 2022-02-25 22:43:05 +01:00			`Cache-Control "public, max-age=31536000"`
			`defer`
Mainly add searx/searx-checker - Add searx/searx-checker image with automatic check everyday. Result https://${HOSTNAME}/status - Cache /static files - Add start.sh, stop.sh, update.sh 2019-07-09 18:05:05 +02:00			`}`

[mod] upgrade to Caddy v2 (#44) * Use docker image caddy:2-alpine * Caddyfile: remove "limits 10KB" * Caddyfile: URL /filtron/rules removes (filtron API still availabled on http://localhost:4041/rules ) * caddy storage are docker volumes (caddy-data and caddy-config). start.sh and stop.sh have been modified to keep these volumes. * .env: Remove SEARX_PROTOCOL, SEARX_TLS, FILTRON_USER and FILTRON_PASSWORD variables. * docker-compose.yml: filtron and morty listen on 127.0.0.1 (related to #38) * Fix #37: settings ```SEARX_HOSTNAME=localhost:8888``` works as expected (https connection) 2020-07-13 08:12:32 +02:00			`header @notstatic {`
			`# No Cache`
			`Cache-Control "no-cache, no-store"`
			`Pragma "no-cache"`
Update Content-Security-Policy header 2019-07-11 17:15:49 +02:00			`}`
Mainly add searx/searx-checker - Add searx/searx-checker image with automatic check everyday. Result https://${HOSTNAME}/status - Cache /static files - Add start.sh, stop.sh, update.sh 2019-07-09 18:05:05 +02:00
[mod] upgrade to Caddy v2 (#44) * Use docker image caddy:2-alpine * Caddyfile: remove "limits 10KB" * Caddyfile: URL /filtron/rules removes (filtron API still availabled on http://localhost:4041/rules ) * caddy storage are docker volumes (caddy-data and caddy-config). start.sh and stop.sh have been modified to keep these volumes. * .env: Remove SEARX_PROTOCOL, SEARX_TLS, FILTRON_USER and FILTRON_PASSWORD variables. * docker-compose.yml: filtron and morty listen on 127.0.0.1 (related to #38) * Fix #37: settings ```SEARX_HOSTNAME=localhost:8888``` works as expected (https connection) 2020-07-13 08:12:32 +02:00			`# CSP (see http://content-security-policy.com/ )`
Replace morty & filtron by redis & the limiter plugin 2022-02-25 22:43:05 +01:00			`header @imageproxy {`
			`Content-Security-Policy "default-src 'none'; img-src 'self' data:"`
[mod] upgrade to Caddy v2 (#44) * Use docker image caddy:2-alpine * Caddyfile: remove "limits 10KB" * Caddyfile: URL /filtron/rules removes (filtron API still availabled on http://localhost:4041/rules ) * caddy storage are docker volumes (caddy-data and caddy-config). start.sh and stop.sh have been modified to keep these volumes. * .env: Remove SEARX_PROTOCOL, SEARX_TLS, FILTRON_USER and FILTRON_PASSWORD variables. * docker-compose.yml: filtron and morty listen on 127.0.0.1 (related to #38) * Fix #37: settings ```SEARX_HOSTNAME=localhost:8888``` works as expected (https connection) 2020-07-13 08:12:32 +02:00			`}`
Update Caddyfile - Access-Control-Allow-Origin "*" only for /status, /config - Add Strict-Transport-Security - Modify Content-Security-Policy to allow https://www.deezer.com https://www.mixcloud.com https://w.soundcloud.com https://embed.spotify.com - Limit request header/body to 10kb 2019-07-13 10:59:07 +02:00
Replace morty & filtron by redis & the limiter plugin 2022-02-25 22:43:05 +01:00			`header @notimageproxy {`
Add github new issue to CSP form-action Make "Submit a new issue on Github including the above information" works 2022-05-18 10:55:18 +02:00			Content-Security-Policy "upgrade-insecure-requests; default-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'; form-action 'self' https://github.com/searxng/searxng/issues/new; font-src 'self'; frame-ancestors 'self'; base-uri 'self'; connect-src 'self' https://overpass-api.de; img-src 'self' data: https://*.tile.openstreetmap.org; frame-src https://www.youtube-nocookie.com https://player.vimeo.com https://www.dailymotion.com https://www.deezer.com https://www.mixcloud.com https://w.soundcloud.com https://embed.spotify.com"
Initial commit 2019-07-01 16:26:12 +02:00			`}`

Rely on searxng/settings.yml 2022-03-19 20:16:38 +01:00			`# SearXNG`
[mod] upgrade to Caddy v2 (#44) * Use docker image caddy:2-alpine * Caddyfile: remove "limits 10KB" * Caddyfile: URL /filtron/rules removes (filtron API still availabled on http://localhost:4041/rules ) * caddy storage are docker volumes (caddy-data and caddy-config). start.sh and stop.sh have been modified to keep these volumes. * .env: Remove SEARX_PROTOCOL, SEARX_TLS, FILTRON_USER and FILTRON_PASSWORD variables. * docker-compose.yml: filtron and morty listen on 127.0.0.1 (related to #38) * Fix #37: settings ```SEARX_HOSTNAME=localhost:8888``` works as expected (https connection) 2020-07-13 08:12:32 +02:00			`handle {`
			`encode zstd gzip`

Replace morty & filtron by redis & the limiter plugin 2022-02-25 22:43:05 +01:00			`reverse_proxy localhost:8080 {`
[mod] upgrade to Caddy v2 (#44) * Use docker image caddy:2-alpine * Caddyfile: remove "limits 10KB" * Caddyfile: URL /filtron/rules removes (filtron API still availabled on http://localhost:4041/rules ) * caddy storage are docker volumes (caddy-data and caddy-config). start.sh and stop.sh have been modified to keep these volumes. * .env: Remove SEARX_PROTOCOL, SEARX_TLS, FILTRON_USER and FILTRON_PASSWORD variables. * docker-compose.yml: filtron and morty listen on 127.0.0.1 (related to #38) * Fix #37: settings ```SEARX_HOSTNAME=localhost:8888``` works as expected (https connection) 2020-07-13 08:12:32 +02:00			`header_up X-Forwarded-Port {http.request.port}`
			`header_up X-Forwarded-Proto {http.request.scheme}`
			`}`
			`}`
Mainly add searx/searx-checker - Add searx/searx-checker image with automatic check everyday. Result https://${HOSTNAME}/status - Cache /static files - Add start.sh, stop.sh, update.sh 2019-07-09 18:05:05 +02:00
Initial commit 2019-07-01 16:26:12 +02:00			`}`