Rely on searxng/settings.yml

This commit is contained in:
Alexandre Flament 2022-03-19 20:16:38 +01:00
parent 8952fad37e
commit 0a1db38e21
6 changed files with 27 additions and 34 deletions

7
.env
View file

@ -5,10 +5,3 @@
# SEARXNG_HOSTNAME=<host> # SEARXNG_HOSTNAME=<host>
# LETSENCRYPT_EMAIL=<email> # LETSENCRYPT_EMAIL=<email>
# automatically update settings to the new version
# comment this line if you made / will make some modifications to the settings
SEARXNG_COMMAND=-f
# use openssl rand -base64 33
SEARXNG_SECRET=ultrasecretkey

2
.gitignore vendored
View file

@ -3,4 +3,4 @@
searxng-docker.service searxng-docker.service
caddy caddy
srv srv
searx searxng/uwsgi.ini

View file

@ -11,13 +11,19 @@
@api { @api {
path /config path /config
path /status path /healthz
path /stats/errors
path /stats/checker
} }
@static { @static {
path /static/* path /static/*
} }
@notstatic {
not path /static/*
}
@imageproxy { @imageproxy {
path /image_proxy path /image_proxy
} }
@ -26,11 +32,6 @@
not path /image_proxy not path /image_proxy
} }
@notstatic {
not path /static/*
}
header { header {
# Enable HTTP Strict Transport Security (HSTS) to force clients to always connect via HTTPS # Enable HTTP Strict Transport Security (HSTS) to force clients to always connect via HTTPS
Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
@ -41,11 +42,8 @@
# Prevent some browsers from MIME-sniffing a response away from the declared Content-Type # Prevent some browsers from MIME-sniffing a response away from the declared Content-Type
X-Content-Type-Options "nosniff" X-Content-Type-Options "nosniff"
# Disallow the site to be rendered within a frame (clickjacking protection)
X-Frame-Options "SAMEORIGIN"
# Disable some features # Disable some features
Permissions-Policy "accelerometer=();ambient-light-sensor=(); autoplay=();camera=();encrypted-media=();focus-without-user-activation=(); geolocation=();gyroscope=();magnetometer=();microphone=();midi=();payment=();picture-in-picture=(); speaker=();sync-xhr=();usb=();vr=()" Permissions-Policy "accelerometer=(),ambient-light-sensor=(),autoplay=(),camera=(),encrypted-media=(),focus-without-user-activation=(),geolocation=(),gyroscope=(),magnetometer=(),microphone=(),midi=(),payment=(),picture-in-picture=(),speaker=(),sync-xhr=(),usb=(),vr=()"
# Disable some features (legacy) # Disable some features (legacy)
Feature-Policy "accelerometer 'none';ambient-light-sensor 'none'; autoplay 'none';camera 'none';encrypted-media 'none';focus-without-user-activation 'none'; geolocation 'none';gyroscope 'none';magnetometer 'none';microphone 'none';midi 'none';payment 'none';picture-in-picture 'none'; speaker 'none';sync-xhr 'none';usb 'none';vr 'none'" Feature-Policy "accelerometer 'none';ambient-light-sensor 'none'; autoplay 'none';camera 'none';encrypted-media 'none';focus-without-user-activation 'none'; geolocation 'none';gyroscope 'none';magnetometer 'none';microphone 'none';midi 'none';payment 'none';picture-in-picture 'none'; speaker 'none';sync-xhr 'none';usb 'none';vr 'none'"
@ -87,16 +85,13 @@
Content-Security-Policy "upgrade-insecure-requests; default-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'; form-action 'self'; font-src 'self'; frame-ancestors 'self'; base-uri 'self'; connect-src 'self' https://overpass-api.de; img-src 'self' data: https://*.tile.openstreetmap.org; frame-src https://www.youtube-nocookie.com https://player.vimeo.com https://www.dailymotion.com https://www.deezer.com https://www.mixcloud.com https://w.soundcloud.com https://embed.spotify.com" Content-Security-Policy "upgrade-insecure-requests; default-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'; form-action 'self'; font-src 'self'; frame-ancestors 'self'; base-uri 'self'; connect-src 'self' https://overpass-api.de; img-src 'self' data: https://*.tile.openstreetmap.org; frame-src https://www.youtube-nocookie.com https://player.vimeo.com https://www.dailymotion.com https://www.deezer.com https://www.mixcloud.com https://w.soundcloud.com https://embed.spotify.com"
} }
# Searx # SearXNG
handle { handle {
encode zstd gzip encode zstd gzip
reverse_proxy localhost:8080 { reverse_proxy localhost:8080 {
header_up X-Forwarded-Port {http.request.port} header_up X-Forwarded-Port {http.request.port}
header_up X-Forwarded-Proto {http.request.scheme} header_up X-Forwarded-Proto {http.request.scheme}
header_up X-Forwarded-TlsProto {tls_protocol}
header_up X-Forwarded-TlsCipher {tls_cipher}
header_up X-Forwarded-HttpsProto {proto}
} }
} }

View file

@ -20,8 +20,9 @@ Create a new SearXNG instance in five minutes using Docker
git clone https://github.com/searxng/searxng-docker.git git clone https://github.com/searxng/searxng-docker.git
cd searxng-docker cd searxng-docker
``` ```
- Generate the secret key ```sed -i "s|ultrasecretkey|$(openssl rand -hex 32)|g" .env``` - Edit the [.env](https://github.com/searxng/searxng-docker/blob/master/.env) file to set the hostname and an email
- Edit the other settings in [.env](https://github.com/searxng/searxng-docker/blob/master/.env) file according to your need - Generate the secret key ```sed -i "s|ultrasecretkey|$(openssl rand -hex 32)|g" searxng/settings.yml```
- Edit the [searxng/settings.yml](https://github.com/searxng/searxng-docker/blob/master/searxng/settings.yml) file according to your need
- Check everything is working: ```./start.sh``` - Check everything is working: ```./start.sh```
- ```cp searxng-docker.service.template searxng-docker.service``` - ```cp searxng-docker.service.template searxng-docker.service```
- edit the content of ```WorkingDirectory``` in the ```searxng-docker.service``` file (only if the installation path is different from /usr/local/searxng-docker) - edit the content of ```WorkingDirectory``` in the ```searxng-docker.service``` file (only if the installation path is different from /usr/local/searxng-docker)

View file

@ -34,21 +34,18 @@ services:
- SETUID - SETUID
- DAC_OVERRIDE - DAC_OVERRIDE
searx: searxng:
container_name: searx container_name: searxng
image: searxng/searxng image: searxng/searxng:latest
restart: always restart: always
networks: networks:
- searxng - searxng
command: ${SEARX_COMMAND:-}
ports: ports:
- "127.0.0.1:8080:8080" - "127.0.0.1:8080:8080"
volumes: volumes:
- ./searxng:/etc/searx:rw - ./searxng:/etc/searxng:rw
environment: environment:
- BIND_ADDRESS=0.0.0.0:8080 - SEARXNG_BASE_URL=https://${SEARXNG_HOSTNAME:-localhost}/
- BASE_URL=https://${SEARXNG_HOSTNAME:-localhost}/
- SEARXNG_SECRET=${SEARXNG_SECRET}
cap_drop: cap_drop:
- ALL - ALL
cap_add: cap_add:
@ -56,7 +53,11 @@ services:
- SETGID - SETGID
- SETUID - SETUID
- DAC_OVERRIDE - DAC_OVERRIDE
logging:
driver: "json-file"
options:
max-size: "1m"
max-file: "1"
networks: networks:
searxng: searxng:
ipam: ipam:

View file

@ -1,6 +1,9 @@
# see https://docs.searxng.org/admin/engines/settings.html#use-default-settings
use_default_settings: true use_default_settings: true
server: server:
limiter: true # base_url is defined in the SEARXNG_BASE_URL environment variable, see .env and docker-compose.yml
secret_key: "ultrasecretkey" # change this!
limiter: true # can be disabled for a private instance
image_proxy: true image_proxy: true
redis: redis:
url: redis://redis:6379/0 url: redis://redis:6379/0