From 6dea64a9dcf1c16938beeac4c656b1e9a56f5993 Mon Sep 17 00:00:00 2001
From: Dalf
Date: Sat, 6 Jul 2019 14:54:05 +0200
Subject: [PATCH] Add filtron (configuration not done / checked)

Drop capabilities
---
 .env                | 18 ++++++++++++--
 Caddyfile           | 34 +++++++++++++++++++++------
 docker-compose.yaml | 57 ++++++++++++++++++++++++++++++++++-----------
 3 files changed, 87 insertions(+), 22 deletions(-)

diff --git a/.env b/.env
index 67f879b..7ffd335 100644
--- a/.env
+++ b/.env
@@ -1,4 +1,18 @@
-LETSENCRYPT_EMAIL=email@example.com
+# hostname and protocol
 SEARX_HOSTNAME=localhost
+
+# empty unless SEARX_HOSTNAME is localhost in this case "https://"
+SEARX_PROTOCOL=https://
+
+# Let's Encrypt : email provided
+LETSENCRYPT_EMAIL=email@example.com
+
+# Do you agree Let's Encrypt TOS https://letsencrypt.org/repository/
+LETSENCRYPT_AGREE=false
+
 # use openssl rand -base64 33
-MORTY_KEY=RemplaceThisBase64KeySharedBetweenMortyAndSearxByARealKey
+MORTY_KEY=RemplaceWithARealKey!
+
+# filtron ( /filtron/rules ), use for example "tr -cd '[:alnum:]' < /dev/urandom | fold -w12 | head -n1"
+FILTRON_USER=filtron
+FILTRON_PASSWORD=SetARealPassword
diff --git a/Caddyfile b/Caddyfile
index 8b82aa8..d1fe36d 100644
--- a/Caddyfile
+++ b/Caddyfile
@@ -1,6 +1,8 @@
-{$SEARX_HOSTNAME} {
+{$SEARX_PROTOCOL}{$SEARX_HOSTNAME} {
     tls self_signed
-    gzip
+    gzip {
+        not /morty
+    }
     root /srv
     header / {
 
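Review bot: `FILTRON_PASSWORD=SetARealPassword` and `MORTY_KEY=RemplaceWithARealKey!` are live defaults: nothing in this patch checks that they were changed, and the Caddyfile in the same commit interpolates `{$FILTRON_PASSWORD}` straight into `basicauth /filtron`, so a deployment that keeps the sample `.env` exposes the rule-editing API behind a password that sits in the repository. Leaving both values empty would be the safer default: Compose passes the empty string through, and I would expect an empty token on the `basicauth` line to make Caddy reject the Caddyfile at start-up instead of serving (worth confirming against the Caddy build pinned in docker-compose.yaml). The generator hint above `FILTRON_USER` is useful, but `# use openssl rand -base64 33` now sits above a `MORTY_KEY` value that is plainly not base64, so either the comment or the sample value should change, and `Remplace` should read `Replace`. The `SEARX_PROTOCOL` comment is hard to parse; `# leave empty; set to "https://" only when SEARX_HOSTNAME is localhost` states the same rule directly.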
@@ -28,22 +30,40 @@
         Feature-Policy "accelerometer 'none';autoplay 'none';camera 'none';fullscreen 'none';geolocation 'none';gyroscope 'none';magnetometer 'none';microphone 'none';midi 'none';notifications 'none';payment 'none';push 'none';speaker 'none';sync-xhr 'none';usb 'none';vibrate 'none';vr 'none'"
 
         # Cache
-        Cache-Control "private, no-store"
+        Cache-Control "no-cache, no-store, must-revalidate"
         Pragma "no-cache"
 
         # Referer
         Referrer-Policy "no-referrer"
 
+        # X-Robots-Tag
+        X-Robots-Tag "noindex, noarchive, nofollow"
+
         # Remove Server header
         -Server
     }
 
-    proxy / searx:8080 {
-        except /morty
+    header /static {
+        Cache-Control "public, max-age=31536000"
+        -Pragma
     }
 
-    proxy /morty morty:3000 {
-        transparent
+    proxy / 127.0.0.1:4040 {
+        transparent
+    }
+
+    basicauth /filtron {$FILTRON_USER} {$FILTRON_PASSWORD}
+    proxy /filtron/rules 127.0.0.1:4041 {
+        without /filtron
     }
+
+
+    proxy /morty 127.0.0.1:3000
+
+    limits {
+        header 100KB
+        body / 100KB
+        body /morty 5MB
     }
 
 }
diff --git a/docker-compose.yaml b/docker-compose.yaml
index 6aeb8f9..f34a3e7 100644
--- a/docker-compose.yaml
+++ b/docker-compose.yaml
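Review bot: `header /static` introduces a second header rule whose `Cache-Control "public, max-age=31536000"` contradicts the `no-cache, no-store, must-revalidate` that the enclosing `header /` rule sets for the same requests, and nothing in the file says which one is meant to win; if Caddy applies every matching `header` rule in file order (how I read v1, but it should be checked against the 1.0.1 image the compose file pins) then `/static` ends up cacheable and `-Pragma` strips the `Pragma "no-cache"` set just above, yet a reader has to know that ordering to understand the block. A comment such as `# evaluated after header /: static assets may be cached, so override Cache-Control and drop Pragma` above `header /static {` would pin the intent, and the effective headers of one `/static/` asset are worth recording in the PR. Style: the two blank lines before `proxy /morty 127.0.0.1:3000` break the single-blank-line spacing used elsewhere, and `/morty` is the only proxy written without a block, so `transparent` is not applied to it — fine if morty needs no client address, but a short comment saying so would stop the next reader from "fixing" it.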
@@ -3,29 +3,45 @@ version: '3.7'
 services:
 
   caddy:
-    image: abiosoft/caddy:no-stats
+    container_name: caddy
+    image: abiosoft/caddy:1.0.1-no-stats
     ports:
       - 80:80
       - 443:443
-    networks:
-      searx:
-        ipv4_address: 10.10.10.2
-    command: -email ${LETSENCRYPT_EMAIL} -agree=true -log stdout -host ${SEARX_HOSTNAME} -conf /etc/Caddyfile
+    network_mode: host
+    command: -email ${LETSENCRYPT_EMAIL} -agree=${LETSENCRYPT_AGREE} -log stdout -host ${SEARX_HOSTNAME} -conf /etc/Caddyfile
     volumes:
       - ./Caddyfile:/etc/Caddyfile
       - ./caddy:/root/.caddy
+      - ./srv:/srv
     environment:
       - SEARX_HOSTNAME=${SEARX_HOSTNAME}
+      - SEARX_PROTOCOL=${SEARX_PROTOCOL}
+      - FILTRON_USER=${FILTRON_USER}
+      - FILTRON_PASSWORD=${FILTRON_PASSWORD}
+    cap_drop:
+      - ALL
+    cap_add:
+      - NET_BIND_SERVICE
 
-# filtron:
-#   image: filtron
-#   hostname: filtron
-#   restart: always
-#   networks:
-#     searx:
-#       ipv4_address: 10.10.10.3
+  filtron:
+    container_name: filtron
+    image: filtron
+    hostname: filtron
+    restart: always
+    ports:
+      - 127.0.0.1:4040:4040
+      - 127.0.0.1:4041:4041
+    networks:
+      searx:
+        ipv4_address: 10.10.10.3
+    command: -listen 10.10.10.3:4040 -api 10.10.10.3:4041 -target 10.10.10.4:8080
+    read_only: true
+    cap_drop:
+      - ALL
 
   searx:
+    container_name: searx
     image: searx
     hostname: searx
     restart: always
@@ -35,20 +51,35 @@ services:
     volumes:
       - ./searx:/etc/searx
     environment:
+      - BIND_ADDRESS=10.10.10.4:8080
       - BASE_URL=https://${SEARX_HOSTNAME}/
       - MORTY_URL=https://${SEARX_HOSTNAME}/morty/
       - MORTY_KEY=${MORTY_KEY}
+    cap_drop:
+      - ALL
+    cap_add:
+      - CHOWN
+      - SETGID
+      - SETUID
 
   morty:
+    container_name: morty
     image: morty
     hostname: morty
     restart: always
+    ports:
+      - 127.0.0.1:3000:3000
     networks:
       searx:
         ipv4_address: 10.10.10.5
-    command: -listen 10.10.10.5:3000
+    command: -listen 10.10.10.5:3000 -timeout 3 -ipv6
     environment:
       - MORTY_KEY=${MORTY_KEY}
+    logging:
+      driver: none
+    read_only: true
+    cap_drop:
+      - ALL
 
 networks:
   searx:
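Review bot: With `network_mode: host` added to the caddy service, the `ports:` block kept as context right above it is dead configuration: Compose discards published ports for host-networked containers (and warns about it at `up` time), so `- 80:80` / `- 443:443` no longer describe anything and should be removed or replaced by `# ports come from host networking, see network_mode`. In the new filtron block, `image: filtron` carries no tag, so `restart: always` will silently run whatever `filtron:latest` becomes after a rebuild, unlike the deliberately pinned `abiosoft/caddy:1.0.1-no-stats`. Publishing the rule API on `127.0.0.1:4041` only is good, but the same API listens on `10.10.10.3:4041` inside the `searx` network where the Caddy `basicauth` does not apply, so the other containers on that network can reach it without credentials; a comment on the `-api` flag stating that the network is the trust boundary would make that explicit for whoever reads the file next. The filtron `command:` also mounts and names no rules file, in line with the subject's "configuration not done", and a `# TODO: mount the rules file and pass it to filtron` next to it would keep that visible.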
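Review bot: `logging: driver: none` on the morty service discards every line the image writes, which removes the only record an operator would have when the proxy is abused or misbehaves; if the intent is to keep the URLs users open out of the host's logs that is a defensible privacy choice, but it should be stated, e.g. `# no logs: morty request lines would record the URLs users open` above `logging:`, and otherwise a `json-file` driver with `max-size`/`max-file` options bounds log volume without blinding incident response. The `cap_add` list for searx (`CHOWN`, `SETGID`, `SETUID`) deserves a one-line comment on what in the entrypoint needs them, since every other service in the hunk runs with `cap_drop: ALL` alone. `MORTY_KEY` is handed to both searx and morty through `environment:`, where it is visible in `docker inspect` output; that predates this change, but is worth a note now that `.env` documents the key as a shared secret.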