Add filtron (configuration not done / checked)

Drop capabilities
This commit is contained in:
Dalf 2019-07-06 14:54:05 +02:00
parent 40b14b1d52
commit 6dea64a9dc
3 changed files with 87 additions and 22 deletions

.env

@ -1,4 +1,18 @@
LETSENCRYPT_EMAIL=email@example.com # hostname and protocol
SEARX_HOSTNAME=localhost SEARX_HOSTNAME=localhost
# empty unless SEARX_HOSTNAME is localhost in this case "https://"
SEARX_PROTOCOL=https://
# Let's Encrypt : email provided
LETSENCRYPT_EMAIL=email@example.com
# Do you agree Let's Encrypt TOS https://letsencrypt.org/repository/
LETSENCRYPT_AGREE=false
# use openssl rand -base64 33 # use openssl rand -base64 33
MORTY_KEY=RemplaceThisBase64KeySharedBetweenMortyAndSearxByARealKey MORTY_KEY=RemplaceWithARealKey!
# filtron ( /filtron/rules ), use for example "tr -cd '[:alnum:]' < /dev/urandom | fold -w12 | head -n1"
FILTRON_USER=filtron
FILTRON_PASSWORD=SetARealPassword
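Review bot: `MORTY_KEY=RemplaceWithARealKey!` and `FILTRON_PASSWORD=SetARealPassword` are placeholders the stack will happily start with, so an operator who skips this file ends up with the filtron rules API gated by a password that is published in the repository; I would ship both values empty and have docker-compose.yml refuse to start when they are unset (Compose's `${VAR:?message}` form), or at minimum say in the comment that the stack must not be started with these defaults. The comment above MORTY_KEY asks for `openssl rand -base64 33` output, yet the placeholder with its trailing `!` is not valid base64, so a forgotten default presumably fails or is mis-decoded inside morty rather than being rejected up front — worth confirming against morty's key handling. The suggested FILTRON_PASSWORD recipe yields 12 alphanumerics; since nobody types it by hand, `fold -w24` costs nothing and doubles the entropy. Consider committing this as `.env.example` and keeping the real `.env` out of version control.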


@ -1,6 +1,8 @@
{$SEARX_HOSTNAME} { {$SEARX_PROTOCOL}{$SEARX_HOSTNAME} {
tls self_signed tls self_signed
gzip gzip {
not /morty
}
root /srv root /srv
header / { header / {
@ -28,22 +30,40 @@
Feature-Policy "accelerometer 'none';autoplay 'none';camera 'none';fullscreen 'none';geolocation 'none';gyroscope 'none';magnetometer 'none';microphone 'none';midi 'none';notifications 'none';payment 'none';push 'none';speaker 'none';sync-xhr 'none';usb 'none';vibrate 'none';vr 'none'" Feature-Policy "accelerometer 'none';autoplay 'none';camera 'none';fullscreen 'none';geolocation 'none';gyroscope 'none';magnetometer 'none';microphone 'none';midi 'none';notifications 'none';payment 'none';push 'none';speaker 'none';sync-xhr 'none';usb 'none';vibrate 'none';vr 'none'"
# Cache # Cache
Cache-Control "private, no-store" Cache-Control "no-cache, no-store, must-revalidate"
Pragma "no-cache" Pragma "no-cache"
# Referer # Referer
Referrer-Policy "no-referrer" Referrer-Policy "no-referrer"
# X-Robots-Tag
X-Robots-Tag "noindex, noarchive, nofollow"
# Remove Server header # Remove Server header
-Server -Server
} }
proxy / searx:8080 { header /static {
except /morty Cache-Control "public, max-age=31536000"
-Pragma
} }
proxy /morty morty:3000 { proxy / 127.0.0.1:4040 {
transparent transparent
} }
basicauth /filtron {$FILTRON_USER} {$FILTRON_PASSWORD}
proxy /filtron/rules 127.0.0.1:4041 {
without /filtron
}
proxy /morty 127.0.0.1:3000
limits {
header 100KB
body / 100KB
body /morty 5MB
}
} }
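Review bot: The site block still carries `tls self_signed`, and with that directive in place Caddy v1 does not run its Let's Encrypt automation as far as I can tell, so the `-email`/`-agree` flags now fed from LETSENCRYPT_EMAIL and LETSENCRYPT_AGREE have no effect; either make `tls self_signed` conditional on localhost (the comment in .env suggests that is the intent) or drop the Let's Encrypt plumbing until it is used. The new `basicauth /filtron` does front `proxy /filtron/rules`, since both are prefix matches, but nothing in the file says that this path is a write endpoint; I would add `# /filtron/rules is the filtron rule API (can replace the rule set at runtime); basicauth is the only gate` above the `proxy` line. The `header /` block in the second hunk opens before the shown lines, so I cannot tell whether HSTS is set there. Note also that the first hunk's `gzip { not /morty }` and the `limits` block are reasonable, but `body /morty 5MB` deserves a one-line comment on why morty requests need a larger body than the search UI.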


@ -3,29 +3,45 @@ version: '3.7'
services: services:
caddy: caddy:
image: abiosoft/caddy:no-stats container_name: caddy
image: abiosoft/caddy:1.0.1-no-stats
ports: ports:
- 80:80 - 80:80
- 443:443 - 443:443
networks: network_mode: host
searx: command: -email ${LETSENCRYPT_EMAIL} -agree=${LETSENCRYPT_AGREE} -log stdout -host ${SEARX_HOSTNAME} -conf /etc/Caddyfile
ipv4_address: 10.10.10.2
command: -email ${LETSENCRYPT_EMAIL} -agree=true -log stdout -host ${SEARX_HOSTNAME} -conf /etc/Caddyfile
volumes: volumes:
- ./Caddyfile:/etc/Caddyfile - ./Caddyfile:/etc/Caddyfile
- ./caddy:/root/.caddy - ./caddy:/root/.caddy
- ./srv:/srv
environment: environment:
- SEARX_HOSTNAME=${SEARX_HOSTNAME} - SEARX_HOSTNAME=${SEARX_HOSTNAME}
- SEARX_PROTOCOL=${SEARX_PROTOCOL}
- FILTRON_USER=${FILTRON_USER}
- FILTRON_PASSWORD=${FILTRON_PASSWORD}
cap_drop:
- ALL
cap_add:
- NET_BIND_SERVICE
# filtron: filtron:
# image: filtron container_name: filtron
# hostname: filtron image: filtron
# restart: always hostname: filtron
# networks: restart: always
# searx: ports:
# ipv4_address: 10.10.10.3 - 127.0.0.1:4040:4040
- 127.0.0.1:4041:4041
networks:
searx:
ipv4_address: 10.10.10.3
command: -listen 10.10.10.3:4040 -api 10.10.10.3:4041 -target 10.10.10.4:8080
read_only: true
cap_drop:
- ALL
searx: searx:
container_name: searx
image: searx image: searx
hostname: searx hostname: searx
restart: always restart: always
@ -35,20 +51,35 @@ services:
volumes: volumes:
- ./searx:/etc/searx - ./searx:/etc/searx
environment: environment:
- BIND_ADDRESS=10.10.10.4:8080
- BASE_URL=https://${SEARX_HOSTNAME}/ - BASE_URL=https://${SEARX_HOSTNAME}/
- MORTY_URL=https://${SEARX_HOSTNAME}/morty/ - MORTY_URL=https://${SEARX_HOSTNAME}/morty/
- MORTY_KEY=${MORTY_KEY} - MORTY_KEY=${MORTY_KEY}
cap_drop:
- ALL
cap_add:
- CHOWN
- SETGID
- SETUID
morty: morty:
container_name: morty
image: morty image: morty
hostname: morty hostname: morty
restart: always restart: always
ports:
- 127.0.0.1:3000:3000
networks: networks:
searx: searx:
ipv4_address: 10.10.10.5 ipv4_address: 10.10.10.5
command: -listen 10.10.10.5:3000 command: -listen 10.10.10.5:3000 -timeout 3 -ipv6
environment: environment:
- MORTY_KEY=${MORTY_KEY} - MORTY_KEY=${MORTY_KEY}
logging:
driver: none
read_only: true
cap_drop:
- ALL
networks: networks:
searx: searx:
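Review bot: The caddy service now has both `network_mode: host` and a `ports:` list (`80:80`, `443:443`); Docker discards published ports under host networking (and, as I recall, some compose/daemon versions reject the combination outright), so one of the two should go. If host networking is kept on purpose so Caddy can reach the loopback-published filtron and morty ports, be aware that it also gives the only internet-facing container access to every host interface and loopback service, which undoes much of what the new `cap_drop: ALL` buys; the alternative is to attach caddy to the `searx` network and proxy to `10.10.10.3:4040`, `10.10.10.3:4041` and `10.10.10.5:3000` instead of 127.0.0.1. Whichever is chosen, caddy's bind mounts can be read-only since only `/root/.caddy` is written: `- ./Caddyfile:/etc/Caddyfile:ro` and `- ./srv:/srv:ro`. Finally, `${FILTRON_PASSWORD}` and `${MORTY_KEY}` expand to an empty string when unset; writing them as `${FILTRON_PASSWORD:?FILTRON_PASSWORD must be set}` makes compose refuse to start instead of running with an empty secret.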