Add filtron (configuration not done / checked)
Drop capabilities
This commit is contained in:
parent
40b14b1d52
commit
6dea64a9dc
3 changed files with 87 additions and 22 deletions
18
.env
18
.env
|
@ -1,4 +1,18 @@
|
||||||
LETSENCRYPT_EMAIL=email@example.com
|
# hostname and protocol
|
||||||
SEARX_HOSTNAME=localhost
|
SEARX_HOSTNAME=localhost
|
||||||
|
|
||||||
|
# empty unless SEARX_HOSTNAME is localhost in this case "https://"
|
||||||
|
SEARX_PROTOCOL=https://
|
||||||
|
|
||||||
|
# Let's Encrypt : email provided
|
||||||
|
LETSENCRYPT_EMAIL=email@example.com
|
||||||
|
|
||||||
|
# Do you agree Let's Encrypt TOS https://letsencrypt.org/repository/
|
||||||
|
LETSENCRYPT_AGREE=false
|
||||||
|
|
||||||
# use openssl rand -base64 33
|
# use openssl rand -base64 33
|
||||||
MORTY_KEY=RemplaceThisBase64KeySharedBetweenMortyAndSearxByARealKey
|
MORTY_KEY=RemplaceWithARealKey!
|
||||||
|
|
||||||
|
# filtron ( /filtron/rules ), use for example "tr -cd '[:alnum:]' < /dev/urandom | fold -w12 | head -n1"
|
||||||
|
FILTRON_USER=filtron
|
||||||
|
FILTRON_PASSWORD=SetARealPassword
|
||||||
|
|
32
Caddyfile
32
Caddyfile
|
@ -1,6 +1,8 @@
|
||||||
{$SEARX_HOSTNAME} {
|
{$SEARX_PROTOCOL}{$SEARX_HOSTNAME} {
|
||||||
tls self_signed
|
tls self_signed
|
||||||
gzip
|
gzip {
|
||||||
|
not /morty
|
||||||
|
}
|
||||||
root /srv
|
root /srv
|
||||||
|
|
||||||
header / {
|
header / {
|
||||||
|
@ -28,22 +30,40 @@
|
||||||
Feature-Policy "accelerometer 'none';autoplay 'none';camera 'none';fullscreen 'none';geolocation 'none';gyroscope 'none';magnetometer 'none';microphone 'none';midi 'none';notifications 'none';payment 'none';push 'none';speaker 'none';sync-xhr 'none';usb 'none';vibrate 'none';vr 'none'"
|
Feature-Policy "accelerometer 'none';autoplay 'none';camera 'none';fullscreen 'none';geolocation 'none';gyroscope 'none';magnetometer 'none';microphone 'none';midi 'none';notifications 'none';payment 'none';push 'none';speaker 'none';sync-xhr 'none';usb 'none';vibrate 'none';vr 'none'"
|
||||||
|
|
||||||
# Cache
|
# Cache
|
||||||
Cache-Control "private, no-store"
|
Cache-Control "no-cache, no-store, must-revalidate"
|
||||||
Pragma "no-cache"
|
Pragma "no-cache"
|
||||||
|
|
||||||
# Referer
|
# Referer
|
||||||
Referrer-Policy "no-referrer"
|
Referrer-Policy "no-referrer"
|
||||||
|
|
||||||
|
# X-Robots-Tag
|
||||||
|
X-Robots-Tag "noindex, noarchive, nofollow"
|
||||||
|
|
||||||
# Remove Server header
|
# Remove Server header
|
||||||
-Server
|
-Server
|
||||||
}
|
}
|
||||||
|
|
||||||
proxy / searx:8080 {
|
header /static {
|
||||||
except /morty
|
Cache-Control "public, max-age=31536000"
|
||||||
|
-Pragma
|
||||||
}
|
}
|
||||||
|
|
||||||
proxy /morty morty:3000 {
|
proxy / 127.0.0.1:4040 {
|
||||||
transparent
|
transparent
|
||||||
}
|
}
|
||||||
|
|
||||||
|
basicauth /filtron {$FILTRON_USER} {$FILTRON_PASSWORD}
|
||||||
|
proxy /filtron/rules 127.0.0.1:4041 {
|
||||||
|
without /filtron
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
proxy /morty 127.0.0.1:3000
|
||||||
|
|
||||||
|
limits {
|
||||||
|
header 100KB
|
||||||
|
body / 100KB
|
||||||
|
body /morty 5MB
|
||||||
|
}
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
|
@ -3,29 +3,45 @@ version: '3.7'
|
||||||
services:
|
services:
|
||||||
|
|
||||||
caddy:
|
caddy:
|
||||||
image: abiosoft/caddy:no-stats
|
container_name: caddy
|
||||||
|
image: abiosoft/caddy:1.0.1-no-stats
|
||||||
ports:
|
ports:
|
||||||
- 80:80
|
- 80:80
|
||||||
- 443:443
|
- 443:443
|
||||||
networks:
|
network_mode: host
|
||||||
searx:
|
command: -email ${LETSENCRYPT_EMAIL} -agree=${LETSENCRYPT_AGREE} -log stdout -host ${SEARX_HOSTNAME} -conf /etc/Caddyfile
|
||||||
ipv4_address: 10.10.10.2
|
|
||||||
command: -email ${LETSENCRYPT_EMAIL} -agree=true -log stdout -host ${SEARX_HOSTNAME} -conf /etc/Caddyfile
|
|
||||||
volumes:
|
volumes:
|
||||||
- ./Caddyfile:/etc/Caddyfile
|
- ./Caddyfile:/etc/Caddyfile
|
||||||
- ./caddy:/root/.caddy
|
- ./caddy:/root/.caddy
|
||||||
|
- ./srv:/srv
|
||||||
environment:
|
environment:
|
||||||
- SEARX_HOSTNAME=${SEARX_HOSTNAME}
|
- SEARX_HOSTNAME=${SEARX_HOSTNAME}
|
||||||
|
- SEARX_PROTOCOL=${SEARX_PROTOCOL}
|
||||||
|
- FILTRON_USER=${FILTRON_USER}
|
||||||
|
- FILTRON_PASSWORD=${FILTRON_PASSWORD}
|
||||||
|
cap_drop:
|
||||||
|
- ALL
|
||||||
|
cap_add:
|
||||||
|
- NET_BIND_SERVICE
|
||||||
|
|
||||||
# filtron:
|
filtron:
|
||||||
# image: filtron
|
container_name: filtron
|
||||||
# hostname: filtron
|
image: filtron
|
||||||
# restart: always
|
hostname: filtron
|
||||||
# networks:
|
restart: always
|
||||||
# searx:
|
ports:
|
||||||
# ipv4_address: 10.10.10.3
|
- 127.0.0.1:4040:4040
|
||||||
|
- 127.0.0.1:4041:4041
|
||||||
|
networks:
|
||||||
|
searx:
|
||||||
|
ipv4_address: 10.10.10.3
|
||||||
|
command: -listen 10.10.10.3:4040 -api 10.10.10.3:4041 -target 10.10.10.4:8080
|
||||||
|
read_only: true
|
||||||
|
cap_drop:
|
||||||
|
- ALL
|
||||||
|
|
||||||
searx:
|
searx:
|
||||||
|
container_name: searx
|
||||||
image: searx
|
image: searx
|
||||||
hostname: searx
|
hostname: searx
|
||||||
restart: always
|
restart: always
|
||||||
|
@ -35,20 +51,35 @@ services:
|
||||||
volumes:
|
volumes:
|
||||||
- ./searx:/etc/searx
|
- ./searx:/etc/searx
|
||||||
environment:
|
environment:
|
||||||
|
- BIND_ADDRESS=10.10.10.4:8080
|
||||||
- BASE_URL=https://${SEARX_HOSTNAME}/
|
- BASE_URL=https://${SEARX_HOSTNAME}/
|
||||||
- MORTY_URL=https://${SEARX_HOSTNAME}/morty/
|
- MORTY_URL=https://${SEARX_HOSTNAME}/morty/
|
||||||
- MORTY_KEY=${MORTY_KEY}
|
- MORTY_KEY=${MORTY_KEY}
|
||||||
|
cap_drop:
|
||||||
|
- ALL
|
||||||
|
cap_add:
|
||||||
|
- CHOWN
|
||||||
|
- SETGID
|
||||||
|
- SETUID
|
||||||
|
|
||||||
morty:
|
morty:
|
||||||
|
container_name: morty
|
||||||
image: morty
|
image: morty
|
||||||
hostname: morty
|
hostname: morty
|
||||||
restart: always
|
restart: always
|
||||||
|
ports:
|
||||||
|
- 127.0.0.1:3000:3000
|
||||||
networks:
|
networks:
|
||||||
searx:
|
searx:
|
||||||
ipv4_address: 10.10.10.5
|
ipv4_address: 10.10.10.5
|
||||||
command: -listen 10.10.10.5:3000
|
command: -listen 10.10.10.5:3000 -timeout 3 -ipv6
|
||||||
environment:
|
environment:
|
||||||
- MORTY_KEY=${MORTY_KEY}
|
- MORTY_KEY=${MORTY_KEY}
|
||||||
|
logging:
|
||||||
|
driver: none
|
||||||
|
read_only: true
|
||||||
|
cap_drop:
|
||||||
|
- ALL
|
||||||
|
|
||||||
networks:
|
networks:
|
||||||
searx:
|
searx:
|
||||||
|
|
Loading…
Reference in a new issue