From bdf5619765ac9457eb0bb4107dba2db10eddd724 Mon Sep 17 00:00:00 2001
From: Alexandre Flament <alex@al-f.net>
Date: Mon, 13 Jul 2020 08:12:32 +0200
Subject: [PATCH] [mod] upgrade to Caddy v2 (#44)

* Use docker image caddy:2-alpine
* Caddyfile: remove "limits 10KB"
* Caddyfile: URL /filtron/rules removes (filtron API still availabled on http://localhost:4041/rules )
* caddy storage are docker volumes (caddy-data and caddy-config). start.sh and stop.sh have been modified to keep these volumes.
* .env: Remove SEARX_PROTOCOL, SEARX_TLS, FILTRON_USER and FILTRON_PASSWORD variables.
* docker-compose.yml: filtron and morty listen on 127.0.0.1 (related to #38)

* Fix #37: settings ```SEARX_HOSTNAME=localhost:8888``` works as expected (https connection)
---
 .env                |  21 +++------
 Caddyfile           | 106 ++++++++++++++++++++++++++++----------------
 README.md           |  13 ++++--
 docker-compose.yaml |  31 ++++++-------
 start.sh            |   2 +-
 stop.sh             |   2 +-
 6 files changed, 98 insertions(+), 77 deletions(-)

diff --git a/.env b/.env
index ede4f36..a539a3f 100644
--- a/.env
+++ b/.env
@@ -1,23 +1,14 @@
-# hostname
-SEARX_HOSTNAME=localhost
+# By default listen on https://localhost
+# To change this:
+# * uncomment SEARX_HOSTNAME, and replace <host> by the searx hostname
+# * uncomment LETSENCRYPT_EMAIL, and replace <email> by your email (require to create a Let's Encrypt certificate)
 
-# comment both if SEARX_HOSTNAME is NOT localhost
-SEARX_PROTOCOL=https://
-SEARX_TLS=self_signed
+# SEARX_HOSTNAME=<host>
+# LETSENCRYPT_EMAIL=<email>
 
 # automatically update settings to the new version
 # comment this line if you made / will make some modifications to the settings
 SEARX_COMMAND=-f
 
-# Let's encrypt contact information
-LETSENCRYPT_EMAIL=email@example.com
-
-# Do you agree Let's Encrypt TOS https://letsencrypt.org/repository/
-LETSENCRYPT_AGREE=false
-
 # use openssl rand -base64 33
 MORTY_KEY=ReplaceWithARealKey!
-
-# filtron ( /filtron/rules ), use for example "tr -cd '[:alnum:]' < /dev/urandom | fold -w12 | head -n1"
-FILTRON_USER=filtron
-FILTRON_PASSWORD=SetARealPassword
diff --git a/Caddyfile b/Caddyfile
index f231d37..6625ddf 100644
--- a/Caddyfile
+++ b/Caddyfile
@@ -1,21 +1,36 @@
-{$SEARX_PROTOCOL}{$SEARX_HOSTNAME} {
+{
+  admin off
+}
+
+{$SEARX_HOSTNAME} {
+  log {
+        output discard
+  }
+
   tls {$SEARX_TLS}
-  gzip {
-        not /morty
-  }
-  root /srv
 
-  header /config {
-        Access-Control-Allow-Methods "GET, OPTIONS"
-        Access-Control-Allow-Origin  "*"
+  @api {
+        path /config
+	path /status
   }
 
-  header /status {
-        Access-Control-Allow-Methods "GET, OPTIONS"
-        Access-Control-Allow-Origin  "*"
+  @static {
+        path /static/*
   }
 
-  header / {
+  @notstatic {
+        not path /static/*
+  }
+
+  @morty {
+        path /morty/*
+  }
+
+  @notmorty {
+        not path /morty/*
+  }
+
+  header {
         # Enable HTTP Strict Transport Security (HSTS) to force clients to always connect via HTTPS
         Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
 
@@ -28,16 +43,9 @@
         # Disallow the site to be rendered within a frame (clickjacking protection)
         X-Frame-Options "SAMEORIGIN"
 
-        # CSP (see http://content-security-policy.com/ )
-        Content-Security-Policy "upgrade-insecure-requests; default-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'; form-action 'self'; font-src 'self'; frame-ancestors 'self'; base-uri 'self'; connect-src 'self' https://overpass-api.de; img-src 'self' data: https://*.tile.openstreetmap.org; frame-src https://www.youtube-nocookie.com https://player.vimeo.com https://www.dailymotion.com https://www.deezer.com https://www.mixcloud.com https://w.soundcloud.com https://embed.spotify.com"
-
         # Disable some features
         Feature-Policy "accelerometer 'none';ambient-light-sensor 'none'; autoplay 'none';camera 'none';encrypted-media 'none';focus-without-user-activation 'none'; geolocation 'none';gyroscope 'none';magnetometer 'none';microphone 'none';midi 'none';payment 'none';picture-in-picture 'none'; speaker 'none';sync-xhr 'none';usb 'none';vr 'none'"
 
-        # Cache
-        Cache-Control "no-cache, no-store"
-        Pragma "no-cache"
-
         # Referer
         Referrer-Policy "no-referrer"
 
@@ -48,36 +56,56 @@
         -Server
   }
 
-  header /morty {
-        Content-Security-Policy "default-src 'none'; style-src 'self' 'unsafe-inline'; form-action 'self'; frame-ancestors 'self'; base-uri 'self'; img-src 'self' data:; font-src 'self'; frame-src 'self'"
+  header @api {
+        Access-Control-Allow-Methods "GET, OPTIONS"
+        Access-Control-Allow-Origin  "*"
   }
 
-  header /static {
-        Cache-Control "public, max-age=31536000"
-        -Pragma
+  # Cache
+  header @static {
+        # Cache
+	Cache-Control "public, max-age=31536000"
+	defer
   }
 
-  rewrite / {
-        regexp ^/status$
-        to /searx-checker/status.json
+  header @notstatic {
+        # No Cache
+        Cache-Control "no-cache, no-store"
+        Pragma "no-cache"
   }
 
-  proxy / localhost:4040 {
-        transparent
-        header_upstream X-Forwarded-TlsProto {tls_protocol}
-        header_upstream X-Forwarded-TlsCipher {tls_cipher}
-        header_upstream X-Forwarded-HttpsProto {proto}
-
-        except /searx-checker/status.json
+  # CSP (see http://content-security-policy.com/ )
+  header @morty {
+	Content-Security-Policy "default-src 'none'; style-src 'self' 'unsafe-inline'; form-action 'self'; frame-ancestors 'self'; base-uri 'self'; img-src 'self' data:; font-src 'self'; frame-src 'self'"
   }
 
-  basicauth /filtron {$FILTRON_USER} {$FILTRON_PASSWORD}
-  proxy /filtron/rules localhost:4041 {
-        without /filtron
+  header @notmorty {
+        Content-Security-Policy "upgrade-insecure-requests; default-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'; form-action 'self'; font-src 'self'; frame-ancestors 'self'; base-uri 'self'; connect-src 'self' https://overpass-api.de; img-src 'self' data: https://*.tile.openstreetmap.org; frame-src https://www.youtube-nocookie.com https://player.vimeo.com https://www.dailymotion.com https://www.deezer.com https://www.mixcloud.com https://w.soundcloud.com https://embed.spotify.com"
   }
 
-  proxy /morty localhost:3000
+  # Searx-Checker
+  uri replace /status /searx-checker/status.json
+  handle /searx-checker/status.json {
+        root * /srv
+        file_server
+  }
 
-  limits 10KB
+  # Morty
+  handle @morty {
+        reverse_proxy localhost:3000
+  }
+
+  # Filtron
+  handle {
+        encode zstd gzip
+
+        reverse_proxy localhost:4040 {
+               header_up X-Forwarded-Port {http.request.port}
+               header_up X-Forwarded-Proto {http.request.scheme}
+               header_up X-Forwarded-TlsProto {tls_protocol}
+               header_up X-Forwarded-TlsCipher {tls_cipher}
+               header_up X-Forwarded-HttpsProto {proto}
+        }
+  }
 
 }
diff --git a/README.md b/README.md
index b324ee3..e1b9322 100644
--- a/README.md
+++ b/README.md
@@ -2,13 +2,11 @@
 
 Create a new searx instance in five minutes using Docker (see https://github.com/asciimoo/searx/issues/1561 )
 
-This is a work in progress, the bot protection is basic and not battle tested, and later on, may [change](https://github.com/unixfox/antibot-proxy).
-
 ## What is included ?
 
 | Name | Description | Docker image | Dockerfile |
 | -- | -- | -- | -- |
-| [Caddy](https://github.com/caddyserver/caddy) | Reverse proxy (create a LetsEncrypt certificate automatically) | [abiosoft/caddy:1.0.3-no-stats](https://hub.docker.com/r/abiosoft/caddy) | [Dockerfile](https://github.com/abiosoft/caddy-docker/blob/master/Dockerfile-no-stats) |
+| [Caddy](https://github.com/caddy/caddy) | Reverse proxy (create a LetsEncrypt certificate automatically) | [caddy/caddy:2-alpine](https://hub.docker.com/_/caddy) | [Dockerfile](https://github.com/caddyserver/caddy-docker) |
 | [Filtron](https://github.com/asciimoo/filtron) |  Filtering reverse HTTP proxy, bot and abuse protection | [dalf/filtron:latest](https://hub.docker.com/r/dalf/filtron) | See [asciimoo/filtron#4](https://github.com/asciimoo/filtron/pull/4) |
 | [Searx](https://github.com/asciimoo/searx) | searx by itself | [searx/searx:latest](https://hub.docker.com/r/searx/searx) | [Dockerfile](https://github.com/searx/searx/blob/master/Dockerfile) |
 | [Morty](https://github.com/asciimoo/morty) | Privacy aware web content sanitizer proxy as a service. | [dalf/morty:latest](https://hub.docker.com/r/dalf/morty) | [Dockerfile](https://github.com/dalf/morty/blob/master/Dockerfile) |
@@ -58,3 +56,12 @@ For now only the amd64 platform is supported.
 ## How to update ?
 
 Check the content of [```update.sh```](https://github.com/searx/searx-docker/blob/master/update.sh)
+
+## Access to the Filtron API
+
+The [Filtron API](https://github.com/asciimoo/filtron#api) is available on ```http://localhost:4041```
+
+For example, to display the loaded rules:
+```
+curl http://localhost:4041/rules | jq
+```
diff --git a/docker-compose.yaml b/docker-compose.yaml
index 3dc6476..3fb37ea 100644
--- a/docker-compose.yaml
+++ b/docker-compose.yaml
@@ -4,23 +4,16 @@ services:
 
   caddy:
     container_name: caddy
-    image: abiosoft/caddy:1.0.3-no-stats
-    ports:
-      - 80:80
-      - 443:443
+    image: caddy:2-alpine
     network_mode: host
-    command: -email ${LETSENCRYPT_EMAIL} -agree=${LETSENCRYPT_AGREE} -log stdout -host ${SEARX_HOSTNAME} -conf /etc/Caddyfile
     volumes:
-      - ./Caddyfile:/etc/Caddyfile:rw
-      - ./caddy:/root/.caddy:rw
-      - ./srv:/srv:rw
+      - ./Caddyfile:/etc/caddy/Caddyfile:ro
       - searx-checker:/srv/searx-checker:rw
+      - caddy-data:/data:rw
+      - caddy-config:/config:rw
     environment:
-      - SEARX_HOSTNAME=${SEARX_HOSTNAME}
-      - SEARX_PROTOCOL=${SEARX_PROTOCOL:-}
-      - SEARX_TLS=${SEARX_TLS:-}
-      - FILTRON_USER=${FILTRON_USER}
-      - FILTRON_PASSWORD=${FILTRON_PASSWORD}
+      - SEARX_HOSTNAME=${SEARX_HOSTNAME:-localhost}
+      - SEARX_TLS=${LETSENCRYPT_EMAIL:-internal}
     cap_drop:
       - ALL
     cap_add:
@@ -32,8 +25,8 @@ services:
     image: dalf/filtron
     restart: always
     ports:
-      - 4040:4040
-      - 4041:4041
+      - "127.0.0.1:4040:4040"
+      - "127.0.0.1:4041:4041"
     networks:
       - searx
     command: -listen 0.0.0.0:4040 -api 0.0.0.0:4041 -target searx:8080
@@ -54,8 +47,8 @@ services:
       - ./searx:/etc/searx:rw
     environment:
       - BIND_ADDRESS=0.0.0.0:8080
-      - BASE_URL=https://${SEARX_HOSTNAME}/
-      - MORTY_URL=https://${SEARX_HOSTNAME}/morty/
+      - BASE_URL=https://${SEARX_HOSTNAME:-localhost}/
+      - MORTY_URL=https://${SEARX_HOSTNAME:-localhost}/morty/
       - MORTY_KEY=${MORTY_KEY}
     cap_drop:
       - ALL
@@ -70,7 +63,7 @@ services:
     image: dalf/morty
     restart: always
     ports:
-      - 3000:3000
+      - "127.0.0.1:3000:3000"
     networks:
       - searx
     command: -listen 0.0.0.0:3000 -timeout 6 -ipv6
@@ -99,3 +92,5 @@ networks:
 
 volumes:
   searx-checker:
+  caddy-data:
+  caddy-config:
diff --git a/start.sh b/start.sh
index ec974c3..fa12ffb 100755
--- a/start.sh
+++ b/start.sh
@@ -5,6 +5,6 @@ cd -- "$BASE_DIR"
 
 . ./util.sh
 
-$DOCKERCOMPOSE -f $DOCKERCOMPOSEFILE down -v
+$DOCKERCOMPOSE -f $DOCKERCOMPOSEFILE down
 $DOCKERCOMPOSE -f $DOCKERCOMPOSEFILE rm -fv
 $DOCKERCOMPOSE -f $DOCKERCOMPOSEFILE up
diff --git a/stop.sh b/stop.sh
index 3c18803..07f67f1 100755
--- a/stop.sh
+++ b/stop.sh
@@ -5,4 +5,4 @@ cd -- "$BASE_DIR"
 
 . ./util.sh
 
-$DOCKERCOMPOSE -f $DOCKERCOMPOSEFILE down -v
+$DOCKERCOMPOSE -f $DOCKERCOMPOSEFILE down