diff --git a/.env b/.env index ede4f36..a539a3f 100644 --- a/.env +++ b/.env @@ -1,23 +1,14 @@ -# hostname -SEARX_HOSTNAME=localhost +# By default listen on https://localhost +# To change this: +# * uncomment SEARX_HOSTNAME, and replace by the searx hostname +# * uncomment LETSENCRYPT_EMAIL, and replace by your email (require to create a Let's Encrypt certificate) -# comment both if SEARX_HOSTNAME is NOT localhost -SEARX_PROTOCOL=https:// -SEARX_TLS=self_signed +# SEARX_HOSTNAME= +# LETSENCRYPT_EMAIL= # automatically update settings to the new version # comment this line if you made / will make some modifications to the settings SEARX_COMMAND=-f -# Let's encrypt contact information -LETSENCRYPT_EMAIL=email@example.com - -# Do you agree Let's Encrypt TOS https://letsencrypt.org/repository/ -LETSENCRYPT_AGREE=false - # use openssl rand -base64 33 MORTY_KEY=ReplaceWithARealKey! - -# filtron ( /filtron/rules ), use for example "tr -cd '[:alnum:]' < /dev/urandom | fold -w12 | head -n1" -FILTRON_USER=filtron -FILTRON_PASSWORD=SetARealPassword diff --git a/Caddyfile b/Caddyfile index f231d37..6625ddf 100644 --- a/Caddyfile +++ b/Caddyfile @@ -1,21 +1,36 @@ -{$SEARX_PROTOCOL}{$SEARX_HOSTNAME} { +{ + admin off +} + +{$SEARX_HOSTNAME} { + log { + output discard + } + tls {$SEARX_TLS} - gzip { - not /morty - } - root /srv - header /config { - Access-Control-Allow-Methods "GET, OPTIONS" - Access-Control-Allow-Origin "*" + @api { + path /config + path /status } - header /status { - Access-Control-Allow-Methods "GET, OPTIONS" - Access-Control-Allow-Origin "*" + @static { + path /static/* } - header / { + @notstatic { + not path /static/* + } + + @morty { + path /morty/* + } + + @notmorty { + not path /morty/* + } + + header { # Enable HTTP Strict Transport Security (HSTS) to force clients to always connect via HTTPS Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" 
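Review bot: The new `# LETSENCRYPT_EMAIL=` line does not say what setting it actually does: docker-compose.yaml derives `SEARX_TLS=${LETSENCRYPT_EMAIL:-internal}` from it, so this one variable is what switches Caddy from a self-signed `internal` certificate to Let's Encrypt, and with the explicit `LETSENCRYPT_AGREE` knob removed here, supplying the email is also the only remaining form of accepting the Let's Encrypt subscriber agreement. Suggest extending the bullet: `# * uncomment LETSENCRYPT_EMAIL, and replace by your email: this switches TLS from a self-signed certificate to Let's Encrypt and implies agreeing to its Terms of Service (https://letsencrypt.org/repository/)`. It would also help to state that `SEARX_HOSTNAME` must be a publicly resolvable name for that to work, since the `internal` issuer is what you get for any other hostname when the email is left commented.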
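Review bot: `tls {$SEARX_TLS}` takes its argument from a variable whose two possible values are only visible in docker-compose.yaml (`internal` or an ACME contact email), so a comment here would save the next reader from guessing: `# SEARX_TLS is "internal" (self-signed local CA, the localhost default) or the Let's Encrypt contact email; set in docker-compose.yaml from LETSENCRYPT_EMAIL`. Likewise `log { output discard }` silently drops every access log; if that is the privacy intent it should be stated, e.g. `# no access log: do not retain client IPs or queries`, because together with `admin off` it means the proxy itself keeps no trace of abuse and filtron is presumably the only component expected to see it. The site block opened by `{$SEARX_HOSTNAME} {` in this hunk is closed in a later hunk.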
@@ -28,16 +43,9 @@ # Disallow the site to be rendered within a frame (clickjacking protection) X-Frame-Options "SAMEORIGIN" - # CSP (see http://content-security-policy.com/ ) - Content-Security-Policy "upgrade-insecure-requests; default-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'; form-action 'self'; font-src 'self'; frame-ancestors 'self'; base-uri 'self'; connect-src 'self' https://overpass-api.de; img-src 'self' data: https://*.tile.openstreetmap.org; frame-src https://www.youtube-nocookie.com https://player.vimeo.com https://www.dailymotion.com https://www.deezer.com https://www.mixcloud.com https://w.soundcloud.com https://embed.spotify.com" - # Disable some features Feature-Policy "accelerometer 'none';ambient-light-sensor 'none'; autoplay 'none';camera 'none';encrypted-media 'none';focus-without-user-activation 'none'; geolocation 'none';gyroscope 'none';magnetometer 'none';microphone 'none';midi 'none';payment 'none';picture-in-picture 'none'; speaker 'none';sync-xhr 'none';usb 'none';vr 'none'" - # Cache - Cache-Control "no-cache, no-store" - Pragma "no-cache" - # Referer Referrer-Policy "no-referrer" 
@@ -48,36 +56,56 @@ -Server } - header /morty { - Content-Security-Policy "default-src 'none'; style-src 'self' 'unsafe-inline'; form-action 'self'; frame-ancestors 'self'; base-uri 'self'; img-src 'self' data:; font-src 'self'; frame-src 'self'" + header @api { + Access-Control-Allow-Methods "GET, OPTIONS" + Access-Control-Allow-Origin "*" } - header /static { - Cache-Control "public, max-age=31536000" - -Pragma + # Cache + header @static { + # Cache + Cache-Control "public, max-age=31536000" + defer } - rewrite / { - regexp ^/status$ - to /searx-checker/status.json + header @notstatic { + # No Cache + Cache-Control "no-cache, no-store" + Pragma "no-cache" } - proxy / localhost:4040 { - transparent - header_upstream X-Forwarded-TlsProto {tls_protocol} - header_upstream X-Forwarded-TlsCipher {tls_cipher} - header_upstream X-Forwarded-HttpsProto {proto} - - except /searx-checker/status.json + # CSP (see http://content-security-policy.com/ ) + header @morty { + Content-Security-Policy "default-src 'none'; style-src 'self' 'unsafe-inline'; form-action 'self'; frame-ancestors 'self'; base-uri 'self'; img-src 'self' data:; font-src 'self'; frame-src 'self'" } - basicauth /filtron {$FILTRON_USER} {$FILTRON_PASSWORD} - proxy /filtron/rules localhost:4041 { - without /filtron + header @notmorty { + Content-Security-Policy "upgrade-insecure-requests; default-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'; form-action 'self'; font-src 'self'; frame-ancestors 'self'; base-uri 'self'; connect-src 'self' https://overpass-api.de; img-src 'self' data: https://*.tile.openstreetmap.org; frame-src https://www.youtube-nocookie.com https://player.vimeo.com https://www.dailymotion.com https://www.deezer.com https://www.mixcloud.com https://w.soundcloud.com https://embed.spotify.com" } - proxy /morty localhost:3000 + # Searx-Checker + uri replace /status /searx-checker/status.json + handle /searx-checker/status.json { + root * /srv + file_server + } - limits 10KB + # 
Morty + handle @morty { + reverse_proxy localhost:3000 + } + + # Filtron + handle { + encode zstd gzip + + reverse_proxy localhost:4040 { + header_up X-Forwarded-Port {http.request.port} + header_up X-Forwarded-Proto {http.request.scheme} + header_up X-Forwarded-TlsProto {tls_protocol} + header_up X-Forwarded-TlsCipher {tls_cipher} + header_up X-Forwarded-HttpsProto {proto} + } + } } diff --git a/README.md b/README.md index b324ee3..8dccad0 100644 --- a/README.md +++ b/README.md @@ -8,7 +8,7 @@ This is a work in progress, the bot protection is basic and not battle tested, a | Name | Description | Docker image | Dockerfile | | -- | -- | -- | -- | -| [Caddy](https://github.com/caddyserver/caddy) | Reverse proxy (create a LetsEncrypt certificate automatically) | [abiosoft/caddy:1.0.3-no-stats](https://hub.docker.com/r/abiosoft/caddy) | [Dockerfile](https://github.com/abiosoft/caddy-docker/blob/master/Dockerfile-no-stats) | +| [Caddy](https://github.com/caddy/caddy) | Reverse proxy (create a LetsEncrypt certificate automatically) | [caddy/caddy:2-alpine](https://hub.docker.com/r/caddy/caddy) | [Dockerfile](https://github.com/caddyserver/caddy-docker) | | [Filtron](https://github.com/asciimoo/filtron) | Filtering reverse HTTP proxy, bot and abuse protection | [dalf/filtron:latest](https://hub.docker.com/r/dalf/filtron) | See [asciimoo/filtron#4](https://github.com/asciimoo/filtron/pull/4) | | [Searx](https://github.com/asciimoo/searx) | searx by itself | [searx/searx:latest](https://hub.docker.com/r/searx/searx) | [Dockerfile](https://github.com/searx/searx/blob/master/Dockerfile) | | [Morty](https://github.com/asciimoo/morty) | Privacy aware web content sanitizer proxy as a service. | [dalf/morty:latest](https://hub.docker.com/r/dalf/morty) | [Dockerfile](https://github.com/dalf/morty/blob/master/Dockerfile) | diff --git a/docker-compose.yaml b/docker-compose.yaml index 3dc6476..8157ce8 100644 --- a/docker-compose.yaml +++ b/docker-compose.yaml 
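Review bot: The request body cap (`limits 10KB`, removed in this hunk) has no counterpart in the new configuration, so the searx/filtron upstream now receives bodies of any size; Caddy 2's equivalent is `request_body { max_size 10KB }`, which belongs in the final `handle` block ahead of `reverse_proxy localhost:4040`. Separately, `uri replace /status /searx-checker/status.json` performs a substring replacement on the whole URI rather than an exact path match like the old `regexp ^/status$`, so a query such as `/search?q=/status` would be rewritten before reaching filtron; `rewrite /status /searx-checker/status.json` matches only the exact path. The `header_up` placeholders `{tls_protocol}` and `{proto}` look like Caddy 1 names — I do not find them among the Caddy 2 Caddyfile shorthands, where `{tls_version}` and `{scheme}` are the counterparts — so it is worth verifying what the upstream actually receives in those headers. The site block these directives belong to is opened in the first Caddyfile hunk.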
@@ -4,23 +4,17 @@ services: caddy: container_name: caddy - image: abiosoft/caddy:1.0.3-no-stats - ports: - - 80:80 - - 443:443 + image: caddy/caddy:2-alpine network_mode: host - command: -email ${LETSENCRYPT_EMAIL} -agree=${LETSENCRYPT_AGREE} -log stdout -host ${SEARX_HOSTNAME} -conf /etc/Caddyfile + command: caddy run -config /etc/caddy/Caddyfile volumes: - - ./Caddyfile:/etc/Caddyfile:rw - - ./caddy:/root/.caddy:rw - - ./srv:/srv:rw + - ./Caddyfile:/etc/caddy/Caddyfile:rw - searx-checker:/srv/searx-checker:rw + - caddy-data:/data:rw + - caddy-config:/config:rw environment: - - SEARX_HOSTNAME=${SEARX_HOSTNAME} - - SEARX_PROTOCOL=${SEARX_PROTOCOL:-} - - SEARX_TLS=${SEARX_TLS:-} - - FILTRON_USER=${FILTRON_USER} - - FILTRON_PASSWORD=${FILTRON_PASSWORD} + - SEARX_HOSTNAME=${SEARX_HOSTNAME:-localhost} + - SEARX_TLS=${LETSENCRYPT_EMAIL:-internal} cap_drop: - ALL cap_add: @@ -32,8 +26,8 @@ services: image: dalf/filtron restart: always ports: - - 4040:4040 - - 4041:4041 + - "127.0.0.1:4040:4040" + - "127.0.0.1:4041:4041" networks: - searx command: -listen 0.0.0.0:4040 -api 0.0.0.0:4041 -target searx:8080 @@ -54,8 +48,8 @@ services: - ./searx:/etc/searx:rw environment: - BIND_ADDRESS=0.0.0.0:8080 - - BASE_URL=https://${SEARX_HOSTNAME}/ - - MORTY_URL=https://${SEARX_HOSTNAME}/morty/ + - BASE_URL=https://${SEARX_HOSTNAME:-localhost}/ + - MORTY_URL=https://${SEARX_HOSTNAME:-localhost}/morty/ - MORTY_KEY=${MORTY_KEY} cap_drop: - ALL @@ -70,7 +64,7 @@ services: image: dalf/morty restart: always ports: - - 3000:3000 + - "127.0.0.1:3000:3000" networks: - searx command: -listen 0.0.0.0:3000 -timeout 6 -ipv6 @@ -99,3 +93,5 @@ networks: volumes: searx-checker: + caddy-data: + caddy-config: diff --git a/start.sh b/start.sh index ec974c3..fa12ffb 100755 --- a/start.sh +++ b/start.sh 
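Review bot: The new `./Caddyfile:/etc/caddy/Caddyfile:rw` mount gives the proxy write access to its own configuration although `caddy run -config` only reads it; with `cap_drop: ALL` already applied to this service, `- ./Caddyfile:/etc/caddy/Caddyfile:ro` is the consistent least-privilege choice. `SEARX_TLS=${LETSENCRYPT_EMAIL:-internal}` is also doing non-obvious double duty, since the value becomes the argument of the Caddyfile `tls` directive, and deserves a comment: `# argument of the Caddyfile "tls" directive: the ACME contact email, or "internal" (self-signed CA) when LETSENCRYPT_EMAIL is unset`. A one-line note that `network_mode: host` is what replaces the removed `ports:` entries (Caddy binds :80/:443 directly on the host) would complete the picture for whoever reads this file next.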
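Review bot: Binding 4041 to `127.0.0.1` narrows only the host-side exposure of filtron's rule API; the service still runs `-api 0.0.0.0:4041`, so every container on the `searx` network (searx and morty are attached to it further down) can still read and rewrite the rules, and the API itself appears to carry no authentication — the old Caddy `basicauth /filtron` front, dropped in this commit, was the only credential in the path. That deserves a comment so nobody mistakes the loopback bind for access control: `# 4041 = filtron rules API (no auth of its own): host loopback only, but reachable by every container on the "searx" network`. If the API is only needed by operators, leaving it unpublished and reaching it via `docker exec` is the smaller surface.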
@@ -5,6 +5,6 @@ cd -- "$BASE_DIR" . ./util.sh -$DOCKERCOMPOSE -f $DOCKERCOMPOSEFILE down -v +$DOCKERCOMPOSE -f $DOCKERCOMPOSEFILE down $DOCKERCOMPOSE -f $DOCKERCOMPOSEFILE rm -fv $DOCKERCOMPOSE -f $DOCKERCOMPOSEFILE up diff --git a/stop.sh b/stop.sh index 3c18803..07f67f1 100755 --- a/stop.sh +++ b/stop.sh @@ -5,4 +5,4 @@ cd -- "$BASE_DIR" . ./util.sh -$DOCKERCOMPOSE -f $DOCKERCOMPOSEFILE down -v +$DOCKERCOMPOSE -f $DOCKERCOMPOSEFILE down
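Review bot: Dropping `-v` from `down` changes what a restart destroys, but the reason is not recorded anywhere in the script; presumably it is to keep the named `caddy-data`/`caddy-config` volumes added in docker-compose.yaml, so that Caddy's `/data` (ACME account key and issued certificates) survives restarts instead of being re-issued every time and running into Let's Encrypt rate limits. Suggest a comment above the line: `# no -v: keep the named volumes (caddy-data holds the ACME account and certificates)`. As far as I can tell the following `rm -fv` only removes anonymous container volumes, so the named ones are safe there too, but that is worth confirming.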