diff --git a/.env b/.env
new file mode 100644
index 0000000..67f879b
--- /dev/null
+++ b/.env
@@ -0,0 +1,4 @@
+LETSENCRYPT_EMAIL=email@example.com
+SEARX_HOSTNAME=localhost
+# use openssl rand -base64 33
+MORTY_KEY=RemplaceThisBase64KeySharedBetweenMortyAndSearxByARealKey
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..b25c15b
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+*~
diff --git a/Caddyfile b/Caddyfile
new file mode 100644
index 0000000..1b19d87
--- /dev/null
+++ b/Caddyfile
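Review bot: The new .env carries MORTY_KEY, the secret shared between searx and morty, while the .gitignore added in the same commit excludes only `*~`, so a deployer who follows the `openssl rand -base64 33` hint and then commits will push a live key into history. Adding `.env` to .gitignore and committing the placeholder values as a `.env.example` instead keeps the real key out of the repository. The placeholder value is clearly marked, so only the ignore rule is missing here.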
@@ -0,0 +1,51 @@
+{$SEARX_HOSTNAME} {
+ tls self_signed
+ gzip
+ root /srv
+
+ header / {
+ # Enable HTTP Strict Transport Security (HSTS) to force clients to always
+ # connect via HTTPS
+ # Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
+
+ # Enable cross-site filter (XSS) and tell browser to block detected attacks
+ X-XSS-Protection "1; mode=block"
+
+ # Prevent some browsers from MIME-sniffing a response away from the declared Content-Type
+ X-Content-Type-Options "nosniff"
+
+ # Disallow the site to be rendered within a frame (clickjacking protection)
+ X-Frame-Options "SAMEORIGIN"
+
+ # CSP
+ Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' overpass-api.de *.tile.openstreetmap.org www.youtube-nocookie.com player.vimeo.com www.dailymotion.com; object-src overpass-api.de *.tile.openstreetmap.org www.youtube-nocookie.com player.vimeo.com www.dailymotion.com; style-src 'self' 'unsafe-inline'; img-src 'self' data: overpass-api.de *.tile.openstreetmap.org www.youtube-nocookie.com player.vimeo.com www.dailymotion.com; media-src overpass-api.de *.tile.openstreetmap.org www.youtube-nocookie.com player.vimeo.com www.dailymotion.com"
+ X-Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' overpass-api.de *.tile.openstreetmap.org www.youtube-nocookie.com player.vimeo.com www.dailymotion.com; object-src overpass-api.de *.tile.openstreetmap.org www.youtube-nocookie.com player.vimeo.com www.dailymotion.com; style-src 'self' 'unsafe-inline'; img-src 'self' data: overpass-api.de *.tile.openstreetmap.org www.youtube-nocookie.com player.vimeo.com www.dailymotion.com; media-src overpass-api.de *.tile.openstreetmap.org www.youtube-nocookie.com player.vimeo.com www.dailymotion.com"
+ X-WebKit-CSP "default-src 'self'; script-src 'self' 'unsafe-inline' overpass-api.de *.tile.openstreetmap.org www.youtube-nocookie.com player.vimeo.com www.dailymotion.com; object-src overpass-api.de *.tile.openstreetmap.org www.youtube-nocookie.com player.vimeo.com www.dailymotion.com; style-src 'self' 'unsafe-inline'; img-src 'self' data: overpass-api.de *.tile.openstreetmap.org www.youtube-nocookie.com player.vimeo.com www.dailymotion.com; media-src overpass-api.de *.tile.openstreetmap.org www.youtube-nocookie.com player.vimeo.com www.dailymotion.com"
+
+ #
+ Access-Control-Allow-Methods "GET, POST, OPTIONS"
+ Access-Control-Allow-Origin "*"
+
+ # Disable some features
+ Feature-Policy "accelerometer 'none';autoplay 'none';camera 'none';fullscreen 'none';geolocation 'none';gyroscope 'none';magnetometer 'none';microphone 'none';midi 'none';notifications 'none';payment 'none';push 'none';speaker 'none';sync-xhr 'none';usb 'none';vibrate 'none';vr 'none'"
+
+ # Cache
+ Cache-Control "private, no-store"
+ Pragma "no-cache"
+
+ # Referer
+ Referrer-Policy "no-referrer"
+
+ # Remove Server header
+ -Server
+ }
+
+ proxy / searx:8080 {
+ except /morty
+ }
+
+ proxy /morty morty:3000 {
+ transparent
+ }
+
+}
diff --git a/docker-compose.yaml b/docker-compose.yaml
new file mode 100644
index 0000000..ebb4562
--- /dev/null
+++ b/docker-compose.yaml
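Review bot: `Access-Control-Allow-Origin "*"` together with `Access-Control-Allow-Methods "GET, POST, OPTIONS"` sits in the `header /` block, so it is attached to every response, including the proxied searx results and the morty output, and any web origin can then read those responses cross-origin. If no cross-origin consumer needs them, drop both lines; otherwise scope the origin to the deployed hostname. Separately, the HSTS header is left commented out although the compose file in this commit exposes port 443, and the `X-Content-Security-Policy` / `X-WebKit-CSP` lines are obsolete prefixed copies of `Content-Security-Policy` that only add maintenance surface for an unchanged policy.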
@@ -0,0 +1,55 @@
+version: '3.7'
+
+services:
+
+ caddy:
+ image: abiosoft/caddy:no-stats
+ ports:
+ - 80:80
+ - 443:443
+ networks:
+ searx:
+ ipv4_address: 10.10.10.2
+ command: -email ${LETSENCRYPT_EMAIL} -agree=true -log stdout -host ${SEARX_HOSTNAME} -conf /etc/Caddyfile
+ restart: always
+ # -quic=true -http2=true
+ volumes:
+ - ./Caddyfile:/etc/Caddyfile
+ - ./caddy:/root/.caddy
+
+# filtron:
+# image: filtron
+# hostname: filtron
+# networks:
+# searx:
+# ipv4_address: 10.10.10.3
+
+ searx:
+ image: searx
+ hostname: searx
+ networks:
+ searx:
+ ipv4_address: 10.10.10.4
+ volumes:
+ - ./searx:/etc/searx
+ environment:
+ - BASE_URL=http://${SEARX_HOSTNAME}/
+ - MORTY_URL=http://${SEARX_HOSTNAME}/morty/
+ - MORTY_KEY=${MORTY_KEY}
+
+ morty:
+ image: morty
+ hostname: morty
+ networks:
+ searx:
+ ipv4_address: 10.10.10.5
+ command: -listen 10.10.10.5:3000 -key ${MORTY_KEY}
+ environment:
+ - MORTY_KEY=${MORTY_KEY}
+
+networks:
+ searx:
+ ipam:
+ driver: default
+ config:
+ - subnet: 10.10.10.0/24
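Review bot: `BASE_URL=http://${SEARX_HOSTNAME}/` and `MORTY_URL=http://${SEARX_HOSTNAME}/morty/` hand searx plain-http URLs, although the Caddy front end in this commit listens on 443 with `tls self_signed`, so links and proxy URLs that searx builds from them would presumably point at the unencrypted port and depend on a redirect; switching the scheme to `https://` keeps the advertised URL consistent with the listener. The morty service also receives the key twice, as `-key ${MORTY_KEY}` on the command line and as `MORTY_KEY` in the environment; the command-line copy is visible in process listings and `docker inspect`, so keeping only the environment entry is preferable if the image's entrypoint honours it. Note too that `-email ${LETSENCRYPT_EMAIL} -agree=true` requests ACME issuance while the Caddyfile's `tls self_signed` disables it, so one of the two settings is inert and should be removed to avoid misleading the next operator.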