Replace morty & filtron by redis & the limiter plugin

2022-02-25 22:43:05 +01:00 · 2022-02-25 22:43:05 +01:00 · fe4a33a2bf
commit fe4a33a2bf
parent 2127795f63
4 changed files with 43 additions and 60 deletions
--- a/.env
+++ b/.env
@ -11,4 +11,4 @@
 SEARXNG_COMMAND=-f

 # use openssl rand -base64 33
-MORTY_KEY=ReplaceWithARealKey!
+SEARXNG_SECRET=ultrasecretkey
--- a/38
+++ b/38
@ -11,25 +11,26 @@

  @api {
        path /config
-	path /status
+        path /status
  }

  @static {
        path /static/*
  }

+  @imageproxy {
+        path /image_proxy
+  }
+
+  @notimageproxy {
+        not path /image_proxy
+  }
+
+
  @notstatic {
        not path /static/*
  }

-  @morty {
-        path /morty/*
-  }
-
-  @notmorty {
-        not path /morty/*
-  }
-
  header {
        # Enable HTTP Strict Transport Security (HSTS) to force clients to always connect via HTTPS
        Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
@ -67,8 +68,8 @@
  # Cache
  header @static {
        # Cache
-	Cache-Control "public, max-age=31536000"
-	defer
+        Cache-Control "public, max-age=31536000"
+        defer
  }

  header @notstatic {
@ -78,24 +79,19 @@
  }

  # CSP (see http://content-security-policy.com/ )
-  header @morty {
-	Content-Security-Policy "default-src 'none'; style-src 'self' 'unsafe-inline'; form-action 'self'; frame-ancestors 'self'; base-uri 'self'; img-src 'self' data:; font-src 'self'; frame-src 'self'"
+  header @imageproxy {
+        Content-Security-Policy "default-src 'none'; img-src 'self' data:"
  }

-  header @notmorty {
+  header @notimageproxy {
        Content-Security-Policy "upgrade-insecure-requests; default-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'; form-action 'self'; font-src 'self'; frame-ancestors 'self'; base-uri 'self'; connect-src 'self' https://overpass-api.de; img-src 'self' data: https://*.tile.openstreetmap.org; frame-src https://www.youtube-nocookie.com https://player.vimeo.com https://www.dailymotion.com https://www.deezer.com https://www.mixcloud.com https://w.soundcloud.com https://embed.spotify.com"
  }

-  # Morty
-  handle @morty {
-        reverse_proxy localhost:3000
-  }
-
-  # Filtron
+  # Searx
  handle {
        encode zstd gzip

-        reverse_proxy localhost:4040 {
+        reverse_proxy localhost:8080 {
               header_up X-Forwarded-Port {http.request.port}
               header_up X-Forwarded-Proto {http.request.scheme}
               header_up X-Forwarded-TlsProto {tls_protocol}
--- a/docker-compose.yaml
+++ b/docker-compose.yaml
@ -5,14 +5,13 @@ services:
  caddy:
    container_name: caddy
    image: caddy:2-alpine
-    restart: on-failure
    network_mode: host
    volumes:
      - ./Caddyfile:/etc/caddy/Caddyfile:ro
      - caddy-data:/data:rw
      - caddy-config:/config:rw
    environment:
-      - SEARXNG_HOSTNAME=${SEARXNG_HOSTNAME:-localhost}
+      - SEARXNG_HOSTNAME=${SEARXNG_HOSTNAME:-http://localhost:80}
      - SEARXNG_TLS=${LETSENCRYPT_EMAIL:-internal}
    cap_drop:
      - ALL
@ -20,36 +19,36 @@ services:
      - NET_BIND_SERVICE
      - DAC_OVERRIDE

-  filtron:
-    container_name: filtron
-    image: dalf/filtron
-    restart: always
-    ports:
-      - "127.0.0.1:4040:4040"
-      - "127.0.0.1:4041:4041"
+  redis:
+    container_name: redis
+    image: "redis:alpine"
+    command: redis-server --save "" --appendonly "no"
    networks:
      - searxng
-    command: -listen 0.0.0.0:4040 -api 0.0.0.0:4041 -target searxng:8080
-    volumes:
-      - ./rules.json:/etc/filtron/rules.json:rw
-    read_only: true
+    tmpfs:
+      - /var/lib/redis
    cap_drop:
      - ALL
+    cap_add:
+      - SETGID
+      - SETUID
+      - DAC_OVERRIDE

-  searxng:
-    container_name: searxng
-    image: searxng/searxng:latest
+  searx:
+    container_name: searx
+    image: searxng/searxng
    restart: always
    networks:
      - searxng
-    command: ${SEARXNG_COMMAND:-}
+    command: ${SEARX_COMMAND:-}
+    ports:
+     - "127.0.0.1:8080:8080"
    volumes:
-      - ./searxng:/etc/searxng:rw
+      - ./searxng:/etc/searx:rw
    environment:
      - BIND_ADDRESS=0.0.0.0:8080
      - BASE_URL=https://${SEARXNG_HOSTNAME:-localhost}/
-      - MORTY_URL=https://${SEARXNG_HOSTNAME:-localhost}/morty/
-      - MORTY_KEY=${MORTY_KEY}
+      - SEARXNG_SECRET=${SEARXNG_SECRET}
    cap_drop:
      - ALL
    cap_add:
@ -58,24 +57,6 @@ services:
      - SETUID
      - DAC_OVERRIDE

-  morty:
-    container_name: morty
-    image: dalf/morty
-    restart: always
-    ports:
-      - "127.0.0.1:3000:3000"
-    networks:
-      - searxng
-    command: -timeout 6 -ipv6
-    environment:
-      - MORTY_KEY=${MORTY_KEY}
-      - MORTY_ADDRESS=0.0.0.0:3000
-    logging:
-      driver: none
-    read_only: true
-    cap_drop:
-      - ALL
-
 networks:
  searxng:
    ipam:
--- a/searxng/settings.yml
+++ b/searxng/settings.yml
@ -0,0 +1,6 @@
+use_default_settings: true
+server:
+  limiter: true
+  image_proxy: true
+redis:
+  url: redis://redis:6379/0