From fe4a33a2bf1b11cd0b35dfdb1f3ad84929fffe06 Mon Sep 17 00:00:00 2001 From: Alexandre Flament Date: Fri, 25 Feb 2022 22:43:05 +0100 Subject: [PATCH] Replace morty & filtron by redis & the limiter plugin --- .env | 2 +- Caddyfile | 38 +++++++++++++---------------- docker-compose.yaml | 57 +++++++++++++++----------------------------- searxng/settings.yml | 6 +++++ 4 files changed, 43 insertions(+), 60 deletions(-) create mode 100644 searxng/settings.yml diff --git a/.env b/.env index befe5bd..bae61d2 100644 --- a/.env +++ b/.env @@ -11,4 +11,4 @@ SEARXNG_COMMAND=-f # use openssl rand -base64 33 -MORTY_KEY=ReplaceWithARealKey! +SEARXNG_SECRET=ultrasecretkey diff --git a/Caddyfile b/Caddyfile index 299e769..ab36456 100644 --- a/Caddyfile +++ b/Caddyfile @@ -11,25 +11,26 @@ @api { path /config - path /status + path /status } @static { path /static/* } + @imageproxy { + path /image_proxy + } + + @notimageproxy { + not path /image_proxy + } + + @notstatic { not path /static/* } - @morty { - path /morty/* - } - - @notmorty { - not path /morty/* - } - header { # Enable HTTP Strict Transport Security (HSTS) to force clients to always connect via HTTPS Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" @@ -67,8 +68,8 @@ # Cache header @static { # Cache - Cache-Control "public, max-age=31536000" - defer + Cache-Control "public, max-age=31536000" + defer } header @notstatic { 
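Review bot: The new default `SEARXNG_SECRET=ultrasecretkey` is a fixed, published value, yet the comment right above it still tells the operator to generate one with openssl; anyone who copies this file unchanged runs with a secret that is public in this repository. In SearXNG the secret key is what signs image_proxy URLs, and this same patch turns `image_proxy` on in settings.yml, so a known secret presumably lets a third party mint valid proxy links and use the instance as an open image relay — worth confirming against the webapp code. I would keep a placeholder that reads as a placeholder rather than a working-looking string, e.g. `SEARXNG_SECRET=ReplaceWithARealKey!`, mirroring the MORTY_KEY line it replaces, and extend the comment to say the instance must not be started until it is replaced.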
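Review bot: Two consecutive blank lines are left between the new `@notimageproxy` block and the existing `@notstatic` matcher, whereas every other matcher in this section is separated by one; drop one of them so the added block reads like its neighbours. Otherwise the hunk is consistent with the file: `path /image_proxy` is an exact-path matcher in Caddy, so it covers only the proxy endpoint itself and not any sub-path, which appears to be the intent. The enclosing site block starts before this hunk.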
@@ -78,24 +79,19 @@ } # CSP (see http://content-security-policy.com/ ) - header @morty { - Content-Security-Policy "default-src 'none'; style-src 'self' 'unsafe-inline'; form-action 'self'; frame-ancestors 'self'; base-uri 'self'; img-src 'self' data:; font-src 'self'; frame-src 'self'" + header @imageproxy { + Content-Security-Policy "default-src 'none'; img-src 'self' data:" } - header @notmorty { + header @notimageproxy { Content-Security-Policy "upgrade-insecure-requests; default-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'; form-action 'self'; font-src 'self'; frame-ancestors 'self'; base-uri 'self'; connect-src 'self' https://overpass-api.de; img-src 'self' data: https://*.tile.openstreetmap.org; frame-src https://www.youtube-nocookie.com https://player.vimeo.com https://www.dailymotion.com https://www.deezer.com https://www.mixcloud.com https://w.soundcloud.com https://embed.spotify.com" } - # Morty - handle @morty { - reverse_proxy localhost:3000 - } - - # Filtron + # Searx handle { encode zstd gzip - reverse_proxy localhost:4040 { + reverse_proxy localhost:8080 { header_up X-Forwarded-Port {http.request.port} header_up X-Forwarded-Proto {http.request.scheme} header_up X-Forwarded-TlsProto {tls_protocol} diff --git a/docker-compose.yaml b/docker-compose.yaml index 46a77bb..6fe09cb 100644 --- a/docker-compose.yaml +++ b/docker-compose.yaml @@ -5,14 +5,13 @@ services: caddy: container_name: caddy image: caddy:2-alpine - restart: on-failure network_mode: host volumes: - ./Caddyfile:/etc/caddy/Caddyfile:ro - caddy-data:/data:rw - caddy-config:/config:rw environment: - - SEARXNG_HOSTNAME=${SEARXNG_HOSTNAME:-localhost} + - SEARXNG_HOSTNAME=${SEARXNG_HOSTNAME:-http://localhost:80} - SEARXNG_TLS=${LETSENCRYPT_EMAIL:-internal} cap_drop: - ALL 
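Review bot: The new `header @imageproxy` policy drops the `frame-ancestors` and `base-uri` restrictions the morty policy carried and adds nothing that constrains an upstream response which is not actually an image; the proxy relays bytes fetched from arbitrary third-party hosts, so a mistyped or sniffed response is exactly the case this header exists for. I would tighten it to `Content-Security-Policy "default-src 'none'; img-src 'self' data:; frame-ancestors 'none'; sandbox"` and make sure `X-Content-Type-Options nosniff` applies to this path — it may already be set in the global `header {}` block, which is outside this hunk. Separately, `reverse_proxy localhost:8080` only works because the docker-compose change in this patch publishes 8080 on 127.0.0.1; a comment here noting that dependency would stop the two drifting apart.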
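Review bot: The caddy default `SEARXNG_HOSTNAME=${SEARXNG_HOSTNAME:-http://localhost:80}` now carries a scheme and port, but the searx service elsewhere in this file still composes `BASE_URL=https://${SEARXNG_HOSTNAME:-localhost}/` from the same variable; with it unset the two defaults disagree (a plain-HTTP site address against an https base URL), and an operator who sets the variable to the form this default shows ends up with `https://http://localhost:80/` as BASE_URL. Give SEARXNG_HOSTNAME one meaning — a bare host name is what both the Caddy site address and the BASE_URL composition expect — and keep `localhost` as the default, or introduce a separate variable for the scheme. Also, `restart: on-failure` is removed from the caddy service with no replacement, so the TLS front door no longer comes back after a crash or host reboot, while the searx service keeps `restart: always`; that looks unintended. The caddy service's cap_add list continues into the next hunk.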
@@ -20,36 +19,36 @@ services: - NET_BIND_SERVICE - DAC_OVERRIDE - filtron: - container_name: filtron - image: dalf/filtron - restart: always - ports: - - "127.0.0.1:4040:4040" - - "127.0.0.1:4041:4041" + redis: + container_name: redis + image: "redis:alpine" + command: redis-server --save "" --appendonly "no" networks: - searxng - command: -listen 0.0.0.0:4040 -api 0.0.0.0:4041 -target searxng:8080 - volumes: - - ./rules.json:/etc/filtron/rules.json:rw - read_only: true + tmpfs: + - /var/lib/redis cap_drop: - ALL + cap_add: + - SETGID + - SETUID + - DAC_OVERRIDE - searxng: - container_name: searxng - image: searxng/searxng:latest + searx: + container_name: searx + image: searxng/searxng restart: always networks: - searxng - command: ${SEARXNG_COMMAND:-} + command: ${SEARX_COMMAND:-} + ports: + - "127.0.0.1:8080:8080" volumes: - - ./searxng:/etc/searxng:rw + - ./searxng:/etc/searx:rw environment: - BIND_ADDRESS=0.0.0.0:8080 - BASE_URL=https://${SEARXNG_HOSTNAME:-localhost}/ - - MORTY_URL=https://${SEARXNG_HOSTNAME:-localhost}/morty/ - - MORTY_KEY=${MORTY_KEY} + - SEARXNG_SECRET=${SEARXNG_SECRET} cap_drop: - ALL cap_add: @@ -58,24 +57,6 @@ services: - SETUID - DAC_OVERRIDE - morty: - container_name: morty - image: dalf/morty - restart: always - ports: - - "127.0.0.1:3000:3000" - networks: - - searxng - command: -timeout 6 -ipv6 - environment: - - MORTY_KEY=${MORTY_KEY} - - MORTY_ADDRESS=0.0.0.0:3000 - logging: - driver: none - read_only: true - cap_drop: - - ALL - networks: searxng: ipam: diff --git a/searxng/settings.yml b/searxng/settings.yml new file mode 100644 index 0000000..0c087ad --- /dev/null +++ b/searxng/settings.yml @@ -0,0 +1,6 @@ +use_default_settings: true +server: + limiter: true + image_proxy: true +redis: + url: redis://redis:6379/0
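Review bot: The settings volume changes from `./searxng:/etc/searxng:rw` to `./searxng:/etc/searx:rw`, yet the searxng image reads its configuration from `/etc/searxng/settings.yml` as far as I know (the path the removed line used), so the new `searxng/settings.yml` that enables the limiter and image proxy would not be loaded at all — confirm the image's SEARXNG_SETTINGS_PATH before merging, and otherwise keep `/etc/searxng`. In the same service, `command: ${SEARX_COMMAND:-}` no longer matches the `SEARXNG_COMMAND=-f` variable that .env defines (visible as hunk context in the first file of this patch), so the `-f` flag silently stops being passed. The redis service mounts a tmpfs at `/var/lib/redis`, whereas the official redis image works out of `/data`; with `--save ""` and `--appendonly "no"` nothing is written anyway, so either drop the tmpfs or point it at `/data`. Redis also receives no `restart:` policy, unlike the filtron service it replaces, and since the limiter depends on it that gap is worth closing.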
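Review bot: `limiter: true` and `image_proxy: true` are switched on with no note on what they rely on, and the file lacks a `---` document start. The limiter keys its counters on the client address it derives from the request — as far as I recall it honours X-Forwarded-For — so it is only meaningful while searx remains reachable solely through Caddy (this patch binds it to 127.0.0.1:8080) and Caddy forwards the real client IP; a comment such as `# limiter needs the redis service below and a trustworthy X-Forwarded-For from Caddy` above `server:` would save the next reader a trip through docker-compose.yaml. Likewise `image_proxy: true` is only as safe as the `SEARXNG_SECRET` the container is given, since that key presumably signs proxy URLs; a comment pointing at .env is warranted.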