Replace morty & filtron by redis & the limiter plugin

This commit is contained in:
Alexandre Flament 2022-02-25 22:43:05 +01:00
parent 2127795f63
commit fe4a33a2bf
4 changed files with 43 additions and 60 deletions

2
.env
View file

@ -11,4 +11,4 @@
SEARXNG_COMMAND=-f
# use openssl rand -base64 33
MORTY_KEY=ReplaceWithARealKey!
SEARXNG_SECRET=ultrasecretkey

View file

@ -11,25 +11,26 @@
@api {
path /config
path /status
path /status
}
@static {
path /static/*
}
@imageproxy {
path /image_proxy
}
@notimageproxy {
not path /image_proxy
}
@notstatic {
not path /static/*
}
@morty {
path /morty/*
}
@notmorty {
not path /morty/*
}
header {
# Enable HTTP Strict Transport Security (HSTS) to force clients to always connect via HTTPS
Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
@ -67,8 +68,8 @@
# Cache
header @static {
# Cache
Cache-Control "public, max-age=31536000"
defer
Cache-Control "public, max-age=31536000"
defer
}
header @notstatic {
@ -78,24 +79,19 @@
}
# CSP (see http://content-security-policy.com/ )
header @morty {
Content-Security-Policy "default-src 'none'; style-src 'self' 'unsafe-inline'; form-action 'self'; frame-ancestors 'self'; base-uri 'self'; img-src 'self' data:; font-src 'self'; frame-src 'self'"
header @imageproxy {
Content-Security-Policy "default-src 'none'; img-src 'self' data:"
}
header @notmorty {
header @notimageproxy {
Content-Security-Policy "upgrade-insecure-requests; default-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'; form-action 'self'; font-src 'self'; frame-ancestors 'self'; base-uri 'self'; connect-src 'self' https://overpass-api.de; img-src 'self' data: https://*.tile.openstreetmap.org; frame-src https://www.youtube-nocookie.com https://player.vimeo.com https://www.dailymotion.com https://www.deezer.com https://www.mixcloud.com https://w.soundcloud.com https://embed.spotify.com"
}
# Morty
handle @morty {
reverse_proxy localhost:3000
}
# Filtron
# Searx
handle {
encode zstd gzip
reverse_proxy localhost:4040 {
reverse_proxy localhost:8080 {
header_up X-Forwarded-Port {http.request.port}
header_up X-Forwarded-Proto {http.request.scheme}
header_up X-Forwarded-TlsProto {tls_protocol}

View file

@ -5,14 +5,13 @@ services:
caddy:
container_name: caddy
image: caddy:2-alpine
restart: on-failure
network_mode: host
volumes:
- ./Caddyfile:/etc/caddy/Caddyfile:ro
- caddy-data:/data:rw
- caddy-config:/config:rw
environment:
- SEARXNG_HOSTNAME=${SEARXNG_HOSTNAME:-localhost}
- SEARXNG_HOSTNAME=${SEARXNG_HOSTNAME:-http://localhost:80}
- SEARXNG_TLS=${LETSENCRYPT_EMAIL:-internal}
cap_drop:
- ALL
@ -20,36 +19,36 @@ services:
- NET_BIND_SERVICE
- DAC_OVERRIDE
filtron:
container_name: filtron
image: dalf/filtron
restart: always
ports:
- "127.0.0.1:4040:4040"
- "127.0.0.1:4041:4041"
redis:
container_name: redis
image: "redis:alpine"
command: redis-server --save "" --appendonly "no"
networks:
- searxng
command: -listen 0.0.0.0:4040 -api 0.0.0.0:4041 -target searxng:8080
volumes:
- ./rules.json:/etc/filtron/rules.json:rw
read_only: true
tmpfs:
- /var/lib/redis
cap_drop:
- ALL
cap_add:
- SETGID
- SETUID
- DAC_OVERRIDE
searxng:
container_name: searxng
image: searxng/searxng:latest
searx:
container_name: searx
image: searxng/searxng
restart: always
networks:
- searxng
command: ${SEARXNG_COMMAND:-}
command: ${SEARX_COMMAND:-}
ports:
- "127.0.0.1:8080:8080"
volumes:
- ./searxng:/etc/searxng:rw
- ./searxng:/etc/searx:rw
environment:
- BIND_ADDRESS=0.0.0.0:8080
- BASE_URL=https://${SEARXNG_HOSTNAME:-localhost}/
- MORTY_URL=https://${SEARXNG_HOSTNAME:-localhost}/morty/
- MORTY_KEY=${MORTY_KEY}
- SEARXNG_SECRET=${SEARXNG_SECRET}
cap_drop:
- ALL
cap_add:
@ -58,24 +57,6 @@ services:
- SETUID
- DAC_OVERRIDE
morty:
container_name: morty
image: dalf/morty
restart: always
ports:
- "127.0.0.1:3000:3000"
networks:
- searxng
command: -timeout 6 -ipv6
environment:
- MORTY_KEY=${MORTY_KEY}
- MORTY_ADDRESS=0.0.0.0:3000
logging:
driver: none
read_only: true
cap_drop:
- ALL
networks:
searxng:
ipam:

6
searxng/settings.yml Normal file
View file

@ -0,0 +1,6 @@
use_default_settings: true
server:
limiter: true
image_proxy: true
redis:
url: redis://redis:6379/0