Compare commits

...

63 commits

Author SHA1 Message Date
Sky Splash
26229fae45 Merge remote-tracking branch 'refs/remotes/upstream/master'
# Conflicts:
#	docker-compose.yaml
2024-05-30 09:37:13 +02:00
Émilien (perso)
8546bf599b
Add automatic restart of the services
close https://github.com/searxng/searxng-docker/pull/106
2024-05-13 15:43:18 +02:00
Ivan Gabaldon
a0e711191e
Replace Redis with Valkey + reduce logging for containers caddy and redis (#230)
* replace redis w/valkey

* cleanup

* apply changes

* revert volume reuse

* fix valkey container

* revert remove `CAP_DROP` `CAP_ADD`

* revert switch from `redis` to `valkey`

* revert revert volume reuse

* update README

* apply changes

* add back useful stuff from README + keep structure + keep compat old docker compose

---------

Co-authored-by: Emilien Devos <4016501+unixfox@users.noreply.github.com>
2024-05-13 15:39:28 +02:00
7677369eee this should make it work 2024-04-29 16:29:41 +02:00
Lemonade
83447b9435
Fixed searxng-docker.service.template issue (#225) 2024-04-17 14:02:09 +02:00
iacore
8e3220be09
Add docker.io prefix to container image names (#221)
Co-authored-by: iacore <noreply+gpg-stub@1a-insec.net>
2024-02-29 14:19:37 +01:00
Nicolas Bonduel
3ec746a2b4
Update README to use newer docker compose command (#205)
* Update README to use newer docker compose command

* Update README to add note about docker < 3.6.0 and docker-compose

* Update the docker compose install url
2024-01-08 21:45:10 +00:00
Ivan Gabaldon
6813aff4d4
allow persistent rdb (#198)
Signed-off-by: Inetol <igabaldon@inetol.net>
2023-11-28 18:35:40 +01:00
Émilien (perso)
47fad9cba6
remove duplicated limiter parameter 2023-10-25 10:44:24 +02:00
Émilien (perso)
d63d0c77a8
Simply the update process 2023-09-24 09:39:54 +00:00
Émilien (perso)
fa11493d8a
update instructions for update docker-compose 2023-09-24 09:38:50 +00:00
Alexandre Flament
41ca45c87f
Merge pull request #182 from dalf/enable_limiter
Enable limiter by default
2023-09-22 20:35:01 +02:00
Alexandre Flament
69eb81f031 Enable limiter by default
Related to https://github.com/searxng/searxng/pull/2832
2023-09-22 16:25:27 +00:00
Alexandre Flament
070b02e6da
fix URL to documentation in searxng/settings.yml
Close #173
2023-08-25 08:11:09 +02:00
Alexandre Flament
9e42027c31
Merge pull request #162 from ChillyKitty/patch-1
Update Caddyfile to Add X-Real-IP to fix bot detection
2023-08-25 07:54:53 +02:00
ChillyKitty
8b2d017136
Update Caddyfile to Add X-Real-IP to fix bot detection
Bot detection complains about not having X-Real-IP which is required https://docs.searxng.org/src/searx.botdetection.html#id4 this adds the header and fixes the problem for me.
2023-06-20 02:45:04 +00:00
Alexandre Flament
e76656a162
Merge pull request #110 from searxng/dac_override
docker-compose.yaml: remove CAP_DAC_OVERRIDE
2022-12-31 18:35:37 +01:00
Alexandre Flament
12d726f4ff docker-compose.yaml: remove CAP_DAC_OVERRIDE
Close #30
2022-12-31 00:28:19 +00:00
Alexandre Flament
d4f06df911
Merge pull request #77 from searxng/remove_security_yml
Delete security.yml
2022-09-01 18:48:52 +02:00
Alexandre Flament
09742281df
Delete security.yml
See https://github.com/searxng/searxng/pull/1730
2022-08-31 20:44:15 +02:00
Émilien Devos
f2f9e2ad08
Add explanation about how to access the logs 2022-07-12 08:36:14 +02:00
Alexandre Flament
b1b174a339
Merge pull request #22 from ononoki1/master
Add github new issue to CSP form-action
2022-05-21 20:35:19 +02:00
ononoki
f6fb825afd
Add github new issue to CSP form-action
Make "Submit a new issue on Github including the above information" works
2022-05-18 08:55:18 +00:00
Alexandre Flament
ba1569dafb
Merge pull request #17 from dalf/no_script
Remove scripts
2022-04-26 23:13:27 +02:00
mrpaulblack
2504dcbd57 Remove scripts 3/n 2022-04-26 14:27:30 +02:00
Alexandre Flament
d4ae67a468 Remove scripts 2/n 2022-04-22 09:45:47 +02:00
Alexandre Flament
914e6e3159 Remove scripts 2022-04-20 20:33:20 +02:00
Paul Braeuning
7f01f0d93d
Merge pull request #12 from dalf/remove_filtron_morty
Replace morty & filtron by redis & the limiter plugin
2022-04-20 01:25:46 +02:00
Alexandre Flament
6b0d7c591b static files: use hashes 2022-04-02 21:31:05 +02:00
Alexandre Flament
0a1db38e21 Rely on searxng/settings.yml 2022-03-20 10:36:48 +01:00
Alexandre Flament
8952fad37e Remove rules.json 2022-02-25 23:37:40 +01:00
Alexandre Flament
8a4db4caa0 Update README.md 2022-02-25 23:12:28 +01:00
Alexandre Flament
fe4a33a2bf Replace morty & filtron by redis & the limiter plugin 2022-02-25 23:11:13 +01:00
Alexandre Flament
2127795f63
Merge pull request #11 from maiki/patch-1
Change text and formatting for consistency
2022-02-18 22:14:17 +01:00
maiki
3f213b0902
Change text and formatting for consistency
Mostly punctuation, with a single missing word added
2022-02-17 12:00:26 -08:00
Alexandre Flament
91f45bd54d
Merge pull request #9 from k2s/patch-1
fix typo
2022-01-29 14:28:20 +01:00
Alexandre Flament
69590065df
Merge pull request #10 from searxng/trivy
[mod] add a nightly check of the docker images using Trivy
2022-01-29 14:24:01 +01:00
Alexandre Flament
f361945cf1 [mod] add a nightly check of the docker images using Trivy 2022-01-29 14:22:16 +01:00
k2s
9e7eed426f
fix typo 2022-01-10 01:11:44 +01:00
Alexandre Flament
c7b3f004eb
Merge pull request #7 from searxng/fix-6
Fix docker-compose.yml
2021-11-27 10:57:20 +01:00
Alexandre Flament
77cc397d40
Fix docker-compose.yml
Update searxng-docker with https://github.com/searxng/searxng/pull/383 changes.

Close https://github.com/searxng/searxng-docker/issues/6
2021-11-27 10:56:56 +01:00
Alexandre Flament
c9762306a8
Merge pull request #2 from searxng/searxng
SearXNG
2021-10-02 07:57:07 +02:00
Alexandre Flament
38377d53c9 SearXNG 2021-10-01 18:13:17 +02:00
Chebro
276f88394a
Replace sed separator with pipe (#96)
- base64 random key may contain the `/`  character, which conflicts with the sed separator, using `|` as the separator fixes it
2021-06-28 15:41:12 +00:00
Darrell King
d4e4f30de8
Added Generate MORTY_KEY step to README.md (#95) 2021-06-27 12:33:43 +00:00
Émilien Devos
abd5079b87
Merge pull request #94 from zevlee/master
Add Permissions-Policy HTTP header to Caddyfile
2021-06-04 20:38:17 +02:00
Zev Lee
da360b26b9
Add Permissions-Policy HTTP header to Caddyfile 2021-05-26 14:00:29 +00:00
Émilien Devos
4ad61d6499
Merge pull request #81 from puresick/patch-1
Update link to Caddy project repository
2021-04-10 22:28:57 +02:00
Daniel Henning
a3bab0ba2f
Update link to Caddy project repository 2021-04-10 21:26:16 +02:00
Émilien Devos
7886223c9d
Merge pull request #75 from stelas/master
Restart Caddy automatically
2021-03-29 12:27:18 +00:00
Steffen
83f465995f Restart caddy service on-failure 2021-03-29 14:22:43 +02:00
Alexandre Flament
f2736e1e19
Merge pull request #65 from dalf/remove-old-checker
Remove old searx-checker
2021-01-17 10:26:56 +01:00
Alexandre Flament
909201fef2 Remove old searx-checker
See https://github.com/searx/searx/pull/2419
2021-01-17 09:53:59 +01:00
Alexandre Flament
a7443cdc5f
Merge pull request #61 from searx/unixfox-patch-1
Fix Searx as a search engine on Firefox android
2020-11-10 22:08:32 +01:00
Émilien Devos
f48172e4de Fix Searx as a search engine on Firefox android
The user agent is now similar to "Mozilla/5.0 (Android 9; Mobile; rv:83.0) Gecko/83.0 Firefox/83.0".
2020-11-10 22:35:30 +02:00
Alexandre Flament
7ad4d4903d
Merge pull request #52 from searx/greadlink-support
[mod] try to use greadlink if readlink is not available
2020-08-28 09:50:27 +02:00
Dalf
4d7cbbab34 [mod] try to use greadlink if readlink is not available 2020-08-20 09:46:47 +02:00
Alexandre Flament
4f5c3b5ee0
Merge pull request #51 from raffieyeah/master
Fix morty not binding to 0.0.0.0 by changing docker-compose.yaml and using environment variable
2020-07-30 22:18:24 +02:00
Rafael
7a76a003a2 Fix morty not binding to 0.0.0.0 2020-07-30 13:42:47 -05:00
Alexandre Flament
337a4d2dd9
[fix] rules.json: allow Firefox Android to add searx (#49)
* [fix] rules.json: allow Firefox Android to add searx

fix #48

* [fix] rules.json: allow Firefox Android whatever the values of Accept and Accept-Language are.
2020-07-27 13:06:56 +02:00
Alexandre Flament
c3cf61f3b4
Merge pull request #46 from searx/nslookup
rules.json: allow nslookup(check.searx.space) instead of hard-coded IP
2020-07-21 08:16:41 +02:00
Dalf
5c8e7e8491 rules.json: allow nslookup(check.searx.space) instead of hard-coded IP
related to https://github.com/asciimoo/filtron/pull/13
2020-07-20 18:32:15 +02:00
Alexandre Flament
bdf5619765
[mod] upgrade to Caddy v2 (#44)
* Use docker image caddy:2-alpine
* Caddyfile: remove "limits 10KB"
* Caddyfile: URL /filtron/rules removed (filtron API still available on http://localhost:4041/rules )
* caddy storage are docker volumes (caddy-data and caddy-config). start.sh and stop.sh have been modified to keep these volumes.
* .env: Remove SEARX_PROTOCOL, SEARX_TLS, FILTRON_USER and FILTRON_PASSWORD variables.
* docker-compose.yml: filtron and morty listen on 127.0.0.1 (related to #38)

* Fix #37: settings ```SEARX_HOSTNAME=localhost:8888``` works as expected (https connection)
2020-07-13 08:12:32 +02:00
14 changed files with 213 additions and 466 deletions

28
.env

@ -1,23 +1,7 @@
# hostname # By default listen on https://localhost
SEARX_HOSTNAME=localhost # To change this:
# * uncomment SEARXNG_HOSTNAME, and replace <host> by the SearXNG hostname
# * uncomment LETSENCRYPT_EMAIL, and replace <email> by your email (require to create a Let's Encrypt certificate)
# comment both if SEARX_HOSTNAME is NOT localhost # SEARXNG_HOSTNAME=<host>
SEARX_PROTOCOL=https:// # LETSENCRYPT_EMAIL=<email>
SEARX_TLS=self_signed
# automatically update settings to the new version
# comment this line if you made / will make some modifications to the settings
SEARX_COMMAND=-f
# Let's encrypt contact information
LETSENCRYPT_EMAIL=email@example.com
# Do you agree Let's Encrypt TOS https://letsencrypt.org/repository/
LETSENCRYPT_AGREE=false
# use openssl rand -base64 33
MORTY_KEY=ReplaceWithARealKey!
# filtron ( /filtron/rules ), use for example "tr -cd '[:alnum:]' < /dev/urandom | fold -w12 | head -n1"
FILTRON_USER=filtron
FILTRON_PASSWORD=SetARealPassword

4
.gitignore vendored

@ -1,6 +1,6 @@
*~ *~
searx-docker.service searxng-docker.service
caddy caddy
srv srv
searx searxng/uwsgi.ini

100
Caddyfile

@ -1,21 +1,38 @@
{$SEARX_PROTOCOL}{$SEARX_HOSTNAME} { {
tls {$SEARX_TLS} admin off
gzip { }
not /morty
}
root /srv
header /config { {$SEARXNG_HOSTNAME} {
Access-Control-Allow-Methods "GET, OPTIONS" log {
Access-Control-Allow-Origin "*" output discard
} }
header /status { tls {$SEARXNG_TLS}
Access-Control-Allow-Methods "GET, OPTIONS"
Access-Control-Allow-Origin "*" @api {
path /config
path /healthz
path /stats/errors
path /stats/checker
} }
header / { @static {
path /static/*
}
@notstatic {
not path /static/*
}
@imageproxy {
path /image_proxy
}
@notimageproxy {
not path /image_proxy
}
header {
# Enable HTTP Strict Transport Security (HSTS) to force clients to always connect via HTTPS # Enable HTTP Strict Transport Security (HSTS) to force clients to always connect via HTTPS
Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
@ -25,18 +42,11 @@
# Prevent some browsers from MIME-sniffing a response away from the declared Content-Type # Prevent some browsers from MIME-sniffing a response away from the declared Content-Type
X-Content-Type-Options "nosniff" X-Content-Type-Options "nosniff"
# Disallow the site to be rendered within a frame (clickjacking protection)
X-Frame-Options "SAMEORIGIN"
# CSP (see http://content-security-policy.com/ )
Content-Security-Policy "upgrade-insecure-requests; default-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'; form-action 'self'; font-src 'self'; frame-ancestors 'self'; base-uri 'self'; connect-src 'self' https://overpass-api.de; img-src 'self' data: https://*.tile.openstreetmap.org; frame-src https://www.youtube-nocookie.com https://player.vimeo.com https://www.dailymotion.com https://www.deezer.com https://www.mixcloud.com https://w.soundcloud.com https://embed.spotify.com"
# Disable some features # Disable some features
Feature-Policy "accelerometer 'none';ambient-light-sensor 'none'; autoplay 'none';camera 'none';encrypted-media 'none';focus-without-user-activation 'none'; geolocation 'none';gyroscope 'none';magnetometer 'none';microphone 'none';midi 'none';payment 'none';picture-in-picture 'none'; speaker 'none';sync-xhr 'none';usb 'none';vr 'none'" Permissions-Policy "accelerometer=(),ambient-light-sensor=(),autoplay=(),camera=(),encrypted-media=(),focus-without-user-activation=(),geolocation=(),gyroscope=(),magnetometer=(),microphone=(),midi=(),payment=(),picture-in-picture=(),speaker=(),sync-xhr=(),usb=(),vr=()"
# Cache # Disable some features (legacy)
Cache-Control "no-cache, no-store" Feature-Policy "accelerometer 'none';ambient-light-sensor 'none'; autoplay 'none';camera 'none';encrypted-media 'none';focus-without-user-activation 'none'; geolocation 'none';gyroscope 'none';magnetometer 'none';microphone 'none';midi 'none';payment 'none';picture-in-picture 'none'; speaker 'none';sync-xhr 'none';usb 'none';vr 'none'"
Pragma "no-cache"
# Referer # Referer
Referrer-Policy "no-referrer" Referrer-Policy "no-referrer"
@ -48,36 +58,42 @@
-Server -Server
} }
header /morty { header @api {
Content-Security-Policy "default-src 'none'; style-src 'self' 'unsafe-inline'; form-action 'self'; frame-ancestors 'self'; base-uri 'self'; img-src 'self' data:; font-src 'self'; frame-src 'self'" Access-Control-Allow-Methods "GET, OPTIONS"
Access-Control-Allow-Origin "*"
} }
header /static { # Cache
header @static {
# Cache
Cache-Control "public, max-age=31536000" Cache-Control "public, max-age=31536000"
-Pragma defer
} }
rewrite / { header @notstatic {
regexp ^/status$ # No Cache
to /searx-checker/status.json Cache-Control "no-cache, no-store"
Pragma "no-cache"
} }
proxy / localhost:4040 { # CSP (see http://content-security-policy.com/ )
transparent header @imageproxy {
header_upstream X-Forwarded-TlsProto {tls_protocol} Content-Security-Policy "default-src 'none'; img-src 'self' data:"
header_upstream X-Forwarded-TlsCipher {tls_cipher}
header_upstream X-Forwarded-HttpsProto {proto}
except /searx-checker/status.json
} }
basicauth /filtron {$FILTRON_USER} {$FILTRON_PASSWORD} header @notimageproxy {
proxy /filtron/rules localhost:4041 { Content-Security-Policy "upgrade-insecure-requests; default-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'; form-action 'self' https://github.com/searxng/searxng/issues/new; font-src 'self'; frame-ancestors 'self'; base-uri 'self'; connect-src 'self' https://overpass-api.de; img-src 'self' data: https://*.tile.openstreetmap.org; frame-src https://www.youtube-nocookie.com https://player.vimeo.com https://www.dailymotion.com https://www.deezer.com https://www.mixcloud.com https://w.soundcloud.com https://embed.spotify.com"
without /filtron
} }
proxy /morty localhost:3000 # SearXNG
handle {
encode zstd gzip
limits 10KB reverse_proxy localhost:8080 {
header_up X-Forwarded-Port {http.request.port}
header_up X-Forwarded-Proto {http.request.scheme}
header_up X-Real-IP {remote_host}
}
}
} }
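Review bot: In the `reverse_proxy localhost:8080` block at the end of the file, `header_up X-Real-IP {remote_host}` forwards the address of whichever peer connected to Caddy, and nothing in the file documents that assumption. It is the real client address only while Caddy is the outermost proxy; behind a CDN or another load balancer every request would carry that front end's address, and the bot detection that needs this header would presumably treat all users as one client. I would add a comment above the line, for example `# X-Real-IP feeds the SearXNG limiter; {remote_host} is the direct peer, so change this if Caddy sits behind another proxy`. The page prints old and new text on the same line, so which side each line belongs to is partly inferred.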

108
README.md

@ -1,60 +1,88 @@
# searx-docker # searxng-docker
Create a new searx instance in five minutes using Docker (see https://github.com/asciimoo/searx/issues/1561 ) Create a new SearXNG instance in five minutes using Docker
This is a work in progress, the bot protection is basic and not battle tested, and later on, may [change](https://github.com/unixfox/antibot-proxy).
## What is included ? ## What is included ?
| Name | Description | Docker image | Dockerfile | | Name | Description | Docker image | Dockerfile |
| -- | -- | -- | -- | | -- | -- | -- | -- |
| [Caddy](https://github.com/caddyserver/caddy) | Reverse proxy (create a LetsEncrypt certificate automatically) | [abiosoft/caddy:1.0.3-no-stats](https://hub.docker.com/r/abiosoft/caddy) | [Dockerfile](https://github.com/abiosoft/caddy-docker/blob/master/Dockerfile-no-stats) | | [Caddy](https://github.com/caddyserver/caddy) | Reverse proxy (create a LetsEncrypt certificate automatically) | [docker.io/library/caddy:2-alpine](https://hub.docker.com/_/caddy) | [Dockerfile](https://github.com/caddyserver/caddy-docker/blob/master/Dockerfile.tmpl) |
| [Filtron](https://github.com/asciimoo/filtron) | Filtering reverse HTTP proxy, bot and abuse protection | [dalf/filtron:latest](https://hub.docker.com/r/dalf/filtron) | See [asciimoo/filtron#4](https://github.com/asciimoo/filtron/pull/4) | | [SearXNG](https://github.com/searxng/searxng) | SearXNG by itself | [docker.io/searxng/searxng:latest](https://hub.docker.com/r/searxng/searxng) | [Dockerfile](https://github.com/searxng/searxng/blob/master/Dockerfile) |
| [Searx](https://github.com/asciimoo/searx) | searx by itself | [searx/searx:latest](https://hub.docker.com/r/searx/searx) | [Dockerfile](https://github.com/searx/searx/blob/master/Dockerfile) | | [Valkey](https://github.com/valkey-io/valkey) | In-memory database | [cgr.dev/chainguard/valkey:latest](https://cgr.dev/chainguard/valkey) | [Valkey-image](https://github.com/chainguard-images/images/tree/main/images/valkey) |
| [Morty](https://github.com/asciimoo/morty) | Privacy aware web content sanitizer proxy as a service. | [dalf/morty:latest](https://hub.docker.com/r/dalf/morty) | [Dockerfile](https://github.com/dalf/morty/blob/master/Dockerfile) |
| [Searx-checker](https://github.com/searx/searx-checker) | Check which engines return results of the instance.<br>JSON result available at<br>```https://{SEARX_HOSTNAME}/status```<br>Automatically updated every 24h | [searx/searx-checker:latest](https://hub.docker.com/r/searx/searx-checker) | [Dockerfile](https://github.com/searx/searx-checker/blob/master/Dockerfile) |
## How to use it ## How to use it
- [Install docker](https://docs.docker.com/install/) - [Install docker](https://docs.docker.com/install/)
- [Install docker-compose](https://docs.docker.com/compose/install/) (be sure that docker-compose version is at least 1.9.0). - Get searxng-docker
- Get searx-docker ```sh
```sh cd /usr/local
cd /usr/local git clone https://github.com/searxng/searxng-docker.git
git clone https://github.com/searx/searx-docker.git cd searxng-docker
cd searx-docker ```
``` - Edit the [.env](https://github.com/searxng/searxng-docker/blob/master/.env) file to set the hostname and an email
- Edit the [.env](https://github.com/searx/searx-docker/blob/master/.env) file according to your need - Generate the secret key `sed -i "s|ultrasecretkey|$(openssl rand -hex 32)|g" searxng/settings.yml`
- Check everything is working: ```./start.sh```, - Edit the [searxng/settings.yml](https://github.com/searxng/searxng-docker/blob/master/searxng/settings.yml) file according to your need
- ```cp searx-docker.service.template searx-docker.service``` - Check everything is working: `docker compose up`
- edit the content of ```WorkingDirectory``` in the ```searx-docker.service``` file (only if the installation path is different from /usr/local/searx-docker) - Run SearXNG in the background: `docker compose up -d`
- Install the systemd unit :
```sh > [!WARNING]
systemctl enable $(pwd)/searx-docker.service > If you use an older version of docker desktop (`< 3.6.0`), you may have to install Docker Compose v1.
systemctl start searx-docker.service > Accordingly, you should modify the commands in this documentation to suit Docker Compose v1. For instance, change 'docker compose up' to 'docker-compose up'.
``` >
> [Install the docker-compose plugin](https://docs.docker.com/compose/install/#scenario-two-install-the-compose-plugin) (be sure that docker-compose version is at least 1.9.0)
## How to access the logs
To access the logs from all the containers use: `docker compose logs -f`.
To access the logs of one specific container:
- Caddy: `docker compose logs -f caddy`
- SearXNG: `docker compose logs -f searxng`
- Valkey: `docker compose logs -f redis`
### Start SearXNG with systemd
You can skip this step if you don't use systemd.
- ```cp searxng-docker.service.template searxng-docker.service```
- edit the content of ```WorkingDirectory``` in the ```searxng-docker.service``` file (only if the installation path is different from /usr/local/searxng-docker)
- Install the systemd unit:
```sh
systemctl enable $(pwd)/searxng-docker.service
systemctl start searxng-docker.service
```
## Note on the image proxy feature ## Note on the image proxy feature
The searx image proxy is activated by default using [Morty](https://github.com/asciimoo/morty). The SearXNG image proxy is activated by default.
The default [Content-Security-Policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy) allow the browser to access to {SEARX_HOSTNAME} and ```https://*.tile.openstreetmap.org;```. The default [Content-Security-Policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy) allow the browser to access to ```${SEARXNG_HOSTNAME}``` and ```https://*.tile.openstreetmap.org;```.
If some users wants to disable the image proxy, you have to modify [./Caddyfile](https://github.com/searx/searx-docker/blob/master/Caddyfile). Replace the ```img-src 'self' data: https://*.tile.openstreetmap.org;``` by ```img-src * data:;``` If some users want to disable the image proxy, you have to modify [./Caddyfile](https://github.com/searxng/searxng-docker/blob/master/Caddyfile). Replace the ```img-src 'self' data: https://*.tile.openstreetmap.org;``` by ```img-src * data:;```.
## Custom docker-compose.yaml
Do not modify docker-compose.yaml otherwise you won't be able to update easily from the git repository.
It is possible to the [extend feature](https://docs.docker.com/compose/extends/) of docker-compose :
- stop the service : ```systemctl stop searx-docker.service```
- create a new docker-compose-extend.yaml, check with ```start.sh```
- update searx-docker.service (see SEARX_DOCKERCOMPOSEFILE)
- restart the servie : ```systemctl restart searx-docker.service```
## Multi Architecture Docker images ## Multi Architecture Docker images
For now only the amd64 platform is supported. Supported architecture:
- amd64
- arm64
- arm/v7
## How to update ? ## How to update ?
Check the content of [```update.sh```](https://github.com/searx/searx-docker/blob/master/update.sh) To update the SearXNG stack:
```sh
git pull
docker compose pull
docker compose up -d
```
Or the old way (with the old docker-compose version):
```sh
git pull
docker-compose pull
docker-compose up -d
```


@ -1,101 +1,77 @@
version: '3.7' version: "3.7"
services: services:
caddy: caddy:
container_name: caddy container_name: caddy
image: abiosoft/caddy:1.0.3-no-stats image: docker.io/library/caddy:2-alpine
ports:
- 80:80
- 443:443
network_mode: host network_mode: host
command: -email ${LETSENCRYPT_EMAIL} -agree=${LETSENCRYPT_AGREE} -log stdout -host ${SEARX_HOSTNAME} -conf /etc/Caddyfile restart: unless-stopped
volumes: volumes:
- ./Caddyfile:/etc/Caddyfile:rw - ./Caddyfile:/etc/caddy/Caddyfile:ro
- ./caddy:/root/.caddy:rw - caddy-data:/data:rw
- ./srv:/srv:rw - caddy-config:/config:rw
- searx-checker:/srv/searx-checker:rw
environment: environment:
- SEARX_HOSTNAME=${SEARX_HOSTNAME} - SEARXNG_HOSTNAME=${SEARXNG_HOSTNAME:-http://localhost:80}
- SEARX_PROTOCOL=${SEARX_PROTOCOL:-} - SEARXNG_TLS=${LETSENCRYPT_EMAIL:-internal}
- SEARX_TLS=${SEARX_TLS:-}
- FILTRON_USER=${FILTRON_USER}
- FILTRON_PASSWORD=${FILTRON_PASSWORD}
cap_drop: cap_drop:
- ALL - ALL
cap_add: cap_add:
- NET_BIND_SERVICE - NET_BIND_SERVICE
- DAC_OVERRIDE logging:
driver: "json-file"
options:
max-size: "1m"
max-file: "1"
filtron: redis:
container_name: filtron container_name: redis
image: dalf/filtron image: cgr.dev/chainguard/valkey:latest
restart: always command: --save 30 1 --loglevel warning
ports: restart: unless-stopped
- 4040:4040
- 4041:4041
networks: networks:
- searx - searxng
command: -listen 0.0.0.0:4040 -api 0.0.0.0:4041 -target searx:8080
volumes: volumes:
- ./rules.json:/etc/filtron/rules.json:rw - valkey-data:/data
read_only: true
cap_drop: cap_drop:
- ALL - ALL
cap_add:
- SETGID
- SETUID
- DAC_OVERRIDE
logging:
driver: "json-file"
options:
max-size: "1m"
max-file: "1"
searx: searxng:
container_name: searx container_name: searxng
image: searx/searx:latest image: docker.io/fauli1221/ponysearch:latest
restart: always restart: unless-stopped
networks: networks:
- searx - searxng
command: ${SEARX_COMMAND:-} ports:
- "127.0.0.1:8080:8080"
volumes: volumes:
- ./searx:/etc/searx:rw - ./searxng:/etc/searxng:rw
environment: environment:
- BIND_ADDRESS=0.0.0.0:8080 - SEARXNG_BASE_URL=https://${SEARXNG_HOSTNAME:-localhost}/
- BASE_URL=https://${SEARX_HOSTNAME}/
- MORTY_URL=https://${SEARX_HOSTNAME}/morty/
- MORTY_KEY=${MORTY_KEY}
cap_drop: cap_drop:
- ALL - ALL
cap_add: cap_add:
- CHOWN - CHOWN
- SETGID - SETGID
- SETUID - SETUID
- DAC_OVERRIDE
morty:
container_name: morty
image: dalf/morty
restart: always
ports:
- 3000:3000
networks:
- searx
command: -listen 0.0.0.0:3000 -timeout 6 -ipv6
environment:
- MORTY_KEY=${MORTY_KEY}
logging: logging:
driver: none driver: "json-file"
read_only: true options:
cap_drop: max-size: "1m"
- ALL max-file: "1"
searx-checker:
container_name: searx-checker
image: searx/searx-checker
restart: always
networks:
- searx
command: -cron -o html/data/status.json http://searx:8080
volumes:
- searx-checker:/usr/local/searx-checker/html/data:rw
networks: networks:
searx: searxng:
ipam:
driver: default
volumes: volumes:
searx-checker: caddy-data:
caddy-config:
valkey-data:
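Review bot: Both images introduced on the new side use a mutable tag, `docker.io/fauli1221/ponysearch:latest` for the `searxng` service and `cgr.dev/chainguard/valkey:latest` for `redis`, so the code that runs changes on every `docker compose pull` and cannot be tied to a reviewed build. Pinning each to a version tag plus digest, in the form `image: docker.io/fauli1221/ponysearch:<tag>@sha256:<digest>` (placeholders), would make updates explicit and auditable. This matters most for the `searxng` image, which comes from a personal namespace rather than the `docker.io/searxng/searxng` image listed in the README table. Separately, the caddy service defaults `SEARXNG_HOSTNAME` to `http://localhost:80`, while `.env` says the default is https://localhost and `SEARXNG_BASE_URL` defaults to `https://localhost/`; it is worth confirming which scheme is intended.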


@ -1,138 +0,0 @@
[
{
"name": "searx.space",
"filters": ["Header:X-Forwarded-For=(2001:41d0:8:de3::1|176.31.252.227)"],
"stop": true,
"actions": [{ "name": "log"}]
},
{
"name": "IP limit, all paths",
"interval": 3,
"limit": 25,
"aggregations": ["Header:X-Forwarded-For"],
"actions": [
{"name": "block",
"params": {"message": "Rate limit exceeded, try again later."}}
]
},
{
"name": "useragent limit, all paths",
"interval": 30,
"limit": 200,
"aggregations": ["Header:X-Forwarded-For", "Header:User-Agent"],
"stop": true,
"actions": [
{"name": "block",
"params": {"message": "Rate limit exceeded, try again later."}}
]
},
{
"name": "search request",
"filters": ["Param:q", "Path=^(/|/search)$"],
"subrules": [
{
"name": "robot agent forbidden",
"limit": 0,
"stop": true,
"filters": ["Header:User-Agent=([Cc][Uu][Rr][Ll]|[wW]get|Scrapy|splash|JavaFX|FeedFetcher|python-requests|Go-http-client|Java|Jakarta|okhttp|HttpClient|Jersey|Python|libwww-perl|Ruby|SynHttpClient|UniversalFeedParser)"],
"actions": [
{"name": "block",
"params": {"message": "Rate limit exceeded"}}
]
},
{
"name": "bot forbidden",
"limit": 0,
"stop": true,
"filters": ["Header:User-Agent=(Googlebot|GoogleImageProxy|bingbot|Baiduspider|yacybot|YandexMobileBot|YandexBot|Yahoo! Slurp|MJ12bot|AhrefsBot|archive.org_bot|msnbot|MJ12bot|SeznamBot|linkdexbot|Netvibes|SMTBot|zgrab|James BOT|Sogou|Abonti|Pixray|Spinn3r|SemrushBot|Exabot|ZmEu|BLEXBot|bitlybot)"],
"actions": [
{"name": "block",
"params": {"message": "Rate limit exceeded"}}
]
},
{
"name": "block missing accept-language",
"filters": ["!Header:Accept-Language"],
"limit": 0,
"stop": true,
"actions": [
{"name": "block",
"params": {"message": "Rate limit exceeded"}}
]
},
{
"name": "block Connection:close",
"filters": ["Header:Connection=close"],
"limit": 0,
"stop": true,
"actions": [
{"name": "block",
"params": {"message": "Rate limit exceeded"}}
]
},
{
"name": "block no gzip support",
"filters": ["!Header:Accept-Encoding=(^gzip$|^gzip[;,]|[; ]gzip$|[; ]gzip[;,])"],
"limit": 0,
"stop": true,
"actions": [
{"name": "block",
"params": {"message": "Rate limit exceeded"}}
]
},
{
"name": "block no deflate support",
"filters": ["!Header:Accept-Encoding=(^deflate$|^deflate[;,]|[; ]deflate$|[; ]deflate[;,])"],
"limit": 0,
"stop": true,
"actions": [
{"name": "block",
"params": {"message": "Rate limit exceeded"}}
]
},
{
"name": "block accept everything",
"filters": ["!Header:Accept=text/html"],
"limit": 0,
"stop": true,
"actions": [
{"name": "block",
"params": {"message": "Rate limit exceeded"}}
]
},
{
"name": "rss/json limit",
"interval": 3600,
"limit": 4,
"stop": true,
"filters": ["Param:format=(csv|json|rss)"],
"aggregations": ["Header:X-Forwarded-For"],
"actions": [
{"name": "block",
"params": {"message": "Rate limit exceeded, try again later."}}
]
},
{
"name": "IP limit",
"interval": 3,
"limit": 3,
"aggregations": ["Header:X-Forwarded-For"],
"actions": [
{"name": "block",
"params": {"message": "Rate limit exceeded, try again later."}}
]
},
{
"name": "IP and useragent limit",
"interval": 600,
"limit": 60,
"stop": true,
"aggregations": ["Header:X-Forwarded-For", "Header:User-Agent"],
"actions": [
{"name": "block",
"params": {"message": "Rate limit exceeded, try again later."}}
]
}
]
}
]


@ -1,16 +0,0 @@
[Unit]
Description=searx service
Requires=docker.service
After=docker.service
[Service]
Restart=always
Environment=SEARX_DIR=/usr/local/searx-docker
Environment=SEARX_DOCKERCOMPOSEFILE=docker-compose.yaml
ExecStart=/bin/sh -c "${SEARX_DIR}/start.sh"
ExecStop=/bin/sh -c "${SEARX_DIR}/stop.sh"
[Install]
WantedBy=multi-user.target


@ -0,0 +1,16 @@
[Unit]
Description=SearXNG service
Requires=docker.service
After=docker.service
[Service]
Restart=on-failure
Environment=SEARXNG_DOCKERCOMPOSEFILE=docker-compose.yaml
WorkingDirectory=/usr/local/searxng-docker
ExecStart=/usr/local/bin/docker compose -f ${SEARXNG_DOCKERCOMPOSEFILE} up --remove-orphans
ExecStop=/usr/local/bin/docker compose -f ${SEARXNG_DOCKERCOMPOSEFILE} down
[Install]
WantedBy=multi-user.target
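Review bot: `ExecStart=/usr/local/bin/docker compose …` and the matching `ExecStop` hard-code the docker binary under /usr/local/bin, while the README's systemd steps only tell the operator to adjust `WorkingDirectory`. Distribution packages commonly install the CLI as /usr/bin/docker, in which case the unit would fail to start. I would add a comment above `ExecStart` such as `# adjust the docker path to the output of "command -v docker"` and repeat it in the README step. The unit also sets no `User=`, so compose runs as root; that is probably intended, but a one-line comment would say so.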

6
searxng/limiter.toml Normal file

@ -0,0 +1,6 @@
# This configuration file updates the default configuration file
# See https://github.com/searxng/searxng/blob/master/searx/botdetection/limiter.toml
[botdetection.ip_limit]
# activate link_token method in the ip_limit method
link_token = true

11
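--- a/searxng/settings.yml
+++ b/searxng/settings.yml
@@ -0,0 +1,11 @@
+# see https://docs.searxng.org/admin/settings/settings.html#settings-use-default-settings
+use_default_settings: true
+server:
+# base_url is defined in the SEARXNG_BASE_URL environment variable, see .env and docker-compose.yml
+secret_key: "ultrasecretkey" # change this!
+limiter: true # can be disabled for a private instance
+image_proxy: true
+ui:
+static_use_hash: true
+redis:
+url: redis://redis:6379/0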
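Review bot: `secret_key: "ultrasecretkey"` ships a publicly known value, and the only thing that replaces it is the manual `sed` step in the README; an operator who skips that step runs with a key anyone can read in the repository. The `# change this!` comment should say how and when, for example `# placeholder: replace before first start, see README (openssl rand -hex 32)`. A start-up check that refuses the placeholder would be stronger, but whether the image already does that is not visible on this page.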


@ -1,10 +0,0 @@
#!/bin/sh
BASE_DIR="$(dirname -- "`readlink -f -- "$0"`")"
cd -- "$BASE_DIR"
. ./util.sh
$DOCKERCOMPOSE -f $DOCKERCOMPOSEFILE down -v
$DOCKERCOMPOSE -f $DOCKERCOMPOSEFILE rm -fv
$DOCKERCOMPOSE -f $DOCKERCOMPOSEFILE up


@ -1,8 +0,0 @@
#!/bin/sh
BASE_DIR="$(dirname -- "`readlink -f -- "$0"`")"
cd -- "$BASE_DIR"
. ./util.sh
$DOCKERCOMPOSE -f $DOCKERCOMPOSEFILE down -v


@ -1,92 +0,0 @@
#!/bin/sh
#
# Disclaimer: this is more a documentation than code to execute
#
# change if require
SERVICE_NAME="searx-docker.service"
# change if require :
# fastforward : only fast-forward
# rebase : rebase with autostash, at your own risk
UPDATE_TYPE="fastforward"
BASE_DIR="$(dirname -- "`readlink -f -- "$0"`")"
cd -- "$BASE_DIR"
# check if git presence
if [ ! -x "$(which git)" ]; then
echo "git not found" 1>&2
exit 1
fi
# check if the current user owns the local git repository
git_owner=$(stat -c '%U' .git)
if [ "$git_owner" != "$(whoami)" ]; then
echo "The .git repository is own by $git_owner" 1>&2
exit 1
fi
# warning if the current branch is not master
current_branch=$(git rev-parse --abbrev-ref HEAD)
if [ "$current_branch" != "master" ]; then
echo "Warning: master won't be updated, only $current_branch"
fi
# git fetch first
git fetch origin master
# is everything already up-to-date ?
current_commit=$(git rev-parse $current_branch)
origin_master_commit=$(git rev-parse origin/master)
if [ "$current_commit" = "$origin_master_commit" ]; then
echo "Already up-to-date, commit $current_commit"
exit 0
fi
# docker stuff
SEARX_DOCKERCOMPOSE=$(grep "Environment=SEARX_DOCKERCOMPOSEFILE=" "$SERVICE_NAME" | awk -F\= '{ print $3 }')
. ./util.sh
if [ ! -x "$(which systemctl)" ]; then
echo "systemctl not found" 1>&2
exit 1
fi
# stop the systemd service now, because after the update
# the code might be out of sync with the current running services
systemctl stop "${SERVICE_NAME}"
# update
case "$UPDATE_TYPE" in
"fastforward")
git pull --ff-only origin master
;;
"rebase")
git pull --rebase --autostash origin master
;;
esac
# Check conflicts
if [ $(git ls-files -u | wc -l) -gt 0 ]; then
echo "There are git conflicts"
else
# update docker images
docker-compose -f $DOCKERCOMPOSEFILE pull
# remove dangling images
docker rmi $(docker images -f "dangling=true" -q)
# display searx version
SEARX_IMAGE=$(cat $DOCKERCOMPOSEFILE | grep "searx/searx" | grep -v "searx-checker" | awk '{ print $2 }')
SEARX_VERSION=$(docker inspect -f '{{index .Config.Labels "org.label-schema.version"}}' $SEARX_IMAGE)
echo "Searx version: $SEARX_VERSION"
docker images --digests "searx/*:latest"
# update searx configuration
source ./.env
docker-compose -f $DOCKERCOMPOSEFILE run searx ${SEARX_COMMAND} -d
# let the user see
echo "Use\nsystemctl start \"${SERVICE_NAME}\"\nto restart searx"
fi

26
util.sh

@ -1,26 +0,0 @@
set -e
DOCKERCOMPOSE=$(which docker-compose || echo "/usr/local/bin/docker-compose")
DOCKERCOMPOSEFILE="${DOCKERCOMPOSEFILE:-docker-compose.yaml}"
echo "use ${DOCKERCOMPOSEFILE}"
if [ ! -x "$(which docker)" ]; then
echo "docker not found" 1>&2
exit 1
fi
if ! docker version > /dev/null 2>&1; then
echo "can't execute docker (current user: $(whoami))" 1>&2
exit 1
fi
if [ ! -x "${DOCKERCOMPOSE}" ]; then
echo "docker-compose not found" 1>&2
exit 1
fi
if [ ! -f "${DOCKERCOMPOSEFILE}" ]; then
echo "${DOCKERCOMPOSEFILE} not found" 1>&2
exit 1
fi