Compare commits
No commits in common. "master" and "filtron-morty" have entirely different histories.
master
...
filtron-mo
14 changed files with 425 additions and 125 deletions
7
.env
7
.env
|
@ -5,3 +5,10 @@
|
||||||
|
|
||||||
# SEARXNG_HOSTNAME=<host>
|
# SEARXNG_HOSTNAME=<host>
|
||||||
# LETSENCRYPT_EMAIL=<email>
|
# LETSENCRYPT_EMAIL=<email>
|
||||||
|
|
||||||
|
# automatically update settings to the new version
|
||||||
|
# comment this line if you made / will make some modifications to the settings
|
||||||
|
SEARXNG_COMMAND=-f
|
||||||
|
|
||||||
|
# use openssl rand -base64 33
|
||||||
|
MORTY_KEY=ReplaceWithARealKey!
|
||||||
|
|
27
.github/workflows/security.yml
vendored
Normal file
27
.github/workflows/security.yml
vendored
Normal file
|
@ -0,0 +1,27 @@
|
||||||
|
name: "Security checks"
|
||||||
|
on:
|
||||||
|
schedule:
|
||||||
|
- cron: "05 06 * * *"
|
||||||
|
workflow_dispatch:
|
||||||
|
|
||||||
|
jobs:
|
||||||
|
dockers:
|
||||||
|
name: Trivy ${{ matrix.image }}
|
||||||
|
runs-on: ubuntu-20.04
|
||||||
|
strategy:
|
||||||
|
fail-fast: false
|
||||||
|
matrix:
|
||||||
|
image: ["searxng/searxng", "dalf/filtron", "dalf/morty"]
|
||||||
|
steps:
|
||||||
|
- name: Checkout
|
||||||
|
uses: actions/checkout@v2
|
||||||
|
|
||||||
|
- name: Run Trivy vulnerability scanner
|
||||||
|
uses: aquasecurity/trivy-action@master
|
||||||
|
with:
|
||||||
|
image-ref: '${{ matrix.image }}:latest'
|
||||||
|
format: 'table'
|
||||||
|
exit-code: '1'
|
||||||
|
ignore-unfixed: false
|
||||||
|
vuln-type: 'os,library'
|
||||||
|
severity: 'UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL'
|
2
.gitignore
vendored
2
.gitignore
vendored
|
@ -3,4 +3,4 @@
|
||||||
searxng-docker.service
|
searxng-docker.service
|
||||||
caddy
|
caddy
|
||||||
srv
|
srv
|
||||||
searxng/uwsgi.ini
|
searx
|
||||||
|
|
38
Caddyfile
38
Caddyfile
|
@ -11,9 +11,7 @@
|
||||||
|
|
||||||
@api {
|
@api {
|
||||||
path /config
|
path /config
|
||||||
path /healthz
|
path /status
|
||||||
path /stats/errors
|
|
||||||
path /stats/checker
|
|
||||||
}
|
}
|
||||||
|
|
||||||
@static {
|
@static {
|
||||||
|
@ -24,12 +22,12 @@
|
||||||
not path /static/*
|
not path /static/*
|
||||||
}
|
}
|
||||||
|
|
||||||
@imageproxy {
|
@morty {
|
||||||
path /image_proxy
|
path /morty/*
|
||||||
}
|
}
|
||||||
|
|
||||||
@notimageproxy {
|
@notmorty {
|
||||||
not path /image_proxy
|
not path /morty/*
|
||||||
}
|
}
|
||||||
|
|
||||||
header {
|
header {
|
||||||
|
@ -42,8 +40,11 @@
|
||||||
# Prevent some browsers from MIME-sniffing a response away from the declared Content-Type
|
# Prevent some browsers from MIME-sniffing a response away from the declared Content-Type
|
||||||
X-Content-Type-Options "nosniff"
|
X-Content-Type-Options "nosniff"
|
||||||
|
|
||||||
|
# Disallow the site to be rendered within a frame (clickjacking protection)
|
||||||
|
X-Frame-Options "SAMEORIGIN"
|
||||||
|
|
||||||
# Disable some features
|
# Disable some features
|
||||||
Permissions-Policy "accelerometer=(),ambient-light-sensor=(),autoplay=(),camera=(),encrypted-media=(),focus-without-user-activation=(),geolocation=(),gyroscope=(),magnetometer=(),microphone=(),midi=(),payment=(),picture-in-picture=(),speaker=(),sync-xhr=(),usb=(),vr=()"
|
Permissions-Policy "accelerometer=();ambient-light-sensor=(); autoplay=();camera=();encrypted-media=();focus-without-user-activation=(); geolocation=();gyroscope=();magnetometer=();microphone=();midi=();payment=();picture-in-picture=(); speaker=();sync-xhr=();usb=();vr=()"
|
||||||
|
|
||||||
# Disable some features (legacy)
|
# Disable some features (legacy)
|
||||||
Feature-Policy "accelerometer 'none';ambient-light-sensor 'none'; autoplay 'none';camera 'none';encrypted-media 'none';focus-without-user-activation 'none'; geolocation 'none';gyroscope 'none';magnetometer 'none';microphone 'none';midi 'none';payment 'none';picture-in-picture 'none'; speaker 'none';sync-xhr 'none';usb 'none';vr 'none'"
|
Feature-Policy "accelerometer 'none';ambient-light-sensor 'none'; autoplay 'none';camera 'none';encrypted-media 'none';focus-without-user-activation 'none'; geolocation 'none';gyroscope 'none';magnetometer 'none';microphone 'none';midi 'none';payment 'none';picture-in-picture 'none'; speaker 'none';sync-xhr 'none';usb 'none';vr 'none'"
|
||||||
|
@ -77,22 +78,29 @@
|
||||||
}
|
}
|
||||||
|
|
||||||
# CSP (see http://content-security-policy.com/ )
|
# CSP (see http://content-security-policy.com/ )
|
||||||
header @imageproxy {
|
header @morty {
|
||||||
Content-Security-Policy "default-src 'none'; img-src 'self' data:"
|
Content-Security-Policy "default-src 'none'; style-src 'self' 'unsafe-inline'; form-action 'self'; frame-ancestors 'self'; base-uri 'self'; img-src 'self' data:; font-src 'self'; frame-src 'self'"
|
||||||
}
|
}
|
||||||
|
|
||||||
header @notimageproxy {
|
header @notmorty {
|
||||||
Content-Security-Policy "upgrade-insecure-requests; default-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'; form-action 'self' https://github.com/searxng/searxng/issues/new; font-src 'self'; frame-ancestors 'self'; base-uri 'self'; connect-src 'self' https://overpass-api.de; img-src 'self' data: https://*.tile.openstreetmap.org; frame-src https://www.youtube-nocookie.com https://player.vimeo.com https://www.dailymotion.com https://www.deezer.com https://www.mixcloud.com https://w.soundcloud.com https://embed.spotify.com"
|
Content-Security-Policy "upgrade-insecure-requests; default-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'; form-action 'self'; font-src 'self'; frame-ancestors 'self'; base-uri 'self'; connect-src 'self' https://overpass-api.de; img-src 'self' data: https://*.tile.openstreetmap.org; frame-src https://www.youtube-nocookie.com https://player.vimeo.com https://www.dailymotion.com https://www.deezer.com https://www.mixcloud.com https://w.soundcloud.com https://embed.spotify.com"
|
||||||
}
|
}
|
||||||
|
|
||||||
# SearXNG
|
# Morty
|
||||||
|
handle @morty {
|
||||||
|
reverse_proxy localhost:3000
|
||||||
|
}
|
||||||
|
|
||||||
|
# Filtron
|
||||||
handle {
|
handle {
|
||||||
encode zstd gzip
|
encode zstd gzip
|
||||||
|
|
||||||
reverse_proxy localhost:8080 {
|
reverse_proxy localhost:4040 {
|
||||||
header_up X-Forwarded-Port {http.request.port}
|
header_up X-Forwarded-Port {http.request.port}
|
||||||
header_up X-Forwarded-Proto {http.request.scheme}
|
header_up X-Forwarded-Proto {http.request.scheme}
|
||||||
header_up X-Real-IP {remote_host}
|
header_up X-Forwarded-TlsProto {tls_protocol}
|
||||||
|
header_up X-Forwarded-TlsCipher {tls_cipher}
|
||||||
|
header_up X-Forwarded-HttpsProto {proto}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
82
README.md
82
README.md
|
@ -6,45 +6,24 @@ Create a new SearXNG instance in five minutes using Docker
|
||||||
|
|
||||||
| Name | Description | Docker image | Dockerfile |
|
| Name | Description | Docker image | Dockerfile |
|
||||||
| -- | -- | -- | -- |
|
| -- | -- | -- | -- |
|
||||||
| [Caddy](https://github.com/caddyserver/caddy) | Reverse proxy (create a LetsEncrypt certificate automatically) | [docker.io/library/caddy:2-alpine](https://hub.docker.com/_/caddy) | [Dockerfile](https://github.com/caddyserver/caddy-docker/blob/master/Dockerfile.tmpl) |
|
| [Caddy](https://github.com/caddyserver/caddy) | Reverse proxy (create a LetsEncrypt certificate automatically) | [caddy/caddy:2-alpine](https://hub.docker.com/_/caddy) | [Dockerfile](https://github.com/caddyserver/caddy-docker) |
|
||||||
| [SearXNG](https://github.com/searxng/searxng) | SearXNG by itself | [docker.io/searxng/searxng:latest](https://hub.docker.com/r/searxng/searxng) | [Dockerfile](https://github.com/searxng/searxng/blob/master/Dockerfile) |
|
| [Filtron](https://github.com/dalf/filtron) | Filtering reverse HTTP proxy, bot and abuse protection | [dalf/filtron:latest](https://hub.docker.com/r/dalf/filtron) | See [asciimoo/filtron#4](https://github.com/asciimoo/filtron/pull/4) |
|
||||||
| [Valkey](https://github.com/valkey-io/valkey) | In-memory database | [cgr.dev/chainguard/valkey:latest](https://cgr.dev/chainguard/valkey) | [Valkey-image](https://github.com/chainguard-images/images/tree/main/images/valkey) |
|
| [SearXNG](https://github.com/searxng/searxng) | SearXNG by itself | [searxng/searxng:latest](https://hub.docker.com/r/searxng/searxng) | [Dockerfile](https://github.com/searxng/searxng/blob/master/Dockerfile) |
|
||||||
|
| [Morty](https://github.com/dalf/morty) | Privacy aware web content sanitizer proxy as a service. | [dalf/morty:latest](https://hub.docker.com/r/dalf/morty) | [Dockerfile](https://github.com/dalf/morty/blob/master/Dockerfile) |
|
||||||
|
|
||||||
## How to use it
|
## How to use it
|
||||||
|
|
||||||
- [Install docker](https://docs.docker.com/install/)
|
- [Install docker](https://docs.docker.com/install/)
|
||||||
- Get searxng-docker
|
- [Install docker-compose](https://docs.docker.com/compose/install/) (be sure that docker-compose version is at least 1.9.0)
|
||||||
|
- only on MacOSX: ```brew install coreutils``` to install ```greadlink```
|
||||||
|
- Get searxng-docker:
|
||||||
```sh
|
```sh
|
||||||
cd /usr/local
|
cd /usr/local
|
||||||
git clone https://github.com/searxng/searxng-docker.git
|
git clone https://github.com/searxng/searxng-docker.git
|
||||||
cd searxng-docker
|
cd searxng-docker
|
||||||
```
|
```
|
||||||
- Edit the [.env](https://github.com/searxng/searxng-docker/blob/master/.env) file to set the hostname and an email
|
- Generate MORTY_KEY ```sed -i "s|ReplaceWithARealKey\!|$(openssl rand -base64 33)|g" .env```
|
||||||
- Generate the secret key `sed -i "s|ultrasecretkey|$(openssl rand -hex 32)|g" searxng/settings.yml`
|
- Edit the other settings in [.env](https://github.com/searxng/searxng-docker/blob/master/.env) file according to your need
|
||||||
- Edit the [searxng/settings.yml](https://github.com/searxng/searxng-docker/blob/master/searxng/settings.yml) file according to your need
|
- Check everything is working: ```./start.sh```
|
||||||
- Check everything is working: `docker compose up`
|
|
||||||
- Run SearXNG in the background: `docker compose up -d`
|
|
||||||
|
|
||||||
> [!WARNING]
|
|
||||||
> If you use an older version of docker desktop (`< 3.6.0`), you may have to install Docker Compose v1.
|
|
||||||
> Accordingly, you should modify the commands in this documentation to suit Docker Compose v1. For instance, change 'docker compose up' to 'docker-compose up'.
|
|
||||||
>
|
|
||||||
> [Install the docker-compose plugin](https://docs.docker.com/compose/install/#scenario-two-install-the-compose-plugin) (be sure that docker-compose version is at least 1.9.0)
|
|
||||||
|
|
||||||
## How to access the logs
|
|
||||||
|
|
||||||
To access the logs from all the containers use: `docker compose logs -f`.
|
|
||||||
|
|
||||||
To access the logs of one specific container:
|
|
||||||
|
|
||||||
- Caddy: `docker compose logs -f caddy`
|
|
||||||
- SearXNG: `docker compose logs -f searxng`
|
|
||||||
- Valkey: `docker compose logs -f redis`
|
|
||||||
|
|
||||||
### Start SearXNG with systemd
|
|
||||||
|
|
||||||
You can skip this step if you don't use systemd.
|
|
||||||
|
|
||||||
- ```cp searxng-docker.service.template searxng-docker.service```
|
- ```cp searxng-docker.service.template searxng-docker.service```
|
||||||
- edit the content of ```WorkingDirectory``` in the ```searxng-docker.service``` file (only if the installation path is different from /usr/local/searxng-docker)
|
- edit the content of ```WorkingDirectory``` in the ```searxng-docker.service``` file (only if the installation path is different from /usr/local/searxng-docker)
|
||||||
- Install the systemd unit:
|
- Install the systemd unit:
|
||||||
|
@ -55,34 +34,35 @@ You can skip this step if you don't use systemd.
|
||||||
|
|
||||||
## Note on the image proxy feature
|
## Note on the image proxy feature
|
||||||
|
|
||||||
The SearXNG image proxy is activated by default.
|
The SearXNG image proxy is activated by default using [Morty](https://github.com/dalf/morty).
|
||||||
|
|
||||||
The default [Content-Security-Policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy) allow the browser to access to ```${SEARXNG_HOSTNAME}``` and ```https://*.tile.openstreetmap.org;```.
|
The default [Content-Security-Policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy) allow the browser to access to {SEARXNG_HOSTNAME} and ```https://*.tile.openstreetmap.org;```.
|
||||||
|
|
||||||
If some users want to disable the image proxy, you have to modify [./Caddyfile](https://github.com/searxng/searxng-docker/blob/master/Caddyfile). Replace the ```img-src 'self' data: https://*.tile.openstreetmap.org;``` by ```img-src * data:;```.
|
If some users wants to disable the image proxy, you have to modify [./Caddyfile](https://github.com/searxng/searxng-docker/blob/master/Caddyfile). Replace the ```img-src 'self' data: https://*.tile.openstreetmap.org;``` by ```img-src * data:;```.
|
||||||
|
|
||||||
|
## Custom docker-compose.yaml
|
||||||
|
|
||||||
|
Do not modify docker-compose.yaml otherwise you won't be able to update easily from the git repository.
|
||||||
|
|
||||||
|
It is possible to use the [extend feature](https://docs.docker.com/compose/extends/) of docker-compose:
|
||||||
|
- stop the service: ```systemctl stop searxng-docker.service```
|
||||||
|
- create a new docker-compose-extend.yaml, check with ```start.sh```
|
||||||
|
- update searxng-docker.service (see SEARXNG_DOCKERCOMPOSEFILE)
|
||||||
|
- restart the service: ```systemctl restart searxng-docker.service```
|
||||||
|
|
||||||
## Multi Architecture Docker images
|
## Multi Architecture Docker images
|
||||||
|
|
||||||
Supported architecture:
|
For now only the amd64 platform is supported.
|
||||||
|
|
||||||
- amd64
|
|
||||||
- arm64
|
|
||||||
- arm/v7
|
|
||||||
|
|
||||||
## How to update ?
|
## How to update ?
|
||||||
|
|
||||||
To update the SearXNG stack:
|
Check the content of [```update.sh```](https://github.com/searxng/searxng-docker/blob/master/update.sh).
|
||||||
|
|
||||||
```sh
|
## Access to the Filtron API
|
||||||
git pull
|
|
||||||
docker compose pull
|
The [Filtron API](https://github.com/dalf/filtron#api) is available on ```http://localhost:4041```.
|
||||||
docker compose up -d
|
|
||||||
|
For example, to display the loaded rules:
|
||||||
```
|
```
|
||||||
|
curl http://localhost:4041/rules | jq
|
||||||
Or the old way (with the old docker-compose version):
|
|
||||||
|
|
||||||
```sh
|
|
||||||
git pull
|
|
||||||
docker-compose pull
|
|
||||||
docker-compose up -d
|
|
||||||
```
|
```
|
||||||
|
|
|
@ -1,77 +1,86 @@
|
||||||
version: "3.7"
|
version: '3.7'
|
||||||
|
|
||||||
services:
|
services:
|
||||||
|
|
||||||
caddy:
|
caddy:
|
||||||
container_name: caddy
|
container_name: caddy
|
||||||
image: docker.io/library/caddy:2-alpine
|
image: caddy:2-alpine
|
||||||
|
restart: on-failure
|
||||||
network_mode: host
|
network_mode: host
|
||||||
restart: unless-stopped
|
|
||||||
volumes:
|
volumes:
|
||||||
- ./Caddyfile:/etc/caddy/Caddyfile:ro
|
- ./Caddyfile:/etc/caddy/Caddyfile:ro
|
||||||
- caddy-data:/data:rw
|
- caddy-data:/data:rw
|
||||||
- caddy-config:/config:rw
|
- caddy-config:/config:rw
|
||||||
environment:
|
environment:
|
||||||
- SEARXNG_HOSTNAME=${SEARXNG_HOSTNAME:-http://localhost:80}
|
- SEARXNG_HOSTNAME=${SEARXNG_HOSTNAME:-localhost}
|
||||||
- SEARXNG_TLS=${LETSENCRYPT_EMAIL:-internal}
|
- SEARXNG_TLS=${LETSENCRYPT_EMAIL:-internal}
|
||||||
cap_drop:
|
cap_drop:
|
||||||
- ALL
|
- ALL
|
||||||
cap_add:
|
cap_add:
|
||||||
- NET_BIND_SERVICE
|
- NET_BIND_SERVICE
|
||||||
logging:
|
- DAC_OVERRIDE
|
||||||
driver: "json-file"
|
|
||||||
options:
|
|
||||||
max-size: "1m"
|
|
||||||
max-file: "1"
|
|
||||||
|
|
||||||
redis:
|
filtron:
|
||||||
container_name: redis
|
container_name: filtron
|
||||||
image: cgr.dev/chainguard/valkey:latest
|
image: dalf/filtron
|
||||||
command: --save 30 1 --loglevel warning
|
restart: always
|
||||||
restart: unless-stopped
|
ports:
|
||||||
|
- "127.0.0.1:4040:4040"
|
||||||
|
- "127.0.0.1:4041:4041"
|
||||||
networks:
|
networks:
|
||||||
- searxng
|
- searxng
|
||||||
|
command: -listen 0.0.0.0:4040 -api 0.0.0.0:4041 -target searxng:8080
|
||||||
volumes:
|
volumes:
|
||||||
- valkey-data:/data
|
- ./rules.json:/etc/filtron/rules.json:rw
|
||||||
|
read_only: true
|
||||||
cap_drop:
|
cap_drop:
|
||||||
- ALL
|
- ALL
|
||||||
cap_add:
|
|
||||||
- SETGID
|
|
||||||
- SETUID
|
|
||||||
- DAC_OVERRIDE
|
|
||||||
logging:
|
|
||||||
driver: "json-file"
|
|
||||||
options:
|
|
||||||
max-size: "1m"
|
|
||||||
max-file: "1"
|
|
||||||
|
|
||||||
searxng:
|
searxng:
|
||||||
container_name: searxng
|
container_name: searxng
|
||||||
image: docker.io/fauli1221/ponysearch:latest
|
image: searxng/searxng:latest
|
||||||
restart: unless-stopped
|
restart: always
|
||||||
networks:
|
networks:
|
||||||
- searxng
|
- searxng
|
||||||
ports:
|
command: ${SEARXNG_COMMAND:-}
|
||||||
- "127.0.0.1:8080:8080"
|
|
||||||
volumes:
|
volumes:
|
||||||
- ./searxng:/etc/searxng:rw
|
- ./searxng:/etc/searxng:rw
|
||||||
environment:
|
environment:
|
||||||
- SEARXNG_BASE_URL=https://${SEARXNG_HOSTNAME:-localhost}/
|
- BIND_ADDRESS=0.0.0.0:8080
|
||||||
|
- BASE_URL=https://${SEARXNG_HOSTNAME:-localhost}/
|
||||||
|
- MORTY_URL=https://${SEARXNG_HOSTNAME:-localhost}/morty/
|
||||||
|
- MORTY_KEY=${MORTY_KEY}
|
||||||
cap_drop:
|
cap_drop:
|
||||||
- ALL
|
- ALL
|
||||||
cap_add:
|
cap_add:
|
||||||
- CHOWN
|
- CHOWN
|
||||||
- SETGID
|
- SETGID
|
||||||
- SETUID
|
- SETUID
|
||||||
|
- DAC_OVERRIDE
|
||||||
|
|
||||||
|
morty:
|
||||||
|
container_name: morty
|
||||||
|
image: dalf/morty
|
||||||
|
restart: always
|
||||||
|
ports:
|
||||||
|
- "127.0.0.1:3000:3000"
|
||||||
|
networks:
|
||||||
|
- searxng
|
||||||
|
command: -timeout 6 -ipv6
|
||||||
|
environment:
|
||||||
|
- MORTY_KEY=${MORTY_KEY}
|
||||||
|
- MORTY_ADDRESS=0.0.0.0:3000
|
||||||
logging:
|
logging:
|
||||||
driver: "json-file"
|
driver: none
|
||||||
options:
|
read_only: true
|
||||||
max-size: "1m"
|
cap_drop:
|
||||||
max-file: "1"
|
- ALL
|
||||||
|
|
||||||
networks:
|
networks:
|
||||||
searxng:
|
searxng:
|
||||||
|
ipam:
|
||||||
|
driver: default
|
||||||
|
|
||||||
volumes:
|
volumes:
|
||||||
caddy-data:
|
caddy-data:
|
||||||
caddy-config:
|
caddy-config:
|
||||||
valkey-data:
|
|
||||||
|
|
147
rules.json
Normal file
147
rules.json
Normal file
|
@ -0,0 +1,147 @@
|
||||||
|
[
|
||||||
|
{
|
||||||
|
"name": "searx.space",
|
||||||
|
"filters": ["Header:X-Forwarded-For=nslookup(check.searx.space)"],
|
||||||
|
"stop": true,
|
||||||
|
"actions": [{ "name": "log"}]
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"name": "IP limit, all paths",
|
||||||
|
"interval": 3,
|
||||||
|
"limit": 25,
|
||||||
|
"aggregations": ["Header:X-Forwarded-For"],
|
||||||
|
"actions": [
|
||||||
|
{"name": "block",
|
||||||
|
"params": {"message": "Rate limit exceeded, try again later."}}
|
||||||
|
]
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"name": "useragent limit, all paths",
|
||||||
|
"interval": 30,
|
||||||
|
"limit": 200,
|
||||||
|
"aggregations": ["Header:X-Forwarded-For", "Header:User-Agent"],
|
||||||
|
"stop": true,
|
||||||
|
"actions": [
|
||||||
|
{"name": "block",
|
||||||
|
"params": {"message": "Rate limit exceeded, try again later."}}
|
||||||
|
]
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"name": "search request",
|
||||||
|
"filters": ["Param:q", "Path=^(/|/search)$"],
|
||||||
|
"subrules": [
|
||||||
|
{
|
||||||
|
"name": "allow Firefox Android (issue #48 and #60)",
|
||||||
|
"filters": [
|
||||||
|
"Param:q=^1$",
|
||||||
|
"Header:User-Agent=(^MozacFetch/[0-9]{2,3}.[0-9].[0-9]+$|^Mozilla/5.0 \\(Android [0-9]{1,2}(.[0-9]{1,2}.[0-9]{1,2})?; Mobile; rv:[0-9]{2,3}.[0-9]\\) Gecko/[0-9]{2,3}.[0-9] Firefox/[0-9]{2,3}.[0-9]$)"
|
||||||
|
],
|
||||||
|
"stop": true,
|
||||||
|
"actions": [{"name": "log"}]
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"name": "robot agent forbidden",
|
||||||
|
"limit": 0,
|
||||||
|
"stop": true,
|
||||||
|
"filters": ["Header:User-Agent=([Cc][Uu][Rr][Ll]|[wW]get|Scrapy|splash|JavaFX|FeedFetcher|python-requests|Go-http-client|Java|Jakarta|okhttp|HttpClient|Jersey|Python|libwww-perl|Ruby|SynHttpClient|UniversalFeedParser)"],
|
||||||
|
"actions": [
|
||||||
|
{"name": "block",
|
||||||
|
"params": {"message": "Rate limit exceeded"}}
|
||||||
|
]
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"name": "bot forbidden",
|
||||||
|
"limit": 0,
|
||||||
|
"stop": true,
|
||||||
|
"filters": ["Header:User-Agent=(Googlebot|GoogleImageProxy|bingbot|Baiduspider|yacybot|YandexMobileBot|YandexBot|Yahoo! Slurp|MJ12bot|AhrefsBot|archive.org_bot|msnbot|MJ12bot|SeznamBot|linkdexbot|Netvibes|SMTBot|zgrab|James BOT|Sogou|Abonti|Pixray|Spinn3r|SemrushBot|Exabot|ZmEu|BLEXBot|bitlybot)"],
|
||||||
|
"actions": [
|
||||||
|
{"name": "block",
|
||||||
|
"params": {"message": "Rate limit exceeded"}}
|
||||||
|
]
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"name": "block missing accept-language",
|
||||||
|
"filters": ["!Header:Accept-Language"],
|
||||||
|
"limit": 0,
|
||||||
|
"stop": true,
|
||||||
|
"actions": [
|
||||||
|
{"name": "block",
|
||||||
|
"params": {"message": "Rate limit exceeded"}}
|
||||||
|
]
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"name": "block Connection:close",
|
||||||
|
"filters": ["Header:Connection=close"],
|
||||||
|
"limit": 0,
|
||||||
|
"stop": true,
|
||||||
|
"actions": [
|
||||||
|
{"name": "block",
|
||||||
|
"params": {"message": "Rate limit exceeded"}}
|
||||||
|
]
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"name": "block no gzip support",
|
||||||
|
"filters": ["!Header:Accept-Encoding=(^gzip$|^gzip[;,]|[; ]gzip$|[; ]gzip[;,])"],
|
||||||
|
"limit": 0,
|
||||||
|
"stop": true,
|
||||||
|
"actions": [
|
||||||
|
{"name": "block",
|
||||||
|
"params": {"message": "Rate limit exceeded"}}
|
||||||
|
]
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"name": "block no deflate support",
|
||||||
|
"filters": ["!Header:Accept-Encoding=(^deflate$|^deflate[;,]|[; ]deflate$|[; ]deflate[;,])"],
|
||||||
|
"limit": 0,
|
||||||
|
"stop": true,
|
||||||
|
"actions": [
|
||||||
|
{"name": "block",
|
||||||
|
"params": {"message": "Rate limit exceeded"}}
|
||||||
|
]
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"name": "block accept everything",
|
||||||
|
"filters": ["!Header:Accept=text/html"],
|
||||||
|
"limit": 0,
|
||||||
|
"stop": true,
|
||||||
|
"actions": [
|
||||||
|
{"name": "block",
|
||||||
|
"params": {"message": "Rate limit exceeded"}}
|
||||||
|
]
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"name": "rss/json limit",
|
||||||
|
"interval": 3600,
|
||||||
|
"limit": 4,
|
||||||
|
"stop": true,
|
||||||
|
"filters": ["Param:format=(csv|json|rss)"],
|
||||||
|
"aggregations": ["Header:X-Forwarded-For"],
|
||||||
|
"actions": [
|
||||||
|
{"name": "block",
|
||||||
|
"params": {"message": "Rate limit exceeded, try again later."}}
|
||||||
|
]
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"name": "IP limit",
|
||||||
|
"interval": 3,
|
||||||
|
"limit": 3,
|
||||||
|
"aggregations": ["Header:X-Forwarded-For"],
|
||||||
|
"actions": [
|
||||||
|
{"name": "block",
|
||||||
|
"params": {"message": "Rate limit exceeded, try again later."}}
|
||||||
|
]
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"name": "IP and useragent limit",
|
||||||
|
"interval": 600,
|
||||||
|
"limit": 60,
|
||||||
|
"stop": true,
|
||||||
|
"aggregations": ["Header:X-Forwarded-For", "Header:User-Agent"],
|
||||||
|
"actions": [
|
||||||
|
{"name": "block",
|
||||||
|
"params": {"message": "Rate limit exceeded, try again later."}}
|
||||||
|
]
|
||||||
|
}
|
||||||
|
]
|
||||||
|
}
|
||||||
|
]
|
|
@ -4,13 +4,13 @@ Requires=docker.service
|
||||||
After=docker.service
|
After=docker.service
|
||||||
|
|
||||||
[Service]
|
[Service]
|
||||||
Restart=on-failure
|
Restart=always
|
||||||
|
|
||||||
|
Environment=SEARXNG_DIR=/usr/local/searxng-docker
|
||||||
Environment=SEARXNG_DOCKERCOMPOSEFILE=docker-compose.yaml
|
Environment=SEARXNG_DOCKERCOMPOSEFILE=docker-compose.yaml
|
||||||
|
|
||||||
WorkingDirectory=/usr/local/searxng-docker
|
ExecStart=/bin/sh -c "${SEARXNG_DIR}/start.sh"
|
||||||
ExecStart=/usr/local/bin/docker compose -f ${SEARXNG_DOCKERCOMPOSEFILE} up --remove-orphans
|
ExecStop=/bin/sh -c "${SEARXNG_DIR}/stop.sh"
|
||||||
ExecStop=/usr/local/bin/docker compose -f ${SEARXNG_DOCKERCOMPOSEFILE} down
|
|
||||||
|
|
||||||
[Install]
|
[Install]
|
||||||
WantedBy=multi-user.target
|
WantedBy=multi-user.target
|
||||||
|
|
|
@ -1,6 +0,0 @@
|
||||||
# This configuration file updates the default configuration file
|
|
||||||
# See https://github.com/searxng/searxng/blob/master/searx/botdetection/limiter.toml
|
|
||||||
|
|
||||||
[botdetection.ip_limit]
|
|
||||||
# activate link_token method in the ip_limit method
|
|
||||||
link_token = true
|
|
|
@ -1,11 +0,0 @@
|
||||||
# see https://docs.searxng.org/admin/settings/settings.html#settings-use-default-settings
|
|
||||||
use_default_settings: true
|
|
||||||
server:
|
|
||||||
# base_url is defined in the SEARXNG_BASE_URL environment variable, see .env and docker-compose.yml
|
|
||||||
secret_key: "ultrasecretkey" # change this!
|
|
||||||
limiter: true # can be disabled for a private instance
|
|
||||||
image_proxy: true
|
|
||||||
ui:
|
|
||||||
static_use_hash: true
|
|
||||||
redis:
|
|
||||||
url: redis://redis:6379/0
|
|
11
start.sh
Executable file
11
start.sh
Executable file
|
@ -0,0 +1,11 @@
|
||||||
|
#!/bin/sh
|
||||||
|
|
||||||
|
READLINK="$(which readlink greadlink | tail -n1)"
|
||||||
|
BASE_DIR="$(dirname -- "`$READLINK -f -- "$0"`")"
|
||||||
|
cd -- "$BASE_DIR"
|
||||||
|
|
||||||
|
. ./util.sh
|
||||||
|
|
||||||
|
$DOCKERCOMPOSE -f $DOCKERCOMPOSEFILE down
|
||||||
|
$DOCKERCOMPOSE -f $DOCKERCOMPOSEFILE rm -fv
|
||||||
|
$DOCKERCOMPOSE -f $DOCKERCOMPOSEFILE up
|
9
stop.sh
Executable file
9
stop.sh
Executable file
|
@ -0,0 +1,9 @@
|
||||||
|
#!/bin/sh
|
||||||
|
|
||||||
|
READLINK="$(which readlink greadlink | tail -n1)"
|
||||||
|
BASE_DIR="$(dirname -- "`$READLINK -f -- "$0"`")"
|
||||||
|
cd -- "$BASE_DIR"
|
||||||
|
|
||||||
|
. ./util.sh
|
||||||
|
|
||||||
|
$DOCKERCOMPOSE -f $DOCKERCOMPOSEFILE down
|
93
update.sh
Executable file
93
update.sh
Executable file
|
@ -0,0 +1,93 @@
|
||||||
|
#!/bin/sh
|
||||||
|
#
|
||||||
|
# Disclaimer: this is more a documentation than code to execute
|
||||||
|
#
|
||||||
|
|
||||||
|
# change if require
|
||||||
|
SERVICE_NAME="searxng-docker.service"
|
||||||
|
|
||||||
|
# change if require :
|
||||||
|
# fastforward : only fast-forward
|
||||||
|
# rebase : rebase with autostash, at your own risk
|
||||||
|
UPDATE_TYPE="fastforward"
|
||||||
|
|
||||||
|
READLINK="$(which readlink greadlink | tail -n1)"
|
||||||
|
BASE_DIR="$(dirname -- "`$READLINK -f -- "$0"`")"
|
||||||
|
cd -- "$BASE_DIR"
|
||||||
|
|
||||||
|
# check if git presence
|
||||||
|
if [ ! -x "$(which git)" ]; then
|
||||||
|
echo "git not found" 1>&2
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
# check if the current user owns the local git repository
|
||||||
|
git_owner=$(stat -c '%U' .git)
|
||||||
|
if [ "$git_owner" != "$(whoami)" ]; then
|
||||||
|
echo "The .git repository is own by $git_owner" 1>&2
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
# warning if the current branch is not master
|
||||||
|
current_branch=$(git rev-parse --abbrev-ref HEAD)
|
||||||
|
if [ "$current_branch" != "master" ]; then
|
||||||
|
echo "Warning: master won't be updated, only $current_branch"
|
||||||
|
fi
|
||||||
|
|
||||||
|
# git fetch first
|
||||||
|
git fetch origin master
|
||||||
|
|
||||||
|
# is everything already up-to-date ?
|
||||||
|
current_commit=$(git rev-parse $current_branch)
|
||||||
|
origin_master_commit=$(git rev-parse origin/master)
|
||||||
|
if [ "$current_commit" = "$origin_master_commit" ]; then
|
||||||
|
echo "Already up-to-date, commit $current_commit"
|
||||||
|
exit 0
|
||||||
|
fi
|
||||||
|
|
||||||
|
# docker stuff
|
||||||
|
SEARXNG_DOCKERCOMPOSE=$(grep "Environment=SEARXNG_DOCKERCOMPOSEFILE=" "$SERVICE_NAME" | awk -F\= '{ print $3 }')
|
||||||
|
. ./util.sh
|
||||||
|
|
||||||
|
if [ ! -x "$(which systemctl)" ]; then
|
||||||
|
echo "systemctl not found" 1>&2
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
# stop the systemd service now, because after the update
|
||||||
|
# the code might be out of sync with the current running services
|
||||||
|
systemctl stop "${SERVICE_NAME}"
|
||||||
|
|
||||||
|
# update
|
||||||
|
case "$UPDATE_TYPE" in
|
||||||
|
"fastforward")
|
||||||
|
git pull --ff-only origin master
|
||||||
|
;;
|
||||||
|
"rebase")
|
||||||
|
git pull --rebase --autostash origin master
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
|
||||||
|
# Check conflicts
|
||||||
|
if [ $(git ls-files -u | wc -l) -gt 0 ]; then
|
||||||
|
echo "There are git conflicts"
|
||||||
|
else
|
||||||
|
# update docker images
|
||||||
|
docker-compose -f $DOCKERCOMPOSEFILE pull
|
||||||
|
|
||||||
|
# remove dangling images
|
||||||
|
docker rmi $(docker images -f "dangling=true" -q)
|
||||||
|
|
||||||
|
# display SearxNG version
|
||||||
|
SEARXNG_IMAGE=$(cat $DOCKERCOMPOSEFILE | grep "searxng/searxng" | awk '{ print $2 }')
|
||||||
|
SEARXNG_VERSION=$(docker inspect -f '{{index .Config.Labels "org.label-schema.version"}}' $SEARXNG_IMAGE)
|
||||||
|
echo "SearXNG version: $SEARXNG_VERSION"
|
||||||
|
docker images --digests "searxng/*:latest"
|
||||||
|
|
||||||
|
# update SearxNG configuration
|
||||||
|
source ./.env
|
||||||
|
docker-compose -f $DOCKERCOMPOSEFILE run searxng ${SEARXNG_COMMAND} -d
|
||||||
|
|
||||||
|
# let the user see
|
||||||
|
echo "Use\nsystemctl start \"${SERVICE_NAME}\"\nto restart SearXNG"
|
||||||
|
fi
|
26
util.sh
Normal file
26
util.sh
Normal file
|
@ -0,0 +1,26 @@
|
||||||
|
set -e
|
||||||
|
|
||||||
|
DOCKERCOMPOSE=$(which docker-compose || echo "/usr/local/bin/docker-compose")
|
||||||
|
DOCKERCOMPOSEFILE="${DOCKERCOMPOSEFILE:-docker-compose.yaml}"
|
||||||
|
|
||||||
|
echo "use ${DOCKERCOMPOSEFILE}"
|
||||||
|
|
||||||
|
if [ ! -x "$(which docker)" ]; then
|
||||||
|
echo "docker not found" 1>&2
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
if ! docker version > /dev/null 2>&1; then
|
||||||
|
echo "can't execute docker (current user: $(whoami))" 1>&2
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [ ! -x "${DOCKERCOMPOSE}" ]; then
|
||||||
|
echo "docker-compose not found" 1>&2
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [ ! -f "${DOCKERCOMPOSEFILE}" ]; then
|
||||||
|
echo "${DOCKERCOMPOSEFILE} not found" 1>&2
|
||||||
|
exit 1
|
||||||
|
fi
|
Loading…
Reference in a new issue