searxng-docker/Caddyfile

{
	admin off

	log {
		output stderr
		format filter {
			# Preserves fist 8 bits from IPv4 and 32 bits from IPv6
			request>remote_ip ip_mask 8 32
			request>client_ip ip_mask 8 32

			# Remove identificable information
			request>remote_port delete
			request>headers delete
			request>uri query {
				delete url
				delete h
				delete q
			}
		}
	}
}

{$SEARXNG_HOSTNAME:http://localhost}

tls {$SEARXNG_TLS:internal}

@api {
	path /config
	path /healthz
	path /stats/errors
	path /stats/checker
}

@static {
	path /static/*
}

@imageproxy {
	path /image_proxy
}

header {
	# Force clients to use HTTPS
	Strict-Transport-Security "max-age=31536000"

	# Prevent MIME type sniffing from the declared Content-Type
	X-Content-Type-Options "nosniff"

	# Disable some browser features
	Permissions-Policy "accelerometer=(),ambient-light-sensor=(),autoplay=(),battery=(),camera=(),cross-origin-isolated=(),display-capture=(self),document-domain=(),encrypted-media=(),execution-while-not-rendered=(),execution-while-out-of-viewport=(),fullscreen=(self),geolocation=(),gyroscope=(),keyboard-map=(self),magnetometer=(),microphone=(),midi=(),navigation-override=(self),payment=(),picture-in-picture=(),publickey-credentials-get=(),screen-wake-lock=(),sync-xhr=(),usb=(),web-share=(),xr-spatial-tracking=()"

	# Set referrer policy
	Referrer-Policy "no-referrer"

	# X-Robots-Tag (comment to allow site indexing)
	X-Robots-Tag "noindex, noarchive, nofollow"

	# Remove "Server" header
	-Server
}

header @api {
	Access-Control-Allow-Methods "GET, OPTIONS"
	Access-Control-Allow-Origin "*"
}

route {
	# Caching
	header Cache-Control "no-cache, no-store"
	header @static Cache-Control "public, max-age=31536000"

	# CSP (https://content-security-policy.com)
	header Content-Security-Policy "upgrade-insecure-requests; default-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'; form-action 'self' https://github.com/searxng/searxng/issues/new; font-src 'self'; frame-ancestors 'self'; base-uri 'self'; connect-src 'self' https://overpass-api.de; img-src 'self' data: https://*.tile.openstreetmap.org; frame-src https://www.youtube-nocookie.com https://player.vimeo.com https://www.dailymotion.com https://www.deezer.com https://www.mixcloud.com https://w.soundcloud.com https://embed.spotify.com"
	header @imageproxy Content-Security-Policy "default-src 'none'; img-src 'self' data:"
}

# SearXNG (uWSGI)
reverse_proxy localhost:8080 {
	header_up X-Forwarded-Port {http.request.port}
	header_up X-Real-IP {http.request.remote.host}

	# https://github.com/searx/searx-docker/issues/24
	header_up Connection "close"
}
[mod] upgrade to Caddy v2 (#44) * Use docker image caddy:2-alpine * Caddyfile: remove "limits 10KB" * Caddyfile: URL /filtron/rules removes (filtron API still availabled on http://localhost:4041/rules ) * caddy storage are docker volumes (caddy-data and caddy-config). start.sh and stop.sh have been modified to keep these volumes. * .env: Remove SEARX_PROTOCOL, SEARX_TLS, FILTRON_USER and FILTRON_PASSWORD variables. * docker-compose.yml: filtron and morty listen on 127.0.0.1 (related to #38) * Fix #37: settings ```SEARX_HOSTNAME=localhost:8888``` works as expected (https connection) 2020-07-13 06:12:32 +00:00			`{`
rework Caddyfile 2024-08-06 10:50:09 +00:00			`admin off`

			`log {`
			`output stderr`
			`format filter {`
			`# Preserves fist 8 bits from IPv4 and 32 bits from IPv6`
			`request>remote_ip ip_mask 8 32`
			`request>client_ip ip_mask 8 32`

			`# Remove identificable information`
			`request>remote_port delete`
			`request>headers delete`
			`request>uri query {`
			`delete url`
			`delete h`
			`delete q`
			`}`
			`}`
			`}`
[mod] upgrade to Caddy v2 (#44) * Use docker image caddy:2-alpine * Caddyfile: remove "limits 10KB" * Caddyfile: URL /filtron/rules removes (filtron API still availabled on http://localhost:4041/rules ) * caddy storage are docker volumes (caddy-data and caddy-config). start.sh and stop.sh have been modified to keep these volumes. * .env: Remove SEARX_PROTOCOL, SEARX_TLS, FILTRON_USER and FILTRON_PASSWORD variables. * docker-compose.yml: filtron and morty listen on 127.0.0.1 (related to #38) * Fix #37: settings ```SEARX_HOSTNAME=localhost:8888``` works as expected (https connection) 2020-07-13 06:12:32 +00:00			`}`

rework Caddyfile 2024-08-06 10:50:09 +00:00			`{$SEARXNG_HOSTNAME:http://localhost}`
[mod] upgrade to Caddy v2 (#44) * Use docker image caddy:2-alpine * Caddyfile: remove "limits 10KB" * Caddyfile: URL /filtron/rules removes (filtron API still availabled on http://localhost:4041/rules ) * caddy storage are docker volumes (caddy-data and caddy-config). start.sh and stop.sh have been modified to keep these volumes. * .env: Remove SEARX_PROTOCOL, SEARX_TLS, FILTRON_USER and FILTRON_PASSWORD variables. * docker-compose.yml: filtron and morty listen on 127.0.0.1 (related to #38) * Fix #37: settings ```SEARX_HOSTNAME=localhost:8888``` works as expected (https connection) 2020-07-13 06:12:32 +00:00
rework Caddyfile 2024-08-06 10:50:09 +00:00			`tls {$SEARXNG_TLS:internal}`
[mod] upgrade to Caddy v2 (#44) * Use docker image caddy:2-alpine * Caddyfile: remove "limits 10KB" * Caddyfile: URL /filtron/rules removes (filtron API still availabled on http://localhost:4041/rules ) * caddy storage are docker volumes (caddy-data and caddy-config). start.sh and stop.sh have been modified to keep these volumes. * .env: Remove SEARX_PROTOCOL, SEARX_TLS, FILTRON_USER and FILTRON_PASSWORD variables. * docker-compose.yml: filtron and morty listen on 127.0.0.1 (related to #38) * Fix #37: settings ```SEARX_HOSTNAME=localhost:8888``` works as expected (https connection) 2020-07-13 06:12:32 +00:00
rework Caddyfile 2024-08-06 10:50:09 +00:00			`@api {`
			`path /config`
			`path /healthz`
			`path /stats/errors`
			`path /stats/checker`
			`}`
Initial commit 2019-07-01 14:26:12 +00:00
rework Caddyfile 2024-08-06 10:50:09 +00:00			`@static {`
			`path /static/*`
			`}`
Add Permissions-Policy HTTP header to Caddyfile 2021-05-26 14:00:29 +00:00
rework Caddyfile 2024-08-06 10:50:09 +00:00			`@imageproxy {`
			`path /image_proxy`
			`}`
Initial commit 2019-07-01 14:26:12 +00:00
rework Caddyfile 2024-08-06 10:50:09 +00:00			`header {`
			`# Force clients to use HTTPS`
			`Strict-Transport-Security "max-age=31536000"`
Initial commit 2019-07-01 14:26:12 +00:00
rework Caddyfile 2024-08-06 10:50:09 +00:00			`# Prevent MIME type sniffing from the declared Content-Type`
			`X-Content-Type-Options "nosniff"`
Add filtron (configuration not done / checked) Drop capabilities 2019-07-06 12:54:05 +00:00
rework Caddyfile 2024-08-06 10:50:09 +00:00			`# Disable some browser features`
			Permissions-Policy "accelerometer=(),ambient-light-sensor=(),autoplay=(),battery=(),camera=(),cross-origin-isolated=(),display-capture=(self),document-domain=(),encrypted-media=(),execution-while-not-rendered=(),execution-while-out-of-viewport=(),fullscreen=(self),geolocation=(),gyroscope=(),keyboard-map=(self),magnetometer=(),microphone=(),midi=(),navigation-override=(self),payment=(),picture-in-picture=(),publickey-credentials-get=(),screen-wake-lock=(),sync-xhr=(),usb=(),web-share=(),xr-spatial-tracking=()"
Initial commit 2019-07-01 14:26:12 +00:00
rework Caddyfile 2024-08-06 10:50:09 +00:00			`# Set referrer policy`
			`Referrer-Policy "no-referrer"`
Update Content-Security-Policy header 2019-07-11 15:15:49 +00:00
rework Caddyfile 2024-08-06 10:50:09 +00:00			`# X-Robots-Tag (comment to allow site indexing)`
			`X-Robots-Tag "noindex, noarchive, nofollow"`
Mainly add searx/searx-checker - Add searx/searx-checker image with automatic check everyday. Result https://${HOSTNAME}/status - Cache /static files - Add start.sh, stop.sh, update.sh 2019-07-09 16:05:05 +00:00
rework Caddyfile 2024-08-06 10:50:09 +00:00			`# Remove "Server" header`
			`-Server`
			`}`
Mainly add searx/searx-checker - Add searx/searx-checker image with automatic check everyday. Result https://${HOSTNAME}/status - Cache /static files - Add start.sh, stop.sh, update.sh 2019-07-09 16:05:05 +00:00
rework Caddyfile 2024-08-06 10:50:09 +00:00			`header @api {`
			`Access-Control-Allow-Methods "GET, OPTIONS"`
			`Access-Control-Allow-Origin "*"`
			`}`
Update Caddyfile - Access-Control-Allow-Origin "*" only for /status, /config - Add Strict-Transport-Security - Modify Content-Security-Policy to allow https://www.deezer.com https://www.mixcloud.com https://w.soundcloud.com https://embed.spotify.com - Limit request header/body to 10kb 2019-07-13 08:59:07 +00:00
rework Caddyfile 2024-08-06 10:50:09 +00:00			`route {`
			`# Caching`
			`header Cache-Control "no-cache, no-store"`
fix missing "public" directive 2024-08-06 11:12:30 +00:00			`header @static Cache-Control "public, max-age=31536000"`
Initial commit 2019-07-01 14:26:12 +00:00
rework Caddyfile 2024-08-06 10:50:09 +00:00			`# CSP (https://content-security-policy.com)`
			header Content-Security-Policy "upgrade-insecure-requests; default-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'; form-action 'self' https://github.com/searxng/searxng/issues/new; font-src 'self'; frame-ancestors 'self'; base-uri 'self'; connect-src 'self' https://overpass-api.de; img-src 'self' data: https://*.tile.openstreetmap.org; frame-src https://www.youtube-nocookie.com https://player.vimeo.com https://www.dailymotion.com https://www.deezer.com https://www.mixcloud.com https://w.soundcloud.com https://embed.spotify.com"
			`header @imageproxy Content-Security-Policy "default-src 'none'; img-src 'self' data:"`
			`}`
[mod] upgrade to Caddy v2 (#44) * Use docker image caddy:2-alpine * Caddyfile: remove "limits 10KB" * Caddyfile: URL /filtron/rules removes (filtron API still availabled on http://localhost:4041/rules ) * caddy storage are docker volumes (caddy-data and caddy-config). start.sh and stop.sh have been modified to keep these volumes. * .env: Remove SEARX_PROTOCOL, SEARX_TLS, FILTRON_USER and FILTRON_PASSWORD variables. * docker-compose.yml: filtron and morty listen on 127.0.0.1 (related to #38) * Fix #37: settings ```SEARX_HOSTNAME=localhost:8888``` works as expected (https connection) 2020-07-13 06:12:32 +00:00
rework Caddyfile 2024-08-06 10:50:09 +00:00			`# SearXNG (uWSGI)`
			`reverse_proxy localhost:8080 {`
			`header_up X-Forwarded-Port {http.request.port}`
			`header_up X-Real-IP {http.request.remote.host}`
Mainly add searx/searx-checker - Add searx/searx-checker image with automatic check everyday. Result https://${HOSTNAME}/status - Cache /static files - Add start.sh, stop.sh, update.sh 2019-07-09 16:05:05 +00:00
rework Caddyfile 2024-08-06 10:50:09 +00:00			`# https://github.com/searx/searx-docker/issues/24`
			`header_up Connection "close"`
Initial commit 2019-07-01 14:26:12 +00:00			`}`