Rework Caddyfile (#255)

* rework Caddyfile

* fix missing "public" directive

* features cleanup

Since this header is attached to each outgoing request the overall size is slightly increased by 300 bytes, we don't care if the site is allowed to play media in the background, so with the vast majority of features that have been added (and those that were already present)

* restore encode directive

Caddyserver actually did passthrough the precompressed resources served by uWSGI (Oops)

* merge upstream changes

* fix typo

---------

Co-authored-by: Émilien (perso) <4016501+unixfox@users.noreply.github.com>

Caddyfile

@@ -1,13 +1,30 @@
 {
 	admin off
-}
 
-{$SEARXNG_HOSTNAME} {
 	log {
-        output discard
+		output stderr
+		format filter {
+			# Preserves first 8 bits from IPv4 and 32 bits from IPv6
+			request>remote_ip ip_mask 8 32
+			request>client_ip ip_mask 8 32
+
+			# Remove identificable information
+			request>remote_port delete
+			request>headers delete
+			request>uri query {
+				delete url
+				delete h
+				delete q
+			}
+		}
+	}
 }
 
-  tls {$SEARXNG_TLS}
+{$SEARXNG_HOSTNAME:http://localhost}
+
+tls {$SEARXNG_TLS:internal}
+
+encode zstd gzip
 
 @api {
 	path /config
@@ -16,45 +33,38 @@
 	path /stats/checker
 }
 
-  @static {
+@search {
-        path /static/*
+	path /search
-  }
-
-  @notstatic {
-        not path /static/*
 }
 
 @imageproxy {
 	path /image_proxy
 }
 
-  @notimageproxy {
+@static {
-        not path /image_proxy
+	path /static/*
 }
 
 header {
-        # Enable HTTP Strict Transport Security (HSTS) to force clients to always connect via HTTPS
+	# CSP (https://content-security-policy.com)
-        Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
+	Content-Security-Policy "upgrade-insecure-requests; default-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'; form-action 'self' https://github.com/searxng/searxng/issues/new; font-src 'self'; frame-ancestors 'self'; base-uri 'self'; connect-src 'self' https://overpass-api.de; img-src * data:; frame-src https://www.youtube-nocookie.com https://player.vimeo.com https://www.dailymotion.com https://www.deezer.com https://www.mixcloud.com https://w.soundcloud.com https://embed.spotify.com;"
 
-        # Enable cross-site filter (XSS) and tell browser to block detected attacks
+	# Disable some browser features
-        X-XSS-Protection "1; mode=block"
+	Permissions-Policy "accelerometer=(),camera=(),geolocation=(),gyroscope=(),magnetometer=(),microphone=(),payment=(),usb=()"
 
-        # Prevent some browsers from MIME-sniffing a response away from the declared Content-Type
+	# Set referrer policy
-        X-Content-Type-Options "nosniff"
-
-        # Disable some features
-        Permissions-Policy "accelerometer=(),ambient-light-sensor=(),autoplay=(),camera=(),encrypted-media=(),focus-without-user-activation=(),geolocation=(),gyroscope=(),magnetometer=(),microphone=(),midi=(),payment=(),picture-in-picture=(),speaker=(),sync-xhr=(),usb=(),vr=()"
-
-        # Disable some features (legacy)
-        Feature-Policy "accelerometer 'none';ambient-light-sensor 'none'; autoplay 'none';camera 'none';encrypted-media 'none';focus-without-user-activation 'none'; geolocation 'none';gyroscope 'none';magnetometer 'none';microphone 'none';midi 'none';payment 'none';picture-in-picture 'none'; speaker 'none';sync-xhr 'none';usb 'none';vr 'none'"
-
-        # Referer
 	Referrer-Policy "no-referrer"
 
-        # X-Robots-Tag
+	# Force clients to use HTTPS
+	Strict-Transport-Security "max-age=31536000"
+
+	# Prevent MIME type sniffing from the declared Content-Type
+	X-Content-Type-Options "nosniff"
+
+	# X-Robots-Tag (comment to allow site indexing)
 	X-Robots-Tag "noindex, noarchive, nofollow"
 
-        # Remove Server header
+	# Remove "Server" header
 	-Server
 }
 
@@ -63,37 +73,19 @@
 	Access-Control-Allow-Origin "*"
 }
 
-  # Cache
+route {
-  header @static {
+	# Cache policy
-        # Cache
+	header Cache-Control "max-age=0, no-store"
-        Cache-Control "public, max-age=31536000"
+	header @search Cache-Control "max-age=5, private"
-        defer
+	header @imageproxy Cache-Control "max-age=604800, public"
+	header @static Cache-Control "max-age=31536000, public, immutable"
 }
 
-  header @notstatic {
+# SearXNG (uWSGI)
-        # No Cache
-        Cache-Control "no-cache, no-store"
-        Pragma "no-cache"
-  }
-
-  # CSP (see http://content-security-policy.com/ )
-  header @imageproxy {
-        Content-Security-Policy "default-src 'none'; img-src 'self' data:"
-  }
-
-  header @notimageproxy {
-        Content-Security-Policy "upgrade-insecure-requests; default-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'; form-action 'self' https://github.com/searxng/searxng/issues/new; font-src 'self'; frame-ancestors 'self'; base-uri 'self'; connect-src 'self' https://overpass-api.de; img-src 'self' data: https://*.tile.openstreetmap.org; frame-src https://www.youtube-nocookie.com https://player.vimeo.com https://www.dailymotion.com https://www.deezer.com https://www.mixcloud.com https://w.soundcloud.com https://embed.spotify.com"
-  }
-
-  # SearXNG
-  handle {
-        encode zstd gzip
-
 reverse_proxy localhost:8080 {
 	header_up X-Forwarded-Port {http.request.port}
-               header_up X-Forwarded-Proto {http.request.scheme}
+	header_up X-Real-IP {http.request.remote.host}
-               header_up X-Real-IP {remote_host}
-        }
-  }
 
+	# https://github.com/searx/searx-docker/issues/24
+	header_up Connection "close"
 }

docker-compose.yaml

@@ -11,8 +11,7 @@ services:
       - caddy-data:/data:rw
       - caddy-config:/config:rw
     environment:
-      - SEARXNG_HOSTNAME=${SEARXNG_HOSTNAME:-http://localhost:80}
+      - SEARXNG_TLS=${LETSENCRYPT_EMAIL}
-      - SEARXNG_TLS=${LETSENCRYPT_EMAIL:-internal}
     cap_drop:
       - ALL
     cap_add: