[mod] upgrade to Caddy v2 (#44)

* Use docker image caddy:2-alpine
* Caddyfile: remove "limits 10KB"
* Caddyfile: the URL /filtron/rules is removed (the filtron API is still available on http://localhost:4041/rules )
* Caddy storage is kept in docker volumes (caddy-data and caddy-config). start.sh and stop.sh have been modified to keep these volumes.
* .env: Remove SEARX_PROTOCOL, SEARX_TLS, FILTRON_USER and FILTRON_PASSWORD variables.
* docker-compose.yml: filtron and morty listen on 127.0.0.1 (related to #38)

* Fix #37: settings ```SEARX_HOSTNAME=localhost:8888``` works as expected (https connection)
Alexandre Flament 2020-07-13 08:12:32 +02:00 committed by GitHub
parent 9947a18e4e
commit bdf5619765
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
6 changed files with 98 additions and 77 deletions

.env

@ -1,23 +1,14 @@
# hostname # By default listen on https://localhost
SEARX_HOSTNAME=localhost # To change this:
# * uncomment SEARX_HOSTNAME, and replace <host> by the searx hostname
# * uncomment LETSENCRYPT_EMAIL, and replace <email> by your email (require to create a Let's Encrypt certificate)
# comment both if SEARX_HOSTNAME is NOT localhost # SEARX_HOSTNAME=<host>
SEARX_PROTOCOL=https:// # LETSENCRYPT_EMAIL=<email>
SEARX_TLS=self_signed
# automatically update settings to the new version # automatically update settings to the new version
# comment this line if you made / will make some modifications to the settings # comment this line if you made / will make some modifications to the settings
SEARX_COMMAND=-f SEARX_COMMAND=-f
# Let's encrypt contact information
LETSENCRYPT_EMAIL=email@example.com
# Do you agree Let's Encrypt TOS https://letsencrypt.org/repository/
LETSENCRYPT_AGREE=false
# use openssl rand -base64 33 # use openssl rand -base64 33
MORTY_KEY=ReplaceWithARealKey! MORTY_KEY=ReplaceWithARealKey!
# filtron ( /filtron/rules ), use for example "tr -cd '[:alnum:]' < /dev/urandom | fold -w12 | head -n1"
FILTRON_USER=filtron
FILTRON_PASSWORD=SetARealPassword
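Review bot: The new header comments explain how to set a hostname and an email, but not that the email now doubles as the TLS-mode switch: per docker-compose.yml, leaving `LETSENCRYPT_EMAIL` commented keeps Caddy on `tls internal` (a locally issued, untrusted certificate) even when `SEARX_HOSTNAME` is a real host, while uncommenting it switches issuance to Let's Encrypt, and, as far as I know, Caddy v2 then accepts the CA's terms on its own now that the `LETSENCRYPT_AGREE` switch is gone. I would add `# LETSENCRYPT_EMAIL commented: Caddy issues a local (untrusted) certificate; set: a Let's Encrypt certificate is requested and its TOS accepted` directly above the `# LETSENCRYPT_EMAIL=<email>` line. The bullet `# * uncomment SEARX_HOSTNAME, and replace <host> by the searx hostname` could also mention that a port suffix such as `localhost:8888` is accepted, since that is what #37 fixes.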

Caddyfile

@ -1,21 +1,36 @@
{$SEARX_PROTOCOL}{$SEARX_HOSTNAME} { {
admin off
}
{$SEARX_HOSTNAME} {
log {
output discard
}
tls {$SEARX_TLS} tls {$SEARX_TLS}
gzip {
not /morty
}
root /srv
header /config { @api {
Access-Control-Allow-Methods "GET, OPTIONS" path /config
Access-Control-Allow-Origin "*" path /status
} }
header /status { @static {
Access-Control-Allow-Methods "GET, OPTIONS" path /static/*
Access-Control-Allow-Origin "*"
} }
header / { @notstatic {
not path /static/*
}
@morty {
path /morty/*
}
@notmorty {
not path /morty/*
}
header {
# Enable HTTP Strict Transport Security (HSTS) to force clients to always connect via HTTPS # Enable HTTP Strict Transport Security (HSTS) to force clients to always connect via HTTPS
Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
@ -28,16 +43,9 @@
# Disallow the site to be rendered within a frame (clickjacking protection) # Disallow the site to be rendered within a frame (clickjacking protection)
X-Frame-Options "SAMEORIGIN" X-Frame-Options "SAMEORIGIN"
# CSP (see http://content-security-policy.com/ )
Content-Security-Policy "upgrade-insecure-requests; default-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'; form-action 'self'; font-src 'self'; frame-ancestors 'self'; base-uri 'self'; connect-src 'self' https://overpass-api.de; img-src 'self' data: https://*.tile.openstreetmap.org; frame-src https://www.youtube-nocookie.com https://player.vimeo.com https://www.dailymotion.com https://www.deezer.com https://www.mixcloud.com https://w.soundcloud.com https://embed.spotify.com"
# Disable some features # Disable some features
Feature-Policy "accelerometer 'none';ambient-light-sensor 'none'; autoplay 'none';camera 'none';encrypted-media 'none';focus-without-user-activation 'none'; geolocation 'none';gyroscope 'none';magnetometer 'none';microphone 'none';midi 'none';payment 'none';picture-in-picture 'none'; speaker 'none';sync-xhr 'none';usb 'none';vr 'none'" Feature-Policy "accelerometer 'none';ambient-light-sensor 'none'; autoplay 'none';camera 'none';encrypted-media 'none';focus-without-user-activation 'none'; geolocation 'none';gyroscope 'none';magnetometer 'none';microphone 'none';midi 'none';payment 'none';picture-in-picture 'none'; speaker 'none';sync-xhr 'none';usb 'none';vr 'none'"
# Cache
Cache-Control "no-cache, no-store"
Pragma "no-cache"
# Referer # Referer
Referrer-Policy "no-referrer" Referrer-Policy "no-referrer"
@ -48,36 +56,56 @@
-Server -Server
} }
header /morty { header @api {
Content-Security-Policy "default-src 'none'; style-src 'self' 'unsafe-inline'; form-action 'self'; frame-ancestors 'self'; base-uri 'self'; img-src 'self' data:; font-src 'self'; frame-src 'self'" Access-Control-Allow-Methods "GET, OPTIONS"
Access-Control-Allow-Origin "*"
} }
header /static { # Cache
Cache-Control "public, max-age=31536000" header @static {
-Pragma # Cache
Cache-Control "public, max-age=31536000"
defer
} }
rewrite / { header @notstatic {
regexp ^/status$ # No Cache
to /searx-checker/status.json Cache-Control "no-cache, no-store"
Pragma "no-cache"
} }
proxy / localhost:4040 { # CSP (see http://content-security-policy.com/ )
transparent header @morty {
header_upstream X-Forwarded-TlsProto {tls_protocol} Content-Security-Policy "default-src 'none'; style-src 'self' 'unsafe-inline'; form-action 'self'; frame-ancestors 'self'; base-uri 'self'; img-src 'self' data:; font-src 'self'; frame-src 'self'"
header_upstream X-Forwarded-TlsCipher {tls_cipher}
header_upstream X-Forwarded-HttpsProto {proto}
except /searx-checker/status.json
} }
basicauth /filtron {$FILTRON_USER} {$FILTRON_PASSWORD} header @notmorty {
proxy /filtron/rules localhost:4041 { Content-Security-Policy "upgrade-insecure-requests; default-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'; form-action 'self'; font-src 'self'; frame-ancestors 'self'; base-uri 'self'; connect-src 'self' https://overpass-api.de; img-src 'self' data: https://*.tile.openstreetmap.org; frame-src https://www.youtube-nocookie.com https://player.vimeo.com https://www.dailymotion.com https://www.deezer.com https://www.mixcloud.com https://w.soundcloud.com https://embed.spotify.com"
without /filtron
} }
proxy /morty localhost:3000 # Searx-Checker
uri replace /status /searx-checker/status.json
handle /searx-checker/status.json {
root * /srv
file_server
}
limits 10KB # Morty
handle @morty {
reverse_proxy localhost:3000
}
# Filtron
handle {
encode zstd gzip
reverse_proxy localhost:4040 {
header_up X-Forwarded-Port {http.request.port}
header_up X-Forwarded-Proto {http.request.scheme}
header_up X-Forwarded-TlsProto {tls_protocol}
header_up X-Forwarded-TlsCipher {tls_cipher}
header_up X-Forwarded-HttpsProto {proto}
}
}
} }
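Review bot: `uri replace /status /searx-checker/status.json` (start of the third hunk) runs on every request and, as I read Caddy 2's `uri replace`, performs substring replacement rather than the exact `^/status$` match of the old `rewrite` block, so any path that contains `/status` (e.g. `/statusfoo`) would be redirected to the checker file as well; a path-matched rewrite, `rewrite /status /searx-checker/status.json`, keeps the previous exact-match behaviour. Unless I am mistaken, `{tls_protocol}` and `{proto}` in the `header_up` lines of the filtron `handle` block are Caddy v1 placeholders that v2 does not define (the v2 Caddyfile shorthands are `{tls_version}` and `{scheme}`), so `X-Forwarded-TlsProto` and `X-Forwarded-HttpsProto` may arrive at filtron/searx empty or as the literal text; checking the forwarded headers on a test request would settle it. Finally, the CSP/HSTS header block and the `@api` CORS headers are unchanged in substance, but a short comment on `admin off` saying that it disables the Caddy admin API on localhost:2019 would help readers who are new to v2, since that endpoint would otherwise be reachable through `network_mode: host`.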


@ -2,13 +2,11 @@
Create a new searx instance in five minutes using Docker (see https://github.com/asciimoo/searx/issues/1561 ) Create a new searx instance in five minutes using Docker (see https://github.com/asciimoo/searx/issues/1561 )
This is a work in progress, the bot protection is basic and not battle tested, and later on, may [change](https://github.com/unixfox/antibot-proxy).
## What is included ? ## What is included ?
| Name | Description | Docker image | Dockerfile | | Name | Description | Docker image | Dockerfile |
| -- | -- | -- | -- | | -- | -- | -- | -- |
| [Caddy](https://github.com/caddyserver/caddy) | Reverse proxy (create a LetsEncrypt certificate automatically) | [abiosoft/caddy:1.0.3-no-stats](https://hub.docker.com/r/abiosoft/caddy) | [Dockerfile](https://github.com/abiosoft/caddy-docker/blob/master/Dockerfile-no-stats) | | [Caddy](https://github.com/caddy/caddy) | Reverse proxy (create a LetsEncrypt certificate automatically) | [caddy/caddy:2-alpine](https://hub.docker.com/_/caddy) | [Dockerfile](https://github.com/caddyserver/caddy-docker) |
| [Filtron](https://github.com/asciimoo/filtron) | Filtering reverse HTTP proxy, bot and abuse protection | [dalf/filtron:latest](https://hub.docker.com/r/dalf/filtron) | See [asciimoo/filtron#4](https://github.com/asciimoo/filtron/pull/4) | | [Filtron](https://github.com/asciimoo/filtron) | Filtering reverse HTTP proxy, bot and abuse protection | [dalf/filtron:latest](https://hub.docker.com/r/dalf/filtron) | See [asciimoo/filtron#4](https://github.com/asciimoo/filtron/pull/4) |
| [Searx](https://github.com/asciimoo/searx) | searx by itself | [searx/searx:latest](https://hub.docker.com/r/searx/searx) | [Dockerfile](https://github.com/searx/searx/blob/master/Dockerfile) | | [Searx](https://github.com/asciimoo/searx) | searx by itself | [searx/searx:latest](https://hub.docker.com/r/searx/searx) | [Dockerfile](https://github.com/searx/searx/blob/master/Dockerfile) |
| [Morty](https://github.com/asciimoo/morty) | Privacy aware web content sanitizer proxy as a service. | [dalf/morty:latest](https://hub.docker.com/r/dalf/morty) | [Dockerfile](https://github.com/dalf/morty/blob/master/Dockerfile) | | [Morty](https://github.com/asciimoo/morty) | Privacy aware web content sanitizer proxy as a service. | [dalf/morty:latest](https://hub.docker.com/r/dalf/morty) | [Dockerfile](https://github.com/dalf/morty/blob/master/Dockerfile) |
@ -58,3 +56,12 @@ For now only the amd64 platform is supported.
## How to update ? ## How to update ?
Check the content of [```update.sh```](https://github.com/searx/searx-docker/blob/master/update.sh) Check the content of [```update.sh```](https://github.com/searx/searx-docker/blob/master/update.sh)
## Access to the Filtron API
The [Filtron API](https://github.com/asciimoo/filtron#api) is available on ```http://localhost:4041```
For example, to display the loaded rules:
```
curl http://localhost:4041/rules | jq
```


@ -4,23 +4,16 @@ services:
caddy: caddy:
container_name: caddy container_name: caddy
image: abiosoft/caddy:1.0.3-no-stats image: caddy:2-alpine
ports:
- 80:80
- 443:443
network_mode: host network_mode: host
command: -email ${LETSENCRYPT_EMAIL} -agree=${LETSENCRYPT_AGREE} -log stdout -host ${SEARX_HOSTNAME} -conf /etc/Caddyfile
volumes: volumes:
- ./Caddyfile:/etc/Caddyfile:rw - ./Caddyfile:/etc/caddy/Caddyfile:ro
- ./caddy:/root/.caddy:rw
- ./srv:/srv:rw
- searx-checker:/srv/searx-checker:rw - searx-checker:/srv/searx-checker:rw
- caddy-data:/data:rw
- caddy-config:/config:rw
environment: environment:
- SEARX_HOSTNAME=${SEARX_HOSTNAME} - SEARX_HOSTNAME=${SEARX_HOSTNAME:-localhost}
- SEARX_PROTOCOL=${SEARX_PROTOCOL:-} - SEARX_TLS=${LETSENCRYPT_EMAIL:-internal}
- SEARX_TLS=${SEARX_TLS:-}
- FILTRON_USER=${FILTRON_USER}
- FILTRON_PASSWORD=${FILTRON_PASSWORD}
cap_drop: cap_drop:
- ALL - ALL
cap_add: cap_add:
@ -32,8 +25,8 @@ services:
image: dalf/filtron image: dalf/filtron
restart: always restart: always
ports: ports:
- 4040:4040 - "127.0.0.1:4040:4040"
- 4041:4041 - "127.0.0.1:4041:4041"
networks: networks:
- searx - searx
command: -listen 0.0.0.0:4040 -api 0.0.0.0:4041 -target searx:8080 command: -listen 0.0.0.0:4040 -api 0.0.0.0:4041 -target searx:8080
@ -54,8 +47,8 @@ services:
- ./searx:/etc/searx:rw - ./searx:/etc/searx:rw
environment: environment:
- BIND_ADDRESS=0.0.0.0:8080 - BIND_ADDRESS=0.0.0.0:8080
- BASE_URL=https://${SEARX_HOSTNAME}/ - BASE_URL=https://${SEARX_HOSTNAME:-localhost}/
- MORTY_URL=https://${SEARX_HOSTNAME}/morty/ - MORTY_URL=https://${SEARX_HOSTNAME:-localhost}/morty/
- MORTY_KEY=${MORTY_KEY} - MORTY_KEY=${MORTY_KEY}
cap_drop: cap_drop:
- ALL - ALL
@ -70,7 +63,7 @@ services:
image: dalf/morty image: dalf/morty
restart: always restart: always
ports: ports:
- 3000:3000 - "127.0.0.1:3000:3000"
networks: networks:
- searx - searx
command: -listen 0.0.0.0:3000 -timeout 6 -ipv6 command: -listen 0.0.0.0:3000 -timeout 6 -ipv6
@ -99,3 +92,5 @@ networks:
volumes: volumes:
searx-checker: searx-checker:
caddy-data:
caddy-config:
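Review bot: With the `basicauth /filtron` block gone from the Caddyfile, the filtron API published on `127.0.0.1:4041` (third hunk) is reachable without any authentication by every user and process on the Docker host, and still by any other container attached to the `searx` network because the process binds `0.0.0.0:4041` inside the container; that is weaker than the previous setup, where the rules endpoint sat behind a password, and deserves a comment next to the port mapping such as `# filtron API: unauthenticated; host loopback only, never publish beyond 127.0.0.1`. In the first hunk, `SEARX_TLS=${LETSENCRYPT_EMAIL:-internal}` turns on ACME issuance as soon as an email is set, even when `SEARX_HOSTNAME` is still the default `localhost`, for which issuance cannot succeed; a comment on that line stating that the email selects the TLS mode would save the next reader a surprise. The same 127.0.0.1 binding is applied to morty in the fourth hunk and is correct there for the same reason.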


@ -5,6 +5,6 @@ cd -- "$BASE_DIR"
. ./util.sh . ./util.sh
$DOCKERCOMPOSE -f $DOCKERCOMPOSEFILE down -v $DOCKERCOMPOSE -f $DOCKERCOMPOSEFILE down
$DOCKERCOMPOSE -f $DOCKERCOMPOSEFILE rm -fv $DOCKERCOMPOSE -f $DOCKERCOMPOSEFILE rm -fv
$DOCKERCOMPOSE -f $DOCKERCOMPOSEFILE up $DOCKERCOMPOSE -f $DOCKERCOMPOSEFILE up
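Review bot: Dropping `-v` from `down` keeps every named volume (caddy-data, caddy-config and also searx-checker), but the script gives no hint why, so a later cleanup could re-add the flag and wipe Caddy's certificate storage; a one-line comment above it, `# no -v: keep the caddy-data/caddy-config volumes (Caddy certificate storage)`, records the intent. The same applies to the corresponding line in stop.sh. `$DOCKERCOMPOSEFILE` is unquoted on all three lines; `"$DOCKERCOMPOSEFILE"` is the safer spelling should the path ever contain spaces.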


@ -5,4 +5,4 @@ cd -- "$BASE_DIR"
. ./util.sh . ./util.sh
$DOCKERCOMPOSE -f $DOCKERCOMPOSEFILE down -v $DOCKERCOMPOSE -f $DOCKERCOMPOSEFILE down