[mod] upgrade to Caddy v2
* Use docker image caddy/caddy:2-alpine * Caddyfile: remove "limits 10KB" * Caddyfile: remove the URL /filtron/rules (the filtron API is still available on http://localhost:4041/rules) * .env: Remove SEARX_PROTOCOL, SEARX_TLS, FILTRON_USER and FILTRON_PASSWORD variables. * docker-compose.yml: filtron and morty listen on 127.0.0.1
parent
9947a18e4e
commit
c498dcf04d
21
.env
21
.env
|
@ -1,23 +1,14 @@
|
||||||
# hostname
|
# By default listen on https://localhost
|
||||||
SEARX_HOSTNAME=localhost
|
# To change this:
|
||||||
|
# * uncomment SEARX_HOSTNAME, and replace <host> by the searx hostname
|
||||||
|
# * uncomment LETSENCRYPT_EMAIL, and replace <email> by your email (require to create a Let's Encrypt certificate)
|
||||||
|
|
||||||
# comment both if SEARX_HOSTNAME is NOT localhost
|
# SEARX_HOSTNAME=<host>
|
||||||
SEARX_PROTOCOL=https://
|
# LETSENCRYPT_EMAIL=<email>
|
||||||
SEARX_TLS=self_signed
|
|
||||||
|
|
||||||
# automatically update settings to the new version
|
# automatically update settings to the new version
|
||||||
# comment this line if you made / will make some modifications to the settings
|
# comment this line if you made / will make some modifications to the settings
|
||||||
SEARX_COMMAND=-f
|
SEARX_COMMAND=-f
|
||||||
|
|
||||||
# Let's encrypt contact information
|
|
||||||
LETSENCRYPT_EMAIL=email@example.com
|
|
||||||
|
|
||||||
# Do you agree Let's Encrypt TOS https://letsencrypt.org/repository/
|
|
||||||
LETSENCRYPT_AGREE=false
|
|
||||||
|
|
||||||
# use openssl rand -base64 33
|
# use openssl rand -base64 33
|
||||||
MORTY_KEY=ReplaceWithARealKey!
|
MORTY_KEY=ReplaceWithARealKey!
|
||||||
|
|
||||||
# filtron ( /filtron/rules ), use for example "tr -cd '[:alnum:]' < /dev/urandom | fold -w12 | head -n1"
|
|
||||||
FILTRON_USER=filtron
|
|
||||||
FILTRON_PASSWORD=SetARealPassword
|
|
||||||
|
|
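Review bot: `# comment both if SEARX_HOSTNAME is NOT localhost` reads as the opposite of the two bullet points just above it, which tell the reader to uncomment `SEARX_HOSTNAME` and `LETSENCRYPT_EMAIL`; the line should presumably read `# uncomment both if SEARX_HOSTNAME is NOT localhost`. The file no longer says what happens when `LETSENCRYPT_EMAIL` stays commented out — judging from the compose file's `SEARX_TLS=${LETSENCRYPT_EMAIL:-internal}`, Caddy then serves a locally generated (`tls internal`) certificate rather than a Let's Encrypt one — and a one-line comment here, e.g. `# without LETSENCRYPT_EMAIL, Caddy serves a locally generated (internal) certificate`, would keep operators from expecting a publicly trusted certificate on localhost. Nothing replaces the removed `LETSENCRYPT_AGREE` switch; if, as it appears, Caddy v2 accepts the ACME terms of service on its own, a short comment saying so would explain why the variable is gone.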
106
Caddyfile
106
Caddyfile
|
@ -1,21 +1,36 @@
|
||||||
{$SEARX_PROTOCOL}{$SEARX_HOSTNAME} {
|
{
|
||||||
|
admin off
|
||||||
|
}
|
||||||
|
|
||||||
|
{$SEARX_HOSTNAME} {
|
||||||
|
log {
|
||||||
|
output discard
|
||||||
|
}
|
||||||
|
|
||||||
tls {$SEARX_TLS}
|
tls {$SEARX_TLS}
|
||||||
gzip {
|
|
||||||
not /morty
|
|
||||||
}
|
|
||||||
root /srv
|
|
||||||
|
|
||||||
header /config {
|
@api {
|
||||||
Access-Control-Allow-Methods "GET, OPTIONS"
|
path /config
|
||||||
Access-Control-Allow-Origin "*"
|
path /status
|
||||||
}
|
}
|
||||||
|
|
||||||
header /status {
|
@static {
|
||||||
Access-Control-Allow-Methods "GET, OPTIONS"
|
path /static/*
|
||||||
Access-Control-Allow-Origin "*"
|
|
||||||
}
|
}
|
||||||
|
|
||||||
header / {
|
@notstatic {
|
||||||
|
not path /static/*
|
||||||
|
}
|
||||||
|
|
||||||
|
@morty {
|
||||||
|
path /morty/*
|
||||||
|
}
|
||||||
|
|
||||||
|
@notmorty {
|
||||||
|
not path /morty/*
|
||||||
|
}
|
||||||
|
|
||||||
|
header {
|
||||||
# Enable HTTP Strict Transport Security (HSTS) to force clients to always connect via HTTPS
|
# Enable HTTP Strict Transport Security (HSTS) to force clients to always connect via HTTPS
|
||||||
Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
|
Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
|
||||||
|
|
||||||
|
@ -28,16 +43,9 @@
|
||||||
# Disallow the site to be rendered within a frame (clickjacking protection)
|
# Disallow the site to be rendered within a frame (clickjacking protection)
|
||||||
X-Frame-Options "SAMEORIGIN"
|
X-Frame-Options "SAMEORIGIN"
|
||||||
|
|
||||||
# CSP (see http://content-security-policy.com/ )
|
|
||||||
Content-Security-Policy "upgrade-insecure-requests; default-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'; form-action 'self'; font-src 'self'; frame-ancestors 'self'; base-uri 'self'; connect-src 'self' https://overpass-api.de; img-src 'self' data: https://*.tile.openstreetmap.org; frame-src https://www.youtube-nocookie.com https://player.vimeo.com https://www.dailymotion.com https://www.deezer.com https://www.mixcloud.com https://w.soundcloud.com https://embed.spotify.com"
|
|
||||||
|
|
||||||
# Disable some features
|
# Disable some features
|
||||||
Feature-Policy "accelerometer 'none';ambient-light-sensor 'none'; autoplay 'none';camera 'none';encrypted-media 'none';focus-without-user-activation 'none'; geolocation 'none';gyroscope 'none';magnetometer 'none';microphone 'none';midi 'none';payment 'none';picture-in-picture 'none'; speaker 'none';sync-xhr 'none';usb 'none';vr 'none'"
|
Feature-Policy "accelerometer 'none';ambient-light-sensor 'none'; autoplay 'none';camera 'none';encrypted-media 'none';focus-without-user-activation 'none'; geolocation 'none';gyroscope 'none';magnetometer 'none';microphone 'none';midi 'none';payment 'none';picture-in-picture 'none'; speaker 'none';sync-xhr 'none';usb 'none';vr 'none'"
|
||||||
|
|
||||||
# Cache
|
|
||||||
Cache-Control "no-cache, no-store"
|
|
||||||
Pragma "no-cache"
|
|
||||||
|
|
||||||
# Referer
|
# Referer
|
||||||
Referrer-Policy "no-referrer"
|
Referrer-Policy "no-referrer"
|
||||||
|
|
||||||
|
@ -48,36 +56,56 @@
|
||||||
-Server
|
-Server
|
||||||
}
|
}
|
||||||
|
|
||||||
header /morty {
|
header @api {
|
||||||
Content-Security-Policy "default-src 'none'; style-src 'self' 'unsafe-inline'; form-action 'self'; frame-ancestors 'self'; base-uri 'self'; img-src 'self' data:; font-src 'self'; frame-src 'self'"
|
Access-Control-Allow-Methods "GET, OPTIONS"
|
||||||
|
Access-Control-Allow-Origin "*"
|
||||||
}
|
}
|
||||||
|
|
||||||
header /static {
|
# Cache
|
||||||
Cache-Control "public, max-age=31536000"
|
header @static {
|
||||||
-Pragma
|
# Cache
|
||||||
|
Cache-Control "public, max-age=31536000"
|
||||||
|
defer
|
||||||
}
|
}
|
||||||
|
|
||||||
rewrite / {
|
header @notstatic {
|
||||||
regexp ^/status$
|
# No Cache
|
||||||
to /searx-checker/status.json
|
Cache-Control "no-cache, no-store"
|
||||||
|
Pragma "no-cache"
|
||||||
}
|
}
|
||||||
|
|
||||||
proxy / localhost:4040 {
|
# CSP (see http://content-security-policy.com/ )
|
||||||
transparent
|
header @morty {
|
||||||
header_upstream X-Forwarded-TlsProto {tls_protocol}
|
Content-Security-Policy "default-src 'none'; style-src 'self' 'unsafe-inline'; form-action 'self'; frame-ancestors 'self'; base-uri 'self'; img-src 'self' data:; font-src 'self'; frame-src 'self'"
|
||||||
header_upstream X-Forwarded-TlsCipher {tls_cipher}
|
|
||||||
header_upstream X-Forwarded-HttpsProto {proto}
|
|
||||||
|
|
||||||
except /searx-checker/status.json
|
|
||||||
}
|
}
|
||||||
|
|
||||||
basicauth /filtron {$FILTRON_USER} {$FILTRON_PASSWORD}
|
header @notmorty {
|
||||||
proxy /filtron/rules localhost:4041 {
|
Content-Security-Policy "upgrade-insecure-requests; default-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'; form-action 'self'; font-src 'self'; frame-ancestors 'self'; base-uri 'self'; connect-src 'self' https://overpass-api.de; img-src 'self' data: https://*.tile.openstreetmap.org; frame-src https://www.youtube-nocookie.com https://player.vimeo.com https://www.dailymotion.com https://www.deezer.com https://www.mixcloud.com https://w.soundcloud.com https://embed.spotify.com"
|
||||||
without /filtron
|
|
||||||
}
|
}
|
||||||
|
|
||||||
proxy /morty localhost:3000
|
# Searx-Checker
|
||||||
|
uri replace /status /searx-checker/status.json
|
||||||
|
handle /searx-checker/status.json {
|
||||||
|
root * /srv
|
||||||
|
file_server
|
||||||
|
}
|
||||||
|
|
||||||
limits 10KB
|
# Morty
|
||||||
|
handle @morty {
|
||||||
|
reverse_proxy localhost:3000
|
||||||
|
}
|
||||||
|
|
||||||
|
# Filtron
|
||||||
|
handle {
|
||||||
|
encode zstd gzip
|
||||||
|
|
||||||
|
reverse_proxy localhost:4040 {
|
||||||
|
header_up X-Forwarded-Port {http.request.port}
|
||||||
|
header_up X-Forwarded-Proto {http.request.scheme}
|
||||||
|
header_up X-Forwarded-TlsProto {tls_protocol}
|
||||||
|
header_up X-Forwarded-TlsCipher {tls_cipher}
|
||||||
|
header_up X-Forwarded-HttpsProto {proto}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
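Review bot: `uri replace /status /searx-checker/status.json` in the new Searx-Checker block is a substring replacement on the request URI, not the exact match the old `regexp ^/status$` gave, so any request whose path (and, as I recall, query string) contains `/status` — `/status2` or `/foo/status` included — is rewritten into the status.json file server too; the v2 equivalent of the old rule is a path-matched rewrite, `rewrite /status /searx-checker/status.json`, which matches the path `/status` exactly and leaves the `@api` header matcher and the `handle /searx-checker/status.json` block working as before. Separately, the old `limits 10KB` request-body cap is dropped without a replacement, so Caddy now forwards request bodies of any size to filtron; if the Caddy build pulled by the `2-alpine` tag supports the `request_body` directive, `request_body { max_size 10KB }` inside the filtron `handle` block restores the previous bound. The site block runs from `{$SEARX_HOSTNAME} {` in the first hunk to the closing brace in the last one, so the three hunks should be read as one unit.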
|
@ -8,7 +8,7 @@ This is a work in progress, the bot protection is basic and not battle tested, a
|
||||||
|
|
||||||
| Name | Description | Docker image | Dockerfile |
|
| Name | Description | Docker image | Dockerfile |
|
||||||
| -- | -- | -- | -- |
|
| -- | -- | -- | -- |
|
||||||
| [Caddy](https://github.com/caddyserver/caddy) | Reverse proxy (create a LetsEncrypt certificate automatically) | [abiosoft/caddy:1.0.3-no-stats](https://hub.docker.com/r/abiosoft/caddy) | [Dockerfile](https://github.com/abiosoft/caddy-docker/blob/master/Dockerfile-no-stats) |
|
| [Caddy](https://github.com/caddy/caddy) | Reverse proxy (create a LetsEncrypt certificate automatically) | [caddy/caddy:2-alpine](https://hub.docker.com/r/caddy/caddy) | [Dockerfile](https://github.com/caddyserver/caddy-docker) |
|
||||||
| [Filtron](https://github.com/asciimoo/filtron) | Filtering reverse HTTP proxy, bot and abuse protection | [dalf/filtron:latest](https://hub.docker.com/r/dalf/filtron) | See [asciimoo/filtron#4](https://github.com/asciimoo/filtron/pull/4) |
|
| [Filtron](https://github.com/asciimoo/filtron) | Filtering reverse HTTP proxy, bot and abuse protection | [dalf/filtron:latest](https://hub.docker.com/r/dalf/filtron) | See [asciimoo/filtron#4](https://github.com/asciimoo/filtron/pull/4) |
|
||||||
| [Searx](https://github.com/asciimoo/searx) | searx by itself | [searx/searx:latest](https://hub.docker.com/r/searx/searx) | [Dockerfile](https://github.com/searx/searx/blob/master/Dockerfile) |
|
| [Searx](https://github.com/asciimoo/searx) | searx by itself | [searx/searx:latest](https://hub.docker.com/r/searx/searx) | [Dockerfile](https://github.com/searx/searx/blob/master/Dockerfile) |
|
||||||
| [Morty](https://github.com/asciimoo/morty) | Privacy aware web content sanitizer proxy as a service. | [dalf/morty:latest](https://hub.docker.com/r/dalf/morty) | [Dockerfile](https://github.com/dalf/morty/blob/master/Dockerfile) |
|
| [Morty](https://github.com/asciimoo/morty) | Privacy aware web content sanitizer proxy as a service. | [dalf/morty:latest](https://hub.docker.com/r/dalf/morty) | [Dockerfile](https://github.com/dalf/morty/blob/master/Dockerfile) |
|
||||||
|
|
|
@ -4,23 +4,17 @@ services:
|
||||||
|
|
||||||
caddy:
|
caddy:
|
||||||
container_name: caddy
|
container_name: caddy
|
||||||
image: abiosoft/caddy:1.0.3-no-stats
|
image: caddy/caddy:2-alpine
|
||||||
ports:
|
|
||||||
- 80:80
|
|
||||||
- 443:443
|
|
||||||
network_mode: host
|
network_mode: host
|
||||||
command: -email ${LETSENCRYPT_EMAIL} -agree=${LETSENCRYPT_AGREE} -log stdout -host ${SEARX_HOSTNAME} -conf /etc/Caddyfile
|
command: caddy run -config /etc/caddy/Caddyfile
|
||||||
volumes:
|
volumes:
|
||||||
- ./Caddyfile:/etc/Caddyfile:rw
|
- ./Caddyfile:/etc/caddy/Caddyfile:rw
|
||||||
- ./caddy:/root/.caddy:rw
|
|
||||||
- ./srv:/srv:rw
|
|
||||||
- searx-checker:/srv/searx-checker:rw
|
- searx-checker:/srv/searx-checker:rw
|
||||||
|
- caddy-data:/data:rw
|
||||||
|
- caddy-config:/config:rw
|
||||||
environment:
|
environment:
|
||||||
- SEARX_HOSTNAME=${SEARX_HOSTNAME}
|
- SEARX_HOSTNAME=${SEARX_HOSTNAME:-localhost}
|
||||||
- SEARX_PROTOCOL=${SEARX_PROTOCOL:-}
|
- SEARX_TLS=${LETSENCRYPT_EMAIL:-internal}
|
||||||
- SEARX_TLS=${SEARX_TLS:-}
|
|
||||||
- FILTRON_USER=${FILTRON_USER}
|
|
||||||
- FILTRON_PASSWORD=${FILTRON_PASSWORD}
|
|
||||||
cap_drop:
|
cap_drop:
|
||||||
- ALL
|
- ALL
|
||||||
cap_add:
|
cap_add:
|
||||||
|
@ -32,8 +26,8 @@ services:
|
||||||
image: dalf/filtron
|
image: dalf/filtron
|
||||||
restart: always
|
restart: always
|
||||||
ports:
|
ports:
|
||||||
- 4040:4040
|
- "127.0.0.1:4040:4040"
|
||||||
- 4041:4041
|
- "127.0.0.1:4041:4041"
|
||||||
networks:
|
networks:
|
||||||
- searx
|
- searx
|
||||||
command: -listen 0.0.0.0:4040 -api 0.0.0.0:4041 -target searx:8080
|
command: -listen 0.0.0.0:4040 -api 0.0.0.0:4041 -target searx:8080
|
||||||
|
@ -54,8 +48,8 @@ services:
|
||||||
- ./searx:/etc/searx:rw
|
- ./searx:/etc/searx:rw
|
||||||
environment:
|
environment:
|
||||||
- BIND_ADDRESS=0.0.0.0:8080
|
- BIND_ADDRESS=0.0.0.0:8080
|
||||||
- BASE_URL=https://${SEARX_HOSTNAME}/
|
- BASE_URL=https://${SEARX_HOSTNAME:-localhost}/
|
||||||
- MORTY_URL=https://${SEARX_HOSTNAME}/morty/
|
- MORTY_URL=https://${SEARX_HOSTNAME:-localhost}/morty/
|
||||||
- MORTY_KEY=${MORTY_KEY}
|
- MORTY_KEY=${MORTY_KEY}
|
||||||
cap_drop:
|
cap_drop:
|
||||||
- ALL
|
- ALL
|
||||||
|
@ -70,7 +64,7 @@ services:
|
||||||
image: dalf/morty
|
image: dalf/morty
|
||||||
restart: always
|
restart: always
|
||||||
ports:
|
ports:
|
||||||
- 3000:3000
|
- "127.0.0.1:3000:3000"
|
||||||
networks:
|
networks:
|
||||||
- searx
|
- searx
|
||||||
command: -listen 0.0.0.0:3000 -timeout 6 -ipv6
|
command: -listen 0.0.0.0:3000 -timeout 6 -ipv6
|
||||||
|
@ -99,3 +93,5 @@ networks:
|
||||||
|
|
||||||
volumes:
|
volumes:
|
||||||
searx-checker:
|
searx-checker:
|
||||||
|
caddy-data:
|
||||||
|
caddy-config:
|
||||||
|
|
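Review bot: `- ./Caddyfile:/etc/caddy/Caddyfile:rw` mounts the proxy configuration read-write into the caddy container although `caddy run -config` only reads it and the Caddyfile turns the admin API off, so the least-privilege form is `- ./Caddyfile:/etc/caddy/Caddyfile:ro`. The `caddy/caddy:2-alpine` tag floats across every 2.x release, which matters here because the Caddyfile depends on v2 directive semantics that are not exercised by any test; pinning a minor version or an image digest makes upgrades deliberate. `SEARX_TLS=${LETSENCRYPT_EMAIL:-internal}` works, but the name hides that the value is either an e-mail address or the literal `internal`, both of which the `tls` directive accepts; a comment such as `# argument of the Caddyfile "tls" directive: Let's Encrypt contact email, or "internal" for a locally generated certificate` would explain it. The `caddy:` service definition continues past the end of the first hunk (`cap_add:` is its last visible line).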
2
start.sh
2
start.sh
|
@ -5,6 +5,6 @@ cd -- "$BASE_DIR"
|
||||||
|
|
||||||
. ./util.sh
|
. ./util.sh
|
||||||
|
|
||||||
$DOCKERCOMPOSE -f $DOCKERCOMPOSEFILE down -v
|
$DOCKERCOMPOSE -f $DOCKERCOMPOSEFILE down
|
||||||
$DOCKERCOMPOSE -f $DOCKERCOMPOSEFILE rm -fv
|
$DOCKERCOMPOSE -f $DOCKERCOMPOSEFILE rm -fv
|
||||||
$DOCKERCOMPOSE -f $DOCKERCOMPOSEFILE up
|
$DOCKERCOMPOSE -f $DOCKERCOMPOSEFILE up
|
||||||
|
|
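Review bot: Changing `down -v` to `down` changes what survives a restart — the named volumes now persist, including `caddy-data`, which the compose file mounts at `/data`, where Caddy v2 keeps its certificates and ACME account state as far as I know — and nothing in the script records that intent, so a later edit could reintroduce `-v` and wipe the certificates on every start. A comment above the line would document it: `# "down" without -v: keep the named volumes (caddy-data holds the TLS certificates and ACME account)`. The following `rm -fv` removes stopped containers and their anonymous volumes only, so as I read it the named volumes are unaffected by that line either.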