Replace morty & filtron by redis & the limiter plugin

This commit is contained in:
Alexandre Flament 2022-02-25 22:43:05 +01:00
parent 2127795f63
commit fe4a33a2bf
4 changed files with 43 additions and 60 deletions

2
.env
View File

@ -11,4 +11,4 @@
SEARXNG_COMMAND=-f SEARXNG_COMMAND=-f
# use openssl rand -base64 33 # use openssl rand -base64 33
MORTY_KEY=ReplaceWithARealKey! SEARXNG_SECRET=ultrasecretkey

View File

@ -11,25 +11,26 @@
@api { @api {
path /config path /config
path /status path /status
} }
@static { @static {
path /static/* path /static/*
} }
@imageproxy {
path /image_proxy
}
@notimageproxy {
not path /image_proxy
}
@notstatic { @notstatic {
not path /static/* not path /static/*
} }
@morty {
path /morty/*
}
@notmorty {
not path /morty/*
}
header { header {
# Enable HTTP Strict Transport Security (HSTS) to force clients to always connect via HTTPS # Enable HTTP Strict Transport Security (HSTS) to force clients to always connect via HTTPS
Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
@ -67,8 +68,8 @@
# Cache # Cache
header @static { header @static {
# Cache # Cache
Cache-Control "public, max-age=31536000" Cache-Control "public, max-age=31536000"
defer defer
} }
header @notstatic { header @notstatic {
@ -78,24 +79,19 @@
} }
# CSP (see http://content-security-policy.com/ ) # CSP (see http://content-security-policy.com/ )
header @morty { header @imageproxy {
Content-Security-Policy "default-src 'none'; style-src 'self' 'unsafe-inline'; form-action 'self'; frame-ancestors 'self'; base-uri 'self'; img-src 'self' data:; font-src 'self'; frame-src 'self'" Content-Security-Policy "default-src 'none'; img-src 'self' data:"
} }
header @notmorty { header @notimageproxy {
Content-Security-Policy "upgrade-insecure-requests; default-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'; form-action 'self'; font-src 'self'; frame-ancestors 'self'; base-uri 'self'; connect-src 'self' https://overpass-api.de; img-src 'self' data: https://*.tile.openstreetmap.org; frame-src https://www.youtube-nocookie.com https://player.vimeo.com https://www.dailymotion.com https://www.deezer.com https://www.mixcloud.com https://w.soundcloud.com https://embed.spotify.com" Content-Security-Policy "upgrade-insecure-requests; default-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'; form-action 'self'; font-src 'self'; frame-ancestors 'self'; base-uri 'self'; connect-src 'self' https://overpass-api.de; img-src 'self' data: https://*.tile.openstreetmap.org; frame-src https://www.youtube-nocookie.com https://player.vimeo.com https://www.dailymotion.com https://www.deezer.com https://www.mixcloud.com https://w.soundcloud.com https://embed.spotify.com"
} }
# Morty # Searx
handle @morty {
reverse_proxy localhost:3000
}
# Filtron
handle { handle {
encode zstd gzip encode zstd gzip
reverse_proxy localhost:4040 { reverse_proxy localhost:8080 {
header_up X-Forwarded-Port {http.request.port} header_up X-Forwarded-Port {http.request.port}
header_up X-Forwarded-Proto {http.request.scheme} header_up X-Forwarded-Proto {http.request.scheme}
header_up X-Forwarded-TlsProto {tls_protocol} header_up X-Forwarded-TlsProto {tls_protocol}

View File

@ -5,14 +5,13 @@ services:
caddy: caddy:
container_name: caddy container_name: caddy
image: caddy:2-alpine image: caddy:2-alpine
restart: on-failure
network_mode: host network_mode: host
volumes: volumes:
- ./Caddyfile:/etc/caddy/Caddyfile:ro - ./Caddyfile:/etc/caddy/Caddyfile:ro
- caddy-data:/data:rw - caddy-data:/data:rw
- caddy-config:/config:rw - caddy-config:/config:rw
environment: environment:
- SEARXNG_HOSTNAME=${SEARXNG_HOSTNAME:-localhost} - SEARXNG_HOSTNAME=${SEARXNG_HOSTNAME:-http://localhost:80}
- SEARXNG_TLS=${LETSENCRYPT_EMAIL:-internal} - SEARXNG_TLS=${LETSENCRYPT_EMAIL:-internal}
cap_drop: cap_drop:
- ALL - ALL
@ -20,36 +19,36 @@ services:
- NET_BIND_SERVICE - NET_BIND_SERVICE
- DAC_OVERRIDE - DAC_OVERRIDE
filtron: redis:
container_name: filtron container_name: redis
image: dalf/filtron image: "redis:alpine"
restart: always command: redis-server --save "" --appendonly "no"
ports:
- "127.0.0.1:4040:4040"
- "127.0.0.1:4041:4041"
networks: networks:
- searxng - searxng
command: -listen 0.0.0.0:4040 -api 0.0.0.0:4041 -target searxng:8080 tmpfs:
volumes: - /var/lib/redis
- ./rules.json:/etc/filtron/rules.json:rw
read_only: true
cap_drop: cap_drop:
- ALL - ALL
cap_add:
- SETGID
- SETUID
- DAC_OVERRIDE
searxng: searx:
container_name: searxng container_name: searx
image: searxng/searxng:latest image: searxng/searxng
restart: always restart: always
networks: networks:
- searxng - searxng
command: ${SEARXNG_COMMAND:-} command: ${SEARX_COMMAND:-}
ports:
- "127.0.0.1:8080:8080"
volumes: volumes:
- ./searxng:/etc/searxng:rw - ./searxng:/etc/searx:rw
environment: environment:
- BIND_ADDRESS=0.0.0.0:8080 - BIND_ADDRESS=0.0.0.0:8080
- BASE_URL=https://${SEARXNG_HOSTNAME:-localhost}/ - BASE_URL=https://${SEARXNG_HOSTNAME:-localhost}/
- MORTY_URL=https://${SEARXNG_HOSTNAME:-localhost}/morty/ - SEARXNG_SECRET=${SEARXNG_SECRET}
- MORTY_KEY=${MORTY_KEY}
cap_drop: cap_drop:
- ALL - ALL
cap_add: cap_add:
@ -58,24 +57,6 @@ services:
- SETUID - SETUID
- DAC_OVERRIDE - DAC_OVERRIDE
morty:
container_name: morty
image: dalf/morty
restart: always
ports:
- "127.0.0.1:3000:3000"
networks:
- searxng
command: -timeout 6 -ipv6
environment:
- MORTY_KEY=${MORTY_KEY}
- MORTY_ADDRESS=0.0.0.0:3000
logging:
driver: none
read_only: true
cap_drop:
- ALL
networks: networks:
searxng: searxng:
ipam: ipam:

6
searxng/settings.yml Normal file
View File

@ -0,0 +1,6 @@
use_default_settings: true
server:
limiter: true
image_proxy: true
redis:
url: redis://redis:6379/0