mirror of
https://github.com/searxng/searxng-docker.git
synced 2025-12-22 19:50:00 +00:00
8de6ea65ab
* [fix] container: remove static hashing Allows browser cache heuristics to properly work. Related https://github.com/searxng/searxng/pull/5006 Closes https://github.com/searxng/searxng-docker/issues/409 * [fix] container: don't revalidate at every request As Granian no longer handles static files directly, the whole process goes through Flask, which apart from being slow, is resource intensive, even to serve HTTP 304 responses.
87 lines
2.0 KiB
Caddyfile
87 lines
2.0 KiB
Caddyfile
{
|
|
admin off
|
|
|
|
log {
|
|
output stderr
|
|
format filter {
|
|
# Preserves first 8 bits from IPv4 and 32 bits from IPv6
|
|
request>remote_ip ip_mask 8 32
|
|
request>client_ip ip_mask 8 32
|
|
|
|
# Remove identificable information
|
|
request>remote_port delete
|
|
request>headers delete
|
|
request>uri query {
|
|
delete url
|
|
delete h
|
|
delete q
|
|
}
|
|
}
|
|
}
|
|
|
|
servers {
|
|
client_ip_headers X-Forwarded-For X-Real-IP
|
|
|
|
# Allow the following IP to passthrough the "X-Forwarded-*" headers to SearXNG
|
|
# https://caddyserver.com/docs/caddyfile/options#trusted-proxies
|
|
trusted_proxies static private_ranges
|
|
trusted_proxies_strict
|
|
}
|
|
}
|
|
|
|
{$SEARXNG_HOSTNAME}
|
|
|
|
tls {$SEARXNG_TLS}
|
|
|
|
encode zstd gzip
|
|
|
|
@api {
|
|
path /config
|
|
path /healthz
|
|
path /stats/errors
|
|
path /stats/checker
|
|
}
|
|
|
|
@static {
|
|
path /static/*
|
|
}
|
|
|
|
@imageproxy {
|
|
path /image_proxy
|
|
}
|
|
|
|
header {
|
|
# CSP (https://content-security-policy.com)
|
|
Content-Security-Policy "upgrade-insecure-requests; default-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'; form-action 'self' https:; font-src 'self'; frame-ancestors 'self'; base-uri 'self'; connect-src 'self'; img-src * data:; frame-src https:;"
|
|
|
|
# Disable browser features
|
|
Permissions-Policy "accelerometer=(),camera=(),geolocation=(),gyroscope=(),magnetometer=(),microphone=(),payment=(),usb=()"
|
|
|
|
# Only allow same-origin requests
|
|
Referrer-Policy "same-origin"
|
|
|
|
# Prevent MIME type sniffing from the declared Content-Type
|
|
X-Content-Type-Options "nosniff"
|
|
|
|
# Comment header to allow indexing by search engines
|
|
X-Robots-Tag "noindex, nofollow, noarchive, nositelinkssearchbox, nosnippet, notranslate, noimageindex"
|
|
|
|
# Remove "Server" header
|
|
-Server
|
|
}
|
|
|
|
header @api {
|
|
Access-Control-Allow-Methods "GET, OPTIONS"
|
|
Access-Control-Allow-Origin "*"
|
|
}
|
|
|
|
route {
|
|
# Cache policy
|
|
header Cache-Control "no-cache"
|
|
header @static Cache-Control "public, max-age=30, stale-while-revalidate=60"
|
|
header @imageproxy Cache-Control "public, max-age=3600"
|
|
}
|
|
|
|
# SearXNG
|
|
reverse_proxy localhost:8080
|