From e0a3dee3bf39125d345f7ad64c292de9c772e16a Mon Sep 17 00:00:00 2001 From: Markus Heiser Date: Sat, 3 Jun 2023 18:49:21 +0200 Subject: [PATCH] [POC] limiter: change PING of link_token mehtod from CSS to while PR #2357 [1] was being implemented the question came up: would be better to change the PING resource from CSS to an image so that some terminal based browser may still able to pass the test [1] This patch implements a POC in where a tag is loaded instaed a CSS. To test this patch activate limiter and link_token method [3] and start a developer instance:: make run In your terminal browser open http://127.0.0.1:8888/search?q=foo If the browser is suitable for the link_token method, it loads the image and the following messages appear:: DEBUG searx.botdetection.limiter : OK 127.0.0.1/32: /clientft61aak7fzyu6o6v.svg ... DEBUG searx.botdetection.link_token : token is valid --> True DEBUG searx.botdetection.link_token : store ping_key for (client) network 127.0.0.1/32 (IP 127.0.0.1) -> SearXNG_limiter.ping[...] Browsers that do not load images will be blocked: If you try by example:: lynx http://127.0.0.1:8888/search?q=foo you will see a WARNING message like:: WARNING searx.botdetection.link_token : missing ping (IP: 127.0.0.1/32) / request: SearXNG_limiter.ping[...] ---- [1] https://github.com/searxng/searxng/commit/80aaef6c95b572df1fa3a8c30b7fdc1538d7a306 [2] https://github.com/searxng/searxng/pull/2357#issuecomment-1574898834 [3] activate limiter and link_token method ```diff diff --git a/searx/botdetection/limiter.toml b/searx/botdetection/limiter.toml index 71a231e8f..7e1dba755 100644 --- a/searx/botdetection/limiter.toml +++ b/searx/botdetection/limiter.toml @@ -17,6 +17,6 @@ ipv6_prefix = 48 filter_link_local = false # acrivate link_token method in the ip_limit method -link_token = false +link_token = true diff --git a/searx/settings.yml b/searx/settings.yml index a82a3432d..e7b983afc 100644 --- a/searx/settings.yml +++ b/searx/settings.yml 
@@ -73,7 +73,7 @@ server: # public URL of the instance, to ensure correct inbound links. Is overwritten # by ${SEARXNG_URL}. base_url: false # "http://example.com/location" - limiter: false # rate limit the number of request on the instance, block some bots + limiter: true # rate limit the number of request on the instance, block some bots # If your instance owns a /etc/searxng/settings.yml file, then set the following # values there. ``` Signed-off-by: Markus Heiser --- searx/templates/simple/base.html | 6 +++--- searx/webapp.py | 4 ++-- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/searx/templates/simple/base.html b/searx/templates/simple/base.html index 3c6ed11c7..cd8816ffe 100644 --- a/searx/templates/simple/base.html +++ b/searx/templates/simple/base.html @@ -17,9 +17,6 @@ {% else %} {% endif %} - {% if get_setting('server.limiter') %} - - {% endif %} {% block styles %}{% endblock %} @@ -82,5 +79,8 @@ + {%- if get_setting('server.limiter') -%} + + {%- endif -%} diff --git a/searx/webapp.py b/searx/webapp.py index d6322447a..ce93feb09 100755 --- a/searx/webapp.py +++ b/searx/webapp.py @@ -644,10 +644,10 @@ def health(): return Response('OK', mimetype='text/plain') -@app.route('/client.css', methods=['GET', 'POST']) +@app.route('/client.svg', methods=['GET', 'POST']) def client_token(token=None): link_token.ping(request, token) - return Response('', mimetype='text/css') + return Response('', mimetype='image/svg+xml') @app.route('/search', methods=['GET', 'POST'])
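Review bot: The ping element added at the end of the body is still gated only on `get_setting('server.limiter')`, although the commit description shows that the link_token method has its own switch (`link_token` in limiter.toml, off by default). With the limiter on and link_token off, every page would presumably still trigger the ping request for a token nobody checks; a template condition that also reflects the link_token setting would avoid that, and this is worth confirming against the limiter configuration. The markup of the added element is not visible in this hunk as shown here; if it is an image tag, an empty `alt` attribute and a hidden presentation would keep text-mode and screen-reader clients from announcing it. Moving the element from the head to the end of the body also means the ping fires later during page load, so it is worth confirming that a quick follow-up search is not counted as a missing ping.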
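Review bot: The new `return Response('', mimetype='image/svg+xml')` in client_token sends a zero-byte body, which is not a well-formed SVG document, so a browser fetching it through an image tag will treat the load as failed and may render a broken-image placeholder. Returning a minimal document, for example `return Response('<svg xmlns="http://www.w3.org/2000/svg"/>', mimetype='image/svg+xml')`, avoids that. Because an image is only ever fetched with GET, the route could drop `'POST'` from `methods`, so the handler that records the ping is reachable only the way the page triggers it. It may also be worth sending `Cache-Control: no-store` on this response so that a cached copy never stands in for the ping; whether that matters depends on how often the token in the URL rotates, which this hunk does not show.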