Move wiki entry https://github.com/asciimoo/searx/wiki/Searx-instances
into user section of the docs (#1785).
links has been ported from markdown to reST by::
regexpr: \[([^\]]*)\]\(([^)]*)\)
substitution: `\1 <\2>`__
Signed-off-by: Markus Heiser <markus.heiser@darmarit.de>
We explicitly specific the static directory here using alias to allow to
host from a other subdirectory than "searx" which just so happens to
match the source code directory.
Closes: #1617
There is an issue with the setup example in https://asciimoo.github.io/searx/dev/install/installation.html#installation for subdirectory URL deployments:
```nginx
root /usr/local/searx;
location = /searx { rewrite ^ /searx/; }
try_files $uri @searx;
}
location @searx {
uwsgi_param SCRIPT_NAME /searx;
include uwsgi_params;
uwsgi_modifier1 30;
uwsgi_pass unix:/run/uwsgi/app/searx/socket;
}
```
`try_files` causes Nginx to search for files in the server root first. If it matches a file, it is returned. Only if no file matched, the request is passed to uwsgi. The worst consequence I can think of is that `settings.yml` can be downloaded without authentication (where secrets and configuration details are stored).
To fix this, I propose:
```nginx
location = /searx {
rewrite ^ /searx/;
}
location /searx/static {
}
location /searx {
uwsgi_param SCRIPT_NAME /searx;
include uwsgi_params;
uwsgi_pass unix:/run/uwsgi/app/searx/socket;
}
```
And add
```
route-run = fixpathinfo:
```
to `/etc/uwsgi/apps-available/searx.ini` because `uwsgi_modifier1 30` is apparently deprecated. Ref: https://uwsgi-docs.readthedocs.io/en/latest/Changelog-2.0.11.html#fixpathinfo-routing-action
I assume this issue exists because some uwsgi upstream docs also use the `try_files` construct (at least I have seen this somewhere in the docs or somewhere else on the Internet but cannot find it right now again).
https://uwsgi-docs.readthedocs.io/en/latest/Nginx.html#hosting-multiple-apps-in-the-same-process-aka-managing-script-name-and-path-info also warns about this:
> If used incorrectly a configuration like this may cause security problems. For your sanity’s sake, double-triple-quadruple check that your application files, configuration files and any other sensitive files are outside of the root of the static files.
When results are fetched from any programming related documentation site
(like git-scm.com, docs.python.org etc), content in Info box is shown as
raw HTML code.
This change addresses the issue by using "safe" filter feature provided by
Django. See,
- https://docs.djangoproject.com/en/3.0/ref/templates/builtins/#safe
- Searx issue tracker (issue #1649), for more information.
Resolves: #1649
Markus Heiser
Adam Tauber
frankdelange
Robin Schneider
Mathieu Brunot
Vipul