authorterminaldweller <thabogre@gmail.com>2022-07-03 06:40:10 +0000
committerterminaldweller <thabogre@gmail.com>2022-07-03 06:40:10 +0000
commitbc4bb70fccdf72072a39cd663100617859b694a7 (patch)
tree40a587d5bce2577cbce832d0957fea4dd62de8f8
parentupdates (diff)
searxng
-rw-r--r--terminaldweller.com/haproxy/haproxy.cfg49
-rw-r--r--terminaldweller.com/searxng/.env7
-rw-r--r--terminaldweller.com/searxng/Caddyfile99
-rw-r--r--terminaldweller.com/searxng/docker-compose.yaml67
-rw-r--r--terminaldweller.com/searxng/searxng/settings.yml11
-rw-r--r--terminaldweller.com/searxng/searxng/uwsgi.ini49
6 files changed, 269 insertions, 13 deletions
diff --git a/terminaldweller.com/haproxy/haproxy.cfg b/terminaldweller.com/haproxy/haproxy.cfg
index 9930fe6..dcc7714 100644
--- a/terminaldweller.com/haproxy/haproxy.cfg
+++ b/terminaldweller.com/haproxy/haproxy.cfg
@@ -26,7 +26,7 @@ resolvers docker_resolver
resolve_retries 3
timeout retry 1000ms
timeout resolve 1000ms
-
+
#Frontends
frontend http
bind *:80
@@ -41,12 +41,22 @@ frontend http
acl editor-host hdr_sub(host) -i editor.terminaldweller.com
acl editorsave-host hdr_sub(host) -i editorsave.terminaldweller.com
acl devourer-host hdr_sub(host) -i mila.terminaldweller.com
+ acl discord-host hdr_sub(host) -i discord.terminaldweller.com
acl mila-api-acl url_beg /mila
acl crypto-api-acl url_beg /crypto
acl http ssl_fc,not
- #Conditions
+
+ #Redirects
#this will prevent any letsencrypt cert challenges from working
- http-request redirect scheme https if http
+ #http-request redirect scheme https if http
+ http-request redirect scheme https code 301 if http blog-host !letsencrypt-acl
+ http-request redirect scheme https code 301 if http editor-host
+ http-request redirect scheme https code 301 if http editorsave-host
+ http-request redirect scheme https code 301 if http api-host
+ http-request redirect scheme https code 301 if http devourer-host
+ #http-request redirect scheme https code 301 if http searx-host !letsencrypt-acl
+
+ #Conditions
#use_backend chat-cert-backend if letsencrypt-acl chat-host
use_backend blog-backend-cert if letsencrypt-acl blog-host
use_backend blog-backend-cert if letsencrypt-acl editor-host
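Review bot: The new per-host redirects run before any `use_backend` rule, so the ACME routes that follow them (`use_backend blog-backend-cert if letsencrypt-acl editor-host` and its siblings) can never be reached for plaintext requests to the editor, editorsave, api and devourer hosts; only the blog-host redirect carries the `!letsencrypt-acl` exclusion. Append the exclusion to the other four, e.g. `http-request redirect scheme https code 301 if http editor-host !letsencrypt-acl`. With the searx redirect left commented out, plaintext requests for the searx host are not upgraded at all and fall through to whatever http backend matches them. The added `discord-host` acl (and `discord-host-s` in the https frontend hunk) has no matching `use_backend`, so it is dead config as committed. frontend http continues outside the hunk.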
@@ -82,6 +92,7 @@ frontend https
acl cargo-host-s req.ssl_sni -i cargo.terminaldweller.com
acl editor-host-s req.ssl_sni -i editor.terminaldweller.com
acl editorsave-host-s req.ssl_sni -i editorsave.terminaldweller.com
+ acl discord-host-s req.ssl_sni -i discord.terminaldweller.com
#Conditions
use_backend mail-backend-s if mail-host-s
#use_backend chat-backend-s if chat-host-s
@@ -89,20 +100,29 @@ frontend https
#use_backend api-crypto-backend-s if api-host-s crypto-api-acl
use_backend api-crypto-backend-s if api-host-s
use_backend api-mila-backend-s if mila-api-host-s
- #use_backend searx-backend-s if searx-host-s
+ use_backend searx-backend-s if searx-host-s
use_backend cargo-backend-s if cargo-host-s
use_backend editor-backend-s if editor-host-s
use_backend editorsave-backend-s if editorsave-host-s
frontend jabber5222
bind *:5222
- timeout client 60s
mode tcp
- tcp-request inspect-delay 5s
- tcp-request content accept if { req.ssl_hello_type 1 }
- tcp-request content reject
- acl chat-host-s req.ssl_sni -i chat.terminaldweller.com
- use_backend chat-backend-c2s if chat-host-s
+ use_backend chat-backend-c2s
+#frontend jabber5222
+# bind *:5222
+# timeout client 60s
+# mode tcp
+# tcp-request inspect-delay 5s
+# tcp-request content accept if { req.ssl_hello_type 1 }
+# tcp-request content reject
+# acl chat-host-s req.ssl_sni -i chat.terminaldweller.com
+# use_backend chat-backend-c2s if chat-host-s
+#frontend jabbber5222
+# bind *:5280
+# mode http
+# acl chat-host hdr_sub(host) -i chat.terminaldweller.com
+# use_backend chat-backend if chat-host
frontend jabber5280
bind *:5280
mode http
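Review bot: `timeout client 60s` is removed from frontend jabber5222 with nothing replacing it; unless the defaults section outside this diff sets `timeout client`, HAProxy will warn about missing timeouts on this frontend and idle c2s connections are never reaped. If the goal was only to drop the SNI inspection (presumably because a ClientHello is not the first thing on a STARTTLS port), keep the timeout line and remove just the `tcp-request` and acl lines. The two commented-out frontend blocks that follow repeat the old configuration, one under the misspelled name `jabbber5222`; git history already holds that and the dead config only makes the live frontend harder to read. frontend jabber5280 continues past the hunk.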
@@ -259,13 +279,16 @@ backend api-mila-backend-cert
backend chat-backend-admin
mode http
server chat-host 130.185.121.80:5280
+backend chat-backend
+ mode http
+ server chat-host 130.185.121.80:5222
backend chat-backend-s
mode tcp
option ssl-hello-chk
server chat-host 130.185.121.80:5443
backend chat-backend-c2s
mode tcp
- option ssl-hello-chk
+ #option ssl-hello-chk
server chat-host 130.185.121.80:5222
backend chat-cert-backend
mode http
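Review bot: The new `chat-backend` is `mode http` yet targets 130.185.121.80:5222, the same port that `chat-backend-c2s` just below proxies in `mode tcp`; treating an XMPP c2s port as HTTP will not work, and the only reference to `chat-backend` in this commit is the commented-out http frontend on 5280. If the backend is meant to be used, the target is probably the http port (`server chat-host 130.185.121.80:5280`, which `chat-backend-admin` already uses); otherwise drop it rather than leave an unused backend. Commenting out `option ssl-hello-chk` on chat-backend-c2s changes nothing as far as this hunk shows, because the `server` line carries no `check` keyword and so no health check runs either way.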
@@ -276,11 +299,11 @@ backend searx-backend-cert
server searx-host-cert 130.185.121.80:80
backend searx-backend
mode http
- server searx-host 130.185.121.80:4040
+ server searx-host 130.185.121.80:8080
backend searx-backend-s
mode tcp
option ssl-hello-chk
- server searx-host-s 130.185.121.80:4040
+ server searx-host-s 130.185.121.80:8081 maxconn 10
backend cargo-backend-s
mode tcp
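Review bot: `searx-backend` now forwards plaintext HTTP to 130.185.121.80:8080, but the docker-compose in this commit publishes searxng on `127.0.0.1:8080` only, so that address should be refused unless something else listens on it — and with the searx http→https redirect left commented out in the http frontend, this is exactly the path plaintext requests take. Enabling that redirect and keeping `searx-backend` only for the ACME path would make the two files agree. `searx-backend-s` stays `mode tcp` with no `send-proxy-v2`, so Caddy and SearXNG see every request coming from HAProxy's address; as far as I recall the `limiter: true` in settings.yml keys on client IP, which would put all users in one bucket unless PROXY protocol is accepted on the Caddy side or TLS is terminated on HAProxy. `maxconn 10` also caps the whole TLS path at ten concurrent connections, which is low for a public instance.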
diff --git a/terminaldweller.com/searxng/.env b/terminaldweller.com/searxng/.env
new file mode 100644
index 0000000..f21562a
--- /dev/null
+++ b/terminaldweller.com/searxng/.env
@@ -0,0 +1,7 @@
+# By default listen on https://localhost
+# To change this:
+# * uncomment SEARXNG_HOSTNAME, and replace <host> by the SearXNG hostname
+# * uncomment LETSENCRYPT_EMAIL, and replace <email> by your email (require to create a Let's Encrypt certificate)
+
+SEARXNG_HOSTNAME=searx.terminaldweller.com
+LETSENCRYPT_EMAIL=devi@terminaldweller.com
diff --git a/terminaldweller.com/searxng/Caddyfile b/terminaldweller.com/searxng/Caddyfile
new file mode 100644
index 0000000..be88221
--- /dev/null
+++ b/terminaldweller.com/searxng/Caddyfile
@@ -0,0 +1,99 @@
+{
+ admin off
+ https_port 8081
+}
+
+{$SEARXNG_HOSTNAME} {
+ log {
+ output discard
+ }
+
+ tls {$SEARXNG_TLS}
+
+ @api {
+ path /config
+ path /healthz
+ path /stats/errors
+ path /stats/checker
+ }
+
+ @static {
+ path /static/*
+ }
+
+ @notstatic {
+ not path /static/*
+ }
+
+ @imageproxy {
+ path /image_proxy
+ }
+
+ @notimageproxy {
+ not path /image_proxy
+ }
+
+ header {
+ # Enable HTTP Strict Transport Security (HSTS) to force clients to always connect via HTTPS
+ Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
+
+ # Enable cross-site filter (XSS) and tell browser to block detected attacks
+ X-XSS-Protection "1; mode=block"
+
+ # Prevent some browsers from MIME-sniffing a response away from the declared Content-Type
+ X-Content-Type-Options "nosniff"
+
+ # Disable some features
+ Permissions-Policy "accelerometer=(),ambient-light-sensor=(),autoplay=(),camera=(),encrypted-media=(),focus-without-user-activation=(),geolocation=(),gyroscope=(),magnetometer=(),microphone=(),midi=(),payment=(),picture-in-picture=(),speaker=(),sync-xhr=(),usb=(),vr=()"
+
+ # Disable some features (legacy)
+ Feature-Policy "accelerometer 'none';ambient-light-sensor 'none'; autoplay 'none';camera 'none';encrypted-media 'none';focus-without-user-activation 'none'; geolocation 'none';gyroscope 'none';magnetometer 'none';microphone 'none';midi 'none';payment 'none';picture-in-picture 'none'; speaker 'none';sync-xhr 'none';usb 'none';vr 'none'"
+
+ # Referer
+ Referrer-Policy "no-referrer"
+
+ # X-Robots-Tag
+ X-Robots-Tag "noindex, noarchive, nofollow"
+
+ # Remove Server header
+ -Server
+ }
+
+ header @api {
+ Access-Control-Allow-Methods "GET, OPTIONS"
+ Access-Control-Allow-Origin "*"
+ }
+
+ # Cache
+ header @static {
+ # Cache
+ Cache-Control "public, max-age=31536000"
+ defer
+ }
+
+ header @notstatic {
+ # No Cache
+ Cache-Control "no-cache, no-store"
+ Pragma "no-cache"
+ }
+
+ # CSP (see http://content-security-policy.com/ )
+ header @imageproxy {
+ Content-Security-Policy "default-src 'none'; img-src 'self' data:"
+ }
+
+ header @notimageproxy {
+ Content-Security-Policy "upgrade-insecure-requests; default-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'; form-action 'self' https://github.com/searxng/searxng/issues/new; font-src 'self'; frame-ancestors 'self'; base-uri 'self'; connect-src 'self' https://overpass-api.de; img-src 'self' data: https://*.tile.openstreetmap.org; frame-src https://www.youtube-nocookie.com https://player.vimeo.com https://www.dailymotion.com https://www.deezer.com https://www.mixcloud.com https://w.soundcloud.com https://embed.spotify.com"
+ }
+
+ # SearXNG
+ handle {
+ encode zstd gzip
+
+ reverse_proxy localhost:8080 {
+ header_up X-Forwarded-Port {http.request.port}
+ header_up X-Forwarded-Proto {http.request.scheme}
+ }
+ }
+
+}
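Review bot: `header @api` sets `Access-Control-Allow-Origin "*"` on `/config`, `/healthz`, `/stats/errors` and `/stats/checker`, so any origin can read the instance configuration and engine error statistics from a visitor's browser; unless that JSON is meant to be consumed cross-site, restrict it to the site's own origin or drop the header. `log { output discard }` throws away all access logs, leaving nothing to spot abuse or tune the limiter with — consider at least keeping error-level output. `X-XSS-Protection "1; mode=block"` is a legacy header; current guidance is `X-XSS-Protection "0"` or omitting it, since the Content-Security-Policy below is what actually constrains script execution.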
diff --git a/terminaldweller.com/searxng/docker-compose.yaml b/terminaldweller.com/searxng/docker-compose.yaml
new file mode 100644
index 0000000..f592709
--- /dev/null
+++ b/terminaldweller.com/searxng/docker-compose.yaml
@@ -0,0 +1,67 @@
+version: '3.7'
+
+services:
+
+ caddy:
+ container_name: caddy
+ image: caddy:2-alpine
+ network_mode: host
+ volumes:
+ - ./Caddyfile:/etc/caddy/Caddyfile:ro
+ - caddy-data:/data:rw
+ - caddy-config:/config:rw
+ environment:
+ - SEARXNG_HOSTNAME=${SEARXNG_HOSTNAME:-http://localhost:80}
+ - SEARXNG_TLS=${LETSENCRYPT_EMAIL:-internal}
+ cap_drop:
+ - ALL
+ cap_add:
+ - NET_BIND_SERVICE
+ - DAC_OVERRIDE
+
+ redis:
+ container_name: redis
+ image: "redis:alpine"
+ command: redis-server --save "" --appendonly "no"
+ networks:
+ - searxng
+ tmpfs:
+ - /var/lib/redis
+ cap_drop:
+ - ALL
+ cap_add:
+ - SETGID
+ - SETUID
+ - DAC_OVERRIDE
+
+ searxng:
+ container_name: searxng
+ image: searxng/searxng:latest
+ networks:
+ - searxng
+ ports:
+ - "127.0.0.1:8080:8080"
+ volumes:
+ - ./searxng:/etc/searxng:rw
+ environment:
+ - SEARXNG_BASE_URL=https://${SEARXNG_HOSTNAME:-localhost}/
+ cap_drop:
+ - ALL
+ cap_add:
+ - CHOWN
+ - SETGID
+ - SETUID
+ - DAC_OVERRIDE
+ logging:
+ driver: "json-file"
+ options:
+ max-size: "1m"
+ max-file: "1"
+networks:
+ searxng:
+ ipam:
+ driver: default
+
+volumes:
+ caddy-data:
+ caddy-config:
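Review bot: `image: searxng/searxng:latest` and `image: caddy:2-alpine` are floating tags, so every pull can silently change what runs in front of a public hostname; pin a release and ideally a digest (`image: searxng/searxng:<tag>@sha256:<digest>`, values to be filled in) and bump deliberately. The caddy service uses `network_mode: host`, so `https_port 8081` and Caddy's default port 80 bind on every interface of the host rather than only what a `ports:` entry would expose — check that the host firewall admits only the HAProxy address on those ports. `./searxng:/etc/searxng:rw` also hands the settings directory to the container writable, which is what lets `settings.yml` be rewritten at runtime; fine if intended, but worth a comment.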
diff --git a/terminaldweller.com/searxng/searxng/settings.yml b/terminaldweller.com/searxng/searxng/settings.yml
new file mode 100644
index 0000000..16258b9
--- /dev/null
+++ b/terminaldweller.com/searxng/searxng/settings.yml
@@ -0,0 +1,11 @@
+# see https://docs.searxng.org/admin/engines/settings.html#use-default-settings
+use_default_settings: true
+server:
+ # base_url is defined in the SEARXNG_BASE_URL environment variable, see .env and docker-compose.yml
+ secret_key: "" # change this!
+ limiter: true # can be disabled for a private instance
+ image_proxy: true
+ui:
+ static_use_hash: true
+redis:
+ url: redis://redis:6379/0
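Review bot: `secret_key: ""` commits an empty key; SearXNG uses it for cryptographic signing, so the instance will either refuse to start or run with a predictable key. Generate a random value (e.g. `openssl rand -hex 32`) and keep it out of the repository — SearXNG also reads it from the `SEARXNG_SECRET` environment variable, which fits the existing `.env` pattern better than editing this file. `limiter: true` only works if the real client address reaches the app, which the TCP passthrough configured in haproxy.cfg does not provide on its own.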
diff --git a/terminaldweller.com/searxng/searxng/uwsgi.ini b/terminaldweller.com/searxng/searxng/uwsgi.ini
new file mode 100644
index 0000000..7574799
--- /dev/null
+++ b/terminaldweller.com/searxng/searxng/uwsgi.ini
@@ -0,0 +1,49 @@
+[uwsgi]
+# Who will run the code
+uid = searxng
+gid = searxng
+
+# Number of workers (usually CPU count)
+workers = %k
+threads = 4
+
+# The right granted on the created socket
+chmod-socket = 666
+
+# Plugin to use and interpretor config
+single-interpreter = true
+master = true
+plugin = python3
+lazy-apps = true
+enable-threads = true
+
+# Module to import
+module = searx.webapp
+
+# Virtualenv and python path
+pythonpath = /usr/local/searxng/
+chdir = /usr/local/searxng/searx/
+
+# automatically set processes name to something meaningful
+auto-procname = true
+
+# Disable request logging for privacy
+disable-logging = true
+log-5xx = true
+
+# Set the max size of a request (request-body excluded)
+buffer-size = 8192
+
+# No keep alive
+# See https://github.com/searx/searx-docker/issues/24
+add-header = Connection: close
+
+# uwsgi serves the static files
+# expires set to one year since there are hashes
+static-map = /static=/usr/local/searxng/searx/static
+static-expires = /* 31557600
+static-gzip-all = True
+offload-threads = %k
+
+# Cache
+cache2 = name=searxngcache,items=2000,blocks=2000,blocksize=4096,bitmap=1
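Review bot: `chmod-socket = 666` makes any unix socket uwsgi creates world-writable, which lets every local user submit requests to the app; `chmod-socket = 660` with a matching group is the usual setting. As far as this file shows no `socket` is defined (the image's entrypoint presumably supplies an http socket), so the line is likely inert today but becomes live the moment one is added. `disable-logging = true` is a deliberate privacy choice, but note it also removes the request log that incident response would rely on; `log-5xx` alone surfaces only server errors.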