-rw-r--r-- | terminaldweller.com/haproxy/haproxy.cfg | 49 | ||||
-rw-r--r-- | terminaldweller.com/searxng/.env | 7 | ||||
-rw-r--r-- | terminaldweller.com/searxng/Caddyfile | 99 | ||||
-rw-r--r-- | terminaldweller.com/searxng/docker-compose.yaml | 67 | ||||
-rw-r--r-- | terminaldweller.com/searxng/searxng/settings.yml | 11 | ||||
-rw-r--r-- | terminaldweller.com/searxng/searxng/uwsgi.ini | 49 |
6 files changed, 269 insertions, 13 deletions
diff --git a/terminaldweller.com/haproxy/haproxy.cfg b/terminaldweller.com/haproxy/haproxy.cfg
index 9930fe6..dcc7714 100644
--- a/terminaldweller.com/haproxy/haproxy.cfg
+++ b/terminaldweller.com/haproxy/haproxy.cfg
@@ -26,7 +26,7 @@ resolvers docker_resolver
resolve_retries 3
timeout retry 1000ms
timeout resolve 1000ms
-
+
#Frontends
frontend http
bind *:80
@@ -41,12 +41,22 @@ frontend http
acl editor-host hdr_sub(host) -i editor.terminaldweller.com
acl editorsave-host hdr_sub(host) -i editorsave.terminaldweller.com
acl devourer-host hdr_sub(host) -i mila.terminaldweller.com
+ acl discord-host hdr_sub(host) -i discord.terminaldweller.com
acl mila-api-acl url_beg /mila
acl crypto-api-acl url_beg /crypto
acl http ssl_fc,not
- #Conditions
+
+ #Redirects
#this will prevent any letsencrypt cert challenges from working
- http-request redirect scheme https if http
+ #http-request redirect scheme https if http
+ http-request redirect scheme https code 301 if http blog-host !letsencrypt-acl
+ http-request redirect scheme https code 301 if http editor-host
+ http-request redirect scheme https code 301 if http editorsave-host
+ http-request redirect scheme https code 301 if http api-host
+ http-request redirect scheme https code 301 if http devourer-host
+ #http-request redirect scheme https code 301 if http searx-host !letsencrypt-acl
+
+ #Conditions
#use_backend chat-cert-backend if letsencrypt-acl chat-host
use_backend blog-backend-cert if letsencrypt-acl blog-host
use_backend blog-backend-cert if letsencrypt-acl editor-host
@@ -82,6 +92,7 @@ frontend https
acl cargo-host-s req.ssl_sni -i cargo.terminaldweller.com
acl editor-host-s req.ssl_sni -i editor.terminaldweller.com
acl editorsave-host-s req.ssl_sni -i editorsave.terminaldweller.com
+ acl discord-host-s req.ssl_sni -i discord.terminaldweller.com
#Conditions
use_backend mail-backend-s if mail-host-s
#use_backend chat-backend-s if chat-host-s
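Review bot: The four new redirects for editor-host, editorsave-host, api-host and devourer-host in the -41,12 hunk lack the `!letsencrypt-acl` exception that the blog-host rule has, so an HTTP-01 challenge for those hosts receives a 301 before the `use_backend blog-backend-cert if letsencrypt-acl editor-host` rule further down can route it to the cert backend, which is exactly the breakage the comment above the old rule warns about; add the exception to each, e.g. `http-request redirect scheme https code 301 if http editor-host !letsencrypt-acl`. The searx-host redirect is left commented out, so plain-HTTP requests for the search instance are served over HTTP rather than upgraded. `acl discord-host` here and `acl discord-host-s` in the -82,6 hunk are defined but referenced by no redirect or use_backend in the visible hunks; presumably the rules live elsewhere in the file, otherwise they are dead ACLs.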
@@ -89,20 +100,29 @@ frontend https
#use_backend api-crypto-backend-s if api-host-s crypto-api-acl
use_backend api-crypto-backend-s if api-host-s
use_backend api-mila-backend-s if mila-api-host-s
- #use_backend searx-backend-s if searx-host-s
+ use_backend searx-backend-s if searx-host-s
use_backend cargo-backend-s if cargo-host-s
use_backend editor-backend-s if editor-host-s
use_backend editorsave-backend-s if editorsave-host-s
frontend jabber5222
bind *:5222
- timeout client 60s
mode tcp
- tcp-request inspect-delay 5s
- tcp-request content accept if { req.ssl_hello_type 1 }
- tcp-request content reject
- acl chat-host-s req.ssl_sni -i chat.terminaldweller.com
- use_backend chat-backend-c2s if chat-host-s
+ use_backend chat-backend-c2s
+#frontend jabber5222
+# bind *:5222
+# timeout client 60s
+# mode tcp
+# tcp-request inspect-delay 5s
+# tcp-request content accept if { req.ssl_hello_type 1 }
+# tcp-request content reject
+# acl chat-host-s req.ssl_sni -i chat.terminaldweller.com
+# use_backend chat-backend-c2s if chat-host-s
+#frontend jabbber5222
+# bind *:5280
+# mode http
+# acl chat-host hdr_sub(host) -i chat.terminaldweller.com
+# use_backend chat-backend if chat-host
frontend jabber5280
bind *:5280
mode http
@@ -259,13 +279,16 @@ backend api-mila-backend-cert
backend chat-backend-admin
mode http
server chat-host 130.185.121.80:5280
+backend chat-backend
+ mode http
+ server chat-host 130.185.121.80:5222
backend chat-backend-s
mode tcp
option ssl-hello-chk
server chat-host 130.185.121.80:5443
backend chat-backend-c2s
mode tcp
- option ssl-hello-chk
+ #option ssl-hello-chk
server chat-host 130.185.121.80:5222
backend chat-cert-backend
mode http
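Review bot: `frontend jabber5222` in the -89,20 hunk now forwards every connection on *:5222 to `chat-backend-c2s` with no `timeout client`, no `tcp-request inspect-delay`/`req.ssl_hello_type` gate and no SNI ACL, and the -259,13 hunk comments out that backend's `option ssl-hello-chk`, so nothing on this path is filtered or health-checked any more; if the hello check was dropped because XMPP clients negotiate STARTTLS instead of opening with a TLS ClientHello, a one-line comment saying so would keep the next reader from reinstating it. Without a frontend `timeout client` the value comes from the defaults section outside this diff, so it is worth confirming it suits long-lived XMPP sessions. The new `backend chat-backend` is `mode http` yet targets 130.185.121.80:5222, the same c2s port the TCP-mode backend uses, and the only frontend that would select it (`#frontend jabbber5222`, note the typo) is commented out; it reads like a leftover and should either be removed or pointed at the HTTP port.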
@@ -276,11 +299,11 @@ backend searx-backend-cert
server searx-host-cert 130.185.121.80:80
backend searx-backend
mode http
- server searx-host 130.185.121.80:4040
+ server searx-host 130.185.121.80:8080
backend searx-backend-s
mode tcp
option ssl-hello-chk
- server searx-host-s 130.185.121.80:4040
+ server searx-host-s 130.185.121.80:8081 maxconn 10 backend cargo-backend-s mode tcp
diff --git a/terminaldweller.com/searxng/.env b/terminaldweller.com/searxng/.env
new file mode 100644
index 0000000..f21562a
--- /dev/null
+++ b/terminaldweller.com/searxng/.env
@@ -0,0 +1,7 @@
+# By default listen on https://localhost
+# To change this:
+# * uncomment SEARXNG_HOSTNAME, and replace <host> by the SearXNG hostname
+# * uncomment LETSENCRYPT_EMAIL, and replace <email> by your email (require to create a Let's Encrypt certificate)
+
+SEARXNG_HOSTNAME=searx.terminaldweller.com
+LETSENCRYPT_EMAIL=devi@terminaldweller.com
diff --git a/terminaldweller.com/searxng/Caddyfile b/terminaldweller.com/searxng/Caddyfile
new file mode 100644
index 0000000..be88221
--- /dev/null
+++ b/terminaldweller.com/searxng/Caddyfile
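Review bot: `searx-backend` now targets 130.185.121.80:8080, but the docker-compose.yaml in this same commit publishes SearXNG's port only as `127.0.0.1:8080:8080` and Caddy listens on `https_port 8081`, so the plain-HTTP path either cannot connect (if haproxy reaches the host by that IP) or bypasses Caddy entirely and loses every HSTS, CSP and cache header the Caddyfile sets; since the searx-host HTTPS redirect in the -41,12 hunk is still commented out, that HTTP path is what clients get by default. Either route HTTP traffic to Caddy as well or enable `http-request redirect scheme https code 301 if http searx-host !letsencrypt-acl` so that only `searx-backend-s` → 8081 is reachable. The `maxconn 10` cap on the TLS backend carries no comment explaining the figure; a short note on why 10 was chosen would help whoever later tunes it.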
@@ -0,0 +1,99 @@
+{
+ admin off
+ https_port 8081
+}
+
+{$SEARXNG_HOSTNAME} {
+ log {
+ output discard
+ }
+
+ tls {$SEARXNG_TLS}
+
+ @api {
+ path /config
+ path /healthz
+ path /stats/errors
+ path /stats/checker
+ }
+
+ @static {
+ path /static/*
+ }
+
+ @notstatic {
+ not path /static/*
+ }
+
+ @imageproxy {
+ path /image_proxy
+ }
+
+ @notimageproxy {
+ not path /image_proxy
+ }
+
+ header {
+ # Enable HTTP Strict Transport Security (HSTS) to force clients to always connect via HTTPS
+ Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
+
+ # Enable cross-site filter (XSS) and tell browser to block detected attacks
+ X-XSS-Protection "1; mode=block"
+
+ # Prevent some browsers from MIME-sniffing a response away from the declared Content-Type
+ X-Content-Type-Options "nosniff"
+
+ # Disable some features
+ Permissions-Policy "accelerometer=(),ambient-light-sensor=(),autoplay=(),camera=(),encrypted-media=(),focus-without-user-activation=(),geolocation=(),gyroscope=(),magnetometer=(),microphone=(),midi=(),payment=(),picture-in-picture=(),speaker=(),sync-xhr=(),usb=(),vr=()"
+
+ # Disable some features (legacy)
+ Feature-Policy "accelerometer 'none';ambient-light-sensor 'none'; autoplay 'none';camera 'none';encrypted-media 'none';focus-without-user-activation 'none'; geolocation 'none';gyroscope 'none';magnetometer 'none';microphone 'none';midi 'none';payment 'none';picture-in-picture 'none'; speaker 'none';sync-xhr 'none';usb 'none';vr 'none'"
+
+ # Referer
+ Referrer-Policy "no-referrer"
+
+ # X-Robots-Tag
+ X-Robots-Tag "noindex, noarchive, nofollow"
+
+ # Remove Server header
+ -Server
+ }
+
+ header @api {
+ Access-Control-Allow-Methods "GET, OPTIONS"
+ Access-Control-Allow-Origin "*"
+ }
+
+ # Cache
+ header @static {
+ # Cache
+ Cache-Control "public, max-age=31536000"
+ defer
+ }
+
+ header @notstatic {
+ # No Cache
+ Cache-Control "no-cache, no-store"
+ Pragma "no-cache"
+ }
+
+ # CSP (see http://content-security-policy.com/ )
+ header @imageproxy {
+ Content-Security-Policy "default-src 'none'; img-src 'self' data:"
+ }
+
+ header @notimageproxy {
+ Content-Security-Policy "upgrade-insecure-requests; default-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'; form-action 'self' https://github.com/searxng/searxng/issues/new; font-src 'self'; frame-ancestors 'self'; base-uri 'self'; connect-src 'self' https://overpass-api.de; img-src 'self' data: https://*.tile.openstreetmap.org; frame-src https://www.youtube-nocookie.com https://player.vimeo.com https://www.dailymotion.com https://www.deezer.com https://www.mixcloud.com https://w.soundcloud.com https://embed.spotify.com"
+ }
+
+ # SearXNG
+ handle {
+ encode zstd gzip
+
+ reverse_proxy localhost:8080 {
+ header_up X-Forwarded-Port {http.request.port}
+ header_up X-Forwarded-Proto {http.request.scheme}
+ }
+ }
+
+}
diff --git a/terminaldweller.com/searxng/docker-compose.yaml b/terminaldweller.com/searxng/docker-compose.yaml
new file mode 100644
index 0000000..f592709
--- /dev/null
+++ b/terminaldweller.com/searxng/docker-compose.yaml
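Review bot: `X-XSS-Protection "1; mode=block"` in the global `header` block re-enables the legacy browser XSS auditor, which current guidance recommends switching off (`X-XSS-Protection "0"`) because the auditor itself has been abused for cross-site leaks and the `@notimageproxy` CSP below already covers script injection. `log { output discard }` throws away every access log, leaving SearXNG's limiter counters in Redis as the only trace of abuse against this instance; if that is a deliberate privacy choice, a comment next to it would make the trade-off explicit. `tls {$SEARXNG_TLS}` receives either an e-mail address or `internal` from docker-compose.yaml, and with `internal` Caddy serves a locally-signed certificate that haproxy's TCP passthrough delivers to clients unchanged, so the fallback surfaces as a trust error rather than a clear failure.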
@@ -0,0 +1,67 @@
+version: '3.7'
+
+services:
+
+ caddy:
+ container_name: caddy
+ image: caddy:2-alpine
+ network_mode: host
+ volumes:
+ - ./Caddyfile:/etc/caddy/Caddyfile:ro
+ - caddy-data:/data:rw
+ - caddy-config:/config:rw
+ environment:
+ - SEARXNG_HOSTNAME=${SEARXNG_HOSTNAME:-http://localhost:80}
+ - SEARXNG_TLS=${LETSENCRYPT_EMAIL:-internal}
+ cap_drop:
+ - ALL
+ cap_add:
+ - NET_BIND_SERVICE
+ - DAC_OVERRIDE
+
+ redis:
+ container_name: redis
+ image: "redis:alpine"
+ command: redis-server --save "" --appendonly "no"
+ networks:
+ - searxng
+ tmpfs:
+ - /var/lib/redis
+ cap_drop:
+ - ALL
+ cap_add:
+ - SETGID
+ - SETUID
+ - DAC_OVERRIDE
+
+ searxng:
+ container_name: searxng
+ image: searxng/searxng:latest
+ networks:
+ - searxng
+ ports:
+ - "127.0.0.1:8080:8080"
+ volumes:
+ - ./searxng:/etc/searxng:rw
+ environment:
+ - SEARXNG_BASE_URL=https://${SEARXNG_HOSTNAME:-localhost}/
+ cap_drop:
+ - ALL
+ cap_add:
+ - CHOWN
+ - SETGID
+ - SETUID
+ - DAC_OVERRIDE
+ logging:
+ driver: "json-file"
+ options:
+ max-size: "1m"
+ max-file: "1"
+networks:
+ searxng:
+ ipam:
+ driver: default
+
+volumes:
+ caddy-data:
+ caddy-config:
diff --git a/terminaldweller.com/searxng/searxng/settings.yml b/terminaldweller.com/searxng/searxng/settings.yml
new file mode 100644
index 0000000..16258b9
--- /dev/null
+++ b/terminaldweller.com/searxng/searxng/settings.yml
@@ -0,0 +1,11 @@
+# see https://docs.searxng.org/admin/engines/settings.html#use-default-settings
+use_default_settings: true
+server:
+ # base_url is defined in the SEARXNG_BASE_URL environment variable, see .env and docker-compose.yml
+ secret_key: "" # change this!
+ limiter: true # can be disabled for a private instance
+ image_proxy: true
+ui:
+ static_use_hash: true
+redis:
+ url: redis://redis:6379/0
diff --git a/terminaldweller.com/searxng/searxng/uwsgi.ini b/terminaldweller.com/searxng/searxng/uwsgi.ini
new file mode 100644
index 0000000..7574799
--- /dev/null
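Review bot: `image: searxng/searxng:latest` in the `searxng` service is unpinned, so every pull can silently replace the search stack; pin a release tag or digest (constructed example: `image: searxng/searxng:<release-tag>@sha256:<digest>`) and bump it deliberately. `ports: - "127.0.0.1:8080:8080"` binds SearXNG to loopback only, which matches Caddy's `reverse_proxy localhost:8080`, but the haproxy hunk in this commit points `searx-backend` at 130.185.121.80:8080, so one of the two is wrong unless haproxy shares the host network. `./searxng:/etc/searxng:rw` mounts the committed settings.yml and uwsgi.ini writable into the container; I have not checked whether the image's entrypoint needs write access there, but if it does not, `:ro` would stop a misbehaving or compromised process from rewriting its own configuration.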
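Review bot: `secret_key: ""` ships an empty key with only the `# change this!` comment to flag it; SearXNG uses `server.secret_key` to sign values such as image_proxy URLs, so an empty committed key means the signatures are trivially reproducible and the value is also frozen into git history, and I am not certain the image refuses to start on an empty string. Generate a random value (e.g. `openssl rand -hex 32`), keep it out of the repository via an environment variable or an ignored file, and document next to this line where it comes from. `limiter: true` depends on the real client address reaching SearXNG; Caddy's reverse_proxy sets X-Forwarded-For by default so this should work, but a one-line comment tying the two together would help.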
+++ b/terminaldweller.com/searxng/searxng/uwsgi.ini
@@ -0,0 +1,49 @@
+[uwsgi]
+# Who will run the code
+uid = searxng
+gid = searxng
+
+# Number of workers (usually CPU count)
+workers = %k
+threads = 4
+
+# The right granted on the created socket
+chmod-socket = 666
+
+# Plugin to use and interpretor config
+single-interpreter = true
+master = true
+plugin = python3
+lazy-apps = true
+enable-threads = true
+
+# Module to import
+module = searx.webapp
+
+# Virtualenv and python path
+pythonpath = /usr/local/searxng/
+chdir = /usr/local/searxng/searx/
+
+# automatically set processes name to something meaningful
+auto-procname = true
+
+# Disable request logging for privacy
+disable-logging = true
+log-5xx = true
+
+# Set the max size of a request (request-body excluded)
+buffer-size = 8192
+
+# No keep alive
+# See https://github.com/searx/searx-docker/issues/24
+add-header = Connection: close
+
+# uwsgi serves the static files
+# expires set to one year since there are hashes
+static-map = /static=/usr/local/searxng/searx/static
+static-expires = /* 31557600
+static-gzip-all = True
+offload-threads = %k
+
+# Cache
+cache2 = name=searxngcache,items=2000,blocks=2000,blocksize=4096,bitmap=1 |
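Review bot: `chmod-socket = 666` would make any uwsgi unix socket world-writable, letting every local user submit requests straight to the application, yet this file declares no `socket` at all (the HTTP listener presumably comes from the image's entrypoint or environment), so the line is either dead or a latent hazard; either drop it or pair it with an explicit `socket`, `chmod-socket = 660` and `chown-socket`. `disable-logging = true` with only `log-5xx = true` keeps server errors and nothing else, so 4xx probing, including the limiter's 429 responses, is invisible to log-based detection; if that is the intended privacy trade-off, say so in the comment, otherwise `log-4xx = true` restores that signal without logging successful searches.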