diff --git a/searxng/compose.yaml b/searxng/compose.yaml
index 2383ec2..d307d55 100644
--- a/searxng/compose.yaml
+++ b/searxng/compose.yaml
@@ -22,19 +22,18 @@ services:
 image: docker.io/searxng/searxng:latest
 restart: unless-stopped
 volumes:
- - config:/etc/searxng/
- - ./settings.yml:/etc/searxng/settings.yml
+ - ./config/:/etc/searxng/
 environment:
 - SEARXNG_SECRET
- - REDIS_HOST=redis
+ - SEARXNG_REDIS_URL=redis://redis
 networks:
+ - default
 - nginx
 depends_on:
 - redis
 volumes:
 redis:
- config:
 sites:
 external: true
 certs:
diff --git a/searxng/config/limiter.toml b/searxng/config/limiter.toml
new file mode 100644
index 0000000..3be8d16
--- /dev/null
+++ b/searxng/config/limiter.toml
@@ -0,0 +1,40 @@
+[real_ip]
+
+# Number of values to trust for X-Forwarded-For.
+
+x_for = 1
+
+# The prefix defines the number of leading bits in an address that are compared
+# to determine whether or not an address is part of a (client) network.
+
+ipv4_prefix = 32
+ipv6_prefix = 48
+
+[botdetection.ip_limit]
+
+# To get unlimited access in a local network, by default link-lokal addresses
+# (networks) are not monitored by the ip_limit
+filter_link_local = false
+
+# activate link_token method in the ip_limit method
+link_token = false
+
+[botdetection.ip_lists]
+
+# In the limiter, the ip_lists method has priority over all other methods -> if
+# an IP is in the pass_ip list, it has unrestricted access and it is also not
+# checked if e.g. the "user agent" suggests a bot (e.g. curl).
+
+block_ip = [
+ # '93.184.216.34', # IPv4 of example.org
+ # '257.1.1.1', # invalid IP --> will be ignored, logged in ERROR class
+]
+
+pass_ip = [
+ # '192.168.0.0/16', # IPv4 private network
+ # 'fe80::/10' # IPv6 linklocal / wins over botdetection.ip_limit.filter_link_local
+]
+
+# Activate passlist of (hardcoded) IPs from the SearXNG organization,
+# e.g. `check.searx.space`.
+pass_searxng_org = true
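Review bot: With entrypoint.sh deleted in this commit, nothing visible on the page still replaces the `ultrasecretkey` placeholder, so the instance secret now appears to depend entirely on the bare `- SEARXNG_SECRET` pass-through in the `environment:` list of the compose.yaml hunk. A bare name is not passed to the container at all when the host variable is unset, which would leave whatever `secret_key` config/settings.yml carries (that line is outside the visible hunks). I would make the requirement explicit with `- SEARXNG_SECRET=${SEARXNG_SECRET:?SEARXNG_SECRET must be set}` so `docker compose up` stops before the container starts. The new `./config/:/etc/searxng/` bind mount is also read-write into the repository directory; consider a `:ro` suffix if the image does not need to write there. The service definition begins above the hunk.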
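Review bot: This new limiter.toml looks inert as committed, because the third settings.yml hunk of the same commit keeps `limiter: false` as context and switches `public_instance` to `false`, so the `[botdetection.*]` settings here would not be evaluated. Either enable the limiter in settings.yml or open the file with a comment such as `# Only takes effect when server.limiter is true in settings.yml.` so nobody assumes rate limiting is active because the file exists. If it is enabled later, `x_for = 1` is only right while exactly one proxy (the nginx in this repo) sits in front of SearXNG, and a comment next to it saying so would help. `link-lokal` in the ip_limit comment is a typo for `link-local`.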
diff --git a/searxng/settings.yml b/searxng/config/settings.yml
similarity index 99%
rename from searxng/settings.yml
rename to searxng/config/settings.yml
index 1bc4bed..182c6df 100644
--- a/searxng/settings.yml
+++ b/searxng/config/settings.yml
@@ -11,7 +11,7 @@ general:
 # mailto:contact@example.com
 contact_url: false
 # record stats
- enable_metrics: true
+ enable_metrics: false
 brand:
 new_issue_url: https://github.com/searxng/searxng/issues/new
@@ -34,9 +34,8 @@ search:
 default_lang: "auto"
 # Available languages
 languages:
- - fr
- - en
- - all
+ - fr-FR
+ - en-US
 # ban time in seconds after engine errors
 ban_time_on_fail: 5
 # max ban time in seconds after engine errors
@@ -70,7 +69,7 @@ server:
 # by ${SEARXNG_URL}.
 base_url: false # "http://example.com/location"
 limiter: false # rate limit the number of request on the instance, block some bots
- public_instance: true # enable features designed only for public instances
+ public_instance: false # enable features designed only for public instances
 # If your instance owns a /etc/searxng/settings.yml file, then set the following
 # values there.
diff --git a/searxng/entrypoint.sh b/searxng/entrypoint.sh
deleted file mode 100755
index bfb68a5..0000000
--- a/searxng/entrypoint.sh
+++ /dev/null
@@ -1,7 +0,0 @@
-#!/bin/sh -e
-
-sed -i "s|ultrasecretkey|$(openssl rand -hex 32)|g" /tmp/settings.yml
-
-mv /tmp/settings.yml "$SEARXNG_SETTINGS_PATH"
-
-exec "$@"
diff --git a/searxng/nginx.conf b/searxng/nginx.conf
index 8434b5f..f81f555 100644
--- a/searxng/nginx.conf
+++ b/searxng/nginx.conf
@@ -19,7 +19,11 @@ server {
 proxy_set_header Host $host;
 proxy_set_header Connection $http_connection;
+
+ # see flaskfix.py
 proxy_set_header X-Scheme $scheme;
+
+ # see limiter.py
 proxy_set_header X-Real-IP $remote_addr;
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 }
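Review bot: The two comments added in the nginx.conf hunk name upstream SearXNG source files (`flaskfix.py`, `limiter.py`) without saying what depends on each header, which is hard to follow from inside this repository. I would spell it out, for example `# X-Scheme: read by SearXNG (flaskfix.py) to build URLs with the right scheme` and `# X-Real-IP / X-Forwarded-For: client address for the limiter; keep in step with real_ip.x_for in config/limiter.toml`. The second comment is also the place to record that `$proxy_add_x_forwarded_for` appends `$remote_addr` to whatever the client sent, so only the last entry is trustworthy, which is what `x_for = 1` assumes. The `server` block opens above the hunk and the enclosing `location` is not visible here.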