fix(searXNG): default lang, rate limit

searxng/compose.yaml

@@ -22,19 +22,18 @@ services:
     image: docker.io/searxng/searxng:latest
     restart: unless-stopped
     volumes:
-      - config:/etc/searxng/
+      - ./config/:/etc/searxng/
-      - ./settings.yml:/etc/searxng/settings.yml
     environment:
       - SEARXNG_SECRET
-      - REDIS_HOST=redis
+      - SEARXNG_REDIS_URL=redis://redis
     networks:
+      - default
       - nginx
     depends_on:
       - redis
 
 volumes:
   redis:
-  config:
   sites:
     external: true
   certs:

searxng/config/limiter.toml

@@ -0,0 +1,40 @@
+[real_ip]
+
+# Number of values to trust for X-Forwarded-For.
+
+x_for = 1
+
+# The prefix defines the number of leading bits in an address that are compared
+# to determine whether or not an address is part of a (client) network.
+
+ipv4_prefix = 32
+ipv6_prefix = 48
+
+[botdetection.ip_limit]
+
+# To get unlimited access in a local network, by default link-lokal addresses
+# (networks) are not monitored by the ip_limit
+filter_link_local = false
+
+# activate link_token method in the ip_limit method
+link_token = false
+
+[botdetection.ip_lists]
+
+# In the limiter, the ip_lists method has priority over all other methods -> if
+# an IP is in the pass_ip list, it has unrestricted access and it is also not
+# checked if e.g. the "user agent" suggests a bot (e.g. curl).
+
+block_ip = [
+  # '93.184.216.34',  # IPv4 of example.org
+  # '257.1.1.1',      # invalid IP --> will be ignored, logged in ERROR class
+]
+
+pass_ip = [
+  # '192.168.0.0/16',      # IPv4 private network
+  # 'fe80::/10'            # IPv6 linklocal / wins over botdetection.ip_limit.filter_link_local
+]
+
+# Activate passlist of (hardcoded) IPs from the SearXNG organization,
+# e.g. `check.searx.space`.
+pass_searxng_org = true

searxng/config/settings.yml

@@ -11,7 +11,7 @@ general:
   # mailto:contact@example.com
   contact_url: false
   # record stats
-  enable_metrics: true
+  enable_metrics: false
 
 brand:
   new_issue_url: https://github.com/searxng/searxng/issues/new
@@ -34,9 +34,8 @@ search:
   default_lang: "auto"
   # Available languages
   languages:
-    - fr
+    - fr-FR
-    - en
+    - en-US
-    - all
   # ban time in seconds after engine errors
   ban_time_on_fail: 5
   # max ban time in seconds after engine errors
@@ -70,7 +69,7 @@ server:
   # by ${SEARXNG_URL}.
   base_url: false  # "http://example.com/location"
   limiter: false  # rate limit the number of request on the instance, block some bots
-  public_instance: true  # enable features designed only for public instances
+  public_instance: false  # enable features designed only for public instances
 
   # If your instance owns a /etc/searxng/settings.yml file, then set the following
   # values there.

searxng/entrypoint.sh

@@ -1,7 +0,0 @@
-#!/bin/sh -e
-
-sed -i "s|ultrasecretkey|$(openssl rand -hex 32)|g" /tmp/settings.yml
-
-mv /tmp/settings.yml "$SEARXNG_SETTINGS_PATH"
-
-exec "$@"

searxng/nginx.conf

@@ -19,7 +19,11 @@ server {
 
         proxy_set_header Host            $host;
         proxy_set_header Connection      $http_connection;
+
+        # see flaskfix.py
         proxy_set_header X-Scheme        $scheme;
+
+        # see limiter.py
         proxy_set_header X-Real-IP       $remote_addr;
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
     }