From 46443be0087391fc5f6d90ef7ad0e02d83a7a847 Mon Sep 17 00:00:00 2001
From: cnphpbb
Date: Mon, 8 Sep 2025 20:27:13 +0800
Subject: [PATCH] =?UTF-8?q?feat(searxng):=20=E6=B7=BB=E5=8A=A0Caddy?=
 =?UTF-8?q?=E9=85=8D=E7=BD=AE=E6=96=87=E4=BB=B6?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

添加stack.yml用于定义SearXNG和Redis的docker-compose服务配置
添加Caddyfile作为反向代理配置,包含安全头设置和缓存策略
---
 searxng/Caddyfile | 91 ++++++++++++++++++++++++
 searxng/{searxng.stack.yml => stack.yml} | 4 +-
 2 files changed, 93 insertions(+), 2 deletions(-)
 create mode 100644 searxng/Caddyfile
 rename searxng/{searxng.stack.yml => stack.yml} (94%)

diff --git a/searxng/Caddyfile b/searxng/Caddyfile
new file mode 100644
index 0000000..d3e40f9
--- /dev/null
+++ b/searxng/Caddyfile
@@ -0,0 +1,91 @@
+{
+ admin off
+
+ log {
+ output stderr
+ format filter {
+ # Preserves first 8 bits from IPv4 and 32 bits from IPv6
+ request>remote_ip ip_mask 8 32
+ request>client_ip ip_mask 8 32
+
+ # Remove identificable information
+ request>remote_port delete
+ request>headers delete
+ request>uri query {
+ delete url
+ delete h
+ delete q
+ }
+ }
+ }
+
+ servers {
+ client_ip_headers X-Forwarded-For X-Real-IP
+
+ # Allow the following IP to passthrough the "X-Forwarded-*" headers to SearXNG
+ # https://caddyserver.com/docs/caddyfile/options#trusted-proxies
+ trusted_proxies static private_ranges
+ trusted_proxies_strict
+ }
+}
+
+{$SEARXNG_HOSTNAME}
+
+tls {$SEARXNG_TLS}
+
+encode zstd gzip
+
+@api {
+ path /config
+ path /healthz
+ path /stats/errors
+ path /stats/checker
+}
+
+@static {
+ path /static/*
+}
+
+@imageproxy {
+ path /image_proxy
+}
+
+header {
+ # CSP (https://content-security-policy.com)
+ Content-Security-Policy "upgrade-insecure-requests; default-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'; form-action 'self' https:; font-src 'self'; frame-ancestors 'self'; base-uri 'self'; connect-src 'self'; img-src * data:; frame-src https:;"
+
+ # Disable browser features
+ Permissions-Policy "accelerometer=(),camera=(),geolocation=(),gyroscope=(),magnetometer=(),microphone=(),payment=(),usb=()"
+
+ # Only allow same-origin requests
+ Referrer-Policy "same-origin"
+
+ # Prevent MIME type sniffing from the declared Content-Type
+ X-Content-Type-Options "nosniff"
+
+ # Comment header to allow indexing by search engines
+ X-Robots-Tag "noindex, nofollow, noarchive, nositelinkssearchbox, nosnippet, notranslate, noimageindex"
+
+ # enable HSTS
+ # WARNING: Once this value is set, the site must continue to support HTTPS until the expiry time is reached.
+
+ # Strict-Transport-Security max-age=15768000;
+
+ # Remove "Server" header
+ -Server
+}
+
+header @api {
+ Access-Control-Allow-Methods "GET, OPTIONS"
+ Access-Control-Allow-Origin "*"
+}
+
+route {
+ # Cache policy
+ header Cache-Control "no-cache"
+ header @static Cache-Control "public, max-age=30, stale-while-revalidate=60"
+ header @imageproxy Cache-Control "public, max-age=3600"
+}
+
+# SearXNG
+reverse_proxy localhost:8080
\ No newline at end of file
diff --git a/searxng/searxng.stack.yml b/searxng/stack.yml
similarity index 94%
rename from searxng/searxng.stack.yml
rename to searxng/stack.yml
index 814cbfb..32e2de6 100644
--- a/searxng/searxng.stack.yml
+++ b/searxng/stack.yml
@@ -1,6 +1,6 @@
 # mkdir -pv /data/volumes/searxng/{redis-data,etc-searxng}
-# pull:: docker compose --env-file ./searxng/env.cfg -f ./searxng/searxng.stack.yml pull
-# Run:: docker compose --env-file ./searxng/env.cfg -f ./searxng/searxng.stack.yml up -d
+# pull:: docker compose --env-file ./searxng/env.cfg -f ./searxng/stack.yml pull
+# Run:: docker compose --env-file ./searxng/env.cfg -f ./searxng/stack.yml up -d
 services:
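Review bot: In the new Caddyfile's `header` block the comment says `# enable HSTS` but the only Strict-Transport-Security line is commented out, so the site served under `tls {$SEARXNG_TLS}` never sends HSTS, and the commented line carries a copied trailing `;` that would become part of the header value if it is simply uncommented; when it is enabled it should read `Strict-Transport-Security "max-age=15768000"`, and until then the comment should say why it is off, e.g. `# HSTS intentionally disabled until the HTTPS setup is confirmed stable; enable with the line below`. Separately, `trusted_proxies static private_ranges` together with `client_ip_headers X-Forwarded-For X-Real-IP` makes Caddy accept forwarded client addresses from any peer in the private ranges; if this Caddy shares a bridge network with other containers, narrowing the list to the actual upstream proxy address, or dropping the directive when Caddy is the edge, keeps SearXNG's per-client limiter from acting on headers a neighbour could set. `reverse_proxy localhost:8080` also presumes Caddy runs in the same network namespace as the SearXNG container (host networking or a shared `network_mode`); if stack.yml runs them as separate compose services the target would need to be the service name, which I cannot confirm from the part of stack.yml visible here.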