diff --git a/searxng/Caddyfile b/searxng/Caddyfile new file mode 100644 index 0000000..d3e40f9 --- /dev/null +++ b/searxng/Caddyfile @@ -0,0 +1,91 @@ +{ + admin off + + log { + output stderr + format filter { + # Preserves first 8 bits from IPv4 and 32 bits from IPv6 + request>remote_ip ip_mask 8 32 + request>client_ip ip_mask 8 32 + + # Remove identificable information + request>remote_port delete + request>headers delete + request>uri query { + delete url + delete h + delete q + } + } + } + + servers { + client_ip_headers X-Forwarded-For X-Real-IP + + # Allow the following IP to passthrough the "X-Forwarded-*" headers to SearXNG + # https://caddyserver.com/docs/caddyfile/options#trusted-proxies + trusted_proxies static private_ranges + trusted_proxies_strict + } +} + +{$SEARXNG_HOSTNAME} + +tls {$SEARXNG_TLS} + +encode zstd gzip + +@api { + path /config + path /healthz + path /stats/errors + path /stats/checker +} + +@static { + path /static/* +} + +@imageproxy { + path /image_proxy +} + +header { + # CSP (https://content-security-policy.com) + Content-Security-Policy "upgrade-insecure-requests; default-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'; form-action 'self' https:; font-src 'self'; frame-ancestors 'self'; base-uri 'self'; connect-src 'self'; img-src * data:; frame-src https:;" + + # Disable browser features + Permissions-Policy "accelerometer=(),camera=(),geolocation=(),gyroscope=(),magnetometer=(),microphone=(),payment=(),usb=()" + + # Only allow same-origin requests + Referrer-Policy "same-origin" + + # Prevent MIME type sniffing from the declared Content-Type + X-Content-Type-Options "nosniff" + + # Comment header to allow indexing by search engines + X-Robots-Tag "noindex, nofollow, noarchive, nositelinkssearchbox, nosnippet, notranslate, noimageindex" + + # enable HSTS + # WARNING: Once this value is set, the site must continue to support HTTPS until the expiry time is reached. + + # Strict-Transport-Security max-age=15768000; + + # Remove "Server" header + -Server +} + +header @api { + Access-Control-Allow-Methods "GET, OPTIONS" + Access-Control-Allow-Origin "*" +} + +route { + # Cache policy + header Cache-Control "no-cache" + header @static Cache-Control "public, max-age=30, stale-while-revalidate=60" + header @imageproxy Cache-Control "public, max-age=3600" +} + +# SearXNG +reverse_proxy localhost:8080 \ No newline at end of file diff --git a/searxng/searxng.stack.yml b/searxng/stack.yml similarity index 94% rename from searxng/searxng.stack.yml rename to searxng/stack.yml index 814cbfb..32e2de6 100644 --- a/searxng/searxng.stack.yml +++ b/searxng/stack.yml @@ -1,6 +1,6 @@ # mkdir -pv /data/volumes/searxng/{redis-data,etc-searxng} -# pull:: docker compose --env-file ./searxng/env.cfg -f ./searxng/searxng.stack.yml pull -# Run:: docker compose --env-file ./searxng/env.cfg -f ./searxng/searxng.stack.yml up -d +# pull:: docker compose --env-file ./searxng/env.cfg -f ./searxng/stack.yml pull +# Run:: docker compose --env-file ./searxng/env.cfg -f ./searxng/stack.yml up -d services: