5 files changed, 246 insertions, 0 deletions
diff --git a/utils/templates/etc/apache2/sites-available/searx.conf:filtron b/utils/templates/etc/apache2/sites-available/searx.conf:filtron
new file mode 100644
index 000000000..11bd70376
--- /dev/null
+++ b/utils/templates/etc/apache2/sites-available/searx.conf:filtron
@@ -0,0 +1,23 @@
+# -*- coding: utf-8; mode: apache -*-
+
+ProxyPreserveHost On
+
+<Location ${FILTRON_URL_PATH} >
+
+    Require all granted
+    Order deny,allow
+    Deny from all
+    #Allow from fd00::/8 192.168.0.0/16 fe80::/10 127.0.0.0/8 ::1
+    Allow from all
+
+    ProxyPass http://${FILTRON_LISTEN}
+    RequestHeader set X-Script-Name ${FILTRON_URL_PATH}
+
+    # In Apache it seems, that setting HTTP_HOST header direct here does have no
+    # effect.  I needed to set 'ProxyPreserveHost On' (see above).  HTTP_HOST is
+    # needed by searx to render correct *Search URL* in the *Link* box and
+    # *saved preference*.
+
+    # RequestHeader set Host ${PUBLIC_HOST}
+
+</Location>
diff --git a/utils/templates/etc/apache2/sites-available/searx.conf:uwsgi b/utils/templates/etc/apache2/sites-available/searx.conf:uwsgi
new file mode 100644
index 000000000..51cbdf41f
--- /dev/null
+++ b/utils/templates/etc/apache2/sites-available/searx.conf:uwsgi
@@ -0,0 +1,25 @@
+# -*- coding: utf-8; mode: apache -*-
+
+<IfModule mod_uwsgi.c>
+
+    # SetEnvIf Request_URI "${SEARX_URL_PATH}" dontlog
+    # CustomLog /dev/null combined env=dontlog
+
+    <Location ${SEARX_URL_PATH}>
+
+        <IfModule mod_security2.c>
+            SecRuleEngine Off
+        </IfModule>
+
+        Options FollowSymLinks Indexes
+        SetHandler uwsgi-handler
+        uWSGISocket ${SEARX_UWSGI_SOCKET}
+
+        Order deny,allow
+        Deny from all
+        # Allow from fd00::/8 192.168.0.0/16 fe80::/10 127.0.0.0/8 ::1
+        Allow from all
+
+    </Location>
+
+</IfModule>
diff --git a/utils/templates/etc/filtron/rules.json b/utils/templates/etc/filtron/rules.json
new file mode 100644
index 000000000..f333306e1
--- /dev/null
+++ b/utils/templates/etc/filtron/rules.json
@@ -0,0 +1,107 @@
+[{
+  "name":"search request",
+  "filters":[
+    "Param:q",
+    "Path=^(/|/search)$"
+  ],
+  "interval":120,
+  "limit":19,
+  "actions":[
+    {
+      "name":"block",
+      "params":{
+        "message":"common rate limit exceeded"
+      }
+    }
+  ],
+  "subrules":[
+    {
+      "name":"roboagent limit",
+      "interval":60,
+      "limit":3,
+      "filters":[
+        "Header:User-Agent=(curl|cURL|Wget|python-requests|Scrapy|FeedFetcher|Go-http-client|Ruby)"
+      ],
+      "actions":[
+        {"name":"log"},
+        {
+          "name":"block",
+          "params":{
+            "message":"rate limit exceeded"
+          }
+        }
+      ]
+    },
+    {
+      "name":"botlimit",
+      "interval":60,
+      "limit":0,
+      "stop":true,
+      "filters":[
+        "Header:User-Agent=(Googlebot|bingbot|Baiduspider|yacybot|YandexMobileBot|YandexBot|Yahoo! Slurp|MJ12bot|AhrefsBot|archive.org_bot|msnbot|MJ12bot|SeznamBot|linkdexbot|Netvibes|SMTBot|zgrab|James BOT)"
+      ],
+      "actions":[
+        {"name":"log"},
+        {
+          "name":"block",
+          "params":{
+            "message":"rate limit exceeded"
+          }
+        }
+      ]
+    },
+    {
+      "name":"IP limit",
+      "interval":60,
+      "limit":13,
+      "stop":true,
+      "aggregations":[
+        "Header:X-Forwarded-For"
+      ],
+      "actions":[
+        {"name":"log"},
+        {
+          "name":"block",
+          "params":{
+            "message":"rate limit exceeded"
+          }
+        }
+      ]
+    },
+    {
+      "name":"rss/json limit",
+      "interval":60,
+      "limit":13,
+      "stop":true,
+      "filters":[
+        "Param:format=(csv|json|rss)"
+      ],
+      "actions":[
+        {"name":"log"},
+        {
+          "name":"block",
+          "params":{
+            "message":"rate limit exceeded"
+          }
+        }
+      ]
+    },
+    {
+      "name":"useragent limit",
+      "interval":60,
+      "limit":13,
+      "aggregations":[
+        "Header:User-Agent"
+      ],
+      "actions":[
+        {"name":"log"},
+        {
+          "name":"block",
+          "params":{
+            "message":"rate limit exceeded"
+          }
+        }
+      ]
+    }
+  ]
+}]
diff --git a/utils/templates/etc/uwsgi/apps-available/searx.ini b/utils/templates/etc/uwsgi/apps-available/searx.ini
new file mode 100644
index 000000000..cff47f896
--- /dev/null
+++ b/utils/templates/etc/uwsgi/apps-available/searx.ini
@@ -0,0 +1,62 @@
+[uwsgi]
+
+# uWSGI core
+# ----------
+#
+# https://uwsgi-docs.readthedocs.io/en/latest/Options.html#uwsgi-core
+
+# Who will run the code
+uid = ${SERVICE_USER}
+gid = ${SERVICE_GROUP}
+
+# chdir to specified directory before apps loading
+chdir = ${SEARX_SRC}/searx
+
+# disable logging for privacy
+disable-logging = true
+
+# The right granted on the created socket
+chmod-socket = 666
+
+# Plugin to use and interpretor config
+single-interpreter = true
+
+# enable master process
+master = true
+
+# load apps in each worker instead of the master
+lazy-apps = true
+
+# load uWSGI plugins
+plugin = python3,http
+
+# By default the Python plugin does not initialize the GIL.  This means your
+# app-generated threads will not run.  If you need threads, remember to enable
+# them with enable-threads.  Running uWSGI in multithreading mode (with the
+# threads options) will automatically enable threading support. This *strange*
+# default behaviour is for performance reasons.
+enable-threads = true
+
+
+# plugin: python
+# --------------
+#
+# https://uwsgi-docs.readthedocs.io/en/latest/Options.html#plugin-python
+
+# load a WSGI module
+module = searx.webapp
+
+# set PYTHONHOME/virtualenv
+virtualenv = ${SEARX_PYENV}
+
+# add directory (or glob) to pythonpath
+pythonpath = ${SEARX_SRC}
+
+
+# plugin http
+# -----------
+#
+# https://uwsgi-docs.readthedocs.io/en/latest/Options.html#plugin-http
+
+# Native HTTP support: https://uwsgi-docs.readthedocs.io/en/latest/HTTP.html
+http = ${SEARX_INTERNAL_URL}
diff --git a/utils/templates/lib/systemd/system/filtron.service b/utils/templates/lib/systemd/system/filtron.service
new file mode 100644
index 000000000..3b0c6edcc
--- /dev/null
+++ b/utils/templates/lib/systemd/system/filtron.service
@@ -0,0 +1,29 @@
+[Unit]
+
+Description=${SERVICE_NAME}
+After=syslog.target
+After=network.target
+
+[Service]
+
+Type=simple
+User=${SERVICE_USER}
+Group=${SERVICE_GROUP}
+WorkingDirectory=${SERVICE_HOME}
+ExecStart=${SERVICE_HOME}/go-apps/bin/filtron -api '${FILTRON_API}' -listen '${FILTRON_LISTEN}' -rules '${FILTRON_RULES}' -target '${FILTRON_TARGET}'
+
+Restart=always
+Environment=USER=${SERVICE_USER} HOME=${SERVICE_HOME}
+
+# Some distributions may not support these hardening directives.  If you cannot
+# start the service due to an unknown option, comment out the ones not supported
+# by your version of systemd.
+
+ProtectSystem=full
+PrivateDevices=yes
+PrivateTmp=yes
+NoNewPrivileges=true
+
+[Install]
+
+WantedBy=multi-user.target