summaryrefslogtreecommitdiff
path: root/utils/templates
diff options
context:
space:
mode:
Diffstat (limited to 'utils/templates')
-rw-r--r--utils/templates/etc/apache2/sites-available/morty.conf28
-rw-r--r--utils/templates/etc/apache2/sites-available/searx.conf:filtron33
-rw-r--r--utils/templates/etc/apache2/sites-available/searx.conf:uwsgi27
-rw-r--r--utils/templates/etc/filtron/rules.json127
-rw-r--r--utils/templates/etc/uwsgi/apps-available/searx.ini65
-rw-r--r--utils/templates/lib/systemd/system/filtron.service29
-rw-r--r--utils/templates/lib/systemd/system/morty.service29
7 files changed, 338 insertions, 0 deletions
diff --git a/utils/templates/etc/apache2/sites-available/morty.conf b/utils/templates/etc/apache2/sites-available/morty.conf
new file mode 100644
index 000000000..6bcc77b78
--- /dev/null
+++ b/utils/templates/etc/apache2/sites-available/morty.conf
@@ -0,0 +1,28 @@
+# -*- coding: utf-8; mode: apache -*-
+
+ProxyPreserveHost On
+
+<Location ${PUBLIC_URL_PATH_MORTY} >
+
+ <IfModule mod_security2.c>
+ SecRuleEngine Off
+ </IfModule>
+
+ Require all granted
+
+ Order deny,allow
+ Deny from all
+ #Allow from fd00::/8 192.168.0.0/16 fe80::/10 127.0.0.0/8 ::1
+ Allow from all
+
+ ProxyPass http://${MORTY_LISTEN}
+ RequestHeader set X-Script-Name ${PUBLIC_URL_PATH_MORTY}
+
+ # In Apache it seems, that setting HTTP_HOST header direct here does have no
+ # effect. I needed to set 'ProxyPreserveHost On' (see above). HTTP_HOST is
+ # needed by searx to render correct *Search URL* in the *Link* box and
+ # *saved preference*.
+
+ # RequestHeader set Host ${PUBLIC_URL_PATH_MORTY}
+
+</Location>
diff --git a/utils/templates/etc/apache2/sites-available/searx.conf:filtron b/utils/templates/etc/apache2/sites-available/searx.conf:filtron
new file mode 100644
index 000000000..5ede66301
--- /dev/null
+++ b/utils/templates/etc/apache2/sites-available/searx.conf:filtron
@@ -0,0 +1,33 @@
+# -*- coding: utf-8; mode: apache -*-
+
+ProxyPreserveHost On
+
+# SecRuleRemoveById 981054
+# SecRuleRemoveById 981059
+# SecRuleRemoveById 981060
+# SecRuleRemoveById 950907
+
+<Location ${FILTRON_URL_PATH} >
+
+ <IfModule mod_security2.c>
+ SecRuleEngine Off
+ </IfModule>
+
+ Require all granted
+
+ Order deny,allow
+ Deny from all
+ #Allow from fd00::/8 192.168.0.0/16 fe80::/10 127.0.0.0/8 ::1
+ Allow from all
+
+ ProxyPass http://${FILTRON_LISTEN}
+ RequestHeader set X-Script-Name ${FILTRON_URL_PATH}
+
+ # In Apache it seems, that setting HTTP_HOST header direct here does have no
+ # effect. I needed to set 'ProxyPreserveHost On' (see above). HTTP_HOST is
+ # needed by searx to render correct *Search URL* in the *Link* box and
+ # *saved preference*.
+
+ # RequestHeader set Host ${PUBLIC_HOST}
+
+</Location>
diff --git a/utils/templates/etc/apache2/sites-available/searx.conf:uwsgi b/utils/templates/etc/apache2/sites-available/searx.conf:uwsgi
new file mode 100644
index 000000000..21e01ac4e
--- /dev/null
+++ b/utils/templates/etc/apache2/sites-available/searx.conf:uwsgi
@@ -0,0 +1,27 @@
+# -*- coding: utf-8; mode: apache -*-
+
+<IfModule mod_uwsgi.c>
+
+ # SetEnvIf Request_URI "${SEARX_URL_PATH}" dontlog
+ # CustomLog /dev/null combined env=dontlog
+
+ <Location ${SEARX_URL_PATH}>
+
+ <IfModule mod_security2.c>
+ SecRuleEngine Off
+ </IfModule>
+
+ Require all granted
+
+ Options FollowSymLinks Indexes
+ SetHandler uwsgi-handler
+ uWSGISocket ${SEARX_UWSGI_SOCKET}
+
+ Order deny,allow
+ Deny from all
+ # Allow from fd00::/8 192.168.0.0/16 fe80::/10 127.0.0.0/8 ::1
+ Allow from all
+
+ </Location>
+
+</IfModule>
diff --git a/utils/templates/etc/filtron/rules.json b/utils/templates/etc/filtron/rules.json
new file mode 100644
index 000000000..8fbffa937
--- /dev/null
+++ b/utils/templates/etc/filtron/rules.json
@@ -0,0 +1,127 @@
+[
+ {
+ "name": "roboagent limit",
+ "filters": [
+ "Header:User-Agent=(curl|cURL|Wget|python-requests|Scrapy|FeedFetcher|Go-http-client|Ruby|UniversalFeedParser)"
+ ],
+ "limit": 0,
+ "stop": true,
+ "actions": [
+ { "name": "log"},
+ { "name": "block",
+ "params": {
+ "message": "Rate limit exceeded"
+ }
+ }
+ ]
+ },
+ {
+ "name": "botlimit",
+ "filters": [
+ "Header:User-Agent=(Googlebot|bingbot|Baiduspider|yacybot|YandexMobileBot|YandexBot|Yahoo! Slurp|MJ12bot|AhrefsBot|archive.org_bot|msnbot|MJ12bot|SeznamBot|linkdexbot|Netvibes|SMTBot|zgrab|James BOT)"
+ ],
+ "limit": 0,
+ "stop": true,
+ "actions": [
+ { "name": "log"},
+ { "name": "block",
+ "params": {
+ "message": "Rate limit exceeded"
+ }
+ }
+ ]
+ },
+ { "name": "suspiciously frequent IP",
+ "filters": [],
+ "interval": 600,
+ "limit": 30,
+ "aggregations": [
+ "Header:X-Forwarded-For"
+ ],
+ "actions":[
+ {"name":"log"}
+ ]
+ },
+ { "name": "search request",
+ "filters": [
+ "Param:q",
+ "Path=^(/|/search)$"
+ ],
+ "interval": 61,
+ "limit": 999,
+ "subrules": [
+ {
+ "name": "missing Accept-Language",
+ "filters": ["!Header:Accept-Language"],
+ "limit": 0,
+ "stop": true,
+ "actions": [
+ {"name":"log"},
+ {"name": "block",
+ "params": {"message": "Rate limit exceeded"}}
+ ]
+ },
+ {
+ "name": "suspiciously Connection=close header",
+ "filters": ["Header:Connection=close"],
+ "limit": 0,
+ "stop": true,
+ "actions": [
+ {"name":"log"},
+ {"name": "block",
+ "params": {"message": "Rate limit exceeded"}}
+ ]
+ },
+ {
+ "name": "IP limit",
+ "interval": 61,
+ "limit": 9,
+ "stop": true,
+ "aggregations": [
+ "Header:X-Forwarded-For"
+ ],
+ "actions": [
+ { "name": "log"},
+ { "name": "block",
+ "params": {
+ "message": "Rate limit exceeded"
+ }
+ }
+ ]
+ },
+ {
+ "name": "rss/json limit",
+ "filters": [
+ "Param:format=(csv|json|rss)"
+ ],
+ "interval": 121,
+ "limit": 2,
+ "stop": true,
+ "actions": [
+ { "name": "log"},
+ { "name": "block",
+ "params": {
+ "message": "Rate limit exceeded"
+ }
+ }
+ ]
+ },
+ {
+ "name": "useragent limit",
+ "interval": 61,
+ "limit": 199,
+ "aggregations": [
+ "Header:User-Agent"
+ ],
+ "actions": [
+ { "name": "log"},
+ { "name": "block",
+ "params": {
+ "message": "Rate limit exceeded"
+ }
+ }
+ ]
+ }
+ ]
+ }
+]
diff --git a/utils/templates/etc/uwsgi/apps-available/searx.ini b/utils/templates/etc/uwsgi/apps-available/searx.ini
new file mode 100644
index 000000000..bc62e5864
--- /dev/null
+++ b/utils/templates/etc/uwsgi/apps-available/searx.ini
@@ -0,0 +1,65 @@
+[uwsgi]
+
+# uWSGI core
+# ----------
+#
+# https://uwsgi-docs.readthedocs.io/en/latest/Options.html#uwsgi-core
+
+# Who will run the code
+uid = ${SERVICE_USER}
+gid = ${SERVICE_GROUP}
+
+# chdir to specified directory before apps loading
+chdir = ${SEARX_SRC}/searx
+
+# searx configuration (settings.yml)
+env = SEARX_SETTINGS_PATH=${SEARX_SETTINGS_PATH}
+
+# disable logging for privacy
+disable-logging = true
+
+# The right granted on the created socket
+chmod-socket = 666
+
+# Plugin to use and interpretor config
+single-interpreter = true
+
+# enable master process
+master = true
+
+# load apps in each worker instead of the master
+lazy-apps = true
+
+# load uWSGI plugins
+plugin = python3,http
+
+# By default the Python plugin does not initialize the GIL. This means your
+# app-generated threads will not run. If you need threads, remember to enable
+# them with enable-threads. Running uWSGI in multithreading mode (with the
+# threads options) will automatically enable threading support. This *strange*
+# default behaviour is for performance reasons.
+enable-threads = true
+
+
+# plugin: python
+# --------------
+#
+# https://uwsgi-docs.readthedocs.io/en/latest/Options.html#plugin-python
+
+# load a WSGI module
+module = searx.webapp
+
+# set PYTHONHOME/virtualenv
+virtualenv = ${SEARX_PYENV}
+
+# add directory (or glob) to pythonpath
+pythonpath = ${SEARX_SRC}
+
+
+# plugin http
+# -----------
+#
+# https://uwsgi-docs.readthedocs.io/en/latest/Options.html#plugin-http
+
+# Native HTTP support: https://uwsgi-docs.readthedocs.io/en/latest/HTTP.html
+http = ${SEARX_INTERNAL_URL}
diff --git a/utils/templates/lib/systemd/system/filtron.service b/utils/templates/lib/systemd/system/filtron.service
new file mode 100644
index 000000000..3b0c6edcc
--- /dev/null
+++ b/utils/templates/lib/systemd/system/filtron.service
@@ -0,0 +1,29 @@
+[Unit]
+
+Description=${SERVICE_NAME}
+After=syslog.target
+After=network.target
+
+[Service]
+
+Type=simple
+User=${SERVICE_USER}
+Group=${SERVICE_GROUP}
+WorkingDirectory=${SERVICE_HOME}
+ExecStart=${SERVICE_HOME}/go-apps/bin/filtron -api '${FILTRON_API}' -listen '${FILTRON_LISTEN}' -rules '${FILTRON_RULES}' -target '${FILTRON_TARGET}'
+
+Restart=always
+Environment=USER=${SERVICE_USER} HOME=${SERVICE_HOME}
+
+# Some distributions may not support these hardening directives. If you cannot
+# start the service due to an unknown option, comment out the ones not supported
+# by your version of systemd.
+
+ProtectSystem=full
+PrivateDevices=yes
+PrivateTmp=yes
+NoNewPrivileges=true
+
+[Install]
+
+WantedBy=multi-user.target
diff --git a/utils/templates/lib/systemd/system/morty.service b/utils/templates/lib/systemd/system/morty.service
new file mode 100644
index 000000000..d463c5097
--- /dev/null
+++ b/utils/templates/lib/systemd/system/morty.service
@@ -0,0 +1,29 @@
+[Unit]
+
+Description=${SERVICE_NAME}
+After=syslog.target
+After=network.target
+
+[Service]
+
+Type=simple
+User=${SERVICE_USER}
+Group=${SERVICE_GROUP}
+WorkingDirectory=${SERVICE_HOME}
+ExecStart=${SERVICE_HOME}/go-apps/bin/morty -key '' -listen '${MORTY_LISTEN}' -timeout ${MORTY_TIMEOUT}
+
+Restart=always
+Environment=USER=${SERVICE_USER} HOME=${SERVICE_HOME} DEBUG=${SERVICE_ENV_DEBUG}
+
+# Some distributions may not support these hardening directives. If you cannot
+# start the service due to an unknown option, comment out the ones not supported
+# by your version of systemd.
+
+ProtectSystem=full
+PrivateDevices=yes
+PrivateTmp=yes
+NoNewPrivileges=true
+
+[Install]
+
+WantedBy=multi-user.target
generated by cgit v1.2.3 (git 2.25.1) at 2026-03-27 13:43:20 +0000