From 4139c63d23a1f4cc427eb428bcff0594c395c1c5 Mon Sep 17 00:00:00 2001 From: Markus Heiser Date: Wed, 8 Jan 2020 19:21:07 +0100 Subject: utils/filtron.sh: add script to install filtron middleware Signed-off-by: Markus Heiser --- utils/templates/etc/filtron/rules.json | 56 ++++++++++++++++++++++ utils/templates/lib/systemd/system/filtron.service | 29 +++++++++++ 2 files changed, 85 insertions(+) create mode 100644 utils/templates/etc/filtron/rules.json create mode 100644 utils/templates/lib/systemd/system/filtron.service (limited to 'utils/templates')
diff --git a/utils/templates/etc/filtron/rules.json b/utils/templates/etc/filtron/rules.json
new file mode 100644
index 000000000..4a232388e
--- /dev/null
+++ b/utils/templates/etc/filtron/rules.json
@@ -0,0 +1,56 @@
+[
+ {
+ "name": "api limit",
+ "interval": 60,
+ "limit": 1000,
+ "filters": ["Path=^/api"],
+ "aggregations": ["Path"],
+ "actions": [
+ {"name": "block"}
+ ],
+ "subrules": [
+ {
+ "name": "drop put",
+ "interval": 60,
+ "limit": 100,
+ "filters": ["Method=PUT"],
+ "aggregations": ["Header:X-Forwarded-For"],
+ "actions": [
+ {"name": "shell",
+ "params": {"cmd": "iptables -A INPUT -s %v -j DROP", "args": ["Header:X-Forwarded-For"]}}
+ ]
+ }
+ ]
+ },
+ {
+ "name": "log'n'block rss",
+ "interval": 300,
+ "limit": 2500,
+ "filters": ["Path=^/$", "GET:format=rss"],
+ "actions": [
+ {"name": "log"},
+ {"name": "block"}
+ ]
+ },
+ {
+ "name": "log rule",
+ "filters": ["Path=/"],
+ "actions": [ {"name": "log"} ],
+ "subrules": [
+ {
+ "name": "block missing accept-language",
+ "filters": ["!Header:Accept-Language"],
+ "actions": [
+ {"name": "block"}
+ ]
+ },
+ {
+ "name": "block curl",
+ "filters": ["Header:User-Agent=[Cc]url"],
+ "actions": [
+ {"name": "block"}
+ ]
+ }
+ ]
+ }
+]
diff --git a/utils/templates/lib/systemd/system/filtron.service b/utils/templates/lib/systemd/system/filtron.service
new file mode 100644
index 000000000..fdb67731a
--- /dev/null
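Review bot: The `drop put` subrule's `shell` action substitutes the client-supplied `X-Forwarded-For` header into `iptables -A INPUT -s %v -j DROP`, so a value chosen by the sender becomes an argument of a command the filter runs. Whether filtron validates that value as an IP address before substitution is not visible here, so this should not ship as a default template; I would drop the `shell` action and use `{"name": "block"}` as the sibling rules do. The unit file added in the same commit runs filtron as `${SERVICE_USER}` with `NoNewPrivileges=true`, so the iptables call would presumably fail for lack of privilege in any case.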
+++ b/utils/templates/lib/systemd/system/filtron.service
@@ -0,0 +1,29 @@
+[Unit]
+
+Description=${SERVICE_NAME}
+After=syslog.target
+After=network.target
+
+[Service]
+
+Type=simple
+User=${SERVICE_USER}
+Group=${SERVICE_GROUP}
+WorkingDirectory=${SERVICE_HOME}
+ExecStart=${SERVICE_HOME}/go-apps/bin/filtron -rules ${FILTRON_RULES}
+
+Restart=always
+Environment=USER=${SERVICE_USER} HOME=${SERVICE_HOME}
+
+# Some distributions may not support these hardening directives. If you cannot
+# start the service due to an unknown option, comment out the ones not supported
+# by your version of systemd.
+
+ProtectSystem=full
+PrivateDevices=yes
+PrivateTmp=yes
+NoNewPrivileges=true
+
+[Install]
+
+WantedBy=multi-user.target
-- cgit v1.2.3
From 4990b07b4bc42b0caf0d890f8c81c3545bbb807b Mon Sep 17 00:00:00 2001 From: Markus Heiser Date: Thu, 9 Jan 2020 16:25:05 +0100 Subject: utils/filtron.sh: various fix from first installation test (WIP) Signed-off-by: Markus Heiser --- utils/templates/etc/filtron/rules.json | 142 +++++++++++++-------- utils/templates/lib/systemd/system/filtron.service | 2 +- 2 files changed, 93 insertions(+), 51 deletions(-) (limited to 'utils/templates')
diff --git a/utils/templates/etc/filtron/rules.json b/utils/templates/etc/filtron/rules.json
index 4a232388e..b54e097a5 100644
--- a/utils/templates/etc/filtron/rules.json
+++ b/utils/templates/etc/filtron/rules.json
@@ -1,56 +1,98 @@ -[ +[{ + "name":"search request", + "filters":[ + "Param:q", + "Path=^(/|/search)$" + ], + "interval":60, + "limit":15, + "subrules":[ { - "name": "api limit", - "interval": 60, - "limit": 1000, - "filters": ["Path=^/api"], - "aggregations": ["Path"], - "actions": [ - {"name": "block"} - ], - "subrules": [ - { - "name": "drop put", - "interval": 60, - "limit": 100, - "filters": ["Method=PUT"], - "aggregations": ["Header:X-Forwarded-For"], - "actions": [ - {"name": "shell", - "params": {"cmd": "iptables -A INPUT -s %v -j DROP", "args": ["Header:X-Forwarded-For"]}} - ] - } - ] + "name":"roboagent limit", + "interval":60, + "limit":15, + "filters":[ + "Header:User-Agent=(curl|cURL|Wget|python-requests|Scrapy|FeedFetcher|Go-http-client)" + ], + "actions":[ + {"name": "log"}, + { + "name":"block", + "params":{ + "message":"Rate limit exceeded" + } + } + ] }, { - "name": "log'n'block rss", - "interval": 300, - "limit": 2500, - "filters": ["Path=^/$", "GET:format=rss"], - "actions": [ - {"name": "log"}, - {"name": "block"} - ] + "name":"botlimit", + "limit":0, + "stop":true, + "filters":[ + "Header:User-Agent=(Googlebot|bingbot|Baiduspider|yacybot|YandexMobileBot|YandexBot|Yahoo! 
Slurp|MJ12bot|AhrefsBot|archive.org_bot|msnbot|MJ12bot|SeznamBot|linkdexbot|Netvibes|SMTBot|zgrab|James BOT)" + ], + "actions":[ + {"name": "log"}, + { + "name":"block", + "params":{ + "message":"Rate limit exceeded" + } + } + ] }, { - "name": "log rule", - "filters": ["Path=/"], - "actions": [ {"name": "log"} ], - "subrules": [ - { - "name": "block missing accept-language", - "filters": ["!Header:Accept-Language"], - "actions": [ - {"name": "block"} - ] - }, - { - "name": "block curl", - "filters": ["Header:User-Agent=[Cc]url"], - "actions": [ - {"name": "block"} - ] - } - ] + "name":"IP limit", + "interval":60, + "limit":15, + "stop":true, + "aggregations":[ + "Header:X-Forwarded-For" + ], + "actions":[ + {"name": "log"}, + { + "name":"block", + "params":{ + "message":"Rate limit exceeded" + } + } + ] + }, + { + "name":"rss/json limit", + "interval":60, + "limit":15, + "stop":true, + "filters":[ + "Param:format=(csv|json|rss)" + ], + "actions":[ + {"name": "log"}, + { + "name":"block", + "params":{ + "message":"Rate limit exceeded" + } + } + ] + }, + { + "name":"useragent limit", + "interval":60, + "limit":15, + "aggregations":[ + "Header:User-Agent" + ], + "actions":[ + {"name": "log"}, + { + "name":"block", + "params":{ + "message":"Rate limit exceeded" + } + } + ] } -] + ] +}] diff --git a/utils/templates/lib/systemd/system/filtron.service b/utils/templates/lib/systemd/system/filtron.service index fdb67731a..3b0c6edcc 100644 --- a/utils/templates/lib/systemd/system/filtron.service +++ b/utils/templates/lib/systemd/system/filtron.service @@ -10,7 +10,7 @@ Type=simple User=${SERVICE_USER} Group=${SERVICE_GROUP} WorkingDirectory=${SERVICE_HOME} -ExecStart=${SERVICE_HOME}/go-apps/bin/filtron -rules ${FILTRON_RULES} +ExecStart=${SERVICE_HOME}/go-apps/bin/filtron -api '${FILTRON_API}' -listen '${FILTRON_LISTEN}' -rules '${FILTRON_RULES}' -target '${FILTRON_TARGET}' Restart=always Environment=USER=${SERVICE_USER} HOME=${SERVICE_HOME} -- cgit v1.2.3 
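Review bot: The `IP limit` subrule aggregates on `Header:X-Forwarded-For`, which only counts per client if the fronting proxy replaces that header; a proxy that appends to a client-sent value produces a different aggregation key for each prefix the client supplies, so the 15-per-60s limit would not hold. The installer documentation should state that the reverse proxy must discard any incoming `X-Forwarded-For` before forwarding to filtron, since strict JSON leaves no place for that comment in the template itself. Minor points in the `botlimit` filter: `MJ12bot` is listed twice and the `.` in `archive.org_bot` is an unescaped regex wildcard.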
From b5449ec47cff805a05329a3e5f925cd661457530 Mon Sep 17 00:00:00 2001 From: Markus Heiser Date: Mon, 13 Jan 2020 18:37:05 +0100 Subject: filtron: log suspiciously frequent queries (WIP) Signed-off-by: Markus Heiser --- utils/templates/etc/filtron/rules.json | 59 +++++++++++++++++++++++----------- 1 file changed, 40 insertions(+), 19 deletions(-) (limited to 'utils/templates') diff --git a/utils/templates/etc/filtron/rules.json b/utils/templates/etc/filtron/rules.json index b54e097a5..634f5f2d6 100644 --- a/utils/templates/etc/filtron/rules.json +++ b/utils/templates/etc/filtron/rules.json @@ -1,42 +1,63 @@ [{ + "name":"suspiciously frequent queries", + "filters":[ + "Param:q", + "Path=^(/|/search)$" + ], + "interval":120, + "limit":9, + "actions":[ + {"name":"log"} + ] + }, + { "name":"search request", "filters":[ "Param:q", "Path=^(/|/search)$" ], - "interval":60, - "limit":15, + "interval":120, + "limit":19, + "actions":[ + { + "name":"block", + "params":{ + "message":"common rate limit exceeded" + } + } + ], "subrules":[ { "name":"roboagent limit", "interval":60, - "limit":15, + "limit":3, "filters":[ - "Header:User-Agent=(curl|cURL|Wget|python-requests|Scrapy|FeedFetcher|Go-http-client)" + "Header:User-Agent=(curl|cURL|Wget|python-requests|Scrapy|FeedFetcher|Go-http-client|Ruby)" ], "actions":[ - {"name": "log"}, - { + {"name":"log"}, + { "name":"block", "params":{ - "message":"Rate limit exceeded" + "message":"rate limit exceeded" } } ] }, { "name":"botlimit", + "interval":60, "limit":0, "stop":true, "filters":[ "Header:User-Agent=(Googlebot|bingbot|Baiduspider|yacybot|YandexMobileBot|YandexBot|Yahoo! Slurp|MJ12bot|AhrefsBot|archive.org_bot|msnbot|MJ12bot|SeznamBot|linkdexbot|Netvibes|SMTBot|zgrab|James BOT)" ], "actions":[ - {"name": "log"}, + {"name":"log"}, { "name":"block", "params":{ - "message":"Rate limit exceeded" + "message":"rate limit exceeded" } } ] 
@@ -44,17 +65,17 @@ { "name":"IP limit", "interval":60, - "limit":15, + "limit":13, "stop":true, "aggregations":[ "Header:X-Forwarded-For" ], "actions":[ - {"name": "log"}, + {"name":"log"}, { "name":"block", "params":{ - "message":"Rate limit exceeded" + "message":"rate limit exceeded" } } ] @@ -62,34 +83,34 @@ { "name":"rss/json limit", "interval":60, - "limit":15, + "limit":13, "stop":true, "filters":[ "Param:format=(csv|json|rss)" ], "actions":[ - {"name": "log"}, + {"name":"log"}, { "name":"block", "params":{ - "message":"Rate limit exceeded" + "message":"rate limit exceeded" } } ] - }, + }, { "name":"useragent limit", "interval":60, - "limit":15, + "limit":13, "aggregations":[ "Header:User-Agent" ], "actions":[ - {"name": "log"}, + {"name":"log"}, { "name":"block", "params":{ - "message":"Rate limit exceeded" + "message":"rate limit exceeded" } } ] -- cgit v1.2.3 From 89df9d91412c2ebb8817e72c0ca9c8cfc5852f66 Mon Sep 17 00:00:00 2001 From: Markus Heiser Date: Thu, 16 Jan 2020 14:01:38 +0100 Subject: utils/searx.sh: add script to install isolated searx service (WIP) Signed-off-by: Markus Heiser --- utils/templates/etc/uwsgi/apps-available/searx.ini | 62 ++++++++++++++++++++++ 1 file changed, 62 insertions(+) create mode 100644 utils/templates/etc/uwsgi/apps-available/searx.ini (limited to 'utils/templates') diff --git a/utils/templates/etc/uwsgi/apps-available/searx.ini b/utils/templates/etc/uwsgi/apps-available/searx.ini new file mode 100644 index 000000000..138a57384 --- /dev/null +++ b/utils/templates/etc/uwsgi/apps-available/searx.ini 
@@ -0,0 +1,62 @@
+[uwsgi]
+
+# uWSGI core
+# ----------
+#
+# https://uwsgi-docs.readthedocs.io/en/latest/Options.html#uwsgi-core
+
+# Who will run the code
+uid = ${SERVICE_USER}
+gid = ${SERVICE_GROUP}
+
+# chdir to specified directory before apps loading
+chdir = ${SEARX_SRC}
+
+# disable logging for privacy
+disable-logging = true
+
+# The right granted on the created socket
+chmod-socket = 666
+
+# Plugin to use and interpretor config
+single-interpreter = true
+
+# enable master process
+master = true
+
+# load apps in each worker instead of the master
+lazy-apps = true
+
+# load uWSGI plugins
+plugin = python3
+
+# By default the Python plugin does not initialize the GIL. This means your
+# app-generated threads will not run. If you need threads, remember to enable
+# them with enable-threads. Running uWSGI in multithreading mode (with the
+# threads options) will automatically enable threading support. This *strange*
+# default behaviour is for performance reasons.
+enable-threads = true
+
+
+# plugin: python
+# --------------
+#
+# https://uwsgi-docs.readthedocs.io/en/latest/Options.html#plugin-python
+
+# load a WSGI module
+module = searx.webapp
+
+# set PYTHONHOME/virtualenv
+virtualenv = ${SEARX_PYENV}
+
+# add directory (or glob) to pythonpath
+pythonpath = ${SERVICE_HOME}
+
+
+# plugin http
+# -----------
+#
+# https://uwsgi-docs.readthedocs.io/en/latest/Options.html#plugin-http
+
+# Native HTTP support: https://uwsgi-docs.readthedocs.io/en/latest/HTTP.html
+http = ${SEARX_URL}
-- cgit v1.2.3
From 9b5a7f7559faf121e44ba3e7260290bd7efe74bf Mon Sep 17 00:00:00 2001 From: Markus Heiser Date: Mon, 20 Jan 2020 16:55:05 +0100 Subject: utils/searx.sh: add script to install isolated searx service First version which serves searx over uwsgi at http://127.0.0.1:8888 Signed-off-by: Markus Heiser --- utils/templates/etc/uwsgi/apps-available/searx.ini | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'utils/templates')
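Review bot: `chmod-socket = 666` makes any UNIX socket uWSGI creates readable and writable by every local account, which would let other users on the host reach the application directly instead of through the front proxy. This file only configures `http = ${SEARX_URL}`, so the option looks unused here; I would drop it, or if a socket is added later use `chmod-socket = 660` with a group shared with the web server. Typo in the comment above `single-interpreter`: `interpretor` should read `interpreter`.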
diff --git a/utils/templates/etc/uwsgi/apps-available/searx.ini b/utils/templates/etc/uwsgi/apps-available/searx.ini index 138a57384..d3893b3ad 100644 --- a/utils/templates/etc/uwsgi/apps-available/searx.ini +++ b/utils/templates/etc/uwsgi/apps-available/searx.ini @@ -10,7 +10,7 @@ uid = ${SERVICE_USER} gid = ${SERVICE_GROUP} # chdir to specified directory before apps loading -chdir = ${SEARX_SRC} +chdir = ${SEARX_SRC}/searx # disable logging for privacy disable-logging = true @@ -28,7 +28,7 @@ master = true lazy-apps = true # load uWSGI plugins -plugin = python3 +plugin = python3,http # By default the Python plugin does not initialize the GIL. This means your # app-generated threads will not run. If you need threads, remember to enable @@ -50,7 +50,7 @@ module = searx.webapp virtualenv = ${SEARX_PYENV} # add directory (or glob) to pythonpath -pythonpath = ${SERVICE_HOME} +pythonpath = ${SEARX_SRC} # plugin http -- cgit v1.2.3 From d171fcd56ea0444598c6ae6d6d089dd2488bd64d Mon Sep 17 00:00:00 2001 From: Markus Heiser Date: Tue, 21 Jan 2020 18:38:57 +0100 Subject: utils/searx.sh: add apache site searx.conf:uwsgi Signed-off-by: Markus Heiser --- .../etc/apache2/sites-available/searx.conf:uwsgi | 25 ++++++++++++++++++++++ 1 file changed, 25 insertions(+) create mode 100644 utils/templates/etc/apache2/sites-available/searx.conf:uwsgi (limited to 'utils/templates') diff --git a/utils/templates/etc/apache2/sites-available/searx.conf:uwsgi b/utils/templates/etc/apache2/sites-available/searx.conf:uwsgi new file mode 100644 index 000000000..4147e8520 --- /dev/null +++ b/utils/templates/etc/apache2/sites-available/searx.conf:uwsgi 
@@ -0,0 +1,25 @@ +# -*- coding: utf-8; mode: apache -*- + + + + # SetEnvIf Request_URI "${SEARX_APACHE_URL}" dontlog + # CustomLog /dev/null combined env=dontlog + + + + + SecRuleEngine Off + + + Options FollowSymLinks Indexes + SetHandler uwsgi-handler + uWSGISocket ${SEARX_UWSGI_SOCKET} + + Order deny,allow + Deny from all + # Allow from fd00::/8 192.168.0.0/16 fe80::/10 127.0.0.0/8 ::1 + Allow from all + + + + -- cgit v1.2.3 From 971a8264b2e21dd844d2cc2b54686def8ba18c06 Mon Sep 17 00:00:00 2001 From: Markus Heiser Date: Mon, 27 Jan 2020 19:08:40 +0100 Subject: utils/searx.sh: add apache site searx.conf:uwsgi (WIP) Signed-off-by: Markus Heiser --- utils/templates/etc/apache2/sites-available/searx.conf:uwsgi | 4 ++-- utils/templates/etc/uwsgi/apps-available/searx.ini | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) (limited to 'utils/templates') diff --git a/utils/templates/etc/apache2/sites-available/searx.conf:uwsgi b/utils/templates/etc/apache2/sites-available/searx.conf:uwsgi index 4147e8520..51cbdf41f 100644 --- a/utils/templates/etc/apache2/sites-available/searx.conf:uwsgi +++ b/utils/templates/etc/apache2/sites-available/searx.conf:uwsgi @@ -2,10 +2,10 @@ - # SetEnvIf Request_URI "${SEARX_APACHE_URL}" dontlog + # SetEnvIf Request_URI "${SEARX_URL_PATH}" dontlog # CustomLog /dev/null combined env=dontlog - + SecRuleEngine Off diff --git a/utils/templates/etc/uwsgi/apps-available/searx.ini b/utils/templates/etc/uwsgi/apps-available/searx.ini index d3893b3ad..cff47f896 100644 --- a/utils/templates/etc/uwsgi/apps-available/searx.ini +++ b/utils/templates/etc/uwsgi/apps-available/searx.ini @@ -59,4 +59,4 @@ pythonpath = ${SEARX_SRC} # https://uwsgi-docs.readthedocs.io/en/latest/Options.html#plugin-http # Native HTTP support: https://uwsgi-docs.readthedocs.io/en/latest/HTTP.html -http = ${SEARX_URL} +http = ${SEARX_INTERNAL_URL} -- cgit v1.2.3 From 924bf6551794e5962688c1e2962dc0c94869e2f1 Mon Sep 17 00:00:00 2001 
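Review bot: `Options FollowSymLinks Indexes` turns on directory listings for a location that is served entirely through `SetHandler uwsgi-handler`; `Indexes` has no purpose there and is better left out (`Options FollowSymLinks`, or `Options None` if symlinks are not needed). The access lines `Order deny,allow` / `Deny from all` / `Allow from all` net out to allow-everything, while the commented private-range `Allow from` line suggests a restricted variant was intended as an option; a comment saying which of the two `Allow` lines to keep for a non-public instance would help. The enclosing container tags are not visible on this page, so the scope of these directives is inferred.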
From: Markus Heiser Date: Wed, 29 Jan 2020 20:00:50 +0100 Subject: utils/searx.sh & filtron.sh: misc changes from first tests (WIP) Signed-off-by: Markus Heiser --- utils/templates/etc/apache2/sites-available/searx.conf:filtron | 3 +++ 1 file changed, 3 insertions(+) create mode 100644 utils/templates/etc/apache2/sites-available/searx.conf:filtron (limited to 'utils/templates') diff --git a/utils/templates/etc/apache2/sites-available/searx.conf:filtron b/utils/templates/etc/apache2/sites-available/searx.conf:filtron new file mode 100644 index 000000000..d2f5431a7 --- /dev/null +++ b/utils/templates/etc/apache2/sites-available/searx.conf:filtron @@ -0,0 +1,3 @@ +# -*- coding: utf-8; mode: apache -*- + +ProxyPass "/searx" "http://127.0.0.1:4004/" -- cgit v1.2.3 From 6274a54746b4444f8850aecea0cb0734c6bdc29c Mon Sep 17 00:00:00 2001 From: Markus Heiser Date: Thu, 30 Jan 2020 19:55:51 +0100 Subject: utils/searx.sh & filtron.sh: misc changes from first tests (WIP) Signed-off-by: Markus Heiser --- .../etc/apache2/sites-available/searx.conf:filtron | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) (limited to 'utils/templates') diff --git a/utils/templates/etc/apache2/sites-available/searx.conf:filtron b/utils/templates/etc/apache2/sites-available/searx.conf:filtron index d2f5431a7..f0914e9f9 100644 --- a/utils/templates/etc/apache2/sites-available/searx.conf:filtron +++ b/utils/templates/etc/apache2/sites-available/searx.conf:filtron @@ -1,3 +1,15 @@ # -*- coding: utf-8; mode: apache -*- -ProxyPass "/searx" "http://127.0.0.1:4004/" + + + Require all granted + Allow from all + + Order deny,allow + Deny from all + #Allow from fd00::/8 192.168.0.0/16 fe80::/10 127.0.0.0/8 ::1 + + ProxyPass "http://127.0.0.1:4004" + RequestHeader set "X-Script-Name" "${FILTRON_URL_PATH}" + + -- cgit v1.2.3 From 91a55e159e09450bb25206f42cf0189c2f5476ca Mon Sep 17 00:00:00 2001 
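Review bot: The block added to searx.conf:filtron combines the Apache 2.4 directive `Require all granted` with the 2.2-style `Order deny,allow` / `Deny from all` / `Allow from all` from mod_access_compat, which the Apache documentation discourages and which makes the effective policy hard to read. I would keep only one scheme: `Require all granted` for a public instance, or `Require ip 127.0.0.0/8 ::1 192.168.0.0/16 fd00::/8 fe80::/10` (the ranges from the commented line) for a private one. The same mix appears in the later searx.conf:filtron revision and in morty.conf.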
From: Markus Heiser Date: Fri, 31 Jan 2020 15:54:07 +0100 Subject: apache: reverse proxy, set `ProxyPreserveHost On` related discussions: - https://github.com/asciimoo/searx/issues/1822 - https://github.com/asciimoo/searx/issues/1819#issuecomment-580400259 Signed-off-by: Markus Heiser --- .../etc/apache2/sites-available/searx.conf:filtron | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-) (limited to 'utils/templates') diff --git a/utils/templates/etc/apache2/sites-available/searx.conf:filtron b/utils/templates/etc/apache2/sites-available/searx.conf:filtron index f0914e9f9..11bd70376 100644 --- a/utils/templates/etc/apache2/sites-available/searx.conf:filtron +++ b/utils/templates/etc/apache2/sites-available/searx.conf:filtron @@ -1,15 +1,23 @@ # -*- coding: utf-8; mode: apache -*- +ProxyPreserveHost On + Require all granted - Allow from all - Order deny,allow Deny from all #Allow from fd00::/8 192.168.0.0/16 fe80::/10 127.0.0.0/8 ::1 + Allow from all + + ProxyPass http://${FILTRON_LISTEN} + RequestHeader set X-Script-Name ${FILTRON_URL_PATH} + + # In Apache it seems, that setting HTTP_HOST header direct here does have no + # effect. I needed to set 'ProxyPreserveHost On' (see above). HTTP_HOST is + # needed by searx to render correct *Search URL* in the *Link* box and + # *saved preference*. - ProxyPass "http://127.0.0.1:4004" - RequestHeader set "X-Script-Name" "${FILTRON_URL_PATH}" + # RequestHeader set Host ${PUBLIC_HOST} -- cgit v1.2.3 From 0bb884708745a708b35a3185afc6ad99f20c1838 Mon Sep 17 00:00:00 2001 From: Markus Heiser Date: Fri, 31 Jan 2020 17:25:38 +0100 Subject: utils/filtron.sh: add option to debug filtron requests Signed-off-by: Markus Heiser --- utils/templates/etc/filtron/rules.json | 12 ------------ 1 file changed, 12 deletions(-) (limited to 'utils/templates') diff --git a/utils/templates/etc/filtron/rules.json b/utils/templates/etc/filtron/rules.json index 634f5f2d6..f333306e1 100644 
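Review bot: `ProxyPreserveHost On` passes the client's `Host` header through unchanged, and the added comment says searx uses it to render the search URL, so on a default or catch-all virtual host an arbitrary Host value would end up in generated links and saved preferences. I would add a comment that this snippet belongs inside a name-based vhost with an explicit `ServerName`, for example `# NOTE: include only in a vhost with ServerName set; searx trusts the forwarded Host`. As far as the visible lines show, the directive also sits outside the location block and therefore applies to every proxy rule in the enclosing scope.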
--- a/utils/templates/etc/filtron/rules.json +++ b/utils/templates/etc/filtron/rules.json @@ -1,16 +1,4 @@ [{ - "name":"suspiciously frequent queries", - "filters":[ - "Param:q", - "Path=^(/|/search)$" - ], - "interval":120, - "limit":9, - "actions":[ - {"name":"log"} - ] - }, - { "name":"search request", "filters":[ "Param:q", -- cgit v1.2.3 From a4437c47ac0bd22cd7f5aaa8e7895cdd8e93a317 Mon Sep 17 00:00:00 2001 From: Markus Heiser Date: Sun, 2 Feb 2020 18:14:10 +0100 Subject: utils/morty.sh: add script to install morty result proxy Signed-off-by: Markus Heiser --- .../etc/apache2/sites-available/morty.conf | 23 +++++++++++++++++ utils/templates/lib/systemd/system/morty.service | 29 ++++++++++++++++++++++ 2 files changed, 52 insertions(+) create mode 100644 utils/templates/etc/apache2/sites-available/morty.conf create mode 100644 utils/templates/lib/systemd/system/morty.service (limited to 'utils/templates') diff --git a/utils/templates/etc/apache2/sites-available/morty.conf b/utils/templates/etc/apache2/sites-available/morty.conf new file mode 100644 index 000000000..231b3fb79 --- /dev/null +++ b/utils/templates/etc/apache2/sites-available/morty.conf @@ -0,0 +1,23 @@ +# -*- coding: utf-8; mode: apache -*- + +ProxyPreserveHost On + + + + Require all granted + Order deny,allow + Deny from all + #Allow from fd00::/8 192.168.0.0/16 fe80::/10 127.0.0.0/8 ::1 + Allow from all + + ProxyPass http://${MORTY_LISTEN} + RequestHeader set X-Script-Name ${PUBLIC_URL_PATH_MORTY} + + # In Apache it seems, that setting HTTP_HOST header direct here does have no + # effect. I needed to set 'ProxyPreserveHost On' (see above). HTTP_HOST is + # needed by searx to render correct *Search URL* in the *Link* box and + # *saved preference*. + + # RequestHeader set Host ${PUBLIC_URL_PATH_MORTY} + + diff --git a/utils/templates/lib/systemd/system/morty.service b/utils/templates/lib/systemd/system/morty.service new file mode 100644 index 000000000..d463c5097 --- /dev/null 
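Review bot: The trailing comment block in morty.conf was copied from searx.conf:filtron without adaptation: it still describes searx's *Link* box, and the commented example `# RequestHeader set Host ${PUBLIC_URL_PATH_MORTY}` assigns a URL-path variable to the `Host` header, which is not a host name. Either remove the block or reword it for morty and use the host variable, as in `# RequestHeader set Host ${PUBLIC_HOST}`.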
+++ b/utils/templates/lib/systemd/system/morty.service
@@ -0,0 +1,29 @@
+[Unit]
+
+Description=${SERVICE_NAME}
+After=syslog.target
+After=network.target
+
+[Service]
+
+Type=simple
+User=${SERVICE_USER}
+Group=${SERVICE_GROUP}
+WorkingDirectory=${SERVICE_HOME}
+ExecStart=${SERVICE_HOME}/go-apps/bin/morty -key '' -listen '${MORTY_LISTEN}' -timeout ${MORTY_TIMEOUT}
+
+Restart=always
+Environment=USER=${SERVICE_USER} HOME=${SERVICE_HOME} DEBUG=${SERVICE_ENV_DEBUG}
+
+# Some distributions may not support these hardening directives. If you cannot
+# start the service due to an unknown option, comment out the ones not supported
+# by your version of systemd.
+
+ProtectSystem=full
+PrivateDevices=yes
+PrivateTmp=yes
+NoNewPrivileges=true
+
+[Install]
+
+WantedBy=multi-user.target
-- cgit v1.2.3
From 2f40f61f83afb34f0c4b95019a53050a504ce43a Mon Sep 17 00:00:00 2001 From: Markus Heiser Date: Tue, 4 Feb 2020 17:59:58 +0100 Subject: /etc/filtron/rules.json: normalize rules from docs & tooling box Signed-off-by: Markus Heiser --- utils/templates/etc/filtron/rules.json | 202 ++++++++++++++++----------------- 1 file changed, 100 insertions(+), 102 deletions(-) (limited to 'utils/templates')
diff --git a/utils/templates/etc/filtron/rules.json b/utils/templates/etc/filtron/rules.json
index f333306e1..1c7005ae5 100644
--- a/utils/templates/etc/filtron/rules.json
+++ b/utils/templates/etc/filtron/rules.json
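Review bot: `-key ''` in `ExecStart` starts morty with an empty HMAC key, which as far as I know disables URL validation, so the proxy would fetch any address a visitor submits rather than only links signed by searx. Since morty.conf in this commit publishes the service with `Allow from all`, the template should take the key from an installer variable, e.g. `-key '${MORTY_KEY}'` (variable name is a placeholder), generated at install time and shared with the searx result-proxy setting. `DEBUG=${SERVICE_ENV_DEBUG}` is also passed unconditionally, so it is worth confirming that the installer defaults it to off.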
@@ -1,107 +1,105 @@ -[{ - "name":"search request", - "filters":[ - "Param:q", - "Path=^(/|/search)$" - ], - "interval":120, - "limit":19, - "actions":[ - { - "name":"block", - "params":{ - "message":"common rate limit exceeded" - } - } - ], - "subrules":[ - { - "name":"roboagent limit", - "interval":60, - "limit":3, - "filters":[ - "Header:User-Agent=(curl|cURL|Wget|python-requests|Scrapy|FeedFetcher|Go-http-client|Ruby)" - ], - "actions":[ - {"name":"log"}, - { - "name":"block", - "params":{ - "message":"rate limit exceeded" +[ + { "name": "suspiciously frequent IP", + "filters": [], + "interval": 600, + "limit": 30, + "aggregations": [ + "Header:X-Forwarded-For" + ], + "actions":[ + {"name":"log"} + ] + }, + { "name": "search request", + "filters": [ + "Param:q", + "Path=^(/|/search)$" + ], + "interval": 61, + "limit": 999, + "subrules": [ + { + "name": "roboagent limit", + "interval": 61, + "limit": 1, + "filters": [ + "Header:User-Agent=(curl|cURL|Wget|python-requests|Scrapy|FeedFetcher|Go-http-client)" + ], + "actions": [ + { "name": "log"}, + { "name": "block", + "params": { + "message": "Rate limit exceeded" + } } - } - ] - }, - { - "name":"botlimit", - "interval":60, - "limit":0, - "stop":true, - "filters":[ - "Header:User-Agent=(Googlebot|bingbot|Baiduspider|yacybot|YandexMobileBot|YandexBot|Yahoo! Slurp|MJ12bot|AhrefsBot|archive.org_bot|msnbot|MJ12bot|SeznamBot|linkdexbot|Netvibes|SMTBot|zgrab|James BOT)" - ], - "actions":[ - {"name":"log"}, - { - "name":"block", - "params":{ - "message":"rate limit exceeded" + ] + }, + { + "name": "botlimit", + "limit": 0, + "stop": true, + "filters": [ + "Header:User-Agent=(Googlebot|bingbot|Baiduspider|yacybot|YandexMobileBot|YandexBot|Yahoo! 
Slurp|MJ12bot|AhrefsBot|archive.org_bot|msnbot|MJ12bot|SeznamBot|linkdexbot|Netvibes|SMTBot|zgrab|James BOT)" + ], + "actions": [ + { "name": "log"}, + { "name": "block", + "params": { + "message": "Rate limit exceeded" + } } - } - ] - }, - { - "name":"IP limit", - "interval":60, - "limit":13, - "stop":true, - "aggregations":[ - "Header:X-Forwarded-For" - ], - "actions":[ - {"name":"log"}, - { - "name":"block", - "params":{ - "message":"rate limit exceeded" + ] + }, + { + "name": "IP limit", + "interval": 61, + "limit": 9, + "stop": true, + "aggregations": [ + "Header:X-Forwarded-For" + ], + "actions": [ + { "name": "log"}, + { "name": "block", + "params": { + "message": "Rate limit exceeded" + } } - } - ] - }, - { - "name":"rss/json limit", - "interval":60, - "limit":13, - "stop":true, - "filters":[ - "Param:format=(csv|json|rss)" - ], - "actions":[ - {"name":"log"}, - { - "name":"block", - "params":{ - "message":"rate limit exceeded" + ] + }, + { + "name": "rss/json limit", + "interval": 121, + "limit": 2, + "stop": true, + "filters": [ + "Param:format=(csv|json|rss)" + ], + "actions": [ + { "name": "log"}, + { "name": "block", + "params": { + "message": "Rate limit exceeded" + } } - } - ] - }, - { - "name":"useragent limit", - "interval":60, - "limit":13, - "aggregations":[ - "Header:User-Agent" - ], - "actions":[ - {"name":"log"}, - { - "name":"block", - "params":{ - "message":"rate limit exceeded" + ] + }, + { + "name": "useragent limit", + "interval": 61, + "limit": 199, + "aggregations": [ + "Header:User-Agent" + ], + "actions": [ + { "name": "log"}, + { "name": "block", + "params": { + "message": "Rate limit exceeded" + } } - } - ] - } - ] -}] + ] + } + ] + } +] -- cgit v1.2.3 From 71d7550dbe750f35f0dd7b5c513bc9e8db9512ee Mon Sep 17 00:00:00 2001 
From: Markus Heiser Date: Tue, 4 Feb 2020 19:47:33 +0100 Subject: tooling box ./utils/*: minor fix from production test --- utils/templates/etc/apache2/sites-available/morty.conf | 5 +++++ utils/templates/etc/apache2/sites-available/searx.conf:filtron | 9 +++++++++ utils/templates/etc/apache2/sites-available/searx.conf:uwsgi | 2 ++ 3 files changed, 16 insertions(+) (limited to 'utils/templates') diff --git a/utils/templates/etc/apache2/sites-available/morty.conf b/utils/templates/etc/apache2/sites-available/morty.conf index 231b3fb79..6bcc77b78 100644 --- a/utils/templates/etc/apache2/sites-available/morty.conf +++ b/utils/templates/etc/apache2/sites-available/morty.conf @@ -4,7 +4,12 @@ ProxyPreserveHost On + + SecRuleEngine Off + + Require all granted + Order deny,allow Deny from all #Allow from fd00::/8 192.168.0.0/16 fe80::/10 127.0.0.0/8 ::1 diff --git a/utils/templates/etc/apache2/sites-available/searx.conf:filtron b/utils/templates/etc/apache2/sites-available/searx.conf:filtron index 11bd70376..3f03dfadd 100644 --- a/utils/templates/etc/apache2/sites-available/searx.conf:filtron +++ b/utils/templates/etc/apache2/sites-available/searx.conf:filtron @@ -2,9 +2,18 @@ ProxyPreserveHost On +# SecRuleRemoveById 981054 +# SecRuleRemoveById 981059 +# SecRuleRemoveById 981060 + + + SecRuleEngine Off + + Require all granted + Order deny,allow Deny from all #Allow from fd00::/8 192.168.0.0/16 fe80::/10 127.0.0.0/8 ::1 diff --git a/utils/templates/etc/apache2/sites-available/searx.conf:uwsgi b/utils/templates/etc/apache2/sites-available/searx.conf:uwsgi index 51cbdf41f..21e01ac4e 100644 --- a/utils/templates/etc/apache2/sites-available/searx.conf:uwsgi +++ b/utils/templates/etc/apache2/sites-available/searx.conf:uwsgi @@ -11,6 +11,8 @@ SecRuleEngine Off + Require all granted + Options FollowSymLinks Indexes SetHandler uwsgi-handler uWSGISocket ${SEARX_UWSGI_SOCKET} -- cgit v1.2.3 From ed4cb4f1603dc519aa42cc626874f23d2e9db84e Mon Sep 17 00:00:00 2001 
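Review bot: `SecRuleEngine Off` disables ModSecurity completely for the morty and filtron locations (searx.conf:uwsgi already carried the same line), although the commented `SecRuleRemoveById 981054` / `981059` / `981060` lines added next to it show the narrower alternative. I would enable those specific exclusions instead, or use `SecRuleEngine DetectionOnly` while tuning, and add a comment naming the false positives that motivated the change, so an operator can tell whether the blanket switch-off is still needed. The container tags around these directives are not visible on this page, so their exact scope is inferred.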
From: Markus Heiser Date: Sat, 8 Feb 2020 13:24:08 +0100 Subject: tooling box: varius fix from tests --- utils/templates/etc/apache2/sites-available/searx.conf:filtron | 1 + 1 file changed, 1 insertion(+) (limited to 'utils/templates') diff --git a/utils/templates/etc/apache2/sites-available/searx.conf:filtron b/utils/templates/etc/apache2/sites-available/searx.conf:filtron index 3f03dfadd..5ede66301 100644 --- a/utils/templates/etc/apache2/sites-available/searx.conf:filtron +++ b/utils/templates/etc/apache2/sites-available/searx.conf:filtron @@ -5,6 +5,7 @@ ProxyPreserveHost On # SecRuleRemoveById 981054 # SecRuleRemoveById 981059 # SecRuleRemoveById 981060 +# SecRuleRemoveById 950907 -- cgit v1.2.3 From 0d6153db127133e59137f4359975bafd705e0f4b Mon Sep 17 00:00:00 2001 From: Markus Heiser Date: Tue, 11 Feb 2020 15:57:42 +0100 Subject: filtron.sh: updated rules from production Signed-off-by: Markus Heiser --- utils/templates/etc/filtron/rules.json | 226 ++++++++++++++++++--------------- 1 file changed, 123 insertions(+), 103 deletions(-) (limited to 'utils/templates') diff --git a/utils/templates/etc/filtron/rules.json b/utils/templates/etc/filtron/rules.json index 1c7005ae5..f4a99b3e8 100644 --- a/utils/templates/etc/filtron/rules.json +++ b/utils/templates/etc/filtron/rules.json 
@@ -1,105 +1,125 @@ [ - { "name": "suspiciously frequent IP", - "filters": [], - "interval": 600, - "limit": 30, - "aggregations": [ - "Header:X-Forwarded-For" - ], - "actions":[ - {"name":"log"} - ] - }, - { "name": "search request", - "filters": [ - "Param:q", - "Path=^(/|/search)$" - ], - "interval": 61, - "limit": 999, - "subrules": [ - { - "name": "roboagent limit", - "interval": 61, - "limit": 1, - "filters": [ - "Header:User-Agent=(curl|cURL|Wget|python-requests|Scrapy|FeedFetcher|Go-http-client)" - ], - "actions": [ - { "name": "log"}, - { "name": "block", - "params": { - "message": "Rate limit exceeded" - } - } - ] - }, - { - "name": "botlimit", - "limit": 0, - "stop": true, - "filters": [ - "Header:User-Agent=(Googlebot|bingbot|Baiduspider|yacybot|YandexMobileBot|YandexBot|Yahoo! Slurp|MJ12bot|AhrefsBot|archive.org_bot|msnbot|MJ12bot|SeznamBot|linkdexbot|Netvibes|SMTBot|zgrab|James BOT)" - ], - "actions": [ - { "name": "log"}, - { "name": "block", - "params": { - "message": "Rate limit exceeded" - } - } - ] - }, - { - "name": "IP limit", - "interval": 61, - "limit": 9, - "stop": true, - "aggregations": [ - "Header:X-Forwarded-For" - ], - "actions": [ - { "name": "log"}, - { "name": "block", - "params": { - "message": "Rate limit exceeded" - } - } - ] - }, - { - "name": "rss/json limit", - "interval": 121, - "limit": 2, - "stop": true, - "filters": [ - "Param:format=(csv|json|rss)" - ], - "actions": [ - { "name": "log"}, - { "name": "block", - "params": { - "message": "Rate limit exceeded" - } - } - ] - }, - { - "name": "useragent limit", - "interval": 61, - "limit": 199, - "aggregations": [ - "Header:User-Agent" - ], - "actions": [ - { "name": "log"}, - { "name": "block", - "params": { - "message": "Rate limit exceeded" - } - } - ] - } - ] - } + { + "name": "roboagent limit", + "filters": [ + "Header:User-Agent=(curl|cURL|Wget|python-requests|Scrapy|FeedFetcher|Go-http-client|Ruby|UniversalFeedParser)" + ], + "limit": 0, + "stop": true, + "actions": [ + { 
"name": "log"}, + { "name": "block", + "params": { + "message": "Rate limit exceeded" + } + } + ] + }, + { + "name": "botlimit", + "filters": [ + "Header:User-Agent=(Googlebot|bingbot|Baiduspider|yacybot|YandexMobileBot|YandexBot|Yahoo! Slurp|MJ12bot|AhrefsBot|archive.org_bot|msnbot|MJ12bot|SeznamBot|linkdexbot|Netvibes|SMTBot|zgrab|James BOT)" + ], + "limit": 0, + "stop": true, + "actions": [ + { "name": "log"}, + { "name": "block", + "params": { + "message": "Rate limit exceeded" + } + } + ] + }, + { "name": "suspiciously frequent IP", + "filters": [], + "interval": 600, + "limit": 30, + "aggregations": [ + "Header:X-Forwarded-For" + ], + "actions":[ + {"name":"log"} + ] + }, + { "name": "search request", + "filters": [ + "Param:q", + "Path=^(/|/search)$" + ], + "interval": 61, + "limit": 999, + "subrules": [ + { + "name": "missing Accept-Language", + "filters": ["!Header:Accept-Language"], + "limit": 0, + "stop": true, + "actions": [ + {"name": "block", + "params": {"message": "Rate limit exceeded"}} + ] + }, + { + "name": "suspiciously Connection=close header", + "filters": ["Header:Connection=close"], + "limit": 0, + "stop": true, + "actions": [ + {"name": "block", + "params": {"message": "Rate limit exceeded"}} + ] + }, + { + "name": "IP limit", + "interval": 61, + "limit": 9, + "stop": true, + "aggregations": [ + "Header:X-Forwarded-For" + ], + "actions": [ + { "name": "log"}, + { "name": "block", + "params": { + "message": "Rate limit exceeded" + } + } + ] + }, + { + "name": "rss/json limit", + "filters": [ + "Param:format=(csv|json|rss)" + ], + "interval": 121, + "limit": 2, + "stop": true, + "actions": [ + { "name": "log"}, + { "name": "block", + "params": { + "message": "Rate limit exceeded" + } + } + ] + }, + { + "name": "useragent limit", + "interval": 61, + "limit": 199, + "aggregations": [ + "Header:User-Agent" + ], + "actions": [ + { "name": "log"}, + { "name": "block", + "params": { + "message": "Rate limit exceeded" + } + } + ] + } + ] + } ] -- 
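Review bot: The "IP limit" subrule and the "suspiciously frequent IP" rule count requests per `Header:X-Forwarded-For` value, so both are only as trustworthy as that header. If the reverse proxy in front of filtron appends the peer address to whatever the client sent (not visible in this file), the key is partly client-controlled and the per-address count stops being meaningful. The rule file cannot carry a comment, so the installation notes for this template should state that the front proxy must discard any client-supplied X-Forwarded-For and set it from the connection address. Separately, `MJ12bot` is listed twice in the "botlimit" pattern, and the dot in `archive.org_bot` is unescaped; `archive\\.org_bot` would match only the literal name.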
cgit v1.2.3 From de58f02f6b502f05a86df50e3e6fa77d0b666ec9 Mon Sep 17 00:00:00 2001 From: Markus Heiser Date: Mon, 17 Feb 2020 15:36:10 +0100 Subject: filtron: add missing log action to the filtron rules Signed-off-by: Markus Heiser --- utils/templates/etc/filtron/rules.json | 2 ++ 1 file changed, 2 insertions(+) (limited to 'utils/templates') diff --git a/utils/templates/etc/filtron/rules.json b/utils/templates/etc/filtron/rules.json index f4a99b3e8..8fbffa937 100644 --- a/utils/templates/etc/filtron/rules.json +++ b/utils/templates/etc/filtron/rules.json @@ -56,6 +56,7 @@ "limit": 0, "stop": true, "actions": [ + {"name":"log"}, {"name": "block", "params": {"message": "Rate limit exceeded"}} ] @@ -66,6 +67,7 @@ "limit": 0, "stop": true, "actions": [ + {"name":"log"}, {"name": "block", "params": {"message": "Rate limit exceeded"}} ] -- cgit v1.2.3 From 59e4026762a809fe2a5b5a5a949d7d671f4d989b Mon Sep 17 00:00:00 2001 From: Markus Heiser Date: Mon, 17 Feb 2020 18:58:59 +0100 Subject: searx.sh: install settings at /etc/searx/settings.yml Signed-off-by: Markus Heiser --- utils/templates/etc/uwsgi/apps-available/searx.ini | 3 +++ 1 file changed, 3 insertions(+) (limited to 'utils/templates') diff --git a/utils/templates/etc/uwsgi/apps-available/searx.ini b/utils/templates/etc/uwsgi/apps-available/searx.ini index cff47f896..bc62e5864 100644 --- a/utils/templates/etc/uwsgi/apps-available/searx.ini +++ b/utils/templates/etc/uwsgi/apps-available/searx.ini @@ -12,6 +12,9 @@ gid = ${SERVICE_GROUP} # chdir to specified directory before apps loading chdir = ${SEARX_SRC}/searx +# searx configuration (settings.yml) +env = SEARX_SETTINGS_PATH=${SEARX_SETTINGS_PATH} + # disable logging for privacy disable-logging = true -- cgit v1.2.3 From d5917cc029e2736b11412a570470c666af093ec9 Mon Sep 17 00:00:00 2001 From: Markus Heiser Date: Tue, 25 Feb 2020 20:20:17 +0100 Subject: utils/lib.sh: make uWSGI installation available for all distros support: ubuntu, debin, fedora, archlinux 
Signed-off-by: Markus Heiser --- utils/templates/etc/uwsgi/apps-archlinux/searx.ini | 66 ++++++++++++++++++++++ 1 file changed, 66 insertions(+) create mode 100644 utils/templates/etc/uwsgi/apps-archlinux/searx.ini (limited to 'utils/templates') diff --git a/utils/templates/etc/uwsgi/apps-archlinux/searx.ini b/utils/templates/etc/uwsgi/apps-archlinux/searx.ini new file mode 100644 index 000000000..08873cf0f --- /dev/null +++ b/utils/templates/etc/uwsgi/apps-archlinux/searx.ini 
@@ -0,0 +1,66 @@ +[uwsgi] + +# uWSGI core +# ---------- +# +# https://uwsgi-docs.readthedocs.io/en/latest/Options.html#uwsgi-core + +# Who will run the code +uid = ${SERVICE_USER} +gid = ${SERVICE_GROUP} + +# chdir to specified directory before apps loading +chdir = ${SEARX_SRC}/searx + +# searx configuration (settings.yml) +env = SEARX_SETTINGS_PATH=${SEARX_SETTINGS_PATH} + +# disable logging for privacy +logger = systemd +disable-logging = false + +# The right granted on the created socket +chmod-socket = 666 + +# Plugin to use and interpretor config +single-interpreter = true + +# enable master process +master = true + +# load apps in each worker instead of the master +lazy-apps = true + +# load uWSGI plugins +plugin = python,http,systemd_logger + +# By default the Python plugin does not initialize the GIL. This means your +# app-generated threads will not run. If you need threads, remember to enable +# them with enable-threads. Running uWSGI in multithreading mode (with the +# threads options) will automatically enable threading support. This *strange* +# default behaviour is for performance reasons. +enable-threads = true + + +# plugin: python +# -------------- +# +# https://uwsgi-docs.readthedocs.io/en/latest/Options.html#plugin-python + +# load a WSGI module +module = searx.webapp + +# set PYTHONHOME/virtualenv +virtualenv = ${SEARX_PYENV} + +# add directory (or glob) to pythonpath +pythonpath = ${SEARX_SRC} + + +# plugin http +# ----------- +# +# https://uwsgi-docs.readthedocs.io/en/latest/Options.html#plugin-http + +# Native HTTP support: https://uwsgi-docs.readthedocs.io/en/latest/HTTP.html +http = ${SEARX_INTERNAL_URL} -- cgit v1.2.3 From af6acd3417bf53c151b9ba6068186c1e472a2776 Mon Sep 17 00:00:00 2001 From: Markus Heiser Date: Wed, 26 Feb 2020 19:07:55 +0100 Subject: LXC: install searx-suite installs searx, filtron & morty on all containers 
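Review bot: The comment `# disable logging for privacy` in the new apps-archlinux/searx.ini is followed by `logger = systemd` and `disable-logging = false`, so request logging stays enabled and is routed to the journal. Request lines for a search front end normally include the query string, which is what the comment says should not be recorded. To match the stated intent and the existing apps-available/searx.ini the line should be `disable-logging = true`. If `logger = systemd` is kept for uWSGI's own messages, the comment should say so.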
Signed-off-by: Markus Heiser --- utils/templates/etc/uwsgi/apps-archlinux/searx.ini | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'utils/templates') diff --git a/utils/templates/etc/uwsgi/apps-archlinux/searx.ini b/utils/templates/etc/uwsgi/apps-archlinux/searx.ini index 08873cf0f..78ad50443 100644 --- a/utils/templates/etc/uwsgi/apps-archlinux/searx.ini +++ b/utils/templates/etc/uwsgi/apps-archlinux/searx.ini @@ -32,7 +32,7 @@ master = true lazy-apps = true # load uWSGI plugins -plugin = python,http,systemd_logger +plugin = python # By default the Python plugin does not initialize the GIL. This means your # app-generated threads will not run. If you need threads, remember to enable -- cgit v1.2.3 From 387c6a77691fec514704bdf178b9ab94ad4abb40 Mon Sep 17 00:00:00 2001 From: Markus Heiser Date: Fri, 6 Mar 2020 14:47:00 +0100 Subject: docs: improve description of uwsgi & ngingx setup Signed-off-by: Markus Heiser --- utils/templates/etc/uwsgi/apps-archlinux/searx.ini | 20 +++++++++++++++++--- utils/templates/etc/uwsgi/apps-available/searx.ini | 20 +++++++++++++++++--- 2 files changed, 34 insertions(+), 6 deletions(-) (limited to 'utils/templates') diff --git a/utils/templates/etc/uwsgi/apps-archlinux/searx.ini b/utils/templates/etc/uwsgi/apps-archlinux/searx.ini index 78ad50443..f96554060 100644 --- a/utils/templates/etc/uwsgi/apps-archlinux/searx.ini +++ b/utils/templates/etc/uwsgi/apps-archlinux/searx.ini 
@@ -57,10 +57,24 @@ virtualenv = ${SEARX_PYENV} pythonpath = ${SEARX_SRC} -# plugin http -# ----------- +# speak to upstream +# ----------------- # -# https://uwsgi-docs.readthedocs.io/en/latest/Options.html#plugin-http +# Activate the 'http' configuration for filtron or activate the 'socket' +# configuration if you setup your HTTP server to use uWSGI protocol via sockets. +# using IP: +# +# https://uwsgi-docs.readthedocs.io/en/latest/Options.html#plugin-http # Native HTTP support: https://uwsgi-docs.readthedocs.io/en/latest/HTTP.html + http = ${SEARX_INTERNAL_URL} + +# using unix-sockets: +# +# On some distributions you need to create the app folder for the sockets:: +# +# mkdir -p /run/uwsgi/app/searx/socket +# chmod -R ${SERVICE_USER}:${SERVICE_GROUP} /run/uwsgi/app/searx/socket +# +# socket = /run/uwsgi/app/searx/socket \ No newline at end of file diff --git a/utils/templates/etc/uwsgi/apps-available/searx.ini b/utils/templates/etc/uwsgi/apps-available/searx.ini index bc62e5864..4f8674012 100644 --- a/utils/templates/etc/uwsgi/apps-available/searx.ini +++ b/utils/templates/etc/uwsgi/apps-available/searx.ini 
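Review bot: The socket setup example in the added comment block uses `chmod -R ${SERVICE_USER}:${SERVICE_GROUP} ...`, but chmod takes a mode, not an owner; the command that sets user and group is chown. The example also creates `/run/uwsgi/app/searx/socket` as a directory and then names the same path in `socket =`, so uWSGI could not create its socket file there. Suggested lines: `# mkdir -p /run/uwsgi/app/searx` and `# chown -R ${SERVICE_USER}:${SERVICE_GROUP} /run/uwsgi/app/searx`. The same block is added to apps-available/searx.ini in the next hunk. The later hunk on this page that touches that file corrects the directory but still reads `chmod -R`.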
@@ -56,10 +56,24 @@ virtualenv = ${SEARX_PYENV} pythonpath = ${SEARX_SRC} -# plugin http -# ----------- +# speak to upstream +# ----------------- # -# https://uwsgi-docs.readthedocs.io/en/latest/Options.html#plugin-http +# Activate the 'http' configuration for filtron or activate the 'socket' +# configuration if you setup your HTTP server to use uWSGI protocol via sockets. +# using IP: +# +# https://uwsgi-docs.readthedocs.io/en/latest/Options.html#plugin-http # Native HTTP support: https://uwsgi-docs.readthedocs.io/en/latest/HTTP.html + http = ${SEARX_INTERNAL_URL} + +# using unix-sockets: +# +# On some distributions you need to create the app folder for the sockets:: +# +# mkdir -p /run/uwsgi/app/searx/socket +# chmod -R ${SERVICE_USER}:${SERVICE_GROUP} /run/uwsgi/app/searx/socket +# +# socket = /run/uwsgi/app/searx/socket \ No newline at end of file -- cgit v1.2.3 From c15337850e64562c376e5de57d8809a3a05b8a5d Mon Sep 17 00:00:00 2001 From: Markus Heiser Date: Fri, 6 Mar 2020 22:06:19 +0100 Subject: fix: minor typos Signed-off-by: Markus Heiser --- utils/templates/etc/uwsgi/apps-archlinux/searx.ini | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'utils/templates') diff --git a/utils/templates/etc/uwsgi/apps-archlinux/searx.ini b/utils/templates/etc/uwsgi/apps-archlinux/searx.ini index f96554060..66653fc0e 100644 --- a/utils/templates/etc/uwsgi/apps-archlinux/searx.ini +++ b/utils/templates/etc/uwsgi/apps-archlinux/searx.ini @@ -17,7 +17,7 @@ env = SEARX_SETTINGS_PATH=${SEARX_SETTINGS_PATH} # disable logging for privacy logger = systemd -disable-logging = false +disable-logging = true # The right granted on the created socket chmod-socket = 666 -- cgit v1.2.3 From 7b4cf2eb489d8f6c95ccac5af180254b78e7c460 Mon Sep 17 00:00:00 2001 
From: Markus Heiser Date: Sun, 29 Mar 2020 15:09:34 +0200 Subject: tooling box: simplify build enviroments - no more need for a .config.mk - docs: use searx.brands environment - searx.sh, filtron.sh & morty.sh are sourcing utils/brand.env Signed-off-by: Markus Heiser --- utils/templates/etc/apache2/sites-available/morty.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'utils/templates') diff --git a/utils/templates/etc/apache2/sites-available/morty.conf b/utils/templates/etc/apache2/sites-available/morty.conf index 6bcc77b78..2c5727b19 100644 --- a/utils/templates/etc/apache2/sites-available/morty.conf +++ b/utils/templates/etc/apache2/sites-available/morty.conf @@ -23,6 +23,6 @@ ProxyPreserveHost On # needed by searx to render correct *Search URL* in the *Link* box and # *saved preference*. - # RequestHeader set Host ${PUBLIC_URL_PATH_MORTY} + # RequestHeader set Host ${PUBLIC_HOST} -- cgit v1.2.3 From e530e20ae6a4d1f8621f535523cd2af76f715b0b Mon Sep 17 00:00:00 2001 From: Markus Heiser Date: Sat, 4 Apr 2020 17:53:16 +0200 Subject: misc: fix variuous marginals Signed-off-by: Markus Heiser --- utils/templates/etc/apache2/sites-available/morty.conf | 4 +--- utils/templates/etc/apache2/sites-available/searx.conf:filtron | 6 +++--- 2 files changed, 4 insertions(+), 6 deletions(-) (limited to 'utils/templates') diff --git a/utils/templates/etc/apache2/sites-available/morty.conf b/utils/templates/etc/apache2/sites-available/morty.conf index 2c5727b19..48b4dd766 100644 --- a/utils/templates/etc/apache2/sites-available/morty.conf +++ b/utils/templates/etc/apache2/sites-available/morty.conf 
@@ -19,9 +19,7 @@ ProxyPreserveHost On RequestHeader set X-Script-Name ${PUBLIC_URL_PATH_MORTY} # In Apache it seems, that setting HTTP_HOST header direct here does have no - # effect. I needed to set 'ProxyPreserveHost On' (see above). HTTP_HOST is - # needed by searx to render correct *Search URL* in the *Link* box and - # *saved preference*. + # effect. I needed to set 'ProxyPreserveHost On' (see above). # RequestHeader set Host ${PUBLIC_HOST} diff --git a/utils/templates/etc/apache2/sites-available/searx.conf:filtron b/utils/templates/etc/apache2/sites-available/searx.conf:filtron index 5ede66301..e34049063 100644 --- a/utils/templates/etc/apache2/sites-available/searx.conf:filtron +++ b/utils/templates/etc/apache2/sites-available/searx.conf:filtron @@ -24,9 +24,9 @@ ProxyPreserveHost On RequestHeader set X-Script-Name ${FILTRON_URL_PATH} # In Apache it seems, that setting HTTP_HOST header direct here does have no - # effect. I needed to set 'ProxyPreserveHost On' (see above). HTTP_HOST is - # needed by searx to render correct *Search URL* in the *Link* box and - # *saved preference*. + # effect. I needed to set 'ProxyPreserveHost On' (see above). HTTP_HOST + # (ProxyPreserveHost On) is needed by searx to render correct *Search URL* + # in the *Link* box and *saved preference*. # RequestHeader set Host ${PUBLIC_HOST} -- cgit v1.2.3 From c81849cb5a22d937c0f1de1d02d1fb8e3a7849cd Mon Sep 17 00:00:00 2001 From: Markus Heiser Date: Sun, 5 Apr 2020 17:40:37 +0200 Subject: filtron.sh & morty.sh: improve usage message (if used in containers) BTW: normalize soma variable names Signed-off-by: Markus Heiser --- utils/templates/etc/uwsgi/apps-archlinux/searx.ini | 2 +- utils/templates/etc/uwsgi/apps-available/searx.ini | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) (limited to 'utils/templates') diff --git a/utils/templates/etc/uwsgi/apps-archlinux/searx.ini b/utils/templates/etc/uwsgi/apps-archlinux/searx.ini index 66653fc0e..8d3349c58 100644 
--- a/utils/templates/etc/uwsgi/apps-archlinux/searx.ini +++ b/utils/templates/etc/uwsgi/apps-archlinux/searx.ini @@ -68,7 +68,7 @@ pythonpath = ${SEARX_SRC} # https://uwsgi-docs.readthedocs.io/en/latest/Options.html#plugin-http # Native HTTP support: https://uwsgi-docs.readthedocs.io/en/latest/HTTP.html -http = ${SEARX_INTERNAL_URL} +http = ${SEARX_INTERNAL_HTTP} # using unix-sockets: # diff --git a/utils/templates/etc/uwsgi/apps-available/searx.ini b/utils/templates/etc/uwsgi/apps-available/searx.ini index 4f8674012..806f74439 100644 --- a/utils/templates/etc/uwsgi/apps-available/searx.ini +++ b/utils/templates/etc/uwsgi/apps-available/searx.ini @@ -67,7 +67,7 @@ pythonpath = ${SEARX_SRC} # https://uwsgi-docs.readthedocs.io/en/latest/Options.html#plugin-http # Native HTTP support: https://uwsgi-docs.readthedocs.io/en/latest/HTTP.html -http = ${SEARX_INTERNAL_URL} +http = ${SEARX_INTERNAL_HTTP} # using unix-sockets: # -- cgit v1.2.3 From eb0d4646d818fe12032379aae2fcd8b5bdb6467e Mon Sep 17 00:00:00 2001 From: Markus Heiser Date: Mon, 6 Apr 2020 17:59:06 +0200 Subject: docs: rework of chapter "Install with apache" BTW: normalize installation-nginx.rst --- utils/templates/etc/apache2/sites-available/morty.conf | 4 ++-- utils/templates/etc/apache2/sites-available/searx.conf:filtron | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) (limited to 'utils/templates') diff --git a/utils/templates/etc/apache2/sites-available/morty.conf b/utils/templates/etc/apache2/sites-available/morty.conf index 48b4dd766..4421cdd51 100644 --- a/utils/templates/etc/apache2/sites-available/morty.conf +++ b/utils/templates/etc/apache2/sites-available/morty.conf 
@@ -18,8 +18,8 @@ ProxyPreserveHost On ProxyPass http://${MORTY_LISTEN} RequestHeader set X-Script-Name ${PUBLIC_URL_PATH_MORTY} - # In Apache it seems, that setting HTTP_HOST header direct here does have no - # effect. I needed to set 'ProxyPreserveHost On' (see above). + # In Apache it seems, that setting HTTP_HOST header directive here does have + # no effect. I needed to set 'ProxyPreserveHost On' (see above). # RequestHeader set Host ${PUBLIC_HOST} diff --git a/utils/templates/etc/apache2/sites-available/searx.conf:filtron b/utils/templates/etc/apache2/sites-available/searx.conf:filtron index e34049063..2d6af7889 100644 --- a/utils/templates/etc/apache2/sites-available/searx.conf:filtron +++ b/utils/templates/etc/apache2/sites-available/searx.conf:filtron @@ -23,8 +23,8 @@ ProxyPreserveHost On ProxyPass http://${FILTRON_LISTEN} RequestHeader set X-Script-Name ${FILTRON_URL_PATH} - # In Apache it seems, that setting HTTP_HOST header direct here does have no - # effect. I needed to set 'ProxyPreserveHost On' (see above). HTTP_HOST + # In Apache it seems, that setting HTTP_HOST header directive here does have + # no effect. I needed to set 'ProxyPreserveHost On' (see above). HTTP_HOST # (ProxyPreserveHost On) is needed by searx to render correct *Search URL* # in the *Link* box and *saved preference*. -- cgit v1.2.3 From ee39a098acb2386abd5382de5c9476cc4ffe2e03 Mon Sep 17 00:00:00 2001 From: Markus Heiser Date: Tue, 7 Apr 2020 18:31:51 +0200 Subject: apache: normalize installation (docs and script)s over all distros 
Signed-off-by: Markus Heiser --- utils/templates/etc/apache2 | 1 + .../etc/apache2/sites-available/morty.conf | 26 ----------------- .../etc/apache2/sites-available/searx.conf:filtron | 33 ---------------------- .../etc/apache2/sites-available/searx.conf:uwsgi | 27 ------------------ .../templates/etc/httpd/sites-available/morty.conf | 28 ++++++++++++++++++ .../etc/httpd/sites-available/searx.conf:filtron | 33 ++++++++++++++++++++++ .../etc/httpd/sites-available/searx.conf:uwsgi | 27 ++++++++++++++++++ 7 files changed, 89 insertions(+), 86 deletions(-) create mode 120000 utils/templates/etc/apache2 delete mode 100644 utils/templates/etc/apache2/sites-available/morty.conf delete mode 100644 utils/templates/etc/apache2/sites-available/searx.conf:filtron delete mode 100644 utils/templates/etc/apache2/sites-available/searx.conf:uwsgi create mode 100644 utils/templates/etc/httpd/sites-available/morty.conf create mode 100644 utils/templates/etc/httpd/sites-available/searx.conf:filtron create mode 100644 utils/templates/etc/httpd/sites-available/searx.conf:uwsgi (limited to 'utils/templates') diff --git a/utils/templates/etc/apache2 b/utils/templates/etc/apache2 new file mode 120000 index 000000000..558a90717 --- /dev/null +++ b/utils/templates/etc/apache2 @@ -0,0 +1 @@ +httpd \ No newline at end of file diff --git a/utils/templates/etc/apache2/sites-available/morty.conf b/utils/templates/etc/apache2/sites-available/morty.conf deleted file mode 100644 index 4421cdd51..000000000 --- a/utils/templates/etc/apache2/sites-available/morty.conf +++ /dev/null 
@@ -1,26 +0,0 @@ -# -*- coding: utf-8; mode: apache -*- - -ProxyPreserveHost On - - - - - SecRuleEngine Off - - - Require all granted - - Order deny,allow - Deny from all - #Allow from fd00::/8 192.168.0.0/16 fe80::/10 127.0.0.0/8 ::1 - Allow from all - - ProxyPass http://${MORTY_LISTEN} - RequestHeader set X-Script-Name ${PUBLIC_URL_PATH_MORTY} - - # In Apache it seems, that setting HTTP_HOST header directive here does have - # no effect. I needed to set 'ProxyPreserveHost On' (see above). - - # RequestHeader set Host ${PUBLIC_HOST} - - diff --git a/utils/templates/etc/apache2/sites-available/searx.conf:filtron b/utils/templates/etc/apache2/sites-available/searx.conf:filtron deleted file mode 100644 index 2d6af7889..000000000 --- a/utils/templates/etc/apache2/sites-available/searx.conf:filtron +++ /dev/null @@ -1,33 +0,0 @@ -# -*- coding: utf-8; mode: apache -*- - -ProxyPreserveHost On - -# SecRuleRemoveById 981054 -# SecRuleRemoveById 981059 -# SecRuleRemoveById 981060 -# SecRuleRemoveById 950907 - - - - - SecRuleEngine Off - - - Require all granted - - Order deny,allow - Deny from all - #Allow from fd00::/8 192.168.0.0/16 fe80::/10 127.0.0.0/8 ::1 - Allow from all - - ProxyPass http://${FILTRON_LISTEN} - RequestHeader set X-Script-Name ${FILTRON_URL_PATH} - - # In Apache it seems, that setting HTTP_HOST header directive here does have - # no effect. I needed to set 'ProxyPreserveHost On' (see above). HTTP_HOST - # (ProxyPreserveHost On) is needed by searx to render correct *Search URL* - # in the *Link* box and *saved preference*. - - # RequestHeader set Host ${PUBLIC_HOST} - - diff --git a/utils/templates/etc/apache2/sites-available/searx.conf:uwsgi b/utils/templates/etc/apache2/sites-available/searx.conf:uwsgi deleted file mode 100644 index 21e01ac4e..000000000 --- a/utils/templates/etc/apache2/sites-available/searx.conf:uwsgi +++ /dev/null 
@@ -1,27 +0,0 @@ -# -*- coding: utf-8; mode: apache -*- - - - - # SetEnvIf Request_URI "${SEARX_URL_PATH}" dontlog - # CustomLog /dev/null combined env=dontlog - - - - - SecRuleEngine Off - - - Require all granted - - Options FollowSymLinks Indexes - SetHandler uwsgi-handler - uWSGISocket ${SEARX_UWSGI_SOCKET} - - Order deny,allow - Deny from all - # Allow from fd00::/8 192.168.0.0/16 fe80::/10 127.0.0.0/8 ::1 - Allow from all - - - - diff --git a/utils/templates/etc/httpd/sites-available/morty.conf b/utils/templates/etc/httpd/sites-available/morty.conf new file mode 100644 index 000000000..326fcc755 --- /dev/null +++ b/utils/templates/etc/httpd/sites-available/morty.conf @@ -0,0 +1,28 @@ +# -*- coding: utf-8; mode: apache -*- + +LoadModule headers_module ${APACHE_MODULES}/mod_headers.so +LoadModule proxy_module ${APACHE_MODULES}/mod_proxy.so +LoadModule proxy_module ${APACHE_MODULES}/mod_proxy_http.so +#LoadModule setenvif_module ${APACHE_MODULES}/mod_setenvif.so + +# SetEnvIf Request_URI "${PUBLIC_URL_PATH_MORTY}" dontlog +# CustomLog /dev/null combined env=dontlog + + + + + SecRuleEngine Off + + + Require all granted + + Order deny,allow + Deny from all + #Allow from fd00::/8 192.168.0.0/16 fe80::/10 127.0.0.0/8 ::1 + Allow from all + + ProxyPreserveHost On + ProxyPass http://${MORTY_LISTEN} + RequestHeader set X-Script-Name ${PUBLIC_URL_PATH_MORTY} + + diff --git a/utils/templates/etc/httpd/sites-available/searx.conf:filtron b/utils/templates/etc/httpd/sites-available/searx.conf:filtron new file mode 100644 index 000000000..11dd360bc --- /dev/null +++ b/utils/templates/etc/httpd/sites-available/searx.conf:filtron 
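Review bot: The third LoadModule line in the new httpd/sites-available/morty.conf registers `mod_proxy_http.so` under the identifier `proxy_module`, which the line before already uses for `mod_proxy.so`. The identifier has to name the module structure exported by the shared object, so Apache is likely to reject the configuration when this file is enabled. The line should read `LoadModule proxy_http_module ${APACHE_MODULES}/mod_proxy_http.so`. The new searx.conf:filtron in the following hunk contains the same line.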
@@ -0,0 +1,33 @@ +# -*- coding: utf-8; mode: apache -*- + +LoadModule headers_module ${APACHE_MODULES}/mod_headers.so +LoadModule proxy_module ${APACHE_MODULES}/mod_proxy.so +LoadModule proxy_module ${APACHE_MODULES}/mod_proxy_http.so +#LoadModule setenvif_module ${APACHE_MODULES}/mod_setenvif.so + +# SetEnvIf Request_URI "${FILTRON_URL_PATH}" dontlog +# CustomLog /dev/null combined env=dontlog + +# SecRuleRemoveById 981054 +# SecRuleRemoveById 981059 +# SecRuleRemoveById 981060 +# SecRuleRemoveById 950907 + + + + + SecRuleEngine Off + + + Require all granted + + Order deny,allow + Deny from all + #Allow from fd00::/8 192.168.0.0/16 fe80::/10 127.0.0.0/8 ::1 + Allow from all + + ProxyPreserveHost On + ProxyPass http://${FILTRON_LISTEN} + RequestHeader set X-Script-Name ${FILTRON_URL_PATH} + + diff --git a/utils/templates/etc/httpd/sites-available/searx.conf:uwsgi b/utils/templates/etc/httpd/sites-available/searx.conf:uwsgi new file mode 100644 index 000000000..ef702de3a --- /dev/null +++ b/utils/templates/etc/httpd/sites-available/searx.conf:uwsgi @@ -0,0 +1,27 @@ +# -*- coding: utf-8; mode: apache -*- + +LoadModule headers_module ${APACHE_MODULES}/mod_headers.so +LoadModule proxy_module ${APACHE_MODULES}/mod_proxy.so +LoadModule proxy_uwsgi_module ${APACHE_MODULES}/mod_proxy_uwsgi.so +# LoadModule setenvif_module ${APACHE_MODULES}/mod_setenvif.so + +# SetEnvIf Request_URI "${SEARX_URL_PATH}" dontlog +# CustomLog /dev/null combined env=dontlog + + + + + SecRuleEngine Off + + + Require all granted + + Order deny,allow + Deny from all + # Allow from fd00::/8 192.168.0.0/16 fe80::/10 127.0.0.0/8 ::1 + Allow from all + + ProxyPreserveHost On + ProxyPass unix:${SEARX_UWSGI_SOCKET}|uwsgi://uwsgi-uds-searx/ + + -- cgit v1.2.3 From f693149cded4f783380f8f02154bd9288b72cdd5 Mon Sep 17 00:00:00 2001 
From: Markus Heiser Date: Wed, 8 Apr 2020 18:38:36 +0200 Subject: Changes from the installation tests on (all) LXC containers. Tested and fixed HTTP & uWSGI installation on: ubu1604 ubu1804 ubu1910 ubu2004 fedora31 archlinux Signed-off-by: Markus Heiser --- .../templates/etc/httpd/sites-available/morty.conf | 2 +- .../etc/httpd/sites-available/searx.conf:filtron | 2 +- utils/templates/etc/uwsgi/apps-archlinux/searx.ini | 4 +- .../etc/uwsgi/apps-archlinux/searx.ini:socket | 80 ++++++++++++++++++++++ utils/templates/etc/uwsgi/apps-available/searx.ini | 4 +- .../etc/uwsgi/apps-available/searx.ini:socket | 79 +++++++++++++++++++++ 6 files changed, 165 insertions(+), 6 deletions(-) create mode 100644 utils/templates/etc/uwsgi/apps-archlinux/searx.ini:socket create mode 100644 utils/templates/etc/uwsgi/apps-available/searx.ini:socket (limited to 'utils/templates') diff --git a/utils/templates/etc/httpd/sites-available/morty.conf b/utils/templates/etc/httpd/sites-available/morty.conf index 326fcc755..daeb3635a 100644 --- a/utils/templates/etc/httpd/sites-available/morty.conf +++ b/utils/templates/etc/httpd/sites-available/morty.conf @@ -2,7 +2,7 @@ LoadModule headers_module ${APACHE_MODULES}/mod_headers.so LoadModule proxy_module ${APACHE_MODULES}/mod_proxy.so -LoadModule proxy_module ${APACHE_MODULES}/mod_proxy_http.so +LoadModule proxy_http_module ${APACHE_MODULES}/mod_proxy_http.so #LoadModule setenvif_module ${APACHE_MODULES}/mod_setenvif.so # SetEnvIf Request_URI "${PUBLIC_URL_PATH_MORTY}" dontlog diff --git a/utils/templates/etc/httpd/sites-available/searx.conf:filtron b/utils/templates/etc/httpd/sites-available/searx.conf:filtron index 11dd360bc..379d47e24 100644 --- a/utils/templates/etc/httpd/sites-available/searx.conf:filtron +++ b/utils/templates/etc/httpd/sites-available/searx.conf:filtron 
@@ -2,7 +2,7 @@ LoadModule headers_module ${APACHE_MODULES}/mod_headers.so LoadModule proxy_module ${APACHE_MODULES}/mod_proxy.so -LoadModule proxy_module ${APACHE_MODULES}/mod_proxy_http.so +LoadModule proxy_http_module ${APACHE_MODULES}/mod_proxy_http.so #LoadModule setenvif_module ${APACHE_MODULES}/mod_setenvif.so # SetEnvIf Request_URI "${FILTRON_URL_PATH}" dontlog diff --git a/utils/templates/etc/uwsgi/apps-archlinux/searx.ini b/utils/templates/etc/uwsgi/apps-archlinux/searx.ini index 8d3349c58..51f659d0f 100644 --- a/utils/templates/etc/uwsgi/apps-archlinux/searx.ini +++ b/utils/templates/etc/uwsgi/apps-archlinux/searx.ini @@ -74,7 +74,7 @@ http = ${SEARX_INTERNAL_HTTP} # # On some distributions you need to create the app folder for the sockets:: # -# mkdir -p /run/uwsgi/app/searx/socket -# chmod -R ${SERVICE_USER}:${SERVICE_GROUP} /run/uwsgi/app/searx/socket +# mkdir -p /run/uwsgi/app/searx +# chown -R ${SERVICE_USER}:${SERVICE_GROUP} /run/uwsgi/app/searx # # socket = /run/uwsgi/app/searx/socket \ No newline at end of file diff --git a/utils/templates/etc/uwsgi/apps-archlinux/searx.ini:socket b/utils/templates/etc/uwsgi/apps-archlinux/searx.ini:socket new file mode 100644 index 000000000..eeabb3715 --- /dev/null +++ b/utils/templates/etc/uwsgi/apps-archlinux/searx.ini:socket 
@@ -0,0 +1,80 @@ +[uwsgi] + +# uWSGI core +# ---------- +# +# https://uwsgi-docs.readthedocs.io/en/latest/Options.html#uwsgi-core + +# Who will run the code +uid = ${SERVICE_USER} +gid = ${SERVICE_GROUP} + +# chdir to specified directory before apps loading +chdir = ${SEARX_SRC}/searx + +# searx configuration (settings.yml) +env = SEARX_SETTINGS_PATH=${SEARX_SETTINGS_PATH} + +# disable logging for privacy +logger = systemd +disable-logging = true + +# The right granted on the created socket +chmod-socket = 666 + +# Plugin to use and interpretor config +single-interpreter = true + +# enable master process +master = true + +# load apps in each worker instead of the master +lazy-apps = true + +# load uWSGI plugins +plugin = python + +# By default the Python plugin does not initialize the GIL. This means your +# app-generated threads will not run. If you need threads, remember to enable +# them with enable-threads. Running uWSGI in multithreading mode (with the +# threads options) will automatically enable threading support. This *strange* +# default behaviour is for performance reasons. +enable-threads = true + + +# plugin: python +# -------------- +# +# https://uwsgi-docs.readthedocs.io/en/latest/Options.html#plugin-python + +# load a WSGI module +module = searx.webapp + +# set PYTHONHOME/virtualenv +virtualenv = ${SEARX_PYENV} + +# add directory (or glob) to pythonpath +pythonpath = ${SEARX_SRC} + + +# speak to upstream +# ----------------- +# +# Activate the 'http' configuration for filtron or activate the 'socket' +# configuration if you setup your HTTP server to use uWSGI protocol via sockets. 
+ +# using IP: +# +# https://uwsgi-docs.readthedocs.io/en/latest/Options.html#plugin-http +# Native HTTP support: https://uwsgi-docs.readthedocs.io/en/latest/HTTP.html + +# http = ${SEARX_INTERNAL_HTTP} + +# using unix-sockets: +# +# On some distributions you need to create the app folder for the sockets:: +# +# mkdir -p /run/uwsgi/app/searx +# chown -R ${SERVICE_USER}:${SERVICE_GROUP} /run/uwsgi/app/searx +# +socket = /run/uwsgi/app/searx/socket \ No newline at end of file diff --git a/utils/templates/etc/uwsgi/apps-available/searx.ini b/utils/templates/etc/uwsgi/apps-available/searx.ini index 806f74439..9785d7cd1 100644 --- a/utils/templates/etc/uwsgi/apps-available/searx.ini +++ b/utils/templates/etc/uwsgi/apps-available/searx.ini @@ -73,7 +73,7 @@ http = ${SEARX_INTERNAL_HTTP} # # On some distributions you need to create the app folder for the sockets:: # -# mkdir -p /run/uwsgi/app/searx/socket -# chmod -R ${SERVICE_USER}:${SERVICE_GROUP} /run/uwsgi/app/searx/socket +# mkdir -p /run/uwsgi/app/searx +# chmod -R ${SERVICE_USER}:${SERVICE_GROUP} /run/uwsgi/app/searx # # socket = /run/uwsgi/app/searx/socket \ No newline at end of file diff --git a/utils/templates/etc/uwsgi/apps-available/searx.ini:socket b/utils/templates/etc/uwsgi/apps-available/searx.ini:socket new file mode 100644 index 000000000..88436e5eb --- /dev/null +++ b/utils/templates/etc/uwsgi/apps-available/searx.ini:socket 
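Review bot: `chmod-socket = 666` in the new apps-archlinux/searx.ini:socket makes the unix socket readable and writable by every local account, and in this variant the socket is the active transport (`socket = /run/uwsgi/app/searx/socket`). Unless the parent directory is restricted, any local process can then talk to the searx application directly instead of going through the web server in front of it. A group-restricted mode such as `chmod-socket = 660` limits access to the service account and the web server, provided the web server's user is in `${SERVICE_GROUP}` or the socket group is set with `chown-socket`. apps-available/searx.ini:socket, added later in this commit, carries the same setting.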
@@ -0,0 +1,79 @@
+[uwsgi]
+
+# uWSGI core
+# ----------
+#
+# https://uwsgi-docs.readthedocs.io/en/latest/Options.html#uwsgi-core
+
+# Who will run the code
+uid = ${SERVICE_USER}
+gid = ${SERVICE_GROUP}
+
+# chdir to specified directory before apps loading
+chdir = ${SEARX_SRC}/searx
+
+# searx configuration (settings.yml)
+env = SEARX_SETTINGS_PATH=${SEARX_SETTINGS_PATH}
+
+# disable logging for privacy
+disable-logging = true
+
+# The right granted on the created socket
+chmod-socket = 666
+
+# Plugin to use and interpretor config
+single-interpreter = true
+
+# enable master process
+master = true
+
+# load apps in each worker instead of the master
+lazy-apps = true
+
+# load uWSGI plugins
+plugin = python3,http
+
+# By default the Python plugin does not initialize the GIL. This means your
+# app-generated threads will not run. If you need threads, remember to enable
+# them with enable-threads. Running uWSGI in multithreading mode (with the
+# threads options) will automatically enable threading support. This *strange*
+# default behaviour is for performance reasons.
+enable-threads = true
+
+
+# plugin: python
+# --------------
+#
+# https://uwsgi-docs.readthedocs.io/en/latest/Options.html#plugin-python
+
+# load a WSGI module
+module = searx.webapp
+
+# set PYTHONHOME/virtualenv
+virtualenv = ${SEARX_PYENV}
+
+# add directory (or glob) to pythonpath
+pythonpath = ${SEARX_SRC}
+
+
+# speak to upstream
+# -----------------
+#
+# Activate the 'http' configuration for filtron or activate the 'socket'
+# configuration if you setup your HTTP server to use uWSGI protocol via sockets.
+ +# using IP: +# +# https://uwsgi-docs.readthedocs.io/en/latest/Options.html#plugin-http +# Native HTTP support: https://uwsgi-docs.readthedocs.io/en/latest/HTTP.html + +# http = ${SEARX_INTERNAL_HTTP} + +# using unix-sockets: +# +# On some distributions you need to create the app folder for the sockets:: +# +# mkdir -p /run/uwsgi/app/searx +# chown -R ${SERVICE_USER}:${SERVICE_GROUP} /run/uwsgi/app/searx +# +socket = /run/uwsgi/app/searx/socket \ No newline at end of file -- cgit v1.2.3 From 58d5da8b57c5aeab92f551e8d175be67537c351c Mon Sep 17 00:00:00 2001 From: Markus Heiser Date: Sat, 11 Apr 2020 13:19:11 +0200 Subject: nginx: normalize installation (docs and script)s over all distros This is the revision of the documentation about the varous nginx installation variants. It also implements the nginx installation scripts for morty and filtron. Signed-off-by: Markus Heiser --- .../etc/nginx/default.apps-available/morty.conf | 11 +++++++++++ .../etc/nginx/default.apps-available/searx.conf:filtron | 16 ++++++++++++++++ 2 files changed, 27 insertions(+) create mode 100644 utils/templates/etc/nginx/default.apps-available/morty.conf create mode 100644 utils/templates/etc/nginx/default.apps-available/searx.conf:filtron (limited to 'utils/templates') diff --git a/utils/templates/etc/nginx/default.apps-available/morty.conf b/utils/templates/etc/nginx/default.apps-available/morty.conf new file mode 100644 index 000000000..e7ffa27e2 --- /dev/null +++ b/utils/templates/etc/nginx/default.apps-available/morty.conf @@ -0,0 +1,11 @@ +# https://example.org/morty + +location /morty { + proxy_pass http://127.0.0.1:3000/; + + proxy_set_header Host \$http_host; + proxy_set_header Connection \$http_connection; + proxy_set_header X-Real-IP \$remote_addr; + proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for; + proxy_set_header X-Scheme \$scheme; +} 
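Review bot: The upstream in `proxy_pass http://127.0.0.1:3000/;` (morty.conf) is hard-coded, while the morty.service template in this series starts the daemon with `-listen '${MORTY_LISTEN}'`. If an installation changes that variable, nginx keeps forwarding to port 3000 and reaches whatever else happens to listen there. Assuming `${MORTY_LISTEN}` holds a host:port pair, `proxy_pass http://${MORTY_LISTEN}/;` keeps the two templates in step. The location path `/morty` is fixed in the same way, unlike `${SEARX_URL_PATH}` in searx.conf:filtron, whose `127.0.0.1:4004` upstream has the same problem.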
diff --git a/utils/templates/etc/nginx/default.apps-available/searx.conf:filtron b/utils/templates/etc/nginx/default.apps-available/searx.conf:filtron new file mode 100644 index 000000000..d3137e42d --- /dev/null +++ b/utils/templates/etc/nginx/default.apps-available/searx.conf:filtron @@ -0,0 +1,16 @@ +# https://example.org/searx + +location ${SEARX_URL_PATH} { + proxy_pass http://127.0.0.1:4004/; + + proxy_set_header Host \$http_host; + proxy_set_header Connection \$http_connection; + proxy_set_header X-Real-IP \$remote_addr; + proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for; + proxy_set_header X-Scheme \$scheme; + proxy_set_header X-Script-Name ${SEARX_URL_PATH}; +} + +location ${SEARX_URL_PATH}/static { + alias ${SEARX_SRC}/searx/static; +} -- cgit v1.2.3 From ea3255835a259516c7a8b62eb319a338cebf7e9f Mon Sep 17 00:00:00 2001 From: Markus Heiser Date: Tue, 28 Apr 2020 16:21:45 +0200 Subject: utils/morty.sh: set morty key to avoid service abuse - https://github.com/asciimoo/searx/issues/1871#issuecomment-592459798 make install all generates random MORTY_KEY, install service with that key and sets option in the searx settingy.yml file. Signed-off-by: Markus Heiser --- utils/templates/lib/systemd/system/morty.service | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'utils/templates') diff --git a/utils/templates/lib/systemd/system/morty.service b/utils/templates/lib/systemd/system/morty.service index d463c5097..25b676b51 100644 --- a/utils/templates/lib/systemd/system/morty.service +++ b/utils/templates/lib/systemd/system/morty.service 
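Review bot: `proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;` appends the peer address to whatever X-Forwarded-For value the client sent, and the filtron rules shipped in this series aggregate their per-client limits on `Header:X-Forwarded-For`. If filtron keys on the whole header value (worth confirming against its documentation), the limit is keyed on client-supplied text rather than on the connecting address. When this nginx is the outermost proxy, `proxy_set_header X-Forwarded-For \$remote_addr;` overwrites the header with the address nginx actually saw; behind another trusted proxy, the realip module should be configured for that proxy instead. A comment above the header lines should say which of the two deployments the template assumes.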
@@ -10,7 +10,7 @@ Type=simple User=${SERVICE_USER} Group=${SERVICE_GROUP} WorkingDirectory=${SERVICE_HOME} -ExecStart=${SERVICE_HOME}/go-apps/bin/morty -key '' -listen '${MORTY_LISTEN}' -timeout ${MORTY_TIMEOUT} +ExecStart=${SERVICE_HOME}/go-apps/bin/morty -key '${MORTY_KEY}' -listen '${MORTY_LISTEN}' -timeout ${MORTY_TIMEOUT} Restart=always Environment=USER=${SERVICE_USER} HOME=${SERVICE_HOME} DEBUG=${SERVICE_ENV_DEBUG} -- cgit v1.2.3 From 6ff20cef7385d6827042f00d295f51bbc213afab Mon Sep 17 00:00:00 2001 From: Markus Heiser Date: Thu, 18 Jun 2020 18:31:46 +0200 Subject: [fix] indentation of filtron's rules (json) Signed-off-by: Markus Heiser --- utils/templates/etc/filtron/rules.json | 228 +++++++++++++++++---------------- 1 file changed, 115 insertions(+), 113 deletions(-) (limited to 'utils/templates') diff --git a/utils/templates/etc/filtron/rules.json b/utils/templates/etc/filtron/rules.json index 8fbffa937..fff70fa8f 100644 --- a/utils/templates/etc/filtron/rules.json +++ b/utils/templates/etc/filtron/rules.json 
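Review bot: With this change `-key '${MORTY_KEY}'` carries a secret, yet it sits on the daemon's command line and in the unit file, and both are normally readable by every local account (process listing, and unit files under /lib/systemd/system). Since the key exists to keep others from using the proxy, it should be readable only by root and `${SERVICE_USER}`: for example a root-owned file with mode 0600 loaded through `EnvironmentFile=`, provided the morty build in use can take the key from its environment rather than from an argument (to be confirmed). At minimum the install script should restrict the permissions of the generated unit file, and a comment above ExecStart should say that the line contains a secret. The [Service] section begins outside this hunk.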
@@ -1,127 +1,129 @@ [ { - "name": "roboagent limit", - "filters": [ - "Header:User-Agent=(curl|cURL|Wget|python-requests|Scrapy|FeedFetcher|Go-http-client|Ruby|UniversalFeedParser)" - ], - "limit": 0, - "stop": true, - "actions": [ - { "name": "log"}, - { "name": "block", + "name": "roboagent limit", + "filters": [ + "Header:User-Agent=(curl|cURL|Wget|python-requests|Scrapy|FeedFetcher|Go-http-client|Ruby|UniversalFeedParser)" + ], + "limit": 0, + "stop": true, + "actions": [ + { "name": "log"}, + { "name": "block", "params": { - "message": "Rate limit exceeded" + "message": "Rate limit exceeded" } - } - ] + } + ] }, { - "name": "botlimit", - "filters": [ - "Header:User-Agent=(Googlebot|bingbot|Baiduspider|yacybot|YandexMobileBot|YandexBot|Yahoo! Slurp|MJ12bot|AhrefsBot|archive.org_bot|msnbot|MJ12bot|SeznamBot|linkdexbot|Netvibes|SMTBot|zgrab|James BOT)" - ], - "limit": 0, - "stop": true, - "actions": [ - { "name": "log"}, - { "name": "block", + "name": "botlimit", + "filters": [ + "Header:User-Agent=(Googlebot|bingbot|Baiduspider|yacybot|YandexMobileBot|YandexBot|Yahoo! 
Slurp|MJ12bot|AhrefsBot|archive.org_bot|msnbot|MJ12bot|SeznamBot|linkdexbot|Netvibes|SMTBot|zgrab|James BOT)" + ], + "limit": 0, + "stop": true, + "actions": [ + { "name": "log"}, + { "name": "block", "params": { - "message": "Rate limit exceeded" + "message": "Rate limit exceeded" } - } - ] + } + ] }, - { "name": "suspiciously frequent IP", - "filters": [], - "interval": 600, - "limit": 30, - "aggregations": [ - "Header:X-Forwarded-For" + { + "name": "suspiciously frequent IP", + "filters": [], + "interval": 600, + "limit": 30, + "aggregations": [ + "Header:X-Forwarded-For" ], - "actions":[ - {"name":"log"} + "actions":[ + {"name":"log"} ] }, - { "name": "search request", - "filters": [ - "Param:q", - "Path=^(/|/search)$" - ], - "interval": 61, - "limit": 999, - "subrules": [ - { - "name": "missing Accept-Language", - "filters": ["!Header:Accept-Language"], - "limit": 0, - "stop": true, - "actions": [ - {"name":"log"}, - {"name": "block", - "params": {"message": "Rate limit exceeded"}} - ] - }, - { - "name": "suspiciously Connection=close header", - "filters": ["Header:Connection=close"], - "limit": 0, - "stop": true, - "actions": [ - {"name":"log"}, - {"name": "block", - "params": {"message": "Rate limit exceeded"}} - ] - }, - { - "name": "IP limit", - "interval": 61, - "limit": 9, - "stop": true, - "aggregations": [ - "Header:X-Forwarded-For" - ], - "actions": [ - { "name": "log"}, - { "name": "block", - "params": { - "message": "Rate limit exceeded" - } - } - ] - }, - { - "name": "rss/json limit", - "filters": [ - "Param:format=(csv|json|rss)" - ], - "interval": 121, - "limit": 2, - "stop": true, - "actions": [ - { "name": "log"}, - { "name": "block", - "params": { - "message": "Rate limit exceeded" - } - } - ] - }, - { - "name": "useragent limit", - "interval": 61, - "limit": 199, - "aggregations": [ - "Header:User-Agent" - ], - "actions": [ - { "name": "log"}, - { "name": "block", - "params": { - "message": "Rate limit exceeded" - } - } - ] - } - ] + { + 
"name": "search request", + "filters": [ + "Param:q", + "Path=^(/|/search)$" + ], + "interval": 61, + "limit": 999, + "subrules": [ + { + "name": "missing Accept-Language", + "filters": ["!Header:Accept-Language"], + "limit": 0, + "stop": true, + "actions": [ + {"name":"log"}, + {"name": "block", + "params": {"message": "Rate limit exceeded"}} + ] + }, + { + "name": "suspiciously Connection=close header", + "filters": ["Header:Connection=close"], + "limit": 0, + "stop": true, + "actions": [ + {"name":"log"}, + {"name": "block", + "params": {"message": "Rate limit exceeded"}} + ] + }, + { + "name": "IP limit", + "interval": 61, + "limit": 9, + "stop": true, + "aggregations": [ + "Header:X-Forwarded-For" + ], + "actions": [ + { "name": "log"}, + { "name": "block", + "params": { + "message": "Rate limit exceeded" + } + } + ] + }, + { + "name": "rss/json limit", + "filters": [ + "Param:format=(csv|json|rss)" + ], + "interval": 121, + "limit": 2, + "stop": true, + "actions": [ + { "name": "log"}, + { "name": "block", + "params": { + "message": "Rate limit exceeded" + } + } + ] + }, + { + "name": "useragent limit", + "interval": 61, + "limit": 199, + "aggregations": [ + "Header:User-Agent" + ], + "actions": [ + { "name": "log"}, + { "name": "block", + "params": { + "message": "Rate limit exceeded" + } + } + ] + } + ] } ] -- cgit v1.2.3