---
search:
  exclude: true
---

# searxng Setup

In this tutorial, we're going to set up a SearXNG instance using docker-compose and nginx.

## **Initial Setup**

Clone the repo and edit the docker-compose file:

```
[ nowhere.moe ] [ /dev/pts/10 ] [/srv]
→ git clone https://github.com/searxng/searxng-docker
Cloning into 'searxng-docker'...
remote: Enumerating objects: 308, done.
remote: Counting objects: 100% (44/44), done.
remote: Compressing objects: 100% (34/34), done.
remote: Total 308 (delta 20), reused 23 (delta 9), pack-reused 264
Receiving objects: 100% (308/308), 82.98 KiB | 5.53 MiB/s, done.
Resolving deltas: 100% (167/167), done.

[ nowhere.moe ] [ /dev/pts/10 ] [/srv]
→ cd searxng-docker

[ nowhere.moe ] [ /dev/pts/10 ] [/srv/searxng-docker]
→ vim docker-compose.yaml

[ nowhere.moe ] [ /dev/pts/10 ] [/srv/searxng-docker]
→ cat docker-compose.yaml
```

```yaml
version: "3.7"

services:
  #caddy:
  #  container_name: caddy
  #  image: caddy:2-alpine
  #  network_mode: host
  #  volumes:
  #    - ./Caddyfile:/etc/caddy/Caddyfile:ro
  #    - caddy-data:/data:rw
  #    - caddy-config:/config:rw
  #  environment:
  #    - SEARXNG_HOSTNAME=${SEARXNG_HOSTNAME:-http://localhost:80}
  #    - SEARXNG_TLS=${LETSENCRYPT_EMAIL:-internal}
  #  cap_drop:
  #    - ALL
  #  cap_add:
  #    - NET_BIND_SERVICE

  redis:
    container_name: redis
    image: docker.io/library/redis:alpine
    command: redis-server --save 30 1 --loglevel warning
    networks:
      - searxng
    volumes:
      - redis-data:/data
    cap_drop:
      - ALL
    cap_add:
      - SETGID
      - SETUID
      - DAC_OVERRIDE

  searxng:
    container_name: searxng
    image: searxng/searxng:latest
    networks:
      - searxng
    ports:
      - "127.0.0.1:8877:8080"
    volumes:
      - ./searxng:/etc/searxng:rw
    environment:
      #- SEARXNG_BASE_URL=https://${SEARXNG_HOSTNAME}/
      - SEARXNG_BASE_URL=https://search.nowhere.moe/
    cap_drop:
      - ALL
    cap_add:
      - CHOWN
      - SETGID
      - SETUID
    logging:
      driver: "json-file"
      options:
        max-size: "1m"
        max-file: "1"

networks:
  searxng:
    ipam:
      driver: default

volumes:
  #caddy-data:
  caddy-config:
  redis-data:
```

```
[ nowhere.moe ] [ /dev/pts/10 ] [/srv/searxng-docker]
→ cat searxng/settings.yml
```

```yaml
# see https://docs.searxng.org/admin/settings/settings.html#settings-use-default-settings
use_default_settings: true

server:
  base_url: https://search.nowhere.moe/ #is defined in the SEARXNG_BASE_URL environment variable, see .env and docker-compose.yml
  secret_key: "dwaawdwawadwer1312wdracvhbgdtfhre"  # change this!
  limiter: true  # can be disabled for a private instance
  image_proxy: true
  public_instance: true

ui:
  static_use_hash: true

redis:
  url: redis://redis:6379/0
```

```
[ nowhere.moe ] [ /dev/pts/10 ] [/srv/searxng-docker]
→ docker-compose up -d
Starting redis   ... done
Starting searxng ... done
```

Then create the following nginx config:

```
[ nowhere.moe ] [ /dev/pts/10 ] [/etc/nginx/sites-available]
→ vim search.nowhere.moe.conf

root@nowhere.moe /etc/nginx/sites-available # cat search.nowhere.moe.conf
```

```nginx
server {
    listen 80;
    listen [::]:80;
    server_name search.nowhere.moe;
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl;
    server_name search.nowhere.moe;
    ssl_certificate /etc/acme/certs/search.nowhere.moe/search.nowhere.moe.cer;
    ssl_certificate_key /etc/acme/certs/search.nowhere.moe/search.nowhere.moe.key;

    ######## TOR CHANGES ########
    listen 4443;
    listen [::]:4443;
    server_name search.daturab6drmkhyeia4ch5gvfc2f3wgo6bhjrv3pz6n7kxmvoznlkq4yd.onion;
    add_header Onion-Location "http://search.daturab6drmkhyeia4ch5gvfc2f3wgo6bhjrv3pz6n7kxmvoznlkq4yd.onion$request_uri" always;
    ######## TOR CHANGES ########

    ssl_protocols TLSv1.3 TLSv1.2;
    ssl_ciphers 'TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    ssl_session_tickets off;
    ssl_ecdh_curve auto;

    add_header X-XSS-Protection "1; mode=block"; #Cross-site scripting
    add_header X-Frame-Options "SAMEORIGIN" always; #clickjacking
    add_header X-Content-Type-Options "nosniff";
    add_header Content-Security-Policy "default-src 'self';";

    location / {
        proxy_pass http://localhost:8877;
    }
}
```

Enable the site, test the config and issue the certificate (nginx refuses to load until the certificate file exists):

```
[ nowhere.moe ] [ /dev/pts/10 ] [/etc/nginx/sites-available]
→ ln -s /etc/nginx/sites-available/search.nowhere.moe.conf
ln: failed to create symbolic link './search.nowhere.moe.conf': File exists

[ nowhere.moe ] [ /dev/pts/10 ] [/etc/nginx/sites-available]
→ ln -s /etc/nginx/sites-available/search.nowhere.moe.conf /etc/nginx/sites-enabled

[ nowhere.moe ] [ /dev/pts/10 ] [/etc/nginx/sites-available]
→ nginx -t
2024/02/16 21:07:54 [emerg] 409181#409181: cannot load certificate "/etc/acme/certs/search.nowhere.moe/search.nowhere.moe.cer": BIO_new_file() failed (SSL: error:80000002:system library::No such file or directory:calling fopen(/etc/acme/certs/search.nowhere.moe/search.nowhere.moe.cer, r) error:10000080:BIO routines::no such file)
nginx: configuration file /etc/nginx/nginx.conf test failed

[ nowhere.moe ] [ /dev/pts/10 ] [/etc/nginx/sites-available]
→ bash

root@nowhere.moe /etc/nginx/sites-available # systemctl stop nginx ; acme.sh --issue --standalone -d search.nowhere.moe -k 4096 ; systemctl start nginx
```

Then simply browse to your instance on the web:

![](1.png)

You can also search for something, then right click the search bar to add it as a search engine in Firefox. Then you can make it your default search engine.

## **Host a public instance**

Get your instance listed [here](https://github.com/searxng/searx-instances/issues/475) among the other instances.

## **Hardening Setup**

To get listed among the public instances, you need to make sure your TLS hardening is top notch, as explained below.

For the DNS change (the CAA record), do the following:

```
root@mail-gw:/var/cache/bind# cat db.nowhere.moe | grep search
search.nowhere.moe.    IN A    37.27.32.233
search.nowhere.moe.    IN CAA  0 issue "letsencrypt.org"
```

Then update the nginx config with the full certificate chain, DH parameters, OCSP stapling and HSTS:

```
[ nowhere.moe ] [ /dev/pts/5 ] [~/.acme.sh]
→ cat /etc/nginx/sites-available/search.nowhere.moe.conf
```

```nginx
server {
    listen 80;
    listen [::]:80;
    server_name search.nowhere.moe;
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl;
    server_name search.nowhere.moe;
    ssl_certificate /root/.acme.sh/search.nowhere.moe/fullchain.cer;
    ssl_certificate_key /root/.acme.sh/search.nowhere.moe/search.nowhere.moe.key;
    ssl_dhparam /root/.acme.sh/dhparam.pem;

    ######## TOR CHANGES ########
    listen 4443;
    listen [::]:4443;
    server_name search.daturab6drmkhyeia4ch5gvfc2f3wgo6bhjrv3pz6n7kxmvoznlkq4yd.onion;
    add_header Onion-Location "http://search.daturab6drmkhyeia4ch5gvfc2f3wgo6bhjrv3pz6n7kxmvoznlkq4yd.onion$request_uri" always;
    ######## TOR CHANGES ########

    # SSL Settings
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    ssl_session_tickets off;
    ssl_ecdh_curve auto;

    # OCSP stapling
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /root/.acme.sh/search.nowhere.moe/fullchain.cer;
    resolver 1.1.1.1 208.67.222.222;

    add_header Strict-Transport-Security "max-age=63072000" always;
    add_header X-XSS-Protection "1; mode=block"; #Cross-site scripting
    add_header X-Frame-Options "SAMEORIGIN" always; #clickjacking
    add_header X-Content-Type-Options "nosniff";
    add_header Content-Security-Policy "default-src 'self';";

    location / {
        proxy_pass http://localhost:8877;
    }
}
```

To generate the dhparam.pem file, do the following:

```
[ nowhere.moe ] [ /dev/pts/5 ] [~/.acme.sh]
→ openssl dhparam -dsaparam -out dhparam.pem 4096
Generating DSA parameters, 4096 bit long prime
....+..+...+....+..+.....+..................+......+.....+............+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*
```

Then reload nginx and check the scores on [Mozilla's Observatory](https://observatory.mozilla.org/analyze/search.nowhere.moe) and [Qualys' TLS checker](https://www.ssllabs.com/ssltest/analyze.html?d=search.nowhere.moe):

```
[ nowhere.moe ] [ /dev/pts/5 ] [~/.acme.sh]
→ nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

[ nowhere.moe ] [ /dev/pts/5 ] [~/.acme.sh]
→ nginx -s reload
2024/02/24 08:24:59 [notice] 3403413#3403413: signal process started
```
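As an added offline check (example code written for this page, not part of the tutorial or of SearXNG), the following Python script audits an nginx server block for the hardening items the final config above carries: explicit `ssl_protocols` without legacy versions, HSTS with a max-age of at least one year, OCSP stapling with verification, session tickets off, a dhparam file and the security headers. The two excerpts it runs against are constructed from the initial and hardened configs above, so it shows which gaps the hardening step closed.

```python
import re
# Hardening items from the tutorial's final nginx server block: (name, regex that must match).
REQUIRED = [
    ("HSTS header", r'add_header\s+Strict-Transport-Security\s+"max-age=(\d+)'),
    ("OCSP stapling", r"\bssl_stapling\s+on;"),
    ("OCSP stapling verification", r"\bssl_stapling_verify\s+on;"),
    ("session tickets disabled", r"\bssl_session_tickets\s+off;"),
    ("DH parameters file", r"\bssl_dhparam\s+\S+;"),
    ("X-Frame-Options header", r"add_header\s+X-Frame-Options\b"),
    ("X-Content-Type-Options header", r"add_header\s+X-Content-Type-Options\b"),
    ("Content-Security-Policy header", r"add_header\s+Content-Security-Policy\b"),
]
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

def audit(cfg):
    """Return the hardening gaps found in one nginx server block (empty list = clean)."""
    # Drop trailing '#' comments; none of the tutorial's quoted values contain '#'.
    cfg = "\n".join(line.split("#", 1)[0] for line in cfg.splitlines())
    findings = []
    proto = re.search(r"\bssl_protocols\s+([^;]+);", cfg)
    legacy = sorted(LEGACY_PROTOCOLS & set(proto.group(1).split())) if proto else []
    if proto is None:
        findings.append("ssl_protocols not set explicitly")
    if legacy:
        findings.append("legacy protocols enabled: " + ", ".join(legacy))
    for name, pattern in REQUIRED:
        m = re.search(pattern, cfg)
        if m is None:
            findings.append("missing: " + name)
        elif name == "HSTS header" and int(m.group(1)) < 31536000:
            findings.append("HSTS max-age below one year: " + m.group(1))
    return findings

# Constructed excerpts of the two server blocks shown in this tutorial.
INITIAL = """
    ssl_protocols TLSv1.3 TLSv1.2;
    ssl_session_tickets off;
    add_header X-Frame-Options "SAMEORIGIN" always; #clickjacking
    add_header X-Content-Type-Options "nosniff";
    add_header Content-Security-Policy "default-src 'self';";
"""
HARDENED = INITIAL + """
    ssl_dhparam /root/.acme.sh/dhparam.pem;
    ssl_stapling on;
    ssl_stapling_verify on;
    add_header Strict-Transport-Security "max-age=63072000" always;
"""

if __name__ == "__main__":
    for label, cfg in (("initial", INITIAL), ("hardened", HARDENED)):
        print(label + ":", audit(cfg) or "no findings")
```

Running it reports the four items the initial config lacks (HSTS, OCSP stapling and its verification, and the dhparam file) and no findings for the hardened one; it reads config text only, so pair it with the online scanners linked above, which test the live handshake.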