mirror of
http://git.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/nihilist/selfhosting-blogposts.git
synced 2025-05-16 12:16:59 +00:00
291 lines
10 KiB
Markdown
291 lines
10 KiB
Markdown
---
|
|
search:
|
|
exclude: true
|
|
---
|
|
# searxng Setup
|
|
|
|
|
|
In this tutorial, we're going to setup a Searxng instance using docker-compose and nginx
|
|
|
|
## **Initial Setup**
|
|
|
|
Clone the repo and edit the docker-compose file:
|
|
|
|
|
|
[ nowhere.moe ] [ /dev/pts/10 ] [/srv]
|
|
→ git clone https://github.com/searxng/searxng-docker
|
|
Cloning into 'searxng-docker'...
|
|
remote: Enumerating objects: 308, done.
|
|
remote: Counting objects: 100% (44/44), done.
|
|
remote: Compressing objects: 100% (34/34), done.
|
|
remote: Total 308 (delta 20), reused 23 (delta 9), pack-reused 264
|
|
Receiving objects: 100% (308/308), 82.98 KiB | 5.53 MiB/s, done.
|
|
Resolving deltas: 100% (167/167), done.
|
|
|
|
[ nowhere.moe ] [ /dev/pts/10 ] [/srv]
|
|
→ cd searxng-docker
|
|
|
|
[ nowhere.moe ] [ /dev/pts/10 ] [/srv/searxng-docker]
|
|
→ vim docker-compose.yaml
|
|
|
|
[ nowhere.moe ] [ /dev/pts/10 ] [/srv/searxng-docker]
|
|
→ cat docker-compose.yaml
|
|
version: "3.7"
|
|
|
|
services:
|
|
#caddy:
|
|
# container_name: caddy
|
|
# image: caddy:2-alpine
|
|
# network_mode: host
|
|
# volumes:
|
|
# - ./Caddyfile:/etc/caddy/Caddyfile:ro
|
|
# - caddy-data:/data:rw
|
|
# - caddy-config:/config:rw
|
|
# environment:
|
|
# - SEARXNG_HOSTNAME=${SEARXNG_HOSTNAME:-http://localhost:80}
|
|
# - SEARXNG_TLS=${LETSENCRYPT_EMAIL:-internal}
|
|
# cap_drop:
|
|
# - ALL
|
|
# cap_add:
|
|
# - NET_BIND_SERVICE
|
|
|
|
redis:
|
|
container_name: redis
|
|
image: docker.io/library/redis:alpine
|
|
command: redis-server --save 30 1 --loglevel warning
|
|
networks:
|
|
- searxng
|
|
volumes:
|
|
- redis-data:/data
|
|
cap_drop:
|
|
- ALL
|
|
cap_add:
|
|
- SETGID
|
|
- SETUID
|
|
- DAC_OVERRIDE
|
|
|
|
searxng:
|
|
container_name: searxng
|
|
image: searxng/searxng:latest
|
|
networks:
|
|
- searxng
|
|
ports:
|
|
- "127.0.0.1:8877:8080"
|
|
volumes:
|
|
- ./searxng:/etc/searxng:rw
|
|
environment:
|
|
#- SEARXNG_BASE_URL=https://${SEARXNG_HOSTNAME}/
|
|
- SEARXNG_BASE_URL=https://search.nowhere.moe/
|
|
cap_drop:
|
|
- ALL
|
|
cap_add:
|
|
- CHOWN
|
|
- SETGID
|
|
- SETUID
|
|
logging:
|
|
driver: "json-file"
|
|
options:
|
|
max-size: "1m"
|
|
max-file: "1"
|
|
|
|
networks:
|
|
searxng:
|
|
ipam:
|
|
driver: default
|
|
|
|
volumes:
|
|
#caddy-data:
|
|
caddy-config:
|
|
redis-data:
|
|
|
|
[ nowhere.moe ] [ /dev/pts/10 ] [/srv/searxng-docker]
|
|
→ cat searxng/settings.yml
|
|
# see https://docs.searxng.org/admin/settings/settings.html#settings-use-default-settings
|
|
use_default_settings: true
|
|
server:
|
|
base_url: https://search.nowhere.moe/ #is defined in the SEARXNG_BASE_URL environment variable, see .env and docker-compose.yml
|
|
secret_key: "dwaawdwawadwer1312wdracvhbgdtfhre" # change this!
|
|
limiter: true # can be disabled for a private instance
|
|
image_proxy: true
|
|
public_instance: true
|
|
ui:
|
|
static_use_hash: true
|
|
redis:
|
|
url: redis://redis:6379/0
|
|
|
|
[ nowhere.moe ] [ /dev/pts/10 ] [/srv/searxng-docker]
|
|
→ docker-compose up -d
|
|
Starting redis ... done
|
|
Starting searxng ... done
|
|
|
|
|
|
|
|
Then have the following nginx config:
|
|
|
|
|
|
[ nowhere.moe ] [ /dev/pts/10 ] [/etc/nginx/sites-available]
|
|
→ vim search.nowhere.moe.conf
|
|
|
|
root@nowhere.moe /etc/nginx/sites-available # cat search.nowhere.moe.conf
|
|
server {
|
|
listen 80;
|
|
listen [::]:80;
|
|
server_name search.nowhere.moe;
|
|
return 301 https://$server_name$request_uri;
|
|
}
|
|
|
|
server {
|
|
listen 443 ssl;
|
|
server_name search.nowhere.moe;
|
|
|
|
ssl_certificate /etc/acme/certs/search.nowhere.moe/search.nowhere.moe.cer;
|
|
ssl_certificate_key /etc/acme/certs/search.nowhere.moe/search.nowhere.moe.key;
|
|
|
|
######## TOR CHANGES ########
|
|
listen 4443;
|
|
listen [::]:4443;
|
|
server_name search.daturab6drmkhyeia4ch5gvfc2f3wgo6bhjrv3pz6n7kxmvoznlkq4yd.onion;
|
|
add_header Onion-Location "http://search.daturab6drmkhyeia4ch5gvfc2f3wgo6bhjrv3pz6n7kxmvoznlkq4yd.onion$request_uri" always;
|
|
######## TOR CHANGES ########
|
|
|
|
ssl_protocols TLSv1.3 TLSv1.2;
|
|
ssl_ciphers 'TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
|
|
ssl_prefer_server_ciphers on;
|
|
ssl_session_cache shared:SSL:10m;
|
|
ssl_session_timeout 10m;
|
|
ssl_session_tickets off;
|
|
ssl_ecdh_curve auto;
|
|
|
|
add_header X-XSS-Protection "1; mode=block"; #Cross-site scripting
|
|
add_header X-Frame-Options "SAMEORIGIN" always; #clickjacking
|
|
add_header X-Content-Type-Options "nosniff";
|
|
add_header Content-Security-Policy "default-src 'self';";
|
|
|
|
|
|
location / {
|
|
proxy_pass http://localhost:8877;
|
|
}
|
|
}
|
|
|
|
|
|
|
|
[ nowhere.moe ] [ /dev/pts/10 ] [/etc/nginx/sites-available]
|
|
→ ln -s /etc/nginx/sites-available/search.nowhere.moe.conf
|
|
ln: failed to create symbolic link './search.nowhere.moe.conf': File exists
|
|
|
|
[ nowhere.moe ] [ /dev/pts/10 ] [/etc/nginx/sites-available]
|
|
→ ln -s /etc/nginx/sites-available/search.nowhere.moe.conf /etc/nginx/sites-enabled
|
|
|
|
[ nowhere.moe ] [ /dev/pts/10 ] [/etc/nginx/sites-available]
|
|
→ nginx -t
|
|
2024/02/16 21:07:54 [emerg] 409181#409181: cannot load certificate "/etc/acme/certs/search.nowhere.moe/search.nowhere.moe.cer": BIO_new_file() failed (SSL: error:80000002:system library::No such file or directory:calling fopen(/etc/acme/certs/search.nowhere.moe/search.nowhere.moe.cer, r) error:10000080:BIO routines::no such file)
|
|
nginx: configuration file /etc/nginx/nginx.conf test failed
|
|
|
|
[ nowhere.moe ] [ /dev/pts/10 ] [/etc/nginx/sites-available]
|
|
→ bash
|
|
root@nowhere.moe /etc/nginx/sites-available # systemctl stop nginx ; acme.sh --issue --standalone -d search.nowhere.moe -k 4096 ; systemctl start nginx
|
|
|
|
|
|
|
|
Then simply browse to your instance on the web:
|
|
|
|
|
|
|
|
You can also search for something, then right click the search bar to add it as a search engine in firefox. then you can make it your default search enging.
|
|
|
|
## **Host a public instance**
|
|
|
|
get your instance listed [here](https://github.com/searxng/searx-instances/issues/475) among the other instances on <https://searx.space>
|
|
|
|
## **Hardening Setup**
|
|
|
|
To get listed among the public instances, you need to make sure your TLS hardening top notch, as explained below:
|
|
|
|
|
|
#for the DNS change for the CAA record, do the following:
|
|
root@mail-gw:/var/cache/bind# cat db.nowhere.moe | grep search
|
|
search.nowhere.moe. IN A 37.27.32.233
|
|
search.nowhere.moe. IN CAA 0 issue "letsencrypt.org"
|
|
|
|
[ nowhere.moe ] [ /dev/pts/5 ] [~/.acme.sh]
|
|
→ cat /etc/nginx/sites-available/search.nowhere.moe.conf
|
|
server {
|
|
listen 80;
|
|
listen [::]:80;
|
|
server_name search.nowhere.moe;
|
|
return 301 https://$server_name$request_uri;
|
|
}
|
|
|
|
server {
|
|
listen 443 ssl;
|
|
server_name search.nowhere.moe;
|
|
|
|
ssl_certificate /root/.acme.sh/search.nowhere.moe/fullchain.cer;
|
|
ssl_certificate_key /root/.acme.sh/search.nowhere.moe/search.nowhere.moe.key;
|
|
ssl_dhparam /root/.acme.sh/dhparam.pem;
|
|
|
|
######## TOR CHANGES ########
|
|
listen 4443;
|
|
listen [::]:4443;
|
|
server_name search.daturab6drmkhyeia4ch5gvfc2f3wgo6bhjrv3pz6n7kxmvoznlkq4yd.onion;
|
|
add_header Onion-Location "http://search.daturab6drmkhyeia4ch5gvfc2f3wgo6bhjrv3pz6n7kxmvoznlkq4yd.onion$request_uri" always;
|
|
######## TOR CHANGES ########
|
|
|
|
# SSL Settings
|
|
ssl_protocols TLSv1.2 TLSv1.3;
|
|
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
|
|
ssl_prefer_server_ciphers on;
|
|
|
|
|
|
ssl_session_cache shared:SSL:10m;
|
|
ssl_session_timeout 10m;
|
|
ssl_session_tickets off;
|
|
ssl_ecdh_curve auto;
|
|
|
|
# OCSP stapling
|
|
ssl_stapling on;
|
|
ssl_stapling_verify on;
|
|
ssl_trusted_certificate /root/.acme.sh/search.nowhere.moe/fullchain.cer;
|
|
resolver 1.1.1.1 208.67.222.222;
|
|
|
|
add_header Strict-Transport-Security "max-age=63072000" always;
|
|
|
|
|
|
add_header X-XSS-Protection "1; mode=block"; #Cross-site scripting
|
|
add_header X-Frame-Options "SAMEORIGIN" always; #clickjacking
|
|
add_header X-Content-Type-Options "nosniff";
|
|
add_header Content-Security-Policy "default-src 'self';";
|
|
|
|
|
|
location / {
|
|
proxy_pass http://localhost:8877;
|
|
}
|
|
}
|
|
|
|
|
|
|
|
|
|
To generate the dhparam.pem file you do the following:
|
|
|
|
|
|
[ nowhere.moe ] [ /dev/pts/5 ] [~/.acme.sh]
|
|
→ openssl dhparam -dsaparam -out dhparam.pem 4096
|
|
Generating DSA parameters, 4096 bit long prime
|
|
....+..+...+....+..+.....+..................+......+.....+............+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*
|
|
|
|
|
|
|
|
Then reload nginx and check the scores on [mozilla's observatory](https://observatory.mozilla.org/analyze/search.nowhere.moe) and [qualys' TLS checker](https://www.ssllabs.com/ssltest/analyze.html?d=search.nowhere.moe)
|
|
|
|
|
|
[ nowhere.moe ] [ /dev/pts/5 ] [~/.acme.sh]
|
|
→ nginx -t
|
|
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
|
|
nginx: configuration file /etc/nginx/nginx.conf test is successful
|
|
|
|
[ nowhere.moe ] [ /dev/pts/5 ] [~/.acme.sh]
|
|
→ nginx -s reload
|
|
2024/02/24 08:24:59 [notice] 3403413#3403413: signal process started
|
|
|
|
|
|
|