searxng / searxng-docker

The docker-compose files for setting up a SearXNG instance with docker.
GNU Affero General Public License v3.0

Issues configuring nginx with searxng, header issues and CSP blocked on /static #93

Closed y0nei closed 1 year ago

y0nei commented 1 year ago

Hello, I'm running docker with searxng and I want to make nginx work properly on it, but I keep getting thrown off by weird issues. I have searched searxng/searxng-docker, searxng/searxng and the documentation, and every single one of those recommends a different method and config for setting up nginx. The way I want to do it is to have a static configuration for nginx and reverse proxy searxng with it.

I am aware that #15 shows how to set up nginx with searxng, but I can't seem to figure out how and which configuration to use; the Caddyfile adds headers, and none of these are mentioned in issue #15.

Here is how my nginx.conf looks (and excuse my indentation in the post):

#user searxng;   # if I use anything else it will just throw an error
worker_processes 1;
pid /run/nginx.pid;
include /etc/nginx/modules/*.conf;

events {
    worker_connections 768;
}

http {

    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;
    server_tokens off;

    # server_names_hash_bucket_size 64;
    # server_name_in_redirect off;

    client_max_body_size 0;

    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    #access_log /config/log/nginx/access.log;
    #error_log /config/log/nginx/error.log;
    access_log /dev/null;
    error_log  /dev/null;

    include /etc/nginx/http.d/*.conf;
    include /config/nginx/site-confs/*;
    #Removed lua. Do not remove this comment

    gzip on;
    gzip_disable "msie6";
    gzip_vary on;
    gzip_min_length 10240;
    gzip_proxied expired no-cache no-store private auth;
    gzip_types text/plain text/css text/xml text/javascript application/x-javascript application/xml;

    server {
        listen  80;
        server_name  searx.zimro.xyz;

        location / {

            set $target http://192.168.1.200:8080;  # 127.0.0.1:8080 has not worked

            #add_header Content-Security-Policy "upgrade-insecure-requests; default-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'; form-action 'self' https://github.com/searxng/searxng/issues/new; font-src 'self'; frame-ancestors 'self'; base-uri 'self'; connect-src 'self' https://overpass-api.de; img-src 'self' data: https://*.tile.openstreetmap.org; frame-src https://www.youtube-nocookie.com https://player.vimeo.com https://www.dailymotion.com https://www.deezer.com https://www.mixcloud.com https://w.soundcloud.com https://embed.spotify.com" always;
            add_header Permissions-Policy "accelerometer=(),ambient-light-sensor=(),autoplay=(),camera=(),encrypted-media=(),focus-without-user-activation=(),geolocation=(),gyroscope=(),magnetometer=(),microphone=(),midi=(),payment=(),picture-in-picture=(),speaker=(),sync-xhr=(),usb=(),vr=()" always;
            add_header Feature-Policy "accelerometer 'none';ambient-light-sensor 'none'; autoplay 'none';camera 'none';encrypted-media 'none';focus-without-user-activation 'none'; geolocation 'none';gyroscope 'none';magnetometer 'none';microphone 'none';midi 'none';payment 'none';picture-in-picture 'none'; speaker 'none';sync-xhr 'none';usb 'none';vr 'none'" always;
            add_header X-Robots-Tag "noindex, noarchive, nofollow" always;
            add_header Referrer-Policy "no-referrer" always;
            add_header Cache-Control "no-cache, no-store" always;
            add_header Pragma "no-cache" always;
            add_header X-Frame-Options SAMEORIGIN always;

            #proxy_set_header Host $host;
            proxy_set_header Host             $target;
            proxy_set_header Connection       $http_connection;

            # see flaskfix.py
            proxy_set_header X-Scheme         $scheme;
            proxy_set_header X-Script-Name    $target;
            # see limiter.py
            proxy_set_header X-Real-IP        $remote_addr;
            proxy_set_header X-Forwarded-For  $proxy_add_x_forwarded_for;

            proxy_pass $target;
        }

        location /stats/errors {
            add_header Access-Control-Allow-Methods "GET, OPTIONS" always;
            add_header Access-Control-Allow-Origin  "*" always;
        }

        location /stats/checker {
            add_header Access-Control-Allow-Methods "GET, OPTIONS" always;
            add_header Access-Control-Allow-Origin  "*" always;
        }

        location /image_proxy {
            add_header Content-Security-Policy "default-src 'none'; img-src 'self' data:" always;
        }
    }
}
#daemon off;   # also throws an error when not commented

All the add_header options in location / I have added from the Caddy config; previously I had them running on nginx proxy manager and they worked just fine. But once the instance went public, it would constantly return too many requests.

I have tried this solution, originally posted by @return42 in https://github.com/searxng/searxng-docker/issues/55#issuecomment-1209446559:

    # see limiter.py
    proxy_set_header   X-Real-IP        $remote_addr;
    proxy_set_header   X-Forwarded-For  $proxy_add_x_forwarded_for;

It works fine in nginx itself, but sadly it wouldn't work in nginx proxy manager.

There's also an issue with /static, which can't load any resources because of the Content-Security-Policy header in the / location. Without this header it loads fine; that's why I have it commented out above.

For .env I have SEARXNG_HOSTNAME=searx.zimro.xyz, and my docker-compose.yml looks like this:

version: '3.7'

services:
  nginx:
    image: nginx:alpine
    container_name: searxng-nginx
    volumes:
      - ./nginx.conf:/etc/nginx/nginx.conf:ro
    ports:
      - 7880:80
    networks:
      - searxng
      - nginx-proxy
    restart: always

  redis:
    container_name: redis
    image: "redis:alpine"
    command: redis-server --save "" --appendonly "no"
    networks:
      - searxng
    tmpfs:
      - /var/lib/redis
    cap_drop:
      - ALL
    cap_add:
      - SETGID
      - SETUID
      - DAC_OVERRIDE
    restart: always

  searxng:
    container_name: searxng
    image: searxng/searxng:latest
    networks:
      - searxng
    ports:
      - "8080:8080"
    volumes:
      - ./searxng:/etc/searxng:rw
    environment:
      - SEARXNG_BASE_URL=https://searx.zimro.xyz
      # - SEARXNG_BASE_URL=https://127.0.0.1:8080
    cap_drop:
      - ALL
    cap_add:
      - CHOWN
      - SETGID
      - SETUID
      - DAC_OVERRIDE
    logging:
      driver: "json-file"
      options:
        max-size: "1m"
        max-file: "1"
    restart: always

networks:
  searxng:
    ipam:
      driver: default
  nginx-proxy:
    name: nginx-proxy-manager_default

And yes, I'm not setting SSL inside my nginx.conf since I use nginx proxy manager to reverse proxy it. (I know it's pointless and I could just use NPM to manage the nginx config, but it's cleaner for me that way.)

y0nei commented 1 year ago

After looking into this comment on this issue, I have added the headers listed in there; it seems to fix the too many requests error.

return42 commented 1 year ago

After looking into this comment on this issue, I have added the headers listed in there; it seems to fix the too many requests error.

Yes, you have to set the HTTP headers; it's now documented here: https://docs.searxng.org/src/searx.botdetection.html#x-forwarded-for
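As an added example (not the thread's config and not the searxng-docker project's own), a server block that addresses the points raised in the thread: the X-Real-IP/X-Forwarded-For headers the linked botdetection docs require, Host and X-Script-Name carrying the proxy's own hostname and path prefix instead of the upstream URL, and a nested location that repeats the headers nginx would otherwise drop. It assumes nginx and SearXNG share the compose network from the question, so the upstream is addressed by service name; the CSP value itself is left to the project's documentation.

```nginx
# Added example, not from this thread or the searxng-docker project.
# Assumes SearXNG is served at the site root and that nginx runs in the
# same compose network, so the upstream is reachable as "searxng:8080"
# (127.0.0.1 inside the nginx container is nginx itself, not SearXNG).
server {
    listen 80;
    server_name searx.zimro.xyz;

    location / {
        # Host must be the public hostname; the upstream URL is not a
        # valid Host value, and SearXNG uses Host/X-Scheme for its links.
        proxy_set_header Host             $host;
        proxy_set_header Connection       $http_connection;

        # see flaskfix.py: X-Script-Name is the URL path prefix SearXNG is
        # mounted under (e.g. /searxng) and is prepended to every generated
        # URL. At the root it is empty; an upstream address here sends the
        # browser to another origin for /static, which a 'self' CSP blocks.
        proxy_set_header X-Scheme         $scheme;
        proxy_set_header X-Script-Name    "";

        # see limiter.py: without the real client address every request
        # appears to come from the proxy, and the limiter answers
        # "too many requests" as soon as the instance is public.
        proxy_set_header X-Real-IP        $remote_addr;
        proxy_set_header X-Forwarded-For  $proxy_add_x_forwarded_for;

        add_header X-Robots-Tag "noindex, noarchive, nofollow" always;
        add_header Referrer-Policy "no-referrer" always;
        add_header X-Frame-Options SAMEORIGIN always;

        proxy_pass http://searxng:8080;
    }

    # add_header and proxy_set_header are inherited from the enclosing
    # block only when the nested location sets none of its own, so a
    # location that adds its own CSP must repeat the headers it keeps and
    # must still proxy_pass, otherwise nginx answers the request itself.
    location /image_proxy {
        add_header Content-Security-Policy "default-src 'none'; img-src 'self' data:" always;
        add_header Referrer-Policy "no-referrer" always;
        add_header X-Frame-Options SAMEORIGIN always;
        proxy_set_header Host             $host;
        proxy_set_header X-Scheme         $scheme;
        proxy_set_header X-Real-IP        $remote_addr;
        proxy_set_header X-Forwarded-For  $proxy_add_x_forwarded_for;
        proxy_pass http://searxng:8080;
    }
}
```

The forwarded client address only helps when the proxy in front of nginx (nginx proxy manager here) also passes X-Forwarded-For through, since $proxy_add_x_forwarded_for appends $remote_addr to whatever it receives.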