Ubuntu 18.04 + Docker + Apache2 #1798

Open
iamdoubz opened this issue Jan 7, 2020 · 2 comments
Labels
doc

Comments

@iamdoubz iamdoubz commented Jan 7, 2020

Here is a way to install searx in 5 minutes, and I wanted to post this somewhere. This is not a bug; this is a guide.

Requirements

  1. You have docker running already
  2. You have several websites already being served by Apache (we will be using a subdomain)
  3. Apache2 version >= 2.4.17 < 2.4.36
  4. You are using certbot for ssl certs
  5. Need to use TLS1.2 (TLS1.3 not implemented until Apache2 >= 2.4.36)

Updated for @dalf's comment below

  1. Added the ability not to log anything (recommended reverse proxy setup)
  2. I used the docker repo wonderfall/searx as that was stated in the install here, but it is out of date, so I updated to searx/searx
  3. Removed the old CSP sha-256 as it was not needed for the updated docker image
  4. Added more "default" requirements
  5. Removed <FilesMatch "\.(cgi|shtml|phtml|php)$"> and <Directory /usr/lib/cgi-bin> as they are not needed when using docker.

Guide

Grab the docker code

  1. sudo docker pull searx/searx
    Start searx docker image listening on port 9999 (note, you can change this to whatever you want!)
  2. sudo docker run -i -t -d --restart=always -p 127.0.0.1:9999:8888 searx/searx
  3. Open up a browser and navigate to http://localhost:9999/
    If you see the searx logo, you may continue. If not, check to see if anything is running on port 9999 with sudo netstat -peanut | grep :9999
  4. Create a new apache config file called searx.conf with the following content:
    Note: if you are not using port 9999, change it in the apache conf file!

```apache
# Modules this config relies on (enable with a2enmod before a2ensite):
#   ssl proxy proxy_http headers rewrite http2
Define searx_url 127.0.0.1
Define searx_port 9999
Define public_url searx.sub.domain
Define email webadmin@searx.sub.domain
ServerTokens Prod
SSLStaplingCache "shmcb:${APACHE_LOG_DIR}/stapling-cache(150000)"
SSLSessionCache "shmcb:${APACHE_LOG_DIR}/ssl_scache(512000)"
SSLSessionCacheTimeout 300
### If you have Google's Mod PageSpeed, disable it
### (IfModule keeps the config loadable when the module is not installed)
<IfModule pagespeed_module>
    ModPagespeed Off
</IfModule>

<VirtualHost *:80>
    ServerName ${public_url}
    DocumentRoot /var/www/offline
    ServerAdmin ${email}
    ErrorLog ${APACHE_LOG_DIR}/web.error.log
    CustomLog ${APACHE_LOG_DIR}/web.access.log combined
    ### If you don't want logs
    #ErrorLog /dev/null
    #CustomLog /dev/null combined
    RewriteEngine On
    ### TestString and CondPattern are separate arguments: "=host" is an exact match
    RewriteCond %{SERVER_NAME} =${public_url}
    RewriteCond %{HTTPS} off
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

<VirtualHost *:443>
    ServerName ${public_url}
    DocumentRoot /var/www/offline
    ServerAdmin ${email}
    ErrorLog ${APACHE_LOG_DIR}/web.error.log
    CustomLog ${APACHE_LOG_DIR}/web.access.log combined
    ### If you don't want logs
    #ErrorLog /dev/null
    #CustomLog /dev/null combined
    SSLEngine On
    SSLCertificateFile /etc/letsencrypt/live/${public_url}/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/${public_url}/privkey.pem
    #Include /etc/letsencrypt/options-ssl-apache.conf
    ### Offer HTTP/2 and HTTP/1.1 on this vhost ###
    Protocols h2 http/1.1
    Timeout 360
    ProxyRequests Off
    ProxyPreserveHost On
    ProxyTimeout 600
    ProxyReceiveBufferSize 4096
    SSLProxyEngine On
    RequestHeader set Front-End-Https "On"
    ServerSignature Off
    SSLCompression Off
    SSLUseStapling On
    SSLStaplingResponderTimeout 5
    SSLStaplingReturnResponderErrors Off
    SSLSessionTickets Off
    RequestHeader set X-Forwarded-Proto 'https' env=HTTPS
    Header always set Strict-Transport-Security "max-age=15552000; preload"
    Header always set X-Content-Type-Options nosniff
    Header always set X-Robots-Tag none
    Header always set X-XSS-Protection "1; mode=block"
    Header always set X-Frame-Options "SAMEORIGIN"
    Header always set Referrer-Policy "strict-origin-when-cross-origin"
    Header always set Content-Security-Policy "default-src 'self' https:; font-src 'self' data: ${searx_url} ${public_url}; media-src 'self' blob: data: https: ${searx_url} ${public_url}; script-src 'self' ${searx_url} ${public_url}; img-src 'self' data: https: blob: ${searx_url} ${public_url}"
    Header always set Feature-Policy "geolocation 'self'; midi 'self'; sync-xhr 'self'; microphone 'self'; camera 'self'; magnetometer 'self'; gyroscope 'self'; speaker 'self'; fullscreen 'self'; payment 'self'"
    SSLHonorCipherOrder Off
    ### Use next two for very secure connections ###
    SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4
    SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
    ### Use next two for secure connections and supports more endpoints ###
    #SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:ECDHE-RSA-AES128-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA128:DHE-RSA-AES128-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA128:ECDHE-RSA-AES128-SHA384:ECDHE-RSA-AES128-SHA128:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA384:AES128-GCM-SHA128:AES128-SHA128:AES128-SHA128:AES128-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4
    #SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
    ### Actually proxy the traffic and really the only important part ###
    ProxyPass / http://${searx_url}:${searx_port}/
    ProxyPassReverse / http://${searx_url}:${searx_port}/
    ### Additional suggestions: https://github.com/asciimoo/searx/wiki/How-to-create-and-configure-SSL ###
    BrowserMatch "MSIE [2-6]" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
    BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
</VirtualHost>
```

  5. Enable the new site: sudo a2ensite searx.conf
  6. Reload and restart the apache service: sudo service apache2 reload && sudo service apache2 restart

Congrats!

Wasn't that easy?

Comments? Questions? Complaints? Grievances?

Go ahead and leave a comment below.
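Two things in the guide above are worth verifying after the restart: that the container port is bound to loopback only (so searx is reachable solely through the Apache proxy) and that the :443 VirtualHost actually emits the headers it configures. The script below is an added example, not part of the guide or of the searx project. It assumes the `ss -ltn` output format for listeners, the header names and the HSTS max-age the guide's config sets, and a public hostname of searx.sub.domain; the sample data in it is constructed.

```python
"""Post-deployment checks for a searx-behind-Apache reverse proxy (example code).

  loopback_only()  parses `ss -ltn` lines and confirms the container port is
                   bound to a loopback address only
  audit_headers()  checks the response headers the :443 VirtualHost sets and
                   that ServerTokens Prod took effect
main() wires both to live commands; constants and samples are constructed here.
"""
import re
import subprocess
import sys
import urllib.request

# Headers the 443 VirtualHost sets, with the shape their values must have.
EXPECTED_HEADERS = {
    "strict-transport-security": re.compile(r"max-age=(\d+)"),
    "content-security-policy": re.compile(r"default-src\s+'self'"),
    "x-content-type-options": re.compile(r"^nosniff$", re.I),
    "x-frame-options": re.compile(r"^(SAMEORIGIN|DENY)$", re.I),
    "referrer-policy": re.compile(r"strict-origin-when-cross-origin"),
}
MIN_HSTS_AGE = 15552000  # the max-age the guide's Header directive sets
LOOPBACK = {"127.0.0.1", "[::1]", "::1"}


def loopback_only(ss_output: str, port: int) -> bool:
    """True if at least one listener on `port` exists and all are bound to
    loopback. Lines of `ss -ltn` look like
    'LISTEN 0 4096 127.0.0.1:9999 0.0.0.0:*'; a 0.0.0.0, [::] or * bind means
    the container is exposed on every interface, which the guide's
    `-p 127.0.0.1:9999:8888` is meant to prevent."""
    found = False
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0].upper() != "LISTEN":
            continue
        host, _, lport = fields[3].rpartition(":")
        if lport != str(port):
            continue
        found = True
        if host not in LOOPBACK:
            return False
    return found


def audit_headers(headers: dict) -> list:
    """Return findings for a response header map (empty list means all good).
    Header names are matched case-insensitively."""
    lowered = {k.lower(): v for k, v in headers.items()}
    findings = []
    for name, pattern in EXPECTED_HEADERS.items():
        value = lowered.get(name)
        if value is None:
            findings.append(f"missing header: {name}")
            continue
        match = pattern.search(value)
        if match is None:
            findings.append(f"unexpected value for {name}: {value!r}")
        elif name == "strict-transport-security" and int(match.group(1)) < MIN_HSTS_AGE:
            findings.append(f"HSTS max-age {match.group(1)} below {MIN_HSTS_AGE}")
    # ServerTokens Prod reduces the Server header to the bare product name;
    # a version number means the directive was not applied.
    server = lowered.get("server", "")
    if re.search(r"apache/\d", server, re.I):
        findings.append(f"Server header leaks version: {server!r}")
    return findings


# Constructed sample data, shaped like captured output after following the guide.
SAMPLE_SS = (
    "State  Recv-Q Send-Q Local Address:Port Peer Address:Port\n"
    "LISTEN 0      4096   127.0.0.1:9999     0.0.0.0:*\n"
    "LISTEN 0      511    *:443              *:*\n"
)
SAMPLE_HEADERS = {
    "Server": "Apache",
    "Strict-Transport-Security": "max-age=15552000; preload",
    "Content-Security-Policy": "default-src 'self' https:; script-src 'self'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "SAMEORIGIN",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}


def main(public_url: str, port: int = 9999) -> int:
    """Run both checks against the live host; exit status 1 on any finding."""
    ss = subprocess.run(["ss", "-ltn"], capture_output=True, text=True, check=True).stdout
    problems = [] if loopback_only(ss, port) else [f"port {port} is not loopback-only"]
    req = urllib.request.Request(f"https://{public_url}/", method="HEAD")
    with urllib.request.urlopen(req, timeout=10) as resp:
        problems += audit_headers(dict(resp.headers))
    for problem in problems:
        print("FAIL:", problem)
    print("OK" if not problems else f"{len(problems)} finding(s)")
    return 1 if problems else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1] if len(sys.argv) > 1 else "searx.sub.domain"))
```

Run it as `python3 check_searx.py searx.sub.domain` on the host itself. The header audit deliberately uses HEAD against the public hostname so that it exercises the full TLS and proxy path rather than the container directly; a non-empty finding list usually means a2enmod headers or ssl was skipped, or the site was enabled without a reload.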

Collaborator

@dalf dalf commented Jan 7, 2020

Thank you, some comments:

  • wonderfall/searx hasn't been updated for 7 months (hoellen/searx and searx/searx are up to date)
  • Content-Security-Policy contains an unknown value: sha256-LIWrG6emw8QcIrrsxKwHRTZeHabvoWo08i03XaSQu7M=
  • the current configuration will log all GET/POST requests.
  • it requires certbot integration.
  • <FilesMatch "\.(cgi|shtml|phtml|php)$"> and <Directory /usr/lib/cgi-bin> won't be used.
  • it would be better to have filtron between apache and searx.

I guess you already know:

Author

@iamdoubz iamdoubz commented Jan 7, 2020

Updated for @dalf's comment above

  1. Added the ability not to log anything (recommended reverse proxy setup)
  2. I used the docker repo wonderfall/searx as that was stated in the install here, but it is out of date, so I updated to searx/searx
  3. Removed the old CSP sha-256 as it was not needed for the updated docker image
  4. Added more "default" requirements
  5. Removed <FilesMatch "\.(cgi|shtml|phtml|php)$"> and <Directory /usr/lib/cgi-bin> as they are not needed when using docker.

@return42 return42 added the doc label Jan 15, 2020