mirrors/searxng
1
0
Fork 0
mirror of https://github.com/searxng/searxng.git synced 2024-05-20 12:28:05 +00:00
Code Issues Projects Releases Wiki Activity
searxng/docs
History
Robin Schneider a1d9c81915
Fix Nginx subdir URL install docs which allowed download of settings.yml 
Closes: #1617

There is an issue with the setup example in https://asciimoo.github.io/searx/dev/install/installation.html#installation for subdirectory URL deployments:

```nginx
root /usr/local/searx;

location = /searx { rewrite ^ /searx/; }
        try_files $uri @searx;
}
location @searx {
        uwsgi_param SCRIPT_NAME /searx;
        include uwsgi_params;
        uwsgi_modifier1 30;
        uwsgi_pass unix:/run/uwsgi/app/searx/socket;
}
```

`try_files` causes Nginx to search for files in the server root first. If it matches a file, it is returned. Only if no file matched, the request is passed to uwsgi. The worst consequence I can think of is that  `settings.yml` can be downloaded without authentication (where secrets and configuration details are stored).

To fix this, I propose:

```nginx
location = /searx {
        rewrite ^ /searx/;
}

location /searx/static {
}

location /searx {
        uwsgi_param SCRIPT_NAME /searx;
        include uwsgi_params;
        uwsgi_pass unix:/run/uwsgi/app/searx/socket;
}
```

And add

```
route-run = fixpathinfo:
```

to `/etc/uwsgi/apps-available/searx.ini` because `uwsgi_modifier1 30` is apparently deprecated. Ref: https://uwsgi-docs.readthedocs.io/en/latest/Changelog-2.0.11.html#fixpathinfo-routing-action

I assume this issue exists because some uwsgi upstream docs also use the `try_files` construct (at least I have seen this somewhere in the docs or somewhere else on the Internet but cannot find it right now again).

https://uwsgi-docs.readthedocs.io/en/latest/Nginx.html#hosting-multiple-apps-in-the-same-process-aka-managing-script-name-and-path-info also warns about this:

> If used incorrectly a configuration like this may cause security problems. For your sanity’s sake, double-triple-quadruple check that your application files, configuration files and any other sensitive files are outside of the root of the static files.
2019-12-31 14:24:27 +01:00
..
_themes/searx docs(css): render HTML rst-example slightly more discreet 2019-12-28 01:26:24 +01:00
admin Fix Nginx subdir URL install docs which allowed download of settings.yml 2019-12-31 14:24:27 +01:00
blog doc: moved reST sources in the right folder (much clearer) 2019-12-12 19:48:42 +01:00
dev docs(dev): add more markups to reST primer 2019-12-28 01:01:11 +01:00
static/img [enh] initial structure 2015-11-17 23:38:22 +01:00
user doc: moved reST sources in the right folder (much clearer) 2019-12-12 19:48:42 +01:00
conf.py docs(admin): add article 'Buildhosts' with system requirements 2019-12-28 01:25:16 +01:00
index.rst doc: moved reST sources in the right folder (much clearer) 2019-12-12 19:48:42 +01:00