searxng/docs/admin/installation.rst
Robin Schneider a1d9c81915
Fix Nginx subdir URL install docs which allowed download of settings.yml
Closes: #1617

There is an issue with the setup example in https://asciimoo.github.io/searx/dev/install/installation.html#installation for subdirectory URL deployments:

```nginx
root /usr/local/searx;

location = /searx { rewrite ^ /searx/; }
location /searx {
        try_files $uri @searx;
}
location @searx {
        uwsgi_param SCRIPT_NAME /searx;
        include uwsgi_params;
        uwsgi_modifier1 30;
        uwsgi_pass unix:/run/uwsgi/app/searx/socket;
}
```

`try_files` causes Nginx to search for files in the server root first. If it matches a file, it is returned. Only if no file matched, the request is passed to uwsgi. The worst consequence I can think of is that `settings.yml` can be downloaded without authentication (where secrets and configuration details are stored).

To fix this, I propose:

```nginx
location = /searx {
        rewrite ^ /searx/;
}

location /searx/static {
}

location /searx {
        uwsgi_param SCRIPT_NAME /searx;
        include uwsgi_params;
        uwsgi_pass unix:/run/uwsgi/app/searx/socket;
}
```

And add

```
route-run = fixpathinfo:
```

to `/etc/uwsgi/apps-available/searx.ini` because `uwsgi_modifier1 30` is apparently deprecated. Ref: https://uwsgi-docs.readthedocs.io/en/latest/Changelog-2.0.11.html#fixpathinfo-routing-action

I assume this issue exists because some uwsgi upstream docs also use the `try_files` construct (at least I have seen this somewhere in the docs or somewhere else on the Internet but cannot find it right now again).

https://uwsgi-docs.readthedocs.io/en/latest/Nginx.html#hosting-multiple-apps-in-the-same-process-aka-managing-script-name-and-path-info also warns about this:

> If used incorrectly a configuration like this may cause security problems. For your sanity’s sake, double-triple-quadruple check that your application files, configuration files and any other sensitive files are outside of the root of the static files.
2019-12-31 14:24:27 +01:00

6.6 KiB

Installation

Basic installation

Step-by-step installation for Debian/Ubuntu with virtualenv. For Ubuntu, be sure to have enabled the universe repository.

Install packages:

sudo -H apt-get install \
     git build-essential libxslt-dev \
     python-dev python-virtualenv python-babel \
     zlib1g-dev libffi-dev libssl-dev

Install searx:

cd /usr/local
sudo -H git clone https://github.com/asciimoo/searx.git
sudo -H useradd searx -d /usr/local/searx
sudo -H chown searx:searx -R /usr/local/searx

Install dependencies in a virtualenv:

cd /usr/local/searx
sudo -H -u searx -i
(searx)$ virtualenv searx-ve
(searx)$ . ./searx-ve/bin/activate
(searx)$ ./manage.sh update_packages

Configuration

sed -i -e "s/ultrasecretkey/`openssl rand -hex 16`/g" searx/settings.yml

Edit searx/settings.yml if necessary.

Check

Start searx:

python searx/webapp.py

Go to http://localhost:8888

If everything works fine, disable the debug option in settings.yml:

sed -i -e "s/debug : True/debug : False/g" searx/settings.yml

At this point searx is not daemonized; uwsgi allows this.

You can exit the virtualenv and the searx user's bash session (enter the exit command twice).

uwsgi

Install packages:

sudo -H apt-get install \
     uwsgi uwsgi-plugin-python

Create the configuration file /etc/uwsgi/apps-available/searx.ini with this content:

[uwsgi]
# Who will run the code
uid = searx
gid = searx

# disable logging for privacy
disable-logging = true

# Number of workers (usually CPU count)
workers = 4

# Permissions granted on the created socket
chmod-socket = 666

# Plugin to use and interpreter config
single-interpreter = true
master = true
plugin = python
lazy-apps = true
enable-threads = true

# Module to import
module = searx.webapp

# Support running the module from a webserver subdirectory.
route-run = fixpathinfo:

# Virtualenv and python path
virtualenv = /usr/local/searx/searx-ve/
pythonpath = /usr/local/searx/
chdir = /usr/local/searx/searx/

Activate the uwsgi application and restart:

cd /etc/uwsgi/apps-enabled
ln -s ../apps-available/searx.ini
/etc/init.d/uwsgi restart

Web server

with nginx

If nginx is not installed (uwsgi will not work with the package nginx-light):

sudo -H apt-get install nginx

Hosted at /

Create the configuration file /etc/nginx/sites-available/searx with this content:

server {
    listen 80;
    server_name searx.example.com;
    root /usr/local/searx;

    location / {
            include uwsgi_params;
            uwsgi_pass unix:/run/uwsgi/app/searx/socket;
    }
}

Create a symlink to sites-enabled:

sudo -H ln -s /etc/nginx/sites-available/searx /etc/nginx/sites-enabled/searx

Restart service:

sudo -H service nginx restart
sudo -H service uwsgi restart

from subdirectory URL (/searx)

Add this configuration in the server config file /etc/nginx/sites-enabled/default:

location = /searx {
        rewrite ^ /searx/;
}

location /searx/static {
}

location /searx {
        uwsgi_param SCRIPT_NAME /searx;
        include uwsgi_params;
        uwsgi_pass unix:/run/uwsgi/app/searx/socket;
}
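
Why only /searx/static reads from disk here, as an added sketch that is not part of the searx docs: it models, offline, which handler answers a URI under the earlier `try_files $uri @searx` setup and under the blocks above, and lists the files under the root that only the old setup returned as static files. The function names and the sample tree are constructed for illustration, and nginx URI normalization is not modelled.

```shell
#!/bin/sh
# Constructed model of which handler answers a URI under each /searx config.
# ROOT is the nginx "root" (no trailing slash), e.g. /usr/local/searx.

# Old: location /searx { try_files $uri @searx; }
# A regular file at ROOT+URI is returned as-is; anything else goes to uwsgi.
old_handler() {   # usage: old_handler ROOT URI
    case "$2" in
        /searx*) if [ -f "$1$2" ]; then echo static; else echo uwsgi; fi ;;
        *)       echo other ;;
    esac
}

# New: location /searx/static { }  +  location /searx { uwsgi_pass ...; }
# Only the static prefix reads the filesystem; the longest prefix wins.
new_handler() {   # usage: new_handler ROOT URI
    case "$2" in
        /searx/static*) if [ -f "$1$2" ]; then echo static; else echo 404; fi ;;
        /searx*)        echo uwsgi ;;
        *)              echo other ;;
    esac
}

# Print every URI that the old config served from disk but the new one does not.
audit_root() {    # usage: audit_root ROOT
    find "$1/searx" -type f | sort | while IFS= read -r path; do
        uri=${path#"$1"}
        if [ "$(old_handler "$1" "$uri")" = static ] &&
           [ "$(new_handler "$1" "$uri")" != static ]; then
            echo "$uri"
        fi
    done
}

# Constructed stand-in for the checkout: one secret, one source file, one asset.
make_sample_root() {
    r=$(mktemp -d) || return 1
    mkdir -p "$r/searx/static/css"
    echo 'secret_key : "constructed-value"' > "$r/searx/settings.yml"
    echo '# application code' > "$r/searx/webapp.py"
    echo 'body {}' > "$r/searx/static/css/style.css"
    echo "$r"
}

sample=$(make_sample_root)
audit_root "$sample"
rm -rf "$sample"
```

On a host that ran the old configuration, `audit_root /usr/local/searx` lists what was reachable without authentication; if settings.yml is in that list, treat its secret_key as disclosed and regenerate it.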

Alternatively, use a reverse proxy instead of the uwsgi configuration (note that a reverse proxy is advised only for single-user or low-traffic instances):

location /searx {
    proxy_pass http://127.0.0.1:8888;
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Scheme $scheme;
    proxy_set_header X-Script-Name /searx;
    proxy_buffering off;
}

Enable base_url in searx/settings.yml

base_url : http://your.domain.tld/searx/

Restart service:

sudo -H service nginx restart
sudo -H service uwsgi restart

disable logs

For better privacy you can disable nginx logs about searx.

How to proceed: below uwsgi_pass in /etc/nginx/sites-available/default, add:

access_log /dev/null;
error_log /dev/null;

Restart service:

sudo -H service nginx restart

with apache

Add the uwsgi module:

sudo -H apt-get install libapache2-mod-uwsgi
sudo -H a2enmod uwsgi

Add this configuration in the file /etc/apache2/apache2.conf:

<Location />
    Options FollowSymLinks Indexes
    SetHandler uwsgi-handler
    uWSGISocket /run/uwsgi/app/searx/socket
</Location>

Note that if your instance of searx is not at the root, you should replace <Location /> with the location of your instance, like <Location /searx>.

Restart Apache:

sudo -H /etc/init.d/apache2 restart

disable logs

For better privacy you can disable Apache logs.

Warning

You can only disable logs for the whole (virtual) server, not for a specific path.

Go back to /etc/apache2/apache2.conf and above <Location /> add:

CustomLog /dev/null combined

Restart Apache:

sudo -H /etc/init.d/apache2 restart

How to update

cd /usr/local/searx
sudo -H -u searx -i
(searx)$ . ./searx-ve/bin/activate
(searx)$ git stash
(searx)$ git pull origin master
(searx)$ git stash apply
(searx)$ ./manage.sh update_packages
sudo -H service uwsgi restart

Docker

Make sure you have installed Docker. For instance, you can deploy searx like this:

docker pull wonderfall/searx
docker run -d --name searx -p $PORT:8888 wonderfall/searx

Go to http://localhost:$PORT.

See https://hub.docker.com/r/wonderfall/searx/ for more information. It's also possible to build searx from the embedded Dockerfile.

git clone https://github.com/asciimoo/searx.git
cd searx
docker build -t whatever/searx .
