
make repo compatible with http-only upstream TLS

Open spwoodcock opened this issue 3 years ago • 2 comments

There is a lack of documentation around making this compatible with reverse proxies; an HTTP server, with TLS termination provided upstream (see #63).

This PR adds some additional configuration to make the repo compatible with both full HTTPS and HTTP-only versions of Searx, plus some minor edits in other places:

  • No need for network: host in Caddy container.
    • Port mapping can be used instead for 80 and 443. This also allows users to map to any arbitrary port.
  • As this is a compose stack, services can be referenced by their name. Edited reverse_proxy directives in Caddyfile to reflect this.
    • Consequently, ports do not need to be mapped for filtron or morty (4041 was kept for the rules API).
  • Added searx-checker service.
  • Permissions-Policy in the Caddyfile has a structured syntax that needed updating (tested with MS Edge):


spwoodcock avatar Jul 20 '21 22:07 spwoodcock

We won't accept this PR because the network host is necessary for listening on IPv6 for Caddy because Docker doesn't provide IPv6 connectivity out of the box. Unless you can come up with a fix for listening on IPv6 and IPv4 at the same time for Caddy we won't merge this PR.

unixfox avatar Jul 21 '21 07:07 unixfox

Docker recently added support for forwarding IPv6 traffic to containers & it seems to be stable now, albeit under experimental features (moby/moby#41622).

It requires Docker 20.10.2 or later & modifying /etc/docker/daemon.json file with:

{
	"ipv6": true,
	"fixed-cidr-v6": "fd00:ffff::/80",
	"ip6tables": true,
	"experimental": true
}

$ sudo service docker restart

As of now, docker swarm does not support IPv6 and hence the enable_ipv6 directive is only available for docker-compose file format versions below 3, e.g. 2.4.

So we would need a separate docker-compose.yaml file, with networks defined as:

version: '2.4'

networks:
  searx:
    enable_ipv6: true
    ipam:
      driver: default
      config:
        - subnet: fd00:6f74:69d7::/80
          gateway: fd00:6f74:69d7::1

The ULA was generated for the project with: echo searx | shasum | cut -c1-8. This must be defined.

I'm more than happy to add a separate docker-compose.yaml and documentation to the README, or merge into the main docker-compose.yaml (with a requirement for edits to daemon.json specified), depending on the preferred approach.

Or I can modify this PR to revert to the network_mode: "host" directive for Caddy & only keep the changes for HTTPS-->HTTP.

spwoodcock avatar Jul 21 '21 10:07 spwoodcock
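A small sanity check for the daemon.json plus compose-network setup described in the comment above, added here as an example and not code from the PR or the searx-docker project. It assumes the "echo searx | shasum | cut -c1-8" recipe means SHA-1 over the name followed by a newline, with the 8 hex digits placed after fd00:, and it constructs its own copy of the daemon.json fragment rather than reading the real file.

```python
import hashlib
import ipaddress
import json

# Constructed input mirroring the daemon.json fragment from the comment above.
DAEMON_JSON = '''{
  "ipv6": true,
  "fixed-cidr-v6": "fd00:ffff::/80",
  "ip6tables": true,
  "experimental": true
}'''

# Compose network values from the comment above.
COMPOSE_SUBNET = "fd00:6f74:69d7::/80"
COMPOSE_GATEWAY = "fd00:6f74:69d7::1"


def project_ula(name: str, prefixlen: int = 80) -> ipaddress.IPv6Network:
    """Derive a ULA subnet from a project name as the comment describes:
    `echo <name> | shasum | cut -c1-8` (echo appends a newline, shasum is
    SHA-1). Assumption: the 8 hex digits go after fd00:, as in the thread."""
    digest = hashlib.sha1((name + "\n").encode()).hexdigest()[:8]
    return ipaddress.IPv6Network(f"fd00:{digest[:4]}:{digest[4:]}::/{prefixlen}")


def check_ipv6_layout(daemon_json: str, subnet: str, gateway: str) -> dict:
    """Validate the daemon settings against the compose network: IPv6 and
    ip6tables enabled, the subnet is a locally assigned ULA (fd00::/8), the
    gateway sits inside the subnet, and the compose subnet does not overlap the
    daemon's default bridge range (an overlap gives ambiguous routes)."""
    cfg = json.loads(daemon_json)
    bridge = ipaddress.IPv6Network(cfg["fixed-cidr-v6"])
    net = ipaddress.IPv6Network(subnet)
    gw = ipaddress.IPv6Address(gateway)
    return {
        "ipv6_enabled": cfg.get("ipv6") is True and cfg.get("ip6tables") is True,
        "ula": net.subnet_of(ipaddress.IPv6Network("fd00::/8")),
        "gateway_in_subnet": gw in net,
        "overlaps_bridge": net.overlaps(bridge),
    }


if __name__ == "__main__":
    print("derived ULA for 'searx':", project_ula("searx"))
    print(check_ipv6_layout(DAEMON_JSON, COMPOSE_SUBNET, COMPOSE_GATEWAY))
```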