searxng-docker
Traefik v2 instead of Caddy
Hello,
I'm running Traefik v2 on my server to serve a dozen containers without problems. But I'm facing a "Bad gateway" with the SearXNG container.
I have no errors in the Traefik logs, nor in the SearXNG logs. And the Traefik dashboard is happy too.
My docker-compose.yml:

```yaml
...
  searxng:
    container_name: searxng
    image: searxng/searxng:latest
    hostname: searxng
    restart: always
    ports:
      - "127.0.0.1:9999:8080"
    volumes:
      - /app/searxng:/etc/searxng:rw
    environment:
      - SEARXNG_BASE_URL=https://${SEARXNG_HOSTNAME:-localhost}/
    cap_drop:
      - ALL
    cap_add:
      - CHOWN
      - SETGID
      - SETUID
      - DAC_OVERRIDE
    networks:
      - traefik
...
```
And my searx.yml is similar to the others:

```yaml
http:
  services:
    searxng:
      loadBalancer:
        servers:
          - url: "http://searxng:9999"
  routers:
    searxng:
      rule: "Host(`domain.tld`)"
      entryPoints:
        - "web"
      middlewares:
        - "redirect-to-https@file"
      service: "noop@internal"
    searxng-secure:
      rule: "Host(`domain.tld`)"
      entryPoints:
        - "websecure"
      middlewares:
        - "hsts@file"
        - "security@file"
        - "compression@file"
      service: "searxng@file"
      tls:
        certResolver: letsencrypt-ecdsa
        options: mintls13
```
Has anyone managed to run SearXNG with Traefik v2?
for reference check out my traefik config file for my searxng fork: https://github.com/paulgoio/searxng/blob/main/docker-compose.yml
Thanks for your reply. Your docker-compose put me on the trail: I don't need to expose any ports.
Here is my final docker-compose.yml:
```yaml
  searxng:
    container_name: searxng
    image: searxng/searxng:latest
    hostname: searxng
    restart: always
    volumes:
      - /app/searxng:/etc/searxng:rw
    environment:
      - SEARXNG_BASE_URL=https://${SEARXNG_HOSTNAME:-localhost}/
      - TZ=Europe/Paris
    cap_drop:
      - ALL
    cap_add:
      - CHOWN
      - SETGID
      - SETUID
      - DAC_OVERRIDE
    networks:
      - traefik
```
And the searx.yml:

```yaml
http:
  services:
    searxng:
      loadBalancer:
        servers:
          - url: "http://searxng:8080"
  routers:
    searxng:
      rule: "Host(`domain.tld`)"
      entryPoints:
        - "web"
      middlewares:
        - "redirect-to-https@file"
      service: "noop@internal"
    searxng-secure:
      rule: "Host(`domain.tld`)"
      entryPoints:
        - "websecure"
      middlewares:
        - "hsts@file"
        - "security@file"
        - "compression@file"
      service: "searxng@file"
      tls:
        certResolver: letsencrypt-ecdsa
        options: mintls13
```
Thx again @mrpaulblack :+1:
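The Bad Gateway in the opening post comes down to the Traefik file-provider URL using the host-published port (9999) instead of the port the container listens on (8080). As an added check, not code from this thread, searxng-docker or Traefik, this Python snippet parses a compose `ports` entry and a Traefik `loadBalancer` URL and reports both that mismatch and any host-published ports that become unnecessary once Traefik reaches the container over the shared network; the sample values are constructed from the two configs posted above.

```python
from urllib.parse import urlsplit

# Constructed from this thread's configs (not code from searxng-docker or Traefik):
# the opening post's compose 'ports' entry and Traefik URL, and the fixed pair.
ORIGINAL = {"ports": ["127.0.0.1:9999:8080"], "url": "http://searxng:9999"}
FIXED = {"ports": [], "url": "http://searxng:8080"}

def parse_port_mapping(entry):
    """Parse compose short syntax 'CPORT', 'HPORT:CPORT' or 'HIP:HPORT:CPORT'
    (an optional '/tcp' suffix is dropped; bracketed IPv6 hosts are not handled).
    Returns (host_ip, host_port, container_port); host fields are None when unpublished."""
    parts = str(entry).split(":")
    cport = int(parts[-1].split("/")[0])
    if len(parts) == 1:
        return None, None, cport
    if len(parts) == 2:
        return None, int(parts[0]), cport
    if len(parts) == 3:
        return parts[0], int(parts[1]), cport
    raise ValueError(f"unsupported port mapping: {entry!r}")

def check_backend(service_name, ports, url, listen_port=8080):
    """Findings for a Traefik file-provider URL pointing at a compose service that
    Traefik reaches over a shared Docker network. listen_port is the port the app
    listens on inside the container (8080 for searxng/searxng)."""
    findings = []
    u = urlsplit(url)
    target_port = u.port or (443 if u.scheme == "https" else 80)
    if u.hostname != service_name:
        findings.append(f"host {u.hostname!r} is not the service name {service_name!r}; "
                        "on the shared network Traefik resolves the container by that name")
    mappings = [parse_port_mapping(p) for p in ports]
    host_ports = {h for _, h, _ in mappings if h is not None}
    if target_port in host_ports and target_port != listen_port:
        findings.append(f"URL port {target_port} is a host-published port, not the container port "
                        f"{listen_port}; Traefik talks to the container directly, hence 502 Bad Gateway")
    elif target_port != listen_port:
        findings.append(f"URL port {target_port} is not the container listen port {listen_port}")
    if host_ports:
        findings.append(f"ports {sorted(host_ports)} are published on the host but Traefik does not "
                        "use them; dropping 'ports' removes that exposure")
    return findings

if __name__ == "__main__":
    for name, cfg in ("original", ORIGINAL), ("fixed", FIXED):
        print(name, check_backend("searxng", cfg["ports"], cfg["url"]) or ["ok"])
```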
@mrwormo Please may I have the content of your middlewares.yml file. I am getting error regarding compression. I am using Traefik V2. Many thanks.
Here is my compression.yml:

```yaml
http:
  middlewares:
    compression:
      compress:
        excludedContentTypes:
          - "text/event-stream"
```
Have you tried commenting out compression@file?
@mrwormo Thank you. It's all running ok now. I use a middlewares-chain.yml file and created a middleware-chain for searx as below using your snippet code:
```yaml
chain-searx:
  chain:
    middlewares:
      - "middlewares-rate-limit"
      - "middlewares-secure-headers"
      - "middlewares-searx-compression"
```

This is then referenced in the compose file as:

```yaml
- "traefik.http.routers.searxng.middlewares=chain-searx@file"
```
I'm going to throw in my configuration. I had big troubles getting this configured right because I had just picked up Traefik, but I managed to get it working well, with an A+ grade.
I also added the label traefik.enable=true in searxng's docker-compose.yml.
I got it working with something like this:
searxng.yml:

```yaml
http:
  services:
    searxng:
      loadBalancer:
        servers:
          - url: "http://searxng:8080"
  routers:
    searxng:
      rule: "Host(`amongus.sus`) && Method(`GET`,`POST`,`HEAD`)"
      middlewares:
        - general_security
        - searxng_headers
      service: searxng
      entryPoints:
        - "websecure"
      tls:
        certResolver: production
  middlewares:
    general_security:
      headers:
        stsSeconds: 31536000
        stsIncludeSubdomains: true
        stsPreload: true
        browserXssFilter: true
        contentTypeNosniff: true
        referrerPolicy: "no-referrer"
    searxng_headers:
      headers:
        customResponseHeaders:
          X-Robots-Tag: "noindex, noarchive, nofollow"
          Content-Security-Policy: "upgrade-insecure-requests; default-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'; form-action 'self' https://github.com/searxng/searxng/issues/new; font-src 'self'; frame-ancestors 'self'; base-uri 'self'; connect-src 'self' https://overpass-api.de; img-src 'self' data: https://*.tile.openstreetmap.org; frame-src https://www.youtube-nocookie.com https://player.vimeo.com https://www.dailymotion.com https://www.deezer.com https://www.mixcloud.com https://w.soundcloud.com https://embed.spotify.com"
          Permissions-Policy: "accelerometer=(),ambient-light-sensor=(),autoplay=(),camera=(),encrypted-media=(),focus-without-user-activation=(),geolocation=(),gyroscope=(),magnetometer=(),microphone=(),midi=(),payment=(),picture-in-picture=(),speaker=(),sync-xhr=(),usb=(),vr=()"
```
where certResolver: production points to this in traefik.yml:

```yaml
certificatesResolvers:
  production:
    acme:
      email: [email protected]
      storage: /etc/traefik/certs/acme.json
      caServer: "https://acme-v02.api.letsencrypt.org/directory"
      httpChallenge:
        entryPoint: web
```
I also set a default option for the minimum TLS version in the same traefik.yml file, like this:

```yaml
tls:
  # ...
  options:
    default:
      minVersion: VersionTLS12
```
For HTTP -> HTTPS redirection I have this under entryPoints in traefik.yml:

```yaml
entryPoints:
  web:
    address: :80
    # (Optional) Redirect to HTTPS
    # ---
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https
  websecure:
    address: :443
```
Closing since the issue has been solved / answered.
Additional note from me: if you want the best TLS score, add this to your traefik.yml:

```yaml
tls:
  options:
    default:
      minVersion: VersionTLS12
      cipherSuites:
        - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
        - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
        - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
```
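As an added example, not code from this thread or from Traefik, this Python snippet classifies each suite in the list above by key exchange and by whether it is an AEAD mode, and flags the two CBC entries; the regex covers the TLS 1.2 suite names Go's crypto/tls uses, which is what Traefik accepts in `cipherSuites`.

```python
import re

# Constructed from the cipherSuites list in the note above (not Traefik's own code).
TRAEFIK_SUITES = [
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
    "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
]

# TLS 1.2 suite naming: TLS_<kx>[_<auth>]_WITH_<cipher>_<mac>
SUITE_RE = re.compile(
    r"^TLS_(?P<kx>ECDHE|DHE|RSA)(?:_(?P<auth>ECDSA|RSA))?_WITH_"
    r"(?P<cipher>.+)_(?P<mac>SHA384|SHA256|SHA)$"
)

def classify(suite):
    """Describe one TLS 1.2 suite name; raises on names the regex does not cover."""
    m = SUITE_RE.match(suite)
    if not m:
        raise ValueError(f"unrecognised suite name: {suite}")
    cipher = m["cipher"]
    return {
        "suite": suite,
        "forward_secrecy": m["kx"] in ("ECDHE", "DHE"),
        "auth": m["auth"] or "RSA",  # plain TLS_RSA_* suites use RSA key transport
        "aead": cipher.endswith("_GCM") or cipher == "CHACHA20_POLY1305",
    }

def audit_suites(suites):
    """One finding per suite that lacks forward secrecy or uses a non-AEAD (CBC) mode."""
    findings = []
    for s in suites:
        c = classify(s)
        if not c["forward_secrecy"]:
            findings.append(f"{s}: static key exchange, no forward secrecy")
        if not c["aead"]:
            findings.append(f"{s}: CBC mode with HMAC, not an AEAD; "
                            "prefer the GCM or CHACHA20_POLY1305 suites")
    return findings

if __name__ == "__main__":
    for finding in audit_suites(TRAEFIK_SUITES):
        print(finding)
```

Go's TLS 1.3 suites are fixed and ignore `cipherSuites`, so this list only governs TLS 1.2 connections.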
related issue (#391) on searxng/searx-instances