In this tutorial, we're going to setup a Searxng instance using docker-compose and nginx
Clone the repo and edit the docker-compose file:
[ nowhere.moe ] [ /dev/pts/10 ] [/srv]
→ git clone https://github.com/searxng/searxng-docker
Cloning into 'searxng-docker'...
remote: Enumerating objects: 308, done.
remote: Counting objects: 100% (44/44), done.
remote: Compressing objects: 100% (34/34), done.
remote: Total 308 (delta 20), reused 23 (delta 9), pack-reused 264
Receiving objects: 100% (308/308), 82.98 KiB | 5.53 MiB/s, done.
Resolving deltas: 100% (167/167), done.
[ nowhere.moe ] [ /dev/pts/10 ] [/srv]
→ cd searxng-docker
[ nowhere.moe ] [ /dev/pts/10 ] [/srv/searxng-docker]
→ vim docker-compose.yaml
[ nowhere.moe ] [ /dev/pts/10 ] [/srv/searxng-docker]
→ cat docker-compose.yaml
version: "3.7"
services:
#caddy:
# container_name: caddy
# image: caddy:2-alpine
# network_mode: host
# volumes:
# - ./Caddyfile:/etc/caddy/Caddyfile:ro
# - caddy-data:/data:rw
# - caddy-config:/config:rw
# environment:
# - SEARXNG_HOSTNAME=${SEARXNG_HOSTNAME:-http://localhost:80}
# - SEARXNG_TLS=${LETSENCRYPT_EMAIL:-internal}
# cap_drop:
# - ALL
# cap_add:
# - NET_BIND_SERVICE
redis:
container_name: redis
image: docker.io/library/redis:alpine
command: redis-server --save 30 1 --loglevel warning
networks:
- searxng
volumes:
- redis-data:/data
cap_drop:
- ALL
cap_add:
- SETGID
- SETUID
- DAC_OVERRIDE
searxng:
container_name: searxng
image: searxng/searxng:latest
networks:
- searxng
ports:
- "127.0.0.1:8877:8080"
volumes:
- ./searxng:/etc/searxng:rw
environment:
#- SEARXNG_BASE_URL=https://${SEARXNG_HOSTNAME}/
- SEARXNG_BASE_URL=https://search.nowhere.moe/
cap_drop:
- ALL
cap_add:
- CHOWN
- SETGID
- SETUID
logging:
driver: "json-file"
options:
max-size: "1m"
max-file: "1"
networks:
searxng:
ipam:
driver: default
volumes:
#caddy-data:
caddy-config:
redis-data:
[ nowhere.moe ] [ /dev/pts/10 ] [/srv/searxng-docker]
→ cat searxng/settings.yml
# see https://docs.searxng.org/admin/settings/settings.html#settings-use-default-settings
use_default_settings: true
server:
base_url: https://search.nowhere.moe/ #is defined in the SEARXNG_BASE_URL environment variable, see .env and docker-compose.yml
secret_key: "dwaawdwawadwer1312wdracvhbgdtfhre" # change this!
limiter: true # can be disabled for a private instance
image_proxy: true
public_instance: true
ui:
static_use_hash: true
redis:
url: redis://redis:6379/0
[ nowhere.moe ] [ /dev/pts/10 ] [/srv/searxng-docker]
→ docker-compose up -d
Starting redis ... done
Starting searxng ... done
Then have the following nginx config:
[ nowhere.moe ] [ /dev/pts/10 ] [/etc/nginx/sites-available]
→ vim search.nowhere.moe.conf
root@nowhere.moe /etc/nginx/sites-available # cat search.nowhere.moe.conf
server {
listen 80;
listen [::]:80;
server_name search.nowhere.moe;
return 301 https://$server_name$request_uri;
}
server {
listen 443 ssl;
server_name search.nowhere.moe;
ssl_certificate /etc/acme/certs/search.nowhere.moe/search.nowhere.moe.cer;
ssl_certificate_key /etc/acme/certs/search.nowhere.moe/search.nowhere.moe.key;
######## TOR CHANGES ########
listen 4443;
listen [::]:4443;
server_name search.daturab6drmkhyeia4ch5gvfc2f3wgo6bhjrv3pz6n7kxmvoznlkq4yd.onion;
add_header Onion-Location "http://search.daturab6drmkhyeia4ch5gvfc2f3wgo6bhjrv3pz6n7kxmvoznlkq4yd.onion$request_uri" always;
######## TOR CHANGES ########
ssl_protocols TLSv1.3 TLSv1.2;
ssl_ciphers 'TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
ssl_session_tickets off;
ssl_ecdh_curve auto;
add_header X-XSS-Protection "1; mode=block"; #Cross-site scripting
add_header X-Frame-Options "SAMEORIGIN" always; #clickjacking
add_header X-Content-Type-Options "nosniff";
add_header Content-Security-Policy "default-src 'self';";
location / {
proxy_pass http://localhost:8877;
}
}
[ nowhere.moe ] [ /dev/pts/10 ] [/etc/nginx/sites-available]
→ ln -s /etc/nginx/sites-available/search.nowhere.moe.conf
ln: failed to create symbolic link './search.nowhere.moe.conf': File exists
[ nowhere.moe ] [ /dev/pts/10 ] [/etc/nginx/sites-available]
→ ln -s /etc/nginx/sites-available/search.nowhere.moe.conf /etc/nginx/sites-enabled
[ nowhere.moe ] [ /dev/pts/10 ] [/etc/nginx/sites-available]
→ nginx -t
2024/02/16 21:07:54 [emerg] 409181#409181: cannot load certificate "/etc/acme/certs/search.nowhere.moe/search.nowhere.moe.cer": BIO_new_file() failed (SSL: error:80000002:system library::No such file or directory:calling fopen(/etc/acme/certs/search.nowhere.moe/search.nowhere.moe.cer, r) error:10000080:BIO routines::no such file)
nginx: configuration file /etc/nginx/nginx.conf test failed
[ nowhere.moe ] [ /dev/pts/10 ] [/etc/nginx/sites-available]
→ bash
root@nowhere.moe /etc/nginx/sites-available # systemctl stop nginx ; acme.sh --issue --standalone -d search.nowhere.moe -k 4096 ; systemctl start nginx
Then simply browse to your instance on the web:
You can also search for something, then right click the search bar to add it as a search engine in firefox. then you can make it your default search enging.
get your instance listed here among the other instances on https://searx.space
To get listed among the public instances, you need to make sure your TLS hardening top notch, as explained below:
#for the DNS change for the CAA record, do the following:
root@mail-gw:/var/cache/bind# cat db.nowhere.moe | grep search
search.nowhere.moe. IN A 37.27.32.233
search.nowhere.moe. IN CAA 0 issue "letsencrypt.org"
[ nowhere.moe ] [ /dev/pts/5 ] [~/.acme.sh]
→ cat /etc/nginx/sites-available/search.nowhere.moe.conf
server {
listen 80;
listen [::]:80;
server_name search.nowhere.moe;
return 301 https://$server_name$request_uri;
}
server {
listen 443 ssl;
server_name search.nowhere.moe;
ssl_certificate /root/.acme.sh/search.nowhere.moe/fullchain.cer;
ssl_certificate_key /root/.acme.sh/search.nowhere.moe/search.nowhere.moe.key;
ssl_dhparam /root/.acme.sh/dhparam.pem;
######## TOR CHANGES ########
listen 4443;
listen [::]:4443;
server_name search.daturab6drmkhyeia4ch5gvfc2f3wgo6bhjrv3pz6n7kxmvoznlkq4yd.onion;
add_header Onion-Location "http://search.daturab6drmkhyeia4ch5gvfc2f3wgo6bhjrv3pz6n7kxmvoznlkq4yd.onion$request_uri" always;
######## TOR CHANGES ########
# SSL Settings
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
ssl_session_tickets off;
ssl_ecdh_curve auto;
# OCSP stapling
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /root/.acme.sh/search.nowhere.moe/fullchain.cer;
resolver 1.1.1.1 208.67.222.222;
add_header Strict-Transport-Security "max-age=63072000" always;
add_header X-XSS-Protection "1; mode=block"; #Cross-site scripting
add_header X-Frame-Options "SAMEORIGIN" always; #clickjacking
add_header X-Content-Type-Options "nosniff";
add_header Content-Security-Policy "default-src 'self';";
location / {
proxy_pass http://localhost:8877;
}
}
To generate the dhparam.pem file you do the following:
[ nowhere.moe ] [ /dev/pts/5 ] [~/.acme.sh]
→ openssl dhparam -dsaparam -out dhparam.pem 4096
Generating DSA parameters, 4096 bit long prime
....+..+...+....+..+.....+..................+......+.....+............+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*
Then reload nginx and check the scores on mozilla's observatory and qualys' TLS checker
[ nowhere.moe ] [ /dev/pts/5 ] [~/.acme.sh]
→ nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
[ nowhere.moe ] [ /dev/pts/5 ] [~/.acme.sh]
→ nginx -s reload
2024/02/24 08:24:59 [notice] 3403413#3403413: signal process started
Donate XMR: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8