The Nihilism Opsec Blog
Previous Page

root@Datura - 2024-02-16

searxng Setup

In this tutorial, we're going to setup a Searxng instance using docker-compose and nginx

Initial Setup

Clone the repo and edit the docker-compose file:


[ nowhere.moe ] [ /dev/pts/10 ] [/srv]
→ git clone https://github.com/searxng/searxng-docker
Cloning into 'searxng-docker'...
remote: Enumerating objects: 308, done.
remote: Counting objects: 100% (44/44), done.
remote: Compressing objects: 100% (34/34), done.
remote: Total 308 (delta 20), reused 23 (delta 9), pack-reused 264
Receiving objects: 100% (308/308), 82.98 KiB | 5.53 MiB/s, done.
Resolving deltas: 100% (167/167), done.

[ nowhere.moe ] [ /dev/pts/10 ] [/srv]
→ cd searxng-docker

[ nowhere.moe ] [ /dev/pts/10 ] [/srv/searxng-docker]
→ vim docker-compose.yaml

[ nowhere.moe ] [ /dev/pts/10 ] [/srv/searxng-docker]
→ cat docker-compose.yaml
version: "3.7"

services:
  #caddy:
  #  container_name: caddy
  #  image: caddy:2-alpine
  #  network_mode: host
  #  volumes:
  #    - ./Caddyfile:/etc/caddy/Caddyfile:ro
  #    - caddy-data:/data:rw
  #    - caddy-config:/config:rw
  #  environment:
  #    - SEARXNG_HOSTNAME=${SEARXNG_HOSTNAME:-http://localhost:80}
  #    - SEARXNG_TLS=${LETSENCRYPT_EMAIL:-internal}
  #  cap_drop:
  #    - ALL
  #  cap_add:
  #    - NET_BIND_SERVICE

  redis:
    container_name: redis
    image: docker.io/library/redis:alpine
    command: redis-server --save 30 1 --loglevel warning
    networks:
      - searxng
    volumes:
      - redis-data:/data
    cap_drop:
      - ALL
    cap_add:
      - SETGID
      - SETUID
      - DAC_OVERRIDE

  searxng:
    container_name: searxng
    image: searxng/searxng:latest
    networks:
      - searxng
    ports:
      - "127.0.0.1:8877:8080"
    volumes:
      - ./searxng:/etc/searxng:rw
    environment:
      #- SEARXNG_BASE_URL=https://${SEARXNG_HOSTNAME}/
      - SEARXNG_BASE_URL=https://search.nowhere.moe/
    cap_drop:
      - ALL
    cap_add:
      - CHOWN
      - SETGID
      - SETUID
    logging:
      driver: "json-file"
      options:
        max-size: "1m"
        max-file: "1"

networks:
  searxng:
    ipam:
      driver: default

volumes:
  #caddy-data:
  caddy-config:
  redis-data:

[ nowhere.moe ] [ /dev/pts/10 ] [/srv/searxng-docker]
→ cat searxng/settings.yml
# see https://docs.searxng.org/admin/settings/settings.html#settings-use-default-settings
use_default_settings: true
server:
  base_url: https://search.nowhere.moe/  #is defined in the SEARXNG_BASE_URL environment variable, see .env and docker-compose.yml
  secret_key: "dwaawdwawadwer1312wdracvhbgdtfhre"  # change this!
  limiter: true  # can be disabled for a private instance
  image_proxy: true
  public_instance: true
ui:
  static_use_hash: true
redis:
  url: redis://redis:6379/0

[ nowhere.moe ] [ /dev/pts/10 ] [/srv/searxng-docker]
→ docker-compose up -d
Starting redis   ... done
Starting searxng ... done

Then have the following nginx config:


[ nowhere.moe ] [ /dev/pts/10 ] [/etc/nginx/sites-available]
→ vim search.nowhere.moe.conf

root@nowhere.moe /etc/nginx/sites-available # cat search.nowhere.moe.conf
server {
        listen 80;
        listen [::]:80;
        server_name search.nowhere.moe;
        return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl;
    server_name search.nowhere.moe;

    ssl_certificate /etc/acme/certs/search.nowhere.moe/search.nowhere.moe.cer;
    ssl_certificate_key /etc/acme/certs/search.nowhere.moe/search.nowhere.moe.key;

    ######## TOR CHANGES ########
    listen 4443;
    listen [::]:4443;
    server_name search.daturab6drmkhyeia4ch5gvfc2f3wgo6bhjrv3pz6n7kxmvoznlkq4yd.onion;
    add_header Onion-Location "http://search.daturab6drmkhyeia4ch5gvfc2f3wgo6bhjrv3pz6n7kxmvoznlkq4yd.onion$request_uri" always;
    ######## TOR CHANGES ########

        ssl_protocols TLSv1.3 TLSv1.2;
        ssl_ciphers 'TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
        ssl_prefer_server_ciphers on;
        ssl_session_cache shared:SSL:10m;
        ssl_session_timeout 10m;
        ssl_session_tickets off;
        ssl_ecdh_curve auto;

        add_header X-XSS-Protection "1; mode=block"; #Cross-site scripting
        add_header X-Frame-Options "SAMEORIGIN" always; #clickjacking
        add_header X-Content-Type-Options "nosniff";
        add_header Content-Security-Policy "default-src 'self';";


    location / {
        proxy_pass http://localhost:8877;
    }
}



[ nowhere.moe ] [ /dev/pts/10 ] [/etc/nginx/sites-available]
→ ln -s /etc/nginx/sites-available/search.nowhere.moe.conf
ln: failed to create symbolic link './search.nowhere.moe.conf': File exists

[ nowhere.moe ] [ /dev/pts/10 ] [/etc/nginx/sites-available]
→ ln -s /etc/nginx/sites-available/search.nowhere.moe.conf /etc/nginx/sites-enabled

[ nowhere.moe ] [ /dev/pts/10 ] [/etc/nginx/sites-available]
→ nginx -t
2024/02/16 21:07:54 [emerg] 409181#409181: cannot load certificate "/etc/acme/certs/search.nowhere.moe/search.nowhere.moe.cer": BIO_new_file() failed (SSL: error:80000002:system library::No such file or directory:calling fopen(/etc/acme/certs/search.nowhere.moe/search.nowhere.moe.cer, r) error:10000080:BIO routines::no such file)
nginx: configuration file /etc/nginx/nginx.conf test failed

[ nowhere.moe ] [ /dev/pts/10 ] [/etc/nginx/sites-available]
→ bash
root@nowhere.moe /etc/nginx/sites-available # systemctl stop nginx ; acme.sh --issue --standalone -d search.nowhere.moe -k 4096 ;  systemctl start nginx

Then simply browse to your instance on the web:

You can also search for something, then right click the search bar to add it as a search engine in firefox. then you can make it your default search enging.

Host a public instance



get your instance listed here among the other instances on https://searx.space

Hardening Setup



To get listed among the public instances, you need to make sure your TLS hardening top notch, as explained below:


#for the DNS change for the CAA record, do the following:
root@mail-gw:/var/cache/bind# cat db.nowhere.moe | grep search
search.nowhere.moe.                  IN      A     37.27.32.233
search.nowhere.moe.                  IN      CAA     0 issue "letsencrypt.org"

[ nowhere.moe ] [ /dev/pts/5 ] [~/.acme.sh]
→ cat /etc/nginx/sites-available/search.nowhere.moe.conf
server {
        listen 80;
        listen [::]:80;
        server_name search.nowhere.moe;
        return 301 https://$server_name$request_uri;
}

server {
        listen 443 ssl;
        server_name search.nowhere.moe;

        ssl_certificate /root/.acme.sh/search.nowhere.moe/fullchain.cer;
                ssl_certificate_key /root/.acme.sh/search.nowhere.moe/search.nowhere.moe.key;
                ssl_dhparam     /root/.acme.sh/dhparam.pem;

                ######## TOR CHANGES ########
                listen 4443;
                listen [::]:4443;
                server_name search.daturab6drmkhyeia4ch5gvfc2f3wgo6bhjrv3pz6n7kxmvoznlkq4yd.onion;
                add_header Onion-Location "http://search.daturab6drmkhyeia4ch5gvfc2f3wgo6bhjrv3pz6n7kxmvoznlkq4yd.onion$request_uri" always;
                ######## TOR CHANGES ########

                # SSL Settings
                ssl_protocols TLSv1.2 TLSv1.3;
                ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
                ssl_prefer_server_ciphers on;


                ssl_session_cache shared:SSL:10m;
                ssl_session_timeout 10m;
                ssl_session_tickets off;
                ssl_ecdh_curve auto;

                # OCSP stapling
                ssl_stapling on;
                ssl_stapling_verify on;
                ssl_trusted_certificate /root/.acme.sh/search.nowhere.moe/fullchain.cer;
                resolver 1.1.1.1 208.67.222.222;

                add_header Strict-Transport-Security "max-age=63072000" always;


                add_header X-XSS-Protection "1; mode=block"; #Cross-site scripting
                add_header X-Frame-Options "SAMEORIGIN" always; #clickjacking
                add_header X-Content-Type-Options "nosniff";
                add_header Content-Security-Policy "default-src 'self';";


        location / {
                proxy_pass http://localhost:8877;
        }
}

To generate the dhparam.pem file you do the following:


[ nowhere.moe ] [ /dev/pts/5 ] [~/.acme.sh]
→ openssl dhparam -dsaparam -out  dhparam.pem 4096
Generating DSA parameters, 4096 bit long prime
....+..+...+....+..+.....+..................+......+.....+............+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*

Then reload nginx and check the scores on mozilla's observatory and qualys' TLS checker


[ nowhere.moe ] [ /dev/pts/5 ] [~/.acme.sh]
→ nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

[ nowhere.moe ] [ /dev/pts/5 ] [~/.acme.sh]
→ nginx -s reload
2024/02/24 08:24:59 [notice] 3403413#3403413: signal process started

Nihilism

Until there is Nothing left.



Creative Commons Zero: No Rights Reserved

My Links

RSS Feed
SimpleX Chat

About nihilist

Donate XMR: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8