Revision 10 (sacha, 10/03/2019 13:49) → Revision 11/15 (mathias.bert-barbedienne, 30/04/2019 17:47)
# Searx

## Installation

https://github.com/asciimoo/searx

https://asciimoo.github.io/searx/

Installation: https://asciimoo.github.io/searx/dev/install/installation.html

```
a2enmod remoteip
```

/etc/apache2/conf-available/remoteip.conf

```
RemoteIPHeader X-Forwarded-For
RemoteIPTrustedProxy 127.0.0.1 ::1
```

```
a2enconf remoteip
service apache2 reload
```

/etc/apache2/sites-available/searx.aquilenet.fr

```
<VirtualHost *:80>
    ServerName searx.aquilenet.fr
    DocumentRoot /srv/www/aquilenet.fr/searx

    <Directory /srv/www/aquilenet.fr/searx>
        # RewriteEngine On
        # RewriteCond %{HTTPS} !=on
        # RewriteRule ^/?(.*) https://pad.aquilenet.fr/$1 [R,L]
        Redirect permanent / https://searx.aquilenet.fr/
        Require all granted
    </Directory>

    Alias /.well-known/acme-challenge /srv/letsencrypt/challenges/searx.aquilenet.fr
    <Directory /srv/letsencrypt/challenges/searx.aquilenet.fr>
        Require all granted
    </Directory>
</VirtualHost>

<VirtualHost *:443>
    DocumentRoot /srv/www/aquilenet.fr/searx
    ServerName searx.aquilenet.fr
    AllowEncodedSlashes On

    SSLEngine on
    SSLCompression off
    SSLCipherSuite "HIGH:!aNULL:!MD5:!3DES:!CAMELLIA:!AES128"
    SSLHonorCipherOrder on
    SSLProtocol TLSv1.2
    #SSLCertificateFile /etc/letsencrypt/live/searx.aquilenet.fr/fullchain.pem
    #SSLCertificateKeyFile /etc/letsencrypt/live/searx.aquilenet.fr/privkey.pem
    SSLCertificateFile /srv/letsencrypt/pem/searx.aquilenet.fr.pem
    SSLCertificateKeyFile /srv/letsencrypt/private/searx.aquilenet.fr.key
    # SSLOpenSSLConfCmd DHParameters "/etc/ssl/private/dhparams_4096.pem"

    ErrorLog /var/log/apache2/searx.aqln.error.log
    LogLevel warn
    CustomLog /var/log/apache2/searx.aqln.access.log combined

    <FilesMatch \.xml$>
        SetEnv no-gzip 1
    </FilesMatch>

    <Proxy http://127.0.0.1:4004/*>
        Allow from all
    </Proxy>

    <Location />
        Options FollowSymlinks Indexes
        ProxyPass http://127.0.0.1:4004/
        ProxyPassReverse http://127.0.0.1:4004/
        SetHandler uwsgi-handler
        uWSGISocket /run/uwsgi/app/searx/socket
    </Location>

    <Location /.well-known>
        SetHandler none
    </Location>

    <Directory />
        Options FollowSymLinks
        AllowOverride None
        Require all granted
    </Directory>

    Alias /.well-known/acme-challenge /srv/letsencrypt/challenges/searx.aquilenet.fr
    <Directory /srv/letsencrypt/challenges/searx.aquilenet.fr>
        Require all granted
    </Directory>
</VirtualHost>
```

/etc/uwsgi/apps-available/searx.ini

```
[uwsgi]
# User that runs the code
uid = searx
gid = searx

# No logs + privacy = <3
disable-logging = true

# Number of workers (usually the number of processors on the machine)
workers = 4

# Permissions on the created socket
chmod-socket = 666

# Plugin to use and interpreter configuration
single-interpreter = true
master = true
plugin = python

# Module to import
module = searx.webapp
#base = /srv/www/aquilenet.fr/searx

# Path to the virtualenv
virtualenv = /srv/www/aquilenet.fr/searx/searx/searx-ve/
pythonpath = /srv/www/aquilenet.fr/searx/searx/
#chdir = /srv/www/aquilenet.fr/searx/searx/
#callable = app

# Socket
#socket = /run/uwsgi/app/searx/socket

#add-header = Content-Security-Policy: default-src 'self'
#add-header = X-Content-Security-Policy: default-src 'self'
#add-header = X-WebKit-CSP: default-src 'self'
#add-header = X-Content-Type-Options: nosniff
#add-header = X-XSS-Protection: 1; mode=block
#add-header = X-Frame-Options: DENY
#add-header = Strict-Transport-Security: max-age=631138519; includeSubDomains

#filtron
http = 127.0.0.1:8888
```

## Anti bot

To avoid getting hammered by bots: https://asciimoo.github.io/searx/admin/filtron.html

```
cat /srv/www/aquilenet.fr/searx/gocode/filtron/rules.json
[
  {
    "name": "search request",
    "filters": ["Param:q", "Path=^(/|/search)$"],
    "interval": 60,
    "limit": 10,
    "actions": [{"name": "log"}],
    "subrules": [
      {
        "name": "roboagent limit",
        "interval": 60,
        "limit": 10,
        "filters": ["Header:User-Agent=(curl|cURL|Wget|python-requests|Scrapy|FeedFetcher|Go-http-client)"],
        "actions": [
          {"name": "block", "params": {"message": "Rate limit exceeded"}}
        ]
      },
      {
        "name": "botlimit",
        "limit": 0,
        "stop": true,
        "filters": ["Header:User-Agent=(Googlebot|bingbot|Baiduspider|yacybot|YandexMobileBot|YandexBot|Yahoo! Slurp|MJ12bot|AhrefsBot|archive.org_bot|msnbot|MJ12bot|SeznamBot|linkdexbot|Netvibes|SMTBot|zgrab|James BOT)"],
        "actions": [
          {"name": "block", "params": {"message": "Rate limit exceeded"}}
        ]
      },
      {
        "name": "IP limit",
        "interval": 60,
        "limit": 2, 10,
        "stop": true,
        "aggregations": ["Header:X-Forwarded-For"],
        "actions": [
          {"name": "log", "params": {"destination": "stderr"}},
          {"name": "block", "params": {"message": "IP-Blocked"}} "Rate limit exceeded"}}
        ]
      },
      {
        "name": "rss/json limit",
        "interval": 60,
        "limit": 10,
        "stop": true,
        "filters": ["Param:format=(csv|json|rss)"],
        "actions": [
          {"name": "block", "params": {"message": "Rate limit exceeded"}}
        ]
      },
      {
        "name": "useragent limit",
        "interval": 60,
        "limit": 10,
        "aggregations": ["Header:User-Agent"],
        "actions": [
          {"name": "block", "params": {"message": "Rate limit exceeded"}}
        ]
      }
    ]
  }
]
```

Creating a systemd service for filtron:

/etc/systemd/system/filtron.service

```
[Unit]
Description=Filtron anti flood for searx Daemon
After=network-online.target

[Service]
Type=simple
User=searx
Group=searx
UMask=007
ExecStart=/srv/www/aquilenet.fr/searx/gocode/filtron/bin/filtron -rules /srv/www/aquilenet.fr/searx/gocode/filtron/rules.json
Restart=on-failure
# Configures the time to wait before service is stopped forcefully.
TimeoutStopSec=300

[Install]
WantedBy=multi-user.target
```

A bit of systemd CLI:

```
systemctl daemon-reload
systemctl enable filtron.service
systemctl start filtron
systemctl status filtron
```

## Update

```
cd /srv/www/aquilenet.fr/searx/searx
sudo -u searx -i
. ./searx-ve/bin/activate
git stash
git pull origin master
git stash apply
./manage.sh update_packages
sudo service uwsgi restart
```
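To dry-run the filtron rules from the Anti bot section before deploying them, the following added example (not part of the original wiki page or of filtron itself) reports which rule and subrules a request falls under. It assumes filtron's selector syntax `[!]Attribute[:SubAttribute][=Regex]`, that a rule applies when all of its filters match, and that aggregations count per selected value; the `select` and `matching_rules` helpers and the sample requests are constructed for illustration.

```python
import re

# Subset of the rules.json shown on this page (limits and actions left out).
RULES = [{
    "name": "search request",
    "filters": ["Param:q", "Path=^(/|/search)$"],
    "subrules": [
        {"name": "roboagent limit",
         "filters": ["Header:User-Agent=(curl|cURL|Wget|python-requests|Scrapy|FeedFetcher|Go-http-client)"]},
        {"name": "rss/json limit", "filters": ["Param:format=(csv|json|rss)"]},
        # No filters: applies to every search, counted per User-Agent value (assumption).
        {"name": "useragent limit", "aggregations": ["Header:User-Agent"]},
    ],
}]

SELECTOR = re.compile(r"^(!?)(\w+)(?::([^=]+))?(?:=(.*))?$")

def select(selector, req):
    """Return True when a [!]Attribute[:Sub][=Regex] selector is found in the request."""
    neg, attr, sub, rx = SELECTOR.match(selector).groups()
    if attr == "Path":
        value = req["path"]
    elif attr == "Param":
        value = req["params"].get(sub)
    elif attr == "Header":
        value = req["headers"].get(sub)
    else:
        raise ValueError("attribute not handled in this example: " + attr)
    found = value is not None and (rx is None or re.search(rx, value) is not None)
    return found != bool(neg)

def matching_rules(rules, req, prefix=""):
    """Names of the rules, then their subrules, whose filters all match."""
    hits = []
    for rule in rules:
        if all(select(f, req) for f in rule.get("filters", [])):
            hits.append(prefix + rule["name"])
            hits += matching_rules(rule.get("subrules", []), req, prefix + rule["name"] + " > ")
    return hits

# Constructed sample requests.
CURL = {"path": "/search", "params": {"q": "test"}, "headers": {"User-Agent": "curl/7.64.0"}}
FEED = {"path": "/", "params": {"q": "test", "format": "rss"}, "headers": {"User-Agent": "Mozilla/5.0"}}
ABOUT = {"path": "/about", "params": {}, "headers": {"User-Agent": "curl/7.64.0"}}

if __name__ == "__main__":
    for name, req in (("curl", CURL), ("feed", FEED), ("about", ABOUT)):
        print(name, matching_rules(RULES, req))
```

A subrule without filters, such as "useragent limit", is listed for every request that reaches the parent rule, which makes it easy to see which counters a legitimate browser search would also increment.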