Searx » Historique » Version 15

habib.belaribi, 15/04/2021 17:00

# Searx
## Installation #1
https://github.com/asciimoo/searx  
https://asciimoo.github.io/searx/
Installation: https://asciimoo.github.io/searx/dev/install/installation.html
    a2enmod remoteip
/etc/apache2/conf-available/remoteip.conf
    RemoteIPHeader X-Forwarded-For
    RemoteIPTrustedProxy 127.0.0.1 ::1
    a2enconf remoteip
    service apache2 reload
/etc/apache2/sites-available/searx.aquilenet.fr
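    # Port 80 virtual host: redirects to HTTPS and exposes the ACME challenge directory.
    <VirtualHost *:80>
            ServerName searx.aquilenet.fr
            DocumentRoot /srv/www/aquilenet.fr/searx
            # Fixed: the opening tag was written "<Directory> /srv/...>", which is malformed.
            <Directory /srv/www/aquilenet.fr/searx>
    #       RewriteEngine On
    #       RewriteCond %{HTTPS} !=on
    #       RewriteRule ^/?(.*) https://pad.aquilenet.fr/$1 [R,L]
            # NOTE(review): the redirect sits inside <Directory>, presumably so that the
            # aliased ACME path below is not redirected as well - confirm before moving it.
            Redirect permanent / https://searx.aquilenet.fr/
            Require all granted
            </Directory>
            Alias /.well-known/acme-challenge /srv/letsencrypt/challenges/searx.aquilenet.fr
            <Directory /srv/letsencrypt/challenges/searx.aquilenet.fr>
                Require all granted
            </Directory>
    </VirtualHost>
    
    # Port 443 virtual host: TLS termination in front of the searx backend.
    <VirtualHost *:443>
            DocumentRoot /srv/www/aquilenet.fr/searx
            ServerName searx.aquilenet.fr
            AllowEncodedSlashes On
    
            SSLEngine on
            # TLS-level compression stays off (CRIME-style attacks).
            SSLCompression off
            SSLCipherSuite "HIGH:!aNULL:!MD5:!3DES:!CAMELLIA:!AES128"
            SSLHonorCipherOrder on
            # NOTE(review): this enables TLS 1.2 only, so TLS 1.3 is disabled too. Where the
            # installed Apache/OpenSSL support it, "SSLProtocol -all +TLSv1.2 +TLSv1.3"
            # keeps the same minimum version.
            SSLProtocol TLSv1.2
            #SSLCertificateFile /etc/letsencrypt/live/searx.aquilenet.fr/fullchain.pem
            #SSLCertificateKeyFile /etc/letsencrypt/live/searx.aquilenet.fr/privkey.pem
            SSLCertificateFile /srv/letsencrypt/pem/searx.aquilenet.fr.pem
            SSLCertificateKeyFile /srv/letsencrypt/private/searx.aquilenet.fr.key
    #       SSLOpenSSLConfCmd DHParameters "/etc/ssl/private/dhparams_4096.pem"
            # NOTE(review): no Strict-Transport-Security header is set in this virtual host;
            # it could be added here with mod_headers ("Header always set ...").
    
            ErrorLog /var/log/apache2/searx.aqln.error.log
            LogLevel warn
            # NOTE(review): the "combined" format records the client address, the request
            # line (query string included) and the User-Agent; check this against the
            # privacy goals of the instance.
            CustomLog /var/log/apache2/searx.aqln.access.log combined
    
            <FilesMatch \.xml$>
            SetEnv no-gzip 1
            </FilesMatch>
    
            <Proxy http://127.0.0.1:4004/*>
            # Was "Allow from all" (Apache 2.2 syntax, needs mod_access_compat); aligned
            # with the 2.4 "Require" syntax used everywhere else in this file.
            Require all granted
            </Proxy>
    
            # NOTE(review): this block configures two backends at once - a reverse proxy to
            # 127.0.0.1:4004 (filtron, per the anti-bot section of this page) and the uwsgi
            # handler on a Unix socket. Confirm which one actually serves requests: if the
            # uwsgi handler wins, traffic reaches searx without passing through the rate limiter.
            <Location />
            # NOTE(review): "Indexes" enables auto-generated directory listings, which a
            # proxied application does not need.
            Options FollowSymlinks Indexes
            ProxyPass http://127.0.0.1:4004/
            ProxyPassReverse http://127.0.0.1:4004/
            SetHandler uwsgi-handler
            uWSGISocket /run/uwsgi/app/searx/socket
    
            </Location>
            <Location /.well-known>
            SetHandler none
            </Location>
    
            # NOTE(review): this grants access to the whole filesystem root. The usual
            # pattern is "Require all denied" here plus explicit grants on the directories
            # that must be served; not changed in place because it is unclear from this
            # page whether the backend handler relies on the grant - test before tightening.
            <Directory />
            Options FollowSymLinks
            AllowOverride None
            Require all granted
            </Directory>
    
            Alias /.well-known/acme-challenge /srv/letsencrypt/challenges/searx.aquilenet.fr
            <Directory /srv/letsencrypt/challenges/searx.aquilenet.fr>
                Require all granted
            </Directory>
    
    </VirtualHost>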
/etc/uwsgi/apps-available/searx.ini
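    [uwsgi]
    # Account the application code runs as
    uid = searx
    gid = searx
    
    # No request logging, for privacy
    disable-logging = true
    
    # Number of workers (usually the number of CPUs on the machine)
    workers = 4
    
    # Permissions on the socket that gets created.
    # Was 666, which lets every local account talk to the application directly.
    # Restricted to owner and group, with the group set to the web server's account
    # (www-data on Debian-style systems - adjust if Apache runs under another group).
    chmod-socket = 660
    chown-socket = searx:www-data
    
    # Plugin to use and interpreter configuration
    single-interpreter = true
    master = true
    plugin = python
    
    # Module to import
    module = searx.webapp
    
    #base = /srv/www/aquilenet.fr/searx
    
    # Path of the virtualenv
    virtualenv = /srv/www/aquilenet.fr/searx/searx/searx-ve/
    pythonpath = /srv/www/aquilenet.fr/searx/searx/
    #chdir = /srv/www/aquilenet.fr/searx/searx/
    
    #callable = app
    
    # Socket
    #socket = /run/uwsgi/app/searx/socket
    
    # Security response headers, all currently disabled
    #add-header = Content-Security-Policy: default-src 'self'
    #add-header = X-Content-Security-Policy: default-src 'self'
    #add-header = X-WebKit-CSP: default-src 'self'
    #add-header = X-Content-Type-Options: nosniff
    #add-header = X-XSS-Protection: 1; mode=block
    #add-header = X-Frame-Options: DENY 
    #add-header = Strict-Transport-Security: max-age=631138519; includeSubDomains
    
    # HTTP listener for filtron, bound to loopback only
    http = 127.0.0.1:8888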
## Anti bot  
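Pour éviter de se faire pourrir par les bots : https://asciimoo.github.io/searx/admin/filtron.html
Attention : la règle « IP limit » ci-dessous agrège sur l'en-tête X-Forwarded-For ; elle n'est fiable que si le proxy frontal écrase la valeur envoyée par le client, sinon le compteur par IP peut être contourné en faisant varier cet en-tête.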
    cat /srv/www/aquilenet.fr/searx/gocode/filtron/rules.json 
    [
        {
            "name": "search request",
            "filters": ["Param:q", "Path=^(/|/search)$"],
            "interval": 60,
            "limit": 10,
            "actions": [{"name": "log"}],
            "subrules": [
                {
                    "name": "roboagent limit",
                    "interval": 60, 
                    "limit": 10,
                    "filters": ["Header:User-Agent=(curl|cURL|Wget|python-requests|Scrapy|FeedFetcher|Go-http-client)"],
                    "actions": [
                        {"name": "block",
                         "params": {"message": "Rate limit exceeded"}}
                    ]
                },
                {
                    "name": "botlimit",
                    "limit": 0,
                    "stop": true,
                    "filters": ["Header:User-Agent=(Googlebot|bingbot|Baiduspider|yacybot|YandexMobileBot|YandexBot|Yahoo! Slurp|MJ12bot|AhrefsBot|archive.org_bot|msnbot|MJ12bot|SeznamBot|linkdexbot|Netvibes|SMTBot|zgrab|James BOT)"],
                    "actions": [
                        {"name": "block",
                         "params": {"message": "Rate limit exceeded"}}
                    ]
                },
                {
                    "name": "IP limit",
                            "interval": 60,
                            "limit": 2,
                            "stop": true,
                            "aggregations": ["Header:X-Forwarded-For"],
                            "actions": [
                                {"name": "block",
                                 "params": {"message": "IP-Blocked"}}
                             ]
                },
                {
                    "name": "rss/json limit",
                    "interval": 60,
                    "limit": 2,
                    "stop": true,
                    "filters": ["Param:format=(csv|json|rss)"],
                    "actions": [
                        {"name": "block",
                         "params": {"message": "Rate limit exceeded"}}
                    ]
                },
                {
                    "name": "useragent limit",
                    "interval": 60,
                    "limit": 10,
                    "aggregations": ["Header:User-Agent"],
                    "actions": [
                        {"name": "block",
                         "params": {"message": "Rate limit exceeded"}}
                    ]
                }
            ]
        }
    ]
Création d'un service beuk-systemd pour filtron :
    /etc/systemd/system/filtron.service
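    [Unit]
    Description=Filtron anti flood for searx Daemon
    # After= only orders startup; Wants= is what actually pulls network-online.target in.
    Wants=network-online.target
    After=network-online.target
    
    [Service]
    Type=simple
    
    # Runs unprivileged.
    # NOTE(review): this is the same account as the searx application, and the rules file
    # lives under the application tree; if that account can write rules.json, a compromised
    # application could rewrite its own rate limits. Consider a dedicated account or a
    # read-only rules file - confirm the file ownership first.
    User=searx
    Group=searx
    UMask=007
    
    # No -listen/-target options are passed, so filtron's built-in defaults apply;
    # verify they match the Apache proxy target and the uWSGI HTTP listener.
    ExecStart=/srv/www/aquilenet.fr/searx/gocode/filtron/bin/filtron -rules /srv/www/aquilenet.fr/searx/gocode/filtron/rules.json
    
    Restart=on-failure
    
    # Basic sandboxing: the daemon only reads its rules file and handles loopback sockets.
    NoNewPrivileges=true
    PrivateTmp=true
    ProtectSystem=full
    
    # Configures the time to wait before service is stopped forcefully.
    TimeoutStopSec=300
    
    [Install]
    WantedBy=multi-user.target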
Un peu de cli systemd:
    systemctl daemon-reload
    systemctl enable filtron.service
    systemctl start filtron
    systemctl status filtron
## Mise à jour #1
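sudo -u searx -i  # login shell as searx; it starts in searx's home directory, so cd afterwards, not before
cd /srv/www/aquilenet.fr/searx/searx
. ./searx-ve/bin/activate
git stash  # set local modifications aside
git pull origin master  # takes the current tip of upstream master; review the incoming commits before restarting
git stash apply  # the stash entry stays on the stack; run "git stash drop" once the result is verified
./manage.sh update_packages
exit  # leave the searx shell; the restart is run from the administrator's account
sudo service uwsgi restart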
## Installation #2
* Instance disponible sur : https://searx-adsillh.melisse.org (nécessite une adresse ipv6 publique depuis son client).
* Contacts : cyril.millet@aquilenet.fr et habib.belaribi@aquilenet.fr
* **Rapport technique** (installation et contribution au projet Searx sur github.com/searx/searx) sous licence CC0 au format pdf, dans le menu "Fichiers" (auteurs : Cyril Millet, Guzel Katnik, Habib Belaribi, Marc Cenon, Pierre Chevalier).
* Prochaine étape visée : installation d'une nouvelle instance Searx sur Gaia.