Searx » Historique » Version 15
habib.belaribi, 15/04/2021 17:00
| 1 | 9 | sacha | # Searx |
|---|---|---|---|
| 2 | 8 | ||
| 3 | 15 | habib.belaribi | ## Installation #1 |
| 4 | 9 | sacha | |
| 5 | https://github.com/asciimoo/searx |
||
| 6 | 8 | https://asciimoo.github.io/searx/ |
|
| 7 | |||
| 8 | Installation: https://asciimoo.github.io/searx/dev/install/installation.html |
||
| 9 | |||
| 10 | 9 | sacha | a2enmod remoteip |
| 11 | 8 | ||
| 12 | /etc/apache2/conf-available/remoteip.conf |
||
| 13 | |||
| 14 | 9 | sacha | RemoteIPHeader X-Forwarded-For |
| 15 | RemoteIPTrustedProxy 127.0.0.1 ::1 |
||
| 16 | 8 | ||
| 17 | 9 | sacha | a2enconf remoteip |
| 18 | service apache2 reload |
||
| 19 | |||
| 20 | 8 | /etc/apache2/sites-available/searx.aquilenet.fr |
|
| 21 | |||
| 22 | 9 | sacha | <VirtualHost *:80> |
| 23 | ServerName searx.aquilenet.fr |
||
| 24 | DocumentRoot /srv/www/aquilenet.fr/searx |
||
| 25 | <Directory> /srv/www/aquilenet.fr/searx> |
||
| 26 | # RewriteEngine On |
||
| 27 | # RewriteCond %{HTTPS} !=on |
||
| 28 | # RewriteRule ^/?(.*) https://pad.aquilenet.fr/$1 [R,L] |
||
| 29 | Redirect permanent / https://searx.aquilenet.fr/ |
||
| 30 | 8 | Require all granted |
|
| 31 | 9 | sacha | </Directory> |
| 32 | Alias /.well-known/acme-challenge /srv/letsencrypt/challenges/searx.aquilenet.fr |
||
| 33 | <Directory /srv/letsencrypt/challenges/searx.aquilenet.fr> |
||
| 34 | Require all granted |
||
| 35 | </Directory> |
||
| 36 | </VirtualHost> |
||
| 37 | |||
| 38 | <VirtualHost *:443> |
||
| 39 | DocumentRoot /srv/www/aquilenet.fr/searx |
||
| 40 | ServerName searx.aquilenet.fr |
||
| 41 | AllowEncodedSlashes On |
||
| 42 | |||
| 43 | SSLEngine on |
||
| 44 | SSLCompression off |
||
| 45 | SSLCipherSuite "HIGH:!aNULL:!MD5:!3DES:!CAMELLIA:!AES128" |
||
| 46 | SSLHonorCipherOrder on |
||
| 47 | SSLProtocol TLSv1.2 |
||
| 48 | #SSLCertificateFile /etc/letsencrypt/live/searx.aquilenet.fr/fullchain.pem |
||
| 49 | #SSLCertificateKeyFile /etc/letsencrypt/live/searx.aquilenet.fr/privkey.pem |
||
| 50 | SSLCertificateFile /srv/letsencrypt/pem/searx.aquilenet.fr.pem |
||
| 51 | SSLCertificateKeyFile /srv/letsencrypt/private/searx.aquilenet.fr.key |
||
| 52 | # SSLOpenSSLConfCmd DHParameters "/etc/ssl/private/dhparams_4096.pem" |
||
| 53 | |||
| 54 | ErrorLog /var/log/apache2/searx.aqln.error.log |
||
| 55 | LogLevel warn |
||
| 56 | CustomLog /var/log/apache2/searx.aqln.access.log combined |
||
| 57 | |||
| 58 | <FilesMatch \.xml$> |
||
| 59 | SetEnv no-gzip 1 |
||
| 60 | </FilesMatch> |
||
| 61 | |||
| 62 | <Proxy http://127.0.0.1:4004/*> |
||
| 63 | Allow from all |
||
| 64 | </Proxy> |
||
| 65 | |||
| 66 | <Location /> |
||
| 67 | Options FollowSymlinks Indexes |
||
| 68 | ProxyPass http://127.0.0.1:4004/ |
||
| 69 | ProxyPassReverse http://127.0.0.1:4004/ |
||
| 70 | SetHandler uwsgi-handler |
||
| 71 | uWSGISocket /run/uwsgi/app/searx/socket |
||
| 72 | |||
| 73 | </location> |
||
| 74 | <Location /.well-known> |
||
| 75 | SetHandler none |
||
| 76 | </location> |
||
| 77 | |||
| 78 | <Directory /> |
||
| 79 | Options FollowSymLinks |
||
| 80 | AllowOverride None |
||
| 81 | 8 | Require all granted |
|
| 82 | 9 | sacha | </Directory> |
| 83 | |||
| 84 | Alias /.well-known/acme-challenge /srv/letsencrypt/challenges/searx.aquilenet.fr |
||
| 85 | <Directory /srv/letsencrypt/challenges/searx.aquilenet.fr> |
||
| 86 | Require all granted |
||
| 87 | </Directory> |
||
| 88 | |||
| 89 | </VirtualHost> |
||
| 90 | 8 | ||
| 91 | /etc/uwsgi/apps-available/searx.ini |
||
| 92 | |||
| 93 | 9 | sacha | [uwsgi] |
| 94 | # Quel est l'utilisateur qui fera tourner le code |
||
| 95 | uid = searx |
||
| 96 | gid = searx |
||
| 97 | |||
| 98 | # No log + la vie privée = <3 |
||
| 99 | disable-logging = true |
||
| 100 | |||
| 101 | # Nombre de workers (habituellement, on met le nombre de processeurs de la machine) |
||
| 102 | workers = 4 |
||
| 103 | |||
| 104 | # Quels sont les droits sur le socket créé |
||
| 105 | chmod-socket = 666 |
||
| 106 | |||
| 107 | # Plugin à utiliser et configuration de l'interpréteur |
||
| 108 | single-interpreter = true |
||
| 109 | master = true |
||
| 110 | plugin = python |
||
| 111 | |||
| 112 | # Module à importer |
||
| 113 | module = searx.webapp |
||
| 114 | |||
| 115 | #base = /srv/www/aquilenet.fr/searx |
||
| 116 | |||
| 117 | # Chemin du virtualenv |
||
| 118 | 10 | sacha | virtualenv = /srv/www/aquilenet.fr/searx/searx/searx-ve/ |
| 119 | 9 | sacha | pythonpath = /srv/www/aquilenet.fr/searx/searx/ |
| 120 | #chdir = /srv/www/aquilenet.fr/searx/searx/ |
||
| 121 | |||
| 122 | #callable = app |
||
| 123 | |||
| 124 | # Socket |
||
| 125 | #socket = /run/uwsgi/app/searx/socket |
||
| 126 | |||
| 127 | #add-header = Content-Security-Policy: default-src 'self' |
||
| 128 | #add-header = X-Content-Security-Policy: default-src 'self' |
||
| 129 | #add-header = X-WebKit-CSP: default-src 'self' |
||
| 130 | #add-header = X-Content-Type-Options: nosniff |
||
| 131 | #add-header = X-XSS-Protection: 1; mode=block |
||
| 132 | #add-header = X-Frame-Options: DENY |
||
| 133 | #add-header = Strict-Transport-Security: max-age=631138519; includeSubDomains |
||
| 134 | |||
| 135 | #filtron |
||
| 136 | http = 127.0.0.1:8888 |
||
| 137 | 8 | ||
| 138 | 9 | sacha | ## Anti bot |
| 139 | Pour éviter de se faire pourrir par les bots: https://asciimoo.github.io/searx/admin/filtron.html |
||
| 140 | 8 | ||
| 141 | 9 | sacha | cat /srv/www/aquilenet.fr/searx/gocode/filtron/rules.json |
| 142 | [ |
||
| 143 | { |
||
| 144 | "name": "search request", |
||
| 145 | "filters": ["Param:q", "Path=^(/|/search)$"], |
||
| 146 | "interval": 60, |
||
| 147 | "limit": 10, |
||
| 148 | "actions": [{"name": "log"}], |
||
| 149 | "subrules": [ |
||
| 150 | { |
||
| 151 | "name": "roboagent limit", |
||
| 152 | "interval": 60, |
||
| 153 | "limit": 10, |
||
| 154 | "filters": ["Header:User-Agent=(curl|cURL|Wget|python-requests|Scrapy|FeedFetcher|Go-http-client)"], |
||
| 155 | "actions": [ |
||
| 156 | {"name": "block", |
||
| 157 | "params": {"message": "Rate limit exceeded"}} |
||
| 158 | ] |
||
| 159 | }, |
||
| 160 | { |
||
| 161 | "name": "botlimit", |
||
| 162 | "limit": 0, |
||
| 163 | "stop": true, |
||
| 164 | "filters": ["Header:User-Agent=(Googlebot|bingbot|Baiduspider|yacybot|YandexMobileBot|YandexBot|Yahoo! Slurp|MJ12bot|AhrefsBot|archive.org_bot|msnbot|MJ12bot|SeznamBot|linkdexbot|Netvibes|SMTBot|zgrab|James BOT)"], |
||
| 165 | "actions": [ |
||
| 166 | {"name": "block", |
||
| 167 | "params": {"message": "Rate limit exceeded"}} |
||
| 168 | ] |
||
| 169 | }, |
||
| 170 | { |
||
| 171 | "name": "IP limit", |
||
| 172 | 11 | mathias.bert-barbedienne | "interval": 60, |
| 173 | 13 | mathias.bert-barbedienne | "limit": 2, |
| 174 | 11 | mathias.bert-barbedienne | "stop": true, |
| 175 | "aggregations": ["Header:X-Forwarded-For"], |
||
| 176 | "actions": [ |
||
| 177 | {"name": "block", |
||
| 178 | "params": {"message": "IP-Blocked"}} |
||
| 179 | ] |
||
| 180 | 9 | sacha | }, |
| 181 | 8 | { |
|
| 182 | 9 | sacha | "name": "rss/json limit", |
| 183 | "interval": 60, |
||
| 184 | 13 | mathias.bert-barbedienne | "limit": 2, |
| 185 | 9 | sacha | "stop": true, |
| 186 | "filters": ["Param:format=(csv|json|rss)"], |
||
| 187 | "actions": [ |
||
| 188 | {"name": "block", |
||
| 189 | "params": {"message": "Rate limit exceeded"}} |
||
| 190 | ] |
||
| 191 | }, |
||
| 192 | { |
||
| 193 | "name": "useragent limit", |
||
| 194 | "interval": 60, |
||
| 195 | "limit": 10, |
||
| 196 | "aggregations": ["Header:User-Agent"], |
||
| 197 | "actions": [ |
||
| 198 | {"name": "block", |
||
| 199 | "params": {"message": "Rate limit exceeded"}} |
||
| 200 | ] |
||
| 201 | } |
||
| 202 | ] |
||
| 203 | } |
||
| 204 | ] |
||
| 205 | 8 | ||
| 206 | 9 | sacha | creation d'un beuk-systemd service filtron |
| 207 | 8 | ||
| 208 | 9 | sacha | /etc/systemd/system/filtron.service |
| 209 | [Unit] |
||
| 210 | Description=Filtron anti flood for searx Daemon |
||
| 211 | After=network-online.target |
||
| 212 | |||
| 213 | [Service] |
||
| 214 | Type=simple |
||
| 215 | |||
| 216 | User=searx |
||
| 217 | Group=searx |
||
| 218 | UMask=007 |
||
| 219 | |||
| 220 | ExecStart=/srv/www/aquilenet.fr/searx/gocode/filtron/bin/filtron -rules /srv/www/aquilenet.fr/searx/gocode/filtron/rules.json |
||
| 221 | |||
| 222 | Restart=on-failure |
||
| 223 | |||
| 224 | # Configures the time to wait before service is stopped forcefully. |
||
| 225 | TimeoutStopSec=300 |
||
| 226 | |||
| 227 | [Install] |
||
| 228 | 8 | WantedBy=multi-user.target |
|
| 229 | 9 | sacha | |
| 230 | 8 | Un peu de cli systemd: |
|
| 231 | 9 | sacha | |
| 232 | systemctl daemon-reload |
||
| 233 | systemctl enable filtron.service |
||
| 234 | systemctl start filtron |
||
| 235 | 8 | systemctl status filtron |
|
| 236 | |||
| 237 | 15 | habib.belaribi | ## Mise à jour #1 |
| 238 | 8 | ||
| 239 | 9 | sacha | cd /srv/www/aquilenet.fr/searx/searx |
| 240 | sudo -u searx -i |
||
| 241 | . ./searx-ve/bin/activate |
||
| 242 | git stash |
||
| 243 | git pull origin master |
||
| 244 | git stash apply |
||
| 245 | 8 | ./manage.sh update_packages |
|
| 246 | sudo service uwsgi restart |
||
| 247 | |||
| 248 | 15 | habib.belaribi | ## Installation #2 |
| 249 | 8 | ||
| 250 | 15 | habib.belaribi | * Instance disponible sur : https://searx-adsillh.melisse.org (nécessite une adresse ipv6 publique depuis son client). |
| 251 | 14 | habib.belaribi | |
| 252 | 15 | habib.belaribi | * Contacts : cyril.millet@aquilenet.fr et habib.belaribi@aquilenet.fr |
| 253 | |||
| 254 | * **Rapport technique** (installation et contribution au projet Searx sur github.com/searx/searx ) sous licence CCO au format pdf, dans le menu "Fichiers" (auteurs : Cyril Millet, Guzel Katnik, Habib Belaribi, Marc Cenon, Pierre Chevalier). |
||
| 255 | |||
| 256 | * Prochaine étape visée : installation d'une nouvelle instance Searx sur Gaia. |