
Searx » Historique » Version 8

sacha, 17/05/2018 12:27

h1. Searx
https://github.com/asciimoo/searx
https://asciimoo.github.io/searx/
Installation: https://asciimoo.github.io/searx/dev/install/installation.html
<pre>
a2enmod remoteip
</pre>
/etc/apache2/conf-available/remoteip.conf
<pre>
# Take the client address from X-Forwarded-For, but only when the connection
# itself arrives from one of the loopback addresses listed below.
# NOTE(review): the page does not show which local proxy sits in front of
# Apache; confirm one exists, since only a trusted proxy should be able to
# set the address that ends up in logs and access rules.
RemoteIPHeader X-Forwarded-For
RemoteIPTrustedProxy 127.0.0.1
RemoteIPTrustedProxy ::1
</pre> 
<pre>
a2enconf remoteip
service apache2 reload
</pre>
/etc/apache2/sites-available/searx.aquilenet.fr
<pre>
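<VirtualHost *:80>
        ServerName searx.aquilenet.fr
        DocumentRoot /srv/www/aquilenet.fr/searx
        # Plain HTTP serves nothing itself: every request under the document
        # root is answered with a permanent redirect to the HTTPS site.
        <Directory /srv/www/aquilenet.fr/searx>
        # NOTE(review): the disabled rewrite below targets pad.aquilenet.fr,
        # not this host; correct the hostname before ever re-enabling it.
#       RewriteEngine On
#       RewriteCond %{HTTPS} !=on
#       RewriteRule ^/?(.*) https://pad.aquilenet.fr/$1 [R,L]
        Redirect permanent / https://searx.aquilenet.fr/
        Require all granted
        </Directory>
        # ACME HTTP-01 challenge files are served over plain HTTP from their
        # own directory, outside the document root.
        Alias /.well-known/acme-challenge /srv/letsencrypt/challenges/searx.aquilenet.fr
        <Directory /srv/letsencrypt/challenges/searx.aquilenet.fr>
            Require all granted
        </Directory>
</VirtualHost>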
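<VirtualHost *:443>
        # NOTE(review): the document root is the application tree itself (the
        # virtualenv and the filtron rules live under it on this page). Nothing
        # in it needs to be served as a static file; confirm that no request
        # path can fall through to the filesystem.
        DocumentRoot /srv/www/aquilenet.fr/searx
        ServerName searx.aquilenet.fr
        AllowEncodedSlashes On

        # TLS 1.2 only, compression off, server-side preference applied to
        # the cipher list.
        SSLEngine on
        SSLCompression off
        SSLCipherSuite "HIGH:!aNULL:!MD5:!3DES:!CAMELLIA:!AES128"
        SSLHonorCipherOrder on
        SSLProtocol TLSv1.2
        #SSLCertificateFile /etc/letsencrypt/live/searx.aquilenet.fr/fullchain.pem
        #SSLCertificateKeyFile /etc/letsencrypt/live/searx.aquilenet.fr/privkey.pem
        SSLCertificateFile /srv/letsencrypt/pem/searx.aquilenet.fr.pem
        SSLCertificateKeyFile /srv/letsencrypt/private/searx.aquilenet.fr.key
#       SSLOpenSSLConfCmd DHParameters "/etc/ssl/private/dhparams_4096.pem"

        # NOTE(review): the "combined" format records the client address and
        # the request line of every hit, while the uwsgi side of this setup
        # disables request logging for privacy. Confirm this access log is
        # intended and how long it is kept.
        ErrorLog /var/log/apache2/searx.aqln.error.log
        LogLevel warn
        CustomLog /var/log/apache2/searx.aqln.access.log combined

        <FilesMatch \.xml$>
        SetEnv no-gzip 1
        </FilesMatch>

        # Access rule for the loopback backend, written with the Apache 2.4
        # "Require" syntax used by the rest of this file (the legacy
        # "Allow from all" form depends on mod_access_compat).
        <Proxy http://127.0.0.1:4004/*>
        Require all granted
        </Proxy>

        # NOTE(review): this Location configures two backends at once:
        # mod_proxy towards 127.0.0.1:4004 and the uwsgi handler on a unix
        # socket. Only the proxied path can pass through filtron (assuming
        # filtron is what listens on 4004). Confirm which one Apache actually
        # uses and remove the other, otherwise the rate limits may not apply.
        # "Indexes" is dropped: a proxied application has no use for
        # auto-generated directory listings.
        <Location />
        Options FollowSymLinks
        ProxyPass http://127.0.0.1:4004/
        ProxyPassReverse http://127.0.0.1:4004/
        SetHandler uwsgi-handler
        uWSGISocket /run/uwsgi/app/searx/socket

        </Location>
        <Location /.well-known>
        SetHandler none
        </Location>

        # Grant access to the document root only. The previous section was
        # "<Directory />", which granted access to the whole filesystem for
        # anything this virtual host manages to map to a file.
        <Directory /srv/www/aquilenet.fr/searx>
        Options FollowSymLinks
        AllowOverride None
        Require all granted
        </Directory>

        # ACME challenge files, served from their own directory.
        Alias /.well-known/acme-challenge /srv/letsencrypt/challenges/searx.aquilenet.fr
        <Directory /srv/letsencrypt/challenges/searx.aquilenet.fr>
            Require all granted
        </Directory>

</VirtualHost>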
</pre>
/etc/uwsgi/apps-available/searx.ini
<pre>
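[uwsgi]
# Account the application code runs as
uid = searx
gid = searx

# Request logging is switched off for the sake of user privacy
disable-logging = true

# Number of workers (usually the number of processors of the machine)
workers = 4

# Permissions on the socket that gets created.
# 660 instead of 666: a world-writable socket lets any local account send
# requests straight to the application, without going through the front-end
# web server or filtron. If the web server has to connect over this socket,
# add its user to the searx group rather than opening the socket to everyone.
chmod-socket = 660

# Plugin to use and interpreter configuration
single-interpreter = true
master = true
plugin = python

# Module to import
module = searx.webapp

#base = /srv/www/aquilenet.fr/searx

# Path of the virtualenv
virtualenv = /srv/www/aquilenet.fr/searx/searx-ve/
pythonpath = /srv/www/aquilenet.fr/searx/searx/
#chdir = /srv/www/aquilenet.fr/searx/searx/

#callable = app

# Socket
#socket = /run/uwsgi/app/searx/socket

# NOTE(review): the security response headers below are all disabled, and the
# page does not show them being set anywhere else (for instance in the Apache
# virtual host). Confirm they are sent by some layer.
#add-header = Content-Security-Policy: default-src 'self'
#add-header = X-Content-Security-Policy: default-src 'self'
#add-header = X-WebKit-CSP: default-src 'self'
#add-header = X-Content-Type-Options: nosniff
#add-header = X-XSS-Protection: 1; mode=block
#add-header = X-Frame-Options: DENY
#add-header = Strict-Transport-Security: max-age=631138519; includeSubDomains

#filtron
# HTTP listener bound to loopback only; presumably the address filtron
# forwards accepted requests to (verify against the filtron settings).
http = 127.0.0.1:8888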
</pre>
h2. Anti bot
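Pour éviter de se faire pourrir par les bots : https://asciimoo.github.io/searx/admin/filtron.html
Attention : la règle « IP limit » ci-dessous agrège sur l'en-tête X-Forwarded-For, que le client peut fournir lui-même ; elle ne limite réellement par adresse que si le proxy frontal écrase cet en-tête au lieu de le compléter.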
<pre>
cat /srv/www/aquilenet.fr/searx/gocode/filtron/rules.json 
[
    {
        "name": "search request",
        "filters": ["Param:q", "Path=^(/|/search)$"],
        "interval": 60,
        "limit": 10,
        "actions": [{"name": "log"}],
        "subrules": [
            {
                "name": "roboagent limit",
                "interval": 60, 
                "limit": 10,
                "filters": ["Header:User-Agent=(curl|cURL|Wget|python-requests|Scrapy|FeedFetcher|Go-http-client)"],
                "actions": [
                    {"name": "block",
                     "params": {"message": "Rate limit exceeded"}}
                ]
            },
            {
                "name": "botlimit",
                "limit": 0,
                "stop": true,
                "filters": ["Header:User-Agent=(Googlebot|bingbot|Baiduspider|yacybot|YandexMobileBot|YandexBot|Yahoo! Slurp|MJ12bot|AhrefsBot|archive.org_bot|msnbot|MJ12bot|SeznamBot|linkdexbot|Netvibes|SMTBot|zgrab|James BOT)"],
                "actions": [
                    {"name": "block",
                     "params": {"message": "Rate limit exceeded"}}
                ]
            },
            {
                "name": "IP limit",
                "interval": 60,
                "limit": 10,
                "stop": true,
                "aggregations": ["Header:X-Forwarded-For"],
                "actions": [
                    {"name": "block",
                     "params": {"message": "Rate limit exceeded"}}
                ]
            },
            {
                "name": "rss/json limit",
                "interval": 60,
                "limit": 10,
                "stop": true,
                "filters": ["Param:format=(csv|json|rss)"],
                "actions": [
                    {"name": "block",
                     "params": {"message": "Rate limit exceeded"}}
                ]
            },
            {
                "name": "useragent limit",
                "interval": 60,
                "limit": 10,
                "aggregations": ["Header:User-Agent"],
                "actions": [
                    {"name": "block",
                     "params": {"message": "Rate limit exceeded"}}
                ]
            }
        ]
    }
]
</pre>
Création d'un beuk-systemd service filtron :
<pre>
/etc/systemd/system/filtron.service
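[Unit]
Description=Filtron anti flood for searx Daemon
# After= only orders start-up; Wants= is what actually pulls
# network-online.target into the boot transaction.
Wants=network-online.target
After=network-online.target

[Service]
Type=simple

# Runs unprivileged as the searx account.
User=searx
Group=searx
UMask=007

# NOTE(review): only the rules file is passed, so the listen and target
# addresses are filtron's built-in defaults. Confirm they match the Apache
# ProxyPass address (127.0.0.1:4004) and the uwsgi http listener
# (127.0.0.1:8888) shown on this page.
ExecStart=/srv/www/aquilenet.fr/searx/gocode/filtron/bin/filtron -rules /srv/www/aquilenet.fr/searx/gocode/filtron/rules.json

Restart=on-failure

# Configures the time to wait before service is stopped forcefully.
TimeoutStopSec=300

# Sandboxing for a network-facing filter that only needs to read its rules
# file under /srv: no privilege escalation, a private /tmp, read-only system
# directories and no access to home directories.
NoNewPrivileges=true
PrivateTmp=true
ProtectSystem=full
ProtectHome=true

[Install]
WantedBy=multi-user.target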
</pre>
Un peu de cli systemd:
<pre>
systemctl daemon-reload
systemctl enable filtron.service
systemctl start filtron
systemctl status filtron
</pre>