make repo compatible with http-only upstream TLS #98

Closed
wants to merge 2 commits into from

Conversation

spwoodcock

There is a lack of documentation around making this compatible with reverse proxies; an HTTP server, with TLS termination provided upstream (see #63).

This PR adds some additional configuration to make the repo compatible with both the full-HTTPS and HTTP-only versions of Searx, plus some minor edits in other places:

  • No need for network: host in Caddy container.
    • Port mapping can be used instead for 80 and 443. This also allows users to map to any arbitrary port.
  • As this is a compose stack, services can be referenced by their name. Edited reverse_proxy directives in Caddyfile to reflect this.
    • Consequently, ports do not need to be mapped for filtron or morty (4041 was kept for the rules API).
  • Added searx-checker service.
  • Permissions-Policy in the Caddyfile has a structured syntax that needed updating (tested with MS Edge):

[image: screenshot of the Permissions-Policy header]

@unixfox
Member

unixfox commented Jul 21, 2021

We won't accept this PR because the network host is necessary for listening on IPv6 for Caddy because Docker doesn't provide IPv6 connectivity out of the box.
Unless you can come up with a fix for listening on IPv6 and IPv4 at the same time for Caddy we won't merge this PR.

@spwoodcock
Author

Docker recently added support for forwarding IPv6 traffic to containers & it seems to be stable now, albeit under experimental features (moby/moby#41622).

It requires Docker 20.10.2 or later & modifying the /etc/docker/daemon.json file with:

{
	"ipv6": true,
	"fixed-cidr-v6": "fd00:ffff::/80",
	"ip6tables": true,
	"experimental": true
}

$ sudo service docker restart

As of now, docker swarm does not support IPv6 and hence the enable_ipv6 directive is only available for docker-compose file format versions below 3, e.g. 2.4.

So we would need a separate docker-compose.yaml file, with networks defined as:

version: '2.4'

networks:
  searx:
    enable_ipv6: true
    ipam:
      driver: default
      config: 
        - subnet: fd00:6f74:69d7::/80
          gateway: fd00:6f74:69d7::1

The ULA was generated for the project with:
echo searx | shasum | cut -c1-8
This must be defined.

I'm more than happy to add a separate docker-compose.yaml and documentation to the README, or merge into the main docker-compose.yaml (with a requirement for edits to daemon.json specified), depending on the preferred approach.

Or I can modify this PR to revert to the network_mode: "host" directive for Caddy & only keep the changes for HTTPS-->HTTP.
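As an added check that is not part of the PR or the project's own code, the script below reproduces the ULA derivation described in the comment above (sha1 of the project name, first 8 hex characters) and validates that the daemon.json and compose network settings are consistent: all three flags enabled, both prefixes inside the RFC 4193 fd00::/8 range, no overlap between the default bridge prefix and the compose subnet, and the gateway inside the subnet. The daemon.json sample is constructed from the comment; function and constant names are assumptions.

```python
"""Consistency checks for Docker IPv6 ULA settings (daemon.json vs. compose network)."""
import hashlib
import ipaddress
import json
from typing import List

# Constructed sample: the daemon.json fragment quoted in the comment above.
DAEMON_JSON = """{
    "ipv6": true,
    "fixed-cidr-v6": "fd00:ffff::/80",
    "ip6tables": true,
    "experimental": true
}"""

# RFC 4193 locally assigned unique local addresses live under fd00::/8.
ULA_SPACE = ipaddress.IPv6Network("fd00::/8")


def project_ula_prefix(name: str, prefix_len: int = 80) -> ipaddress.IPv6Network:
    """Reproduce `echo <name> | shasum | cut -c1-8`: sha1 over name plus newline, 8 hex chars,
    split into two 16-bit groups behind fd00: (assumed helper name)."""
    digest = hashlib.sha1((name + "\n").encode()).hexdigest()[:8]
    return ipaddress.IPv6Network(f"fd00:{digest[:4]}:{digest[4:]}::/{prefix_len}")


def check_ipv6_config(daemon_json: str, compose_subnet: str, gateway: str) -> List[str]:
    """Return a list of problems found; an empty list means the settings are consistent."""
    problems: List[str] = []
    cfg = json.loads(daemon_json)
    # The comment requires all three flags; ip6tables is what makes container ports reachable over v6.
    for key in ("ipv6", "ip6tables", "experimental"):
        if cfg.get(key) is not True:
            problems.append(f"daemon.json: {key} must be true")
    daemon_net = ipaddress.IPv6Network(cfg.get("fixed-cidr-v6", "::/0"))
    compose_net = ipaddress.IPv6Network(compose_subnet)
    gw = ipaddress.IPv6Address(gateway)
    # Both prefixes should be ULA so nothing is accidentally routed as a global address.
    for label, net in (("fixed-cidr-v6", daemon_net), ("compose subnet", compose_net)):
        if not net.subnet_of(ULA_SPACE):
            problems.append(f"{label} {net} is not a ULA prefix (fd00::/8)")
    # The compose network must not collide with the default bridge's v6 range.
    if daemon_net.overlaps(compose_net):
        problems.append(f"compose subnet {compose_net} overlaps fixed-cidr-v6 {daemon_net}")
    if gw not in compose_net:
        problems.append(f"gateway {gw} is outside {compose_net}")
    return problems


if __name__ == "__main__":
    print(check_ipv6_config(DAEMON_JSON, "fd00:6f74:69d7::/80", "fd00:6f74:69d7::1"))
```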

@spwoodcock spwoodcock closed this Jul 5, 2023