Refactor Caddyfile for SearXNG configuration

- Cleaned up and organized the SearXNG section by removing commented-out code and ensuring proper indentation. - Added routing and caching policies for API, search, image proxy, and static content. - Implemented security headers including Content-Security-Policy and Strict-Transport-Security. - Configured reverse proxy settings for SearXNG service.
2026-03-07 22:33:11 +00:00 · 2025-06-28 15:04:23 -06:00
parent 50d83ccd24
commit 215fe644a2
1 changed files with 58 additions and 62 deletions
--- a/120
+++ b/120
@@ -73,71 +73,67 @@ https://{$NEO4J_HOSTNAME}:7687 {
    reverse_proxy neo4j:7687
 }

-# SearXNG
+import /etc/caddy/addons/*.conf
+
+# # SearXNG
 {$SEARXNG_HOSTNAME} {
    basic_auth { 
        {$SEARXNG_USERNAME} {$SEARXNG_PASSWORD_HASH}
    }
+
    encode zstd gzip
+    
+    @api {
+        path /config
+        path /healthz
+        path /stats/errors
+        path /stats/checker
+    }
+    @search {
+        path /search
+    }
+    @imageproxy {
+        path /image_proxy
+    }
+    @static {
+        path /static/*
+    }
+    
+    header {
+        # CSP (https://content-security-policy.com)
+        Content-Security-Policy "upgrade-insecure-requests; default-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'; form-action 'self' https://github.com/searxng/searxng/issues/new; font-src 'self'; frame-ancestors 'self'; base-uri 'self'; connect-src 'self' https://overpass-api.de; img-src * data:; frame-src https://www.youtube-nocookie.com https://player.vimeo.com https://www.dailymotion.com https://www.deezer.com https://www.mixcloud.com https://w.soundcloud.com https://embed.spotify.com;"
+        # Disable some browser features
+        Permissions-Policy "accelerometer=(),camera=(),geolocation=(),gyroscope=(),magnetometer=(),microphone=(),payment=(),usb=()"
+        # Set referrer policy
+        Referrer-Policy "no-referrer"
+        # Force clients to use HTTPS
+        Strict-Transport-Security "max-age=31536000"
+        # Prevent MIME type sniffing from the declared Content-Type
+        X-Content-Type-Options "nosniff"
+        # X-Robots-Tag (comment to allow site indexing)
+        X-Robots-Tag "noindex, noarchive, nofollow"
+        # Remove "Server" header
+        -Server
+    }
+    
+    header @api {
+        Access-Control-Allow-Methods "GET, OPTIONS"
+        Access-Control-Allow-Origin "*"
+    }
+    
+    route {
+        # Cache policy
+        header Cache-Control "max-age=0, no-store"
+        header @search Cache-Control "max-age=5, private"
+        header @imageproxy Cache-Control "max-age=604800, public"
+        header @static Cache-Control "max-age=31536000, public, immutable"
+    }
+    
+    # SearXNG (uWSGI)
+    reverse_proxy searxng:8080 {
+        header_up X-Forwarded-Port {http.request.port}
+        header_up X-Real-IP {http.request.remote.host}
+        # https://github.com/searx/searx-docker/issues/24
+        header_up Connection "close"
+    }
 }
-
-import /etc/caddy/addons/*.conf
-
-# # SearXNG
-# {$SEARXNG_HOSTNAME} {
-#     encode zstd gzip
-    
-#     @api {
-#         path /config
-#         path /healthz
-#         path /stats/errors
-#         path /stats/checker
-#     }
-#     @search {
-#         path /search
-#     }
-#     @imageproxy {
-#         path /image_proxy
-#     }
-#     @static {
-#         path /static/*
-#     }
-    
-#     header {
-#         # CSP (https://content-security-policy.com)
-#         Content-Security-Policy "upgrade-insecure-requests; default-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'; form-action 'self' https://github.com/searxng/searxng/issues/new; font-src 'self'; frame-ancestors 'self'; base-uri 'self'; connect-src 'self' https://overpass-api.de; img-src * data:; frame-src https://www.youtube-nocookie.com https://player.vimeo.com https://www.dailymotion.com https://www.deezer.com https://www.mixcloud.com https://w.soundcloud.com https://embed.spotify.com;"
-#         # Disable some browser features
-#         Permissions-Policy "accelerometer=(),camera=(),geolocation=(),gyroscope=(),magnetometer=(),microphone=(),payment=(),usb=()"
-#         # Set referrer policy
-#         Referrer-Policy "no-referrer"
-#         # Force clients to use HTTPS
-#         Strict-Transport-Security "max-age=31536000"
-#         # Prevent MIME type sniffing from the declared Content-Type
-#         X-Content-Type-Options "nosniff"
-#         # X-Robots-Tag (comment to allow site indexing)
-#         X-Robots-Tag "noindex, noarchive, nofollow"
-#         # Remove "Server" header
-#         -Server
-#     }
-    
-#     header @api {
-#         Access-Control-Allow-Methods "GET, OPTIONS"
-#         Access-Control-Allow-Origin "*"
-#     }
-    
-#     route {
-#         # Cache policy
-#         header Cache-Control "max-age=0, no-store"
-#         header @search Cache-Control "max-age=5, private"
-#         header @imageproxy Cache-Control "max-age=604800, public"
-#         header @static Cache-Control "max-age=31536000, public, immutable"
-#     }
-    
-#     # SearXNG (uWSGI)
-#     reverse_proxy searxng:8080 {
-#         header_up X-Forwarded-Port {http.request.port}
-#         header_up X-Real-IP {http.request.remote.host}
-#         # https://github.com/searx/searx-docker/issues/24
-#         header_up Connection "close"
-#     }
-# }