add an example for reverse proxy

[FarisZR]

hi i have been trying to deploy this behind an apache2 reverse proxy a couple times, and still cant get it to work with caddy, and if i use filtron directly all files are using localhost instead of the real domain.

can you please add a new docker-compose file for reverse proxies?

with no https and a simple setting to change the output port and the base domain.

and without the need to create a systemd service

[FarisZR]

something like this but based on the official searx image

version: '3.3'

services:
  searx:
    image: hoellen/searx:master
    container_name: searx
    restart: unless-stopped
    networks:
      - searx
    environment:
      - BASE_URL="https://domain.tld"
      - IMAGE_PROXY=True
    volumes:
      - ./searx/settings.yml:/usr/local/searx/searx/settings.yml # enable custom settings.yml

  filtron:
    container_name: filtron
    image: dalf/filtron
    restart: unless-stopped
    ports:
      - 127.0.0.1:8004:8004
      - 127.0.0.1:8005:8005
    networks:
      - searx
    command: -listen 0.0.0.0:8004 -api 0.0.0.0:8005 -target searx:8888
    volumes:
      - ./filtron:/etc/filtron # mount rules.json
    read_only: true


  morty:
    container_name: morty
    image: dalf/morty
    restart: always
    ports:
      - "127.0.0.1:8006:8006" # reverse proxy on a seprate subdomain
    networks:
      - searx
    command: -timeout 6
    environment:
      - MORTY_KEY=key
      - MORTY_ADDRESS=0.0.0.0:8006
    logging:
      driver: none
    read_only: true
    cap_drop:
      - ALL

  searx-checker:
    container_name: searx-checker
    image: searx/searx-checker
    restart: always
    networks:
      - searx
    command: -cron -o html/data/status.json http://searx:8888
    volumes:
      - searx-checker:/usr/local/searx-checker/html/data:rw

networks:
  searx:

volumes: 
  searx-checker:

[unixfox]

There is no need to complicate the things. Just set SEARX_HOSTNAME in .env to a localhost hostname like http://localhost:8081 and this will allow you to proxy to http://localhost:8081 using apache.

[FarisZR]

it didnt work

[unixfox]

You are right, I just tested and it didn't work without modifying the direct docker-compose.yml.
It's one simple change though because BASE_URL in Searx should not be https by default and allow for another custom hostname.

[Flunkyball]

Setting SEARX_HOSTNAME=http://localhost:8081 and changing docker-compose.yaml s BASE_URL to http only does not do the trick. Apache shows a blank page using Proxypass http://localhost:8081

[Flunkyball]

any progress here ? I still could not manage to get it working with the following changes:

In .env:
Set SEARS_HOSTNAME=http://localhost:8081

In docker-compose-yaml:
Set BASE_URL=http://domain.com

In Apache2 config:
ProxyPass http://localhost:8081

I just land on a blank page when trying to access searx instance.

[FarisZR]

any progress here ? I still could not manage to get it working with the following changes:

In .env:
Set SEARS_HOSTNAME=http://localhost:8081

In docker-compose-yaml:
Set BASE_URL=http://domain.com

In Apache2 config:
ProxyPass http://localhost:8081

I just land on a blank page when trying to access searx instance.

use the docker compose example i listed before.
its working really well, with all the addons.

[Flunkyball]

@fareszr
Thanks for the heads up. However your sample is based on v3.3 whereas the latest config file is v3.7. 3.3 does lead to a not working configuration on my side where none of the services is able to start.

@unixfox
Could you elaborate the changes you were referring to in order to get it working ?

[FarisZR]

@fareszr
Thanks for the heads up. However your sample is based on v3.3 whereas the latest config file is v3.7. 3.3 does lead to a not working configuration on my side where none of the services is able to start.

@unixfox
Could you elaborate the changes you were referring to in order to get it working ?

i don't think the version matters, as i don't use any 3.x specific feature.
it should work on all 3.x versions.

[Flunkyball]

Well, it does not:
filtron | 2020/12/13 18:25:20 Cannot parse rules: open /etc/filtron/rules.json: no such file or directory morty | WARNING: no logs are available with the 'none' log driver searx-checker | Sleep 73 seconds searx | searx version searx | searx | Create /etc/searx/uwsgi.ini searx | Create /etc/searx/settings.yml searx | Listen on 0.0.0.0:8080 searx | [uWSGI] getting INI configuration from /etc/searx/uwsgi.ini searx | [uwsgi-static] added mapping for /static => /usr/local/searx/searx/static morty exited with code 1 filtron exited with code 1 morty | WARNING: no logs are available with the 'none' log driver filtron exited with code 1 morty | WARNING: no logs are available with the 'none' log driver morty exited with code 1 morty exited with code 1 filtron exited with code 1 morty | WARNING: no logs are available with the 'none' log driver morty exited with code 1 filtron exited with code 1

[FarisZR]

Well, it does not:
filtron | 2020/12/13 18:25:20 Cannot parse rules: open /etc/filtron/rules.json: no such file or directory morty | WARNING: no logs are available with the 'none' log driver searx-checker | Sleep 73 seconds searx | searx version searx | searx | Create /etc/searx/uwsgi.ini searx | Create /etc/searx/settings.yml searx | Listen on 0.0.0.0:8080 searx | [uWSGI] getting INI configuration from /etc/searx/uwsgi.ini searx | [uwsgi-static] added mapping for /static => /usr/local/searx/searx/static morty exited with code 1 filtron exited with code 1 morty | WARNING: no logs are available with the 'none' log driver filtron exited with code 1 morty | WARNING: no logs are available with the 'none' log driver morty exited with code 1 morty exited with code 1 filtron exited with code 1 morty | WARNING: no logs are available with the 'none' log driver morty exited with code 1 filtron exited with code 1

well that's because you dot have the rule.json file needed for filtron to work. you have to create filtron/rules.json in the same folder where the docker compose file is.

for searx its the same issue i mounted the settings.yml file to allow for custom settings. you should create searx/settings.yml in the same folder where the docker compose file is.

if you don't want custom settings.yml you can comment the volumes sections in the searx container, however morty wouldnt work since you have to enable it manually.

as for filtron, rules.json is essential.

[Flunkyball]

I see then this is the difference between the 3.3 and the 3.7 config file as the rule.json as well as the rest of the necessary files are created when the launch script runs.

[FarisZR]

I see then this is the difference between the 3.3 and the 3.7 config file as the rule.json as well as the rest of the necessary files are created when the launch script runs.

No, this is a common mistake, when mounting specific files, if they don't exist before the container starts, docker will create a directory instead of a file.
anyway the problem you showed is with missing files, please make sure you have all the files with correct settings.

[Flunkyball]

@fareszr
The files are all there. Anyway, thank you for pointing me into the right direction as the searx settings.yml has an hardcoded base url - therefore the changes in the docker-compose.yaml are ignored and it does not work.

Summing up, @unixfox solution with v3.7 works just fine if you proceed as follows:

In .env:
Set SEARS_HOSTNAME=http://localhost:8081

In docker-compose-yaml within searx section:
Set BASE_URL=https://domain.com/
Set MORTY_URL=https://domain.com/morty/

In /searx/settings.yml under server section:
Set base_url : False

In Apache2 config:
ProxyPass http://localhost:8081/

[FarisZR]

@fareszr
The files are all there. Anyway, thank you for pointing me into the right direction as the searx settings.yml has an hardcoded base url - therefore the changes in the docker-compose.yaml are ignored and it does not work.

Summing up, @unixfox solution with v3.7 works just fine if you proceed as follows:

In .env:
Set SEARS_HOSTNAME=http://localhost:8081

In docker-compose-yaml within searx section:
Set BASE_URL=https://domain.com/
Set MORTY_URL=https://domain.com/morty/

In /searx/settings.yml under server section: Set base_url : False

In Apache2 config:
ProxyPass http://localhost:8081/

wait, you were trying these options on the official image ?.
the example docker-compose config was built on hoellen/searx:master

[Flunkyball]

wait, you were trying these options on the official image ?.
the example docker-compose config was built on hoellen/searx:master

Yes, cause this is the github repo for the official image.

[Flunkyball]

A short update:
If I set "ProxyPreserveHost On" within the apache2 config I am left with a blank page. If I set "ProxyPreserveHost Off" I get information within searx displayed like: []https://i.imgur.com/Aiu5xr2.png(url)
If I bypass Caddy and reverse proxy directly to Morty on 4040 I can enable the PreserveHost option and the URL gets translated fine.

[stefanorossiti]

I'd like, too, the option to have a container that is forwardable. I want to add searx to my private server wich is already forwarded with nginx. Installing this container doesnt work because it conflicts with the standard ports used by nginx. Not being familiar with this stack i have no confidence changing any setting.

P.S. Solutions posted here didn't work for me.

[otary]

@fareszr

version: '3.3'

services:
  searx:
    image: hoellen/searx:master
    container_name: searx
    restart: unless-stopped
    networks:
      - searx  
    environment:
      - BASE_URL="http://localhost"
      - IMAGE_PROXY=True
    #volumes:
    #  - ./searx/settings.yml:/usr/local/searx/searx/settings.yml # enable custom settings.yml

  filtron:
    container_name: filtron
    image: dalf/filtron
    restart: unless-stopped
    ports:
      - 127.0.0.1:8004:8004
      - 127.0.0.1:8005:8005
    networks:
      - searx
    command: -listen 0.0.0.0:8004 -api 0.0.0.0:8005 -target searx:8888
    volumes:
      - ./filtron:/etc/filtron # mount rules.json
    read_only: true


  morty:
    container_name: morty
    image: dalf/morty
    restart: always
    ports:
      - "127.0.0.1:8006:8006" # reverse proxy on a seprate subdomain
    networks:
      - searx
    command: -timeout 6
    environment:
      - MORTY_KEY=key
      - MORTY_ADDRESS=0.0.0.0:8006
    logging:
      driver: none
    read_only: true
    cap_drop:
      - ALL

  searx-checker:
    container_name: searx-checker
    image: searx/searx-checker
    restart: always
    networks:
      - searx
    command: -cron -o html/data/status.json http://searx:8888
    volumes:
      - searx-checker:/usr/local/searx-checker/html/data:rw

networks:
  searx:

volumes: 
  searx-checker:

I use your docker-compose.yml, but it dose not work well.

I try access url http://localhost or http://localhost:8888, but fail, searx dose not expose port, why we can access in browser?

[FarisZR]

@fareszr

version: '3.3'

services:
  searx:
    image: hoellen/searx:master
    container_name: searx
    restart: unless-stopped
    networks:
      - searx  
    environment:
      - BASE_URL="http://localhost"
      - IMAGE_PROXY=True
    #volumes:
    #  - ./searx/settings.yml:/usr/local/searx/searx/settings.yml # enable custom settings.yml

  filtron:
    container_name: filtron
    image: dalf/filtron
    restart: unless-stopped
    ports:
      - 127.0.0.1:8004:8004
      - 127.0.0.1:8005:8005
    networks:
      - searx
    command: -listen 0.0.0.0:8004 -api 0.0.0.0:8005 -target searx:8888
    volumes:
      - ./filtron:/etc/filtron # mount rules.json
    read_only: true


  morty:
    container_name: morty
    image: dalf/morty
    restart: always
    ports:
      - "127.0.0.1:8006:8006" # reverse proxy on a seprate subdomain
    networks:
      - searx
    command: -timeout 6
    environment:
      - MORTY_KEY=key
      - MORTY_ADDRESS=0.0.0.0:8006
    logging:
      driver: none
    read_only: true
    cap_drop:
      - ALL

  searx-checker:
    container_name: searx-checker
    image: searx/searx-checker
    restart: always
    networks:
      - searx
    command: -cron -o html/data/status.json http://searx:8888
    volumes:
      - searx-checker:/usr/local/searx-checker/html/data:rw

networks:
  searx:

volumes: 
  searx-checker:

I use your docker-compose.yml, but it dose not work well.

I try access url http://localhost or http://localhost:8888, but fail, searx dose not expose port, why we can access in browser?

its 8004/8005

[otary]

@fareszr

version: '3.3'

services:
  searx:
    image: hoellen/searx:master
    container_name: searx
    restart: unless-stopped
    networks:
      - searx  
    environment:
      - BASE_URL="http://localhost"
      - IMAGE_PROXY=True
    #volumes:
    #  - ./searx/settings.yml:/usr/local/searx/searx/settings.yml # enable custom settings.yml

  filtron:
    container_name: filtron
    image: dalf/filtron
    restart: unless-stopped
    ports:
      - 127.0.0.1:8004:8004
      - 127.0.0.1:8005:8005
    networks:
      - searx
    command: -listen 0.0.0.0:8004 -api 0.0.0.0:8005 -target searx:8888
    volumes:
      - ./filtron:/etc/filtron # mount rules.json
    read_only: true


  morty:
    container_name: morty
    image: dalf/morty
    restart: always
    ports:
      - "127.0.0.1:8006:8006" # reverse proxy on a seprate subdomain
    networks:
      - searx
    command: -timeout 6
    environment:
      - MORTY_KEY=key
      - MORTY_ADDRESS=0.0.0.0:8006
    logging:
      driver: none
    read_only: true
    cap_drop:
      - ALL

  searx-checker:
    container_name: searx-checker
    image: searx/searx-checker
    restart: always
    networks:
      - searx
    command: -cron -o html/data/status.json http://searx:8888
    volumes:
      - searx-checker:/usr/local/searx-checker/html/data:rw

networks:
  searx:

volumes: 
  searx-checker:

I use your docker-compose.yml, but it dose not work well.


I try access url http://localhost or http://localhost:8888, but fail, searx dose not expose port, why we can access in browser?

its 8004/8005

no, I access http://localhost:8004 or http://localhost:8005, but it return nothing, how you access it?

[tomlawesome]

This is something I'm trying to accomplish too, and it's frankly impossible without changing parts of the docker-compose.yml && the Caddyfile. I've managed to get it forwarded to the front end loads but it won't query as it says it's 'rate limit exceeded'.

Is Caddy actually required here at all? Just wondering if this container setup would be relatively easy to strip Caddy out of leaving just a direct connection to Filtron/morty using an existing reverse proxy? I am of course making an assumption here, but I can't imagine many people have a use case where the only thing on their domain that they're self-hosting is searx.

Locally it functions perfectly well (for me) at the root of the local IP, but if you want to run TLS between the two containers, it gets gnarly.

I find Caddy an odd choice too -- it's a great bit of kit, but it seems relatively new and there's little documentation on the web for users to self-help.

[Flunkyball]

This is something I'm trying to accomplish too, and it's frankly impossible without changing parts of the docker-compose.yml && the Caddyfile. I've managed to get it forwarded to the front end loads but it won't query as it says it's 'rate limit exceeded'.

Is Caddy actually required here at all? Just wondering if this container setup would be relatively easy to strip Caddy out of leaving just a direct connection to Filtron/morty using an existing reverse proxy? I am of course making an assumption here, but I can't imagine many people have a use case where the only thing on their domain that they're self-hosting is searx.

I found myself in the same spot. However, leaving Caddy just aside and directly reverse proxy to Filtron works perfectly fine for me.
The only change in compose-docker.yaml then is to set BASE_URL and MORTY_URL correctly as they are available by through the reverse proxy.

[akanealw]

So this is what works for you? What local ip and port do you forward in the proxy?

services:

  filtron:
    container_name: filtron
    image: dalf/filtron
    restart: always
    ports:
      - "127.0.0.1:4040:4040"
      - "127.0.0.1:4041:4041"
    networks:
      - searx
    command: -listen 0.0.0.0:4040 -api 0.0.0.0:4041 -target searx:8080
    volumes:
      - /mnt/data/docker/appdata/filtron/rules.json:/etc/filtron/rules.json:rw
    read_only: true
    cap_drop:
      - ALL

  searx:
    container_name: searx
    image: searx/searx:latest
    restart: always
    networks:
      - searx
    command: ${SEARX_COMMAND:-}
    volumes:
      - /mnt/data/docker/appdata/searx:/etc/searx:rw
    environment:
      - BIND_ADDRESS=0.0.0.0:8080
      - BASE_URL=https://searx.mydomain.com/
      - MORTY_URL=https://searx.mydomain.com/morty/
      - MORTY_KEY=${MORTY_KEY}
    cap_drop:
      - ALL
    cap_add:
      - CHOWN
      - SETGID
      - SETUID
      - DAC_OVERRIDE

  morty:
    container_name: morty
    image: dalf/morty
    restart: always
    ports:
      - "127.0.0.1:3000:3000"
    networks:
      - searx
    command: -timeout 6 -ipv6
    environment:
      - MORTY_KEY=${MORTY_KEY}
      - MORTY_ADDRESS=0.0.0.0:3000
    logging:
      driver: none
    read_only: true
    cap_drop:
      - ALL

networks:
  searx:
    ipam:
      driver: default

[Flunkyball]

@akanealw
Exactly. Despite BASE_URL and MORTY_URL I did not modify the compose file.

The relevant apache2 reverse proxy config part looks like this:

        ProxyPreserveHost On
        ProxyRequests Off

        RequestHeader set X-Forwarded-Proto "https"
        RequestHeader set X-Forwarded-Port "443"
        
        <Location />
                ProxyPass  http://127.0.0.1:4040/
                ProxyPassReverse http://127.0.0.1:4040/
        </Location>

        <Location /morty>
                ProxyPass  http://127.0.0.1:3000
                ProxyPassReverse http://127.0.0.1:3000
        </Location>

[fuzunspm]

@Flunkyball could you please share all apache conf file?

[Mythbusters123]

I have followed all steps and am still revieving an "Rate Limit exceeded" error

[FarisZR]

enable websockets. filtron requires websockets. users without websockets will get rate limited.

…

On Sun, Jan 30 2022 at 04:50:22 PM -0000, searx/searx-docker - reply+aipxadsqo5b3iasvfhzlyd6aakrmxevbnhhcztc7me at reply.github.com ***@***.***> wrote: I have followed all steps and am still revieving an "Rate Limit exceeded" error — Reply to this email directly, [view it on GitHub](#63 (comment)), or [unsubscribe](https://github.com/notifications/unsubscribe-auth/AIPXADVJEWEXQUJ67DFBARLUYVT4XANCNFSM4UDXPL7A). Triage notifications on the go with GitHub Mobile for [iOS](https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675) or [Android](https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub). You are receiving this because you were mentioned.Message ID: ***@***.***>

[Mythbusters123]

How would I add a websocket for this using NGinX?

[unixfox]

enable websockets. filtron requires websockets. users without websockets will get rate limited.

Filtron doesn't need websockets, that's not true.

[firestrife23]

I have followed all steps and am still revieving an "Rate Limit exceeded" error

I got it working with nginx and here's the temporary workaround by changing filtron's rules.json to this:

[]

You'll lose filtron's protection, but my instance is not exposed to the internet, since I added certain rules to only allow connection from the local network and VPN clients.

EDITED: including my docker-compose.yml

Make sure your filtron container is reachable by your reverse proxy container since this compose does not expose ports outside of the container's network for security reasons. However, this compose work with multiple stacks of containers and networks that were created beforehand.

version: '3'
services:
  filtron:
    container_name: filtron
    image: dalf/filtron:latest
    restart: always
    command: -listen 0.0.0.0:4040 -api 0.0.0.0:4041 -target searx:8888
    volumes:
      - /usr/share/filtron/rules.json:/etc/filtron/rules.json:rw
    read_only: true
    cap_drop:
      - ALL
  searx:
    container_name: searx
    image: searx/searx:latest
    restart: unless-stopped
    depends_on:
      - morty
      - filtron
    command: -f
    volumes:
      - /usr/share/searx:/etc/searx:rw
    environment:
      - BIND_ADDRESS=0.0.0.0:8888
      - BASE_URL=https://searx.example.com/
      - MORTY_KEY=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
      - MORTY_ADDRESS=morty:3000
    cap_drop:
      - ALL
    cap_add:
      - CHOWN
      - SETGID
      - SETUID
      - DAC_OVERRIDE
  morty:
    container_name: morty
    image: dalf/morty:latest
    restart: always
    command: -timeout 6 -ipv6
    environment:
      - MORTY_KEY=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
      - MORTY_ADDRESS=0.0.0.0:3000
    logging:
      driver: none
    read_only: true
    cap_drop:
      - ALL

networks:
  default: 
    external: true
    name: intra_network 

This one is all in one solution if running standalone searx server which is a good example of how to run searx with reverse proxy.

version: '3'
services:
  filtron:
    container_name: filtron
    image: dalf/filtron:latest
    restart: always
    command: -listen 0.0.0.0:4040 -api 0.0.0.0:4041 -target searx:8888
    volumes:
      - /usr/share/filtron/rules.json:/etc/filtron/rules.json:rw
    read_only: true
    cap_drop:
      - ALL
  searx:
    container_name: searx
    image: searx/searx:latest
    restart: unless-stopped
    depends_on:
      - nginx
      - morty
      - filtron
    command: -f
    volumes:
      - /usr/share/searx:/etc/searx:rw
    environment:
      - BIND_ADDRESS=0.0.0.0:8888
      - BASE_URL=https://searx.example.com/
      - MORTY_KEY=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
      - MORTY_ADDRESS=morty:3000
    cap_drop:
      - ALL
    cap_add:
      - CHOWN
      - SETGID
      - SETUID
      - DAC_OVERRIDE
  morty:
    container_name: morty
    image: dalf/morty:latest
    restart: always
    command: -timeout 6 -ipv6
    environment:
      - MORTY_KEY=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
      - MORTY_ADDRESS=0.0.0.0:3000
    logging:
      driver: none
    read_only: true
    cap_drop:
      - ALL
  nginx:
    container_name: nginx
    image: lscr.io/linuxserver/nginx:latest
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=America/Chicago
    ports:
      - 80:80
      - 443:443
    volumes:
      - /usr/share/nginx:/config
    restart: unless-stopped

[pdolinic]

Hi, here is a full TLS config in case anyone needs for redirecting from a docker containers 8080 to the hosts 3030 (without TLS) and then forwarding to 443 with TLS:

1. The docker container would be

docker run -d --name searxng --restart always \
	     -p 3030:8080 \
             -v "/home/searxng:/etc/searxng" \
             -e "INSTANCE_NAME=your.instance" \
             searxng/searxng

2. Generate your keys

• Private Key

openssl genpkey -algorithm RSA -out privatekey.pem -pkeyopt rsa_keygen_bits:4096

• Cert

openssl req -new -x509 -key privatekey.pem -out certificate.pem -days 3650

3. This is your Nginx-Conf adapted from here: https://docs.searxng.org/admin/installation-nginx.html

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    server_name your.instance;

    ssl_certificate /etc/nginx/certificate.pem;
    ssl_certificate_key /etc/nginx/privatekey.pem;
    access_log  off;
    error_log off;

    location / {
        proxy_pass http://yourip.yourip.yourip.yourip:3030;

        proxy_set_header   Host             $host;
        proxy_set_header   Connection       $http_connection;

        # see flaskfix.py
        proxy_set_header   X-Scheme         $scheme;
    #    proxy_set_header   X-Script-Name    /searxng;

        # see limiter.py
        proxy_set_header   X-Real-IP        $remote_addr;
        proxy_set_header   X-Forwarded-For  $proxy_add_x_forwarded_for;

        # proxy_buffering  off;
        # proxy_request_buffering off;
        # proxy_buffer_size 8k;
    }

#    location /searxng/static/ {
#        alias /usr/local/searxng/searxng-src/searx/static/;
#    }
}

In the browser you would set: https://your.instance/search?q=
In mobile you would set: https://your.instance/search?q=%s

If I did something is suboptimal let me know, just here to help out.