forked from zaclys/searxng
	Fix Nginx subdir URL install docs which allowed download of settings.yml
Closes: #1617

There is an issue with the setup example in https://asciimoo.github.io/searx/dev/install/installation.html#installation for subdirectory URL deployments:

```nginx
root /usr/local/searx;
location = /searx { rewrite ^ /searx/; }
location /searx {
    try_files $uri @searx;
}
location @searx {
    uwsgi_param SCRIPT_NAME /searx;
    include uwsgi_params;
    uwsgi_modifier1 30;
    uwsgi_pass unix:/run/uwsgi/app/searx/socket;
}
```

`try_files` causes Nginx to search for files in the server root first. If it matches a file, it is returned. Only if no file matched, the request is passed to uwsgi. The worst consequence I can think of is that `settings.yml` can be downloaded without authentication (where secrets and configuration details are stored).

To fix this, I propose:

```nginx
location = /searx { rewrite ^ /searx/; }
location /searx/static { }
location /searx {
    uwsgi_param SCRIPT_NAME /searx;
    include uwsgi_params;
    uwsgi_pass unix:/run/uwsgi/app/searx/socket;
}
```

And add

```
route-run = fixpathinfo:
```

to `/etc/uwsgi/apps-available/searx.ini` because `uwsgi_modifier1 30` is apparently deprecated. Ref: https://uwsgi-docs.readthedocs.io/en/latest/Changelog-2.0.11.html#fixpathinfo-routing-action

I assume this issue exists because some uwsgi upstream docs also use the `try_files` construct (at least I have seen this somewhere in the docs or somewhere else on the Internet but cannot find it right now again). https://uwsgi-docs.readthedocs.io/en/latest/Nginx.html#hosting-multiple-apps-in-the-same-process-aka-managing-script-name-and-path-info also warns about this:

> If used incorrectly a configuration like this may cause security problems. For your sanity’s sake, double-triple-quadruple check that your application files, configuration files and any other sensitive files are outside of the root of the static files.
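A post-deployment check for the problem the commit message describes, added here as an example and not code from the searx project or its author: it probes a running instance for application files that nginx would hand out under the old `try_files` configuration (settings.yml being the one the message names) and confirms that `/searx/static/` is still served. It assumes the app is mounted at SCRIPT_NAME `/searx`; the extra probe paths and the static asset path are constructed for illustration and should be adjusted to the deployment. The network fetch is injectable so the verdict logic can be exercised offline.

```python
"""Check that a searx subdirectory deployment does not serve files from the
application root (settings.yml in particular) while /searx/static/ still works.

Added example for this page, not code from the searx project. Assumes the
instance is mounted at SCRIPT_NAME /searx; probe paths are constructed.
"""
import sys
import urllib.error
import urllib.request

# Paths that must never be answered as plain files from the nginx `root`.
# settings.yml is the file named in the commit message; the others are
# hypothetical probes of the same kind (adjust to your layout).
SENSITIVE_PATHS = (
    "/searx/settings.yml",
    "/searx/searx/settings.yml",
    "/searx/searx.ini",
)

# One asset the `location /searx/static` block should still serve
# (assumed path; point it at a file that exists in your deployment).
STATIC_PROBE = "/searx/static/css/searx.min.css"


def fetch_status(url, timeout=10):
    """GET url and return (status, content_type); 4xx/5xx arrive as HTTPError."""
    req = urllib.request.Request(url, headers={"User-Agent": "searx-exposure-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Content-Type", "")
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Content-Type", "")


def served_as_file(status, content_type):
    """True when the response looks like nginx handing out a file from `root`.

    With try_files in front of the app, nginx answers 200 with the file's
    MIME type (text/yaml, text/plain, application/octet-stream ...). Once the
    request reaches the Flask app instead, an unknown route yields a 404 HTML
    page, so 200 + non-HTML is the signature of a served file.
    """
    return status == 200 and "text/html" not in content_type.lower()


def assess(base_url, fetch=fetch_status):
    """Probe every path; return {path: 'exposed' | 'ok' | 'static-missing'}."""
    base = base_url.rstrip("/")
    report = {}
    for path in SENSITIVE_PATHS:
        status, ctype = fetch(base + path)
        report[path] = "exposed" if served_as_file(status, ctype) else "ok"
    status, _ = fetch(base + STATIC_PROBE)
    report[STATIC_PROBE] = "ok" if status == 200 else "static-missing"
    return report


def main(argv):
    if len(argv) != 2:
        print("usage: check_subdir_exposure.py https://host", file=sys.stderr)
        return 2
    report = assess(argv[1])
    for path, verdict in report.items():
        print(f"{verdict:15} {path}")
    # Non-zero exit makes the check usable from a deployment pipeline.
    return 1 if "exposed" in report.values() else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 check_subdir_exposure.py https://your-host` after applying the nginx change; an `exposed` verdict on any path means a `try_files`-style fallthrough is still in place. The content-type heuristic is deliberately simple: it only distinguishes a file served by nginx from the application's own HTML 404, which is exactly the difference between the old and the new configuration.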
Parent: 754a10c1c1
Commit: a1d9c81915
1 changed file with 10 additions and 6 deletions
		|  | @ -114,6 +114,9 @@ content: | ||||||
|     # Module to import |     # Module to import | ||||||
|     module = searx.webapp |     module = searx.webapp | ||||||
| 
 | 
 | ||||||
|  |     # Support running the module from a webserver subdirectory. | ||||||
|  |     route-run = fixpathinfo: | ||||||
|  | 
 | ||||||
|     # Virtualenv and python path |     # Virtualenv and python path | ||||||
|     virtualenv = /usr/local/searx/searx-ve/ |     virtualenv = /usr/local/searx/searx-ve/ | ||||||
|     pythonpath = /usr/local/searx/ |     pythonpath = /usr/local/searx/ | ||||||
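Review bot: the new `route-run = fixpathinfo:` line should state the minimum uWSGI version next to it, since the commit message links the 2.0.11 changelog for this routing action and older uWSGI builds will reject the option at startup. Suggest extending the comment to `# Support running the module from a webserver subdirectory (uWSGI >= 2.0.11).` and adding that the action only has an effect when the web server passes SCRIPT_NAME (the nginx hunk sets `uwsgi_param SCRIPT_NAME /searx`); without it there is nothing for fixpathinfo to strip from PATH_INFO.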
|  | @ -180,14 +183,16 @@ Add this configuration in the server config file | ||||||
| 
 | 
 | ||||||
| .. code:: nginx | .. code:: nginx | ||||||
| 
 | 
 | ||||||
|     location = /searx { rewrite ^ /searx/; } |     location = /searx { | ||||||
|     location /searx { |             rewrite ^ /searx/; | ||||||
|             try_files $uri @searx; |  | ||||||
|     } |     } | ||||||
|     location @searx { | 
 | ||||||
|  |     location /searx/static { | ||||||
|  |     } | ||||||
|  | 
 | ||||||
|  |     location /searx { | ||||||
|             uwsgi_param SCRIPT_NAME /searx; |             uwsgi_param SCRIPT_NAME /searx; | ||||||
|             include uwsgi_params; |             include uwsgi_params; | ||||||
|             uwsgi_modifier1 30; |  | ||||||
|             uwsgi_pass unix:/run/uwsgi/app/searx/socket; |             uwsgi_pass unix:/run/uwsgi/app/searx/socket; | ||||||
|     } |     } | ||||||
| 
 | 
 | ||||||
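Review bot: the empty `location /searx/static { }` block serves static files from whatever `root` the enclosing `server` block defines, and this hunk does not show that directive, so a reader who copies only this snippet ends up with nginx's default root or with a root that also contains the application; the doc should show the `root` (or an `alias` pointing at searx's static directory) directly above this block. Also worth a sentence that removing `uwsgi_modifier1 30` here only works together with `route-run = fixpathinfo:` from the first hunk: applied alone, uwsgi still receives `/searx/...` in PATH_INFO and the app's routes no longer match.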
|  | @ -338,4 +343,3 @@ References | ||||||
| 
 | 
 | ||||||
| * How to: `Setup searx in a couple of hours with a free SSL certificate | * How to: `Setup searx in a couple of hours with a free SSL certificate | ||||||
|   <https://www.reddit.com/r/privacytoolsIO/comments/366kvn/how_to_setup_your_own_privacy_respecting_search/>`__ |   <https://www.reddit.com/r/privacytoolsIO/comments/366kvn/how_to_setup_your_own_privacy_respecting_search/>`__ | ||||||
| 
 |  | ||||||
|  |  | ||||||
Author: Robin Schneider