Commit Graph

4516 Commits

Author SHA1 Message Date
Markus Heiser 80aaef6c95
Merge pull request #2357 / limiter -> botdetection
The monolithic implementation of the limiter was divided into methods and
implemented in the Python package searx.botdetection.  Detailed documentation on
the methods has been added.

The methods are divided into two groups:

1. Probe HTTP headers

- Method http_accept
- Method http_accept_encoding
- Method http_accept_language
- Method http_connection
- Method http_user_agent

2. Rate limit:

- Method ip_limit
- Method link_token (new)

The (reduced) implementation of the limiter is now in the module
searx.botdetection.limiter.  The first group was transferred unchanged to this
module.  The ip_limit contains the sliding windows implemented by the limiter so
far.

This merge also fixes some long outstandig issue:

- limiter does not evaluate the Accept-Language correct [1]
- limiter needs a IPv6 prefix to block networks instead of IPs [2]

Without additional configuration the limiter works as before (apart from the
bugfixes).  For the commissioning of additional methods (link_toke), a
configuration must be made in an additional configuration file.  Without this
configuration, the limiter runs as before (zero configuration).

The ip_limit Method implements the sliding windows of the vanilla limiter,
additionally the link_token method can be used in this method.  The link_token
method can be used to investigate whether a request is suspicious. To activate
the link_token method in the ip_limit method add the following to your
/etc/searxng/limiter.toml::

    [botdetection.ip_limit]
    link_token = true


[1] https://github.com/searxng/searxng/issues/2455
[2] https://github.com/searxng/searxng/issues/2477
2023-06-03 06:00:15 +02:00
Markus Heiser 1a1ab34d9d [fix] URL percent-encoding in translations fail in babel
Closes: https://github.com/searxng/searxng/issues/2482
Signed-off-by: Markus Heiser <markus.heiser@darmarit.de>
2023-06-02 20:30:41 +02:00
Markus Heiser b867c39ce0 [build] /static 2023-06-02 19:05:43 +02:00
Markus Heiser 2149e88bdd [mod] template preferences: split into elements (no functional change)
HINT: this patch has no functional change / it is the preparation for following
      changes and bugfixes

Over the years, the preferences template became an unmanageable beast.  To make
the source code more readable the monolith is splitted into elements.  The
splitting into elements also has the advantage that a new template can make use
of them.

The reversed checkbox is a quirk that is only used in the prefereces and must be
eliminated in the long term.  For this the macro 'checkbox_onoff_reversed' was
added to the preferences.html template.  The 'checkbox' macro is also a quirk of
the preferences.html we don't want to use in other templates (it is an
input-checkbox in a HTML form that was misused for status display).

Signed-off-by: Markus Heiser <markus.heiser@darmarit.de>
2023-06-02 19:05:43 +02:00
searxng-bot 789b43ab60 [translations] update from Weblate
5344314f - 2023-05-30 - return42 <markus.heiser@darmarit.de>
ee8fd955 - 2023-06-01 - BBTranslate <357835338@qq.com>
1ce31caf - 2023-05-29 - return42 <markus.heiser@darmarit.de>
fe75c53d - 2023-05-29 - return42 <markus.heiser@darmarit.de>
ca60af52 - 2023-05-30 - return42 <markus.heiser@darmarit.de>
f34b88f3 - 2023-05-29 - return42 <markus.heiser@darmarit.de>
22d76a26 - 2023-05-29 - return42 <markus.heiser@darmarit.de>
43d8c982 - 2023-05-29 - return42 <markus.heiser@darmarit.de>
43a92e85 - 2023-05-30 - return42 <markus.heiser@darmarit.de>
2bfc12dd - 2023-05-29 - return42 <markus.heiser@darmarit.de>
e2b5fb5f - 2023-05-29 - return42 <markus.heiser@darmarit.de>
9f088420 - 2023-05-30 - return42 <markus.heiser@darmarit.de>
bdf81b4c - 2023-05-29 - return42 <markus.heiser@darmarit.de>
f6a24c5d - 2023-05-30 - return42 <markus.heiser@darmarit.de>
01bcea56 - 2023-05-29 - return42 <markus.heiser@darmarit.de>
8c0209f8 - 2023-05-29 - return42 <markus.heiser@darmarit.de>
c629c610 - 2023-05-29 - return42 <markus.heiser@darmarit.de>
a4e4945d - 2023-05-29 - return42 <markus.heiser@darmarit.de>
96bad166 - 2023-06-01 - mradalbert <mister.adalbert@gmail.com>
b0032d90 - 2023-05-29 - return42 <markus.heiser@darmarit.de>
366adaef - 2023-05-29 - return42 <markus.heiser@darmarit.de>
2e4271bf - 2023-05-29 - return42 <markus.heiser@darmarit.de>
c5856fd6 - 2023-05-29 - return42 <markus.heiser@darmarit.de>
790b5a6f - 2023-05-29 - return42 <markus.heiser@darmarit.de>
6c9f92a9 - 2023-05-29 - return42 <markus.heiser@darmarit.de>
f5a6a35d - 2023-05-29 - return42 <markus.heiser@darmarit.de>
4c8eeb32 - 2023-05-29 - return42 <markus.heiser@darmarit.de>
7b8c0618 - 2023-05-30 - nicfab <nicfab@icloud.com>
4e851dd4 - 2023-05-29 - return42 <markus.heiser@darmarit.de>
0fa6006e - 2023-05-29 - return42 <markus.heiser@darmarit.de>
877f4396 - 2023-05-30 - return42 <markus.heiser@darmarit.de>
c3bb1da7 - 2023-05-29 - return42 <markus.heiser@darmarit.de>
e66e6fae - 2023-05-30 - return42 <markus.heiser@darmarit.de>
1cac4771 - 2023-05-30 - return42 <markus.heiser@darmarit.de>
949e994f - 2023-05-28 - ghose <correo@xmgz.eu>
8b181582 - 2023-05-29 - return42 <markus.heiser@darmarit.de>
65f8fb93 - 2023-05-30 - return42 <markus.heiser@darmarit.de>
e5088e1c - 2023-05-29 - return42 <markus.heiser@darmarit.de>
f151100c - 2023-05-29 - return42 <markus.heiser@darmarit.de>
51d169fa - 2023-05-29 - return42 <markus.heiser@darmarit.de>
e68ac961 - 2023-05-30 - return42 <markus.heiser@darmarit.de>
c336c5a1 - 2023-05-31 - dom1torii <djmdmitri.a@gmail.com>
88bda0d0 - 2023-05-30 - Fijxu <fijxu@zzls.xyz>
6a57c29a - 2023-05-29 - return42 <markus.heiser@darmarit.de>
0c585b4d - 2023-05-30 - return42 <markus.heiser@darmarit.de>
e8ca9891 - 2023-05-29 - return42 <markus.heiser@darmarit.de>
817b2da4 - 2023-05-29 - return42 <markus.heiser@darmarit.de>
6b2508aa - 2023-05-29 - return42 <markus.heiser@darmarit.de>
3a5b1842 - 2023-05-30 - return42 <markus.heiser@darmarit.de>
fd826ab8 - 2023-05-29 - return42 <markus.heiser@darmarit.de>
a3938c43 - 2023-05-30 - return42 <markus.heiser@darmarit.de>
30cad6b2 - 2023-05-30 - Ivan Gabaldon <admin@inetol.net>
e997055f - 2023-05-30 - return42 <markus.heiser@darmarit.de>
de6bd3d8 - 2023-05-30 - return42 <markus.heiser@darmarit.de>
ba5e0129 - 2023-05-29 - return42 <markus.heiser@darmarit.de>
e48fd248 - 2023-05-29 - return42 <markus.heiser@darmarit.de>
b0e7d3f1 - 2023-05-30 - return42 <markus.heiser@darmarit.de>
2023-06-02 09:34:36 +02:00
Markus Heiser 80af38d37b [mod] increase SUSPICIOUS_IP_WINDOW from one day to 30 days
In my tests I see bots rotating IPs (with endless IP lists).  If such a bot has
100 IPs and has three attempts (SUSPICIOUS_IP_MAX = 3) then it can successfully
send up to 300 requests in one day while rotating the IP.  To block the bots for
a longer period of time the SUSPICIOUS_IP_WINDOW, as the time period in which an
IP is observed, must be increased.

For normal WEB-browsers this is no problem, because the SUSPICIOUS_IP_WINDOW is
deleted as soon as the CSS with the token is loaded.

SUSPICIOUS_IP_WINDOW = 3600 * 24 * 30
  Time (sec) before sliding window for one suspicious IP expires.

SUSPICIOUS_IP_MAX = 3
  Maximum requests from one suspicious IP in the :py:obj:`SUSPICIOUS_IP_WINDOW`."""

Signed-off-by: Markus Heiser <markus.heiser@darmarit.de>
2023-06-01 16:00:49 +02:00
Markus Heiser 281e36f4b7 [fix] limiter: replace real_ip by IPv4/v6 network
Closes: https://github.com/searxng/searxng/issues/2477
Signed-off-by: Markus Heiser <markus.heiser@darmarit.de>
2023-06-01 15:51:14 +02:00
Markus Heiser 38431d2e14 [fix] correct determination of the IP for the request
For correct determination of the IP to the request the function
botdetection.get_real_ip() is implemented.  This fonction is used in the
ip_limit and link_token method of the botdetection and it is used in the
self_info plugin.

A documentation about the X-Forwarded-For header has been added.

[1] https://github.com/searxng/searxng/pull/2357#issuecomment-1566211059

Signed-off-by: Markus Heiser <markus.heiser@darmarit.de>
2023-06-01 14:38:53 +02:00
Markus Heiser b8c7c2c9aa [mod] botdetection - improve ip_limit and link_token methods
- counting requests in LONG_WINDOW and BURST_WINDOW is not needed when the
  request is validated by the link_token method [1]

- renew a ping-key on validation [2], this is needed for infinite scrolling,
  where no new token (CSS) is loaded. / this does not fix the BURST_MAX issue in
  the vanilla limiter

- normalize the counter names of the ip_limit method to 'ip_limit.*'

- just integrate the ip_limit method straight forward in the limiter plugin /
  non intermediate code --> ip_limit now returns None or a werkzeug.Response
  object that can be passed by the plugin to the flask application / non
  intermediate code that returns a tuple

[1] https://github.com/searxng/searxng/pull/2357#issuecomment-1566113277
[2] https://github.com/searxng/searxng/pull/2357#discussion_r1208542206
[3] https://github.com/searxng/searxng/pull/2357#issuecomment-1566125979

Signed-off-by: Markus Heiser <markus.heiser@darmarit.de>
2023-06-01 14:38:53 +02:00
Markus Heiser 52f1452c09 [mod] limiter: ip_limt - monitore suspicious IPs
To intercept bots that get their IPs from a range of IPs, there is a
``SUSPICIOUS_IP_WINDOW``.  In this window the suspicious IPs are stored for a
longer time.  IPs stored in this sliding window have a maximum of
``SUSPICIOUS_IP_MAX`` accesses before they are blocked.  As soon as the IP makes
a request that is not suspicious, the sliding window for this IP is droped.

Signed-off-by: Markus Heiser <markus.heiser@darmarit.de>
2023-06-01 14:38:53 +02:00
Markus Heiser 9d7456fd6c [fix] limiter.toml: botdetection.ip_limit turn off link_token by default
To activate the ``link_token`` method in the ``ip_limit`` method add the
following to your ``/etc/searxng/limiter.toml``::

   [botdetection.ip_limit]
   link_token = true

Related: https://github.com/searxng/searxng/pull/2357#issuecomment-1554116941
Signed-off-by: Markus Heiser <markus.heiser@darmarit.de>
2023-06-01 14:38:53 +02:00
Markus Heiser 66fdec0eb9 [mod] limiter: add config file /etc/searxng/limiter.toml
Signed-off-by: Markus Heiser <markus.heiser@darmarit.de>
2023-06-01 14:38:53 +02:00
Markus Heiser 1ec325adcc [mod] limiter -> botdetection: modularization and documentation
In order to be able to meet the outstanding requirements, the implementation is
modularized and supplemented with documentation.

This patch does not contain functional change, except it fixes issue #2455

----

Aktivate limiter in the settings.yml and simulate a bot request by::

    curl -H 'Accept-Language: de-DE,en-US;q=0.7,en;q=0.3' \
         -H 'Accept: text/html'
         -H 'User-Agent: xyz' \
         -H 'Accept-Encoding: gzip' \
         'http://127.0.0.1:8888/search?q=foo'

In the LOG:

    DEBUG   searx.botdetection.link_token : missing ping for this request: .....

Since ``BURST_MAX_SUSPICIOUS = 2`` you can repeat the query above two time
before you get a "Too Many Requests" response.

Closes: https://github.com/searxng/searxng/issues/2455
Signed-off-by: Markus Heiser <markus.heiser@darmarit.de>
2023-05-29 14:54:56 +02:00
Markus Heiser 5226044c13 [mod] limiter: add random token to the limiter URL
By adding a random component in the limiter URL a bot can no longer send a ping
by request a static URL.

Related: https://github.com/searxng/searxng/pull/2357#issuecomment-1518525094
Signed-off-by: Markus Heiser <markus.heiser@darmarit.de>
2023-05-29 14:54:56 +02:00
Markus Heiser dba569462d [mod] limiter: reduce request rates for requests without a ping
Signed-off-by: Markus Heiser <markus.heiser@darmarit.de>
2023-05-29 14:54:56 +02:00
dalf c1b5ff7e1c Update searx.data - update_engine_descriptions.py 2023-05-29 07:28:50 +02:00
dalf 2ba50d392e Update searx.data - update_currencies.py 2023-05-29 07:28:18 +02:00
dalf cb843ef13c Update searx.data - update_engine_traits.py 2023-05-29 07:27:40 +02:00
dalf 512e001277 Update searx.data - update_firefox_version.py 2023-05-29 07:27:07 +02:00
dalf f03ac9b152 Update searx.data - update_wikidata_units.py 2023-05-29 07:26:47 +02:00
dalf e12e350f7f Update searx.data - update_ahmia_blacklist.py 2023-05-29 07:26:20 +02:00
Markus Heiser 3ca97cf5e3 [fix] simple theme: move engine alerts in case of no results into sidebar
If there were no results but errors in the engines then the error dialogs of the
engines was displayed in the result list.

With the new design errors of the engines should only be displayed in the
sidebar and at the same time duplications of the (template) code will be
avoided.

Signed-off-by: Markus Heiser <markus.heiser@darmarit.de>
2023-05-28 12:19:32 +02:00
mrpaulblack 60b94dfdca [build] /static 2023-05-28 12:19:32 +02:00
mrpaulblack f087959b02 [mod] simple theme: build design for details (collapsables)
* set border top and bottom on sidebar collasables
* inrease peading on summary so its easier to click on mobile
* remove margins and add flex wrapper to normalize elements in sidebar
2023-05-28 12:19:32 +02:00
Markus Heiser b7e315563d [mod] simple theme: collaps/expand elements in the sidebar
Make elements in the sidebar collapse able.  Except infoboxes all elements in
the sidebar are collapsed by default.

By folding out the sidebar elements, the UI looks less cluttered.  Especially on
small devices like smartphones, where the sidebar is above the results list, the
UX should be improved [1].

[1] https://github.com/searxng/searxng/issues/2140

Signed-off-by: Markus Heiser <markus.heiser@darmarit.de>
2023-05-28 12:19:32 +02:00
searxng-bot e8054026fb [translations] update from Weblate
69171f12 - 2023-05-25 - fabiosantoscode <fabiosantosart@gmail.com>
2caaed0a - 2023-05-23 - trmx <borcan.cristian1@gmail.com>
84d1702b - 2023-05-21 - return42 <markus.heiser@darmarit.de>
65cc6eb8 - 2023-05-21 - return42 <markus.heiser@darmarit.de>
e0ab3383 - 2023-05-22 - return42 <markus.heiser@darmarit.de>
23e87f15 - 2023-05-21 - return42 <markus.heiser@darmarit.de>
14f0fc6b - 2023-05-21 - return42 <markus.heiser@darmarit.de>
5b7c7b7d - 2023-05-21 - return42 <markus.heiser@darmarit.de>
c725b38d - 2023-05-21 - return42 <markus.heiser@darmarit.de>
2023-05-26 07:08:21 +00:00
Markus Heiser ebe22a4319 [fix] typo: dues --> does
Signed-off-by: Markus Heiser <markus.heiser@darmarit.de>
2023-05-22 13:18:22 +02:00
Markus Heiser bc647fabaf [fix] ClientPref - don't raise exception if Accept-Language is invalid
If the Accept-Language header [1] is set but empty or holds a value that is
unknown to babel, an excpetion is raised::

    $ curl --header 'Accept-Language: xyz' 'http://127.0.0.1:8888/search?q=foo'
    ...
    Traceback (most recent call last):
      File "searx/preferences.py", line 335, in from_http_request
        return cls(locale=pairs[0][0])
    IndexError: list index out of range

[1] https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Accept-Language

Reported by: @Eolien55 in https://github.com/searxng/searxng/issues/2434#issuecomment-1556199789
Closes: https://github.com/searxng/searxng/issues/2434
Signed-off-by: Markus Heiser <markus.heiser@darmarit.de>
2023-05-22 12:38:59 +02:00
Markus Heiser bab730c8a8
Merge pull request #2446 from searxng/translations_update
Update translations
2023-05-19 19:59:58 +02:00
pankaj 4900c091a6 use logger.warning
logger.warn() is depricated.
logger.warning is already being used in some files.
2023-05-19 19:35:29 +05:30
searxng-bot 23b53a03c2 [translations] update from Weblate
2eeec66c - 2023-05-13 - return42 <markus.heiser@darmarit.de>
87058e51 - 2023-05-13 - return42 <markus.heiser@darmarit.de>
2023-05-19 07:07:56 +00:00
Markus Heiser 007a615ffa [mod] donation_url: disable by default
SearXNG's donation campaign has been ended.

Signed-off-by: Markus Heiser <markus.heiser@darmarit.de>
2023-05-15 09:19:17 +02:00
Markus Heiser 6625b6193e
Merge pull request #2420 from searxng/translations_update
Update translations
2023-05-13 06:06:07 +02:00
Markus Heiser caebd297e9 [fix] engine ddg: minor change in the API of ddg
Closes: https://github.com/searxng/searxng/issues/2419
Signed-off-by: Markus Heiser <markus.heiser@darmarit.de>
2023-05-12 18:58:49 +02:00
searxng-bot f5c407eaa0 [translations] update from Weblate
df7e1be3 - 2023-05-10 - return42 <markus.heiser@darmarit.de>
7ae9877e - 2023-05-08 - return42 <markus.heiser@darmarit.de>
c2fe5131 - 2023-05-07 - KDesp73 <kdesp2003@gmail.com>
2023-05-12 07:07:40 +00:00
Markus Heiser a60851bd59 [fix] version format string generated by 'git show'
Newer versions of git [1] do no longer support a format string that includes a minus
to remove leading zeros [2].  The format string '%Y.%m.%d'  is more version rod.

[1] https://github.com/searxng/searxng/issues/2413#issuecomment-1542320387
[2] https://github.com/searxng/searxng/pull/2122/files

Closes: https://github.com/searxng/searxng/issues/2413
Signed-off-by: Markus Heiser <markus.heiser@darmarit.de>
2023-05-10 18:33:45 +02:00
Markus Heiser db95c4713b
Merge pull request #2406 from searxng/dependabot/npm_and_yarn/searx/static/themes/simple/master/grunt-contrib-cssmin-5.0.0
Bump grunt-contrib-cssmin from 4.0.0 to 5.0.0 in /searx/static/themes/simple
2023-05-06 05:54:15 +02:00
dependabot[bot] 673837f83e
Bump grunt-contrib-cssmin in /searx/static/themes/simple
Bumps [grunt-contrib-cssmin](https://github.com/gruntjs/grunt-contrib-cssmin) from 4.0.0 to 5.0.0.
- [Release notes](https://github.com/gruntjs/grunt-contrib-cssmin/releases)
- [Changelog](https://github.com/gruntjs/grunt-contrib-cssmin/blob/main/CHANGELOG)
- [Commits](https://github.com/gruntjs/grunt-contrib-cssmin/compare/v4.0.0...v5.0.0)

---
updated-dependencies:
- dependency-name: grunt-contrib-cssmin
  dependency-type: direct:development
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-05-05 07:57:12 +00:00
searxng-bot 54c4d08167 [translations] update from Weblate
70336613 - 2023-05-03 - return42 <markus.heiser@darmarit.de>
55d82b96 - 2023-05-03 - artnay <jiri.gronroos@iki.fi>
3911fe35 - 2023-05-03 - return42 <markus.heiser@darmarit.de>
81b6ebd1 - 2023-05-03 - return42 <markus.heiser@darmarit.de>
6655ac63 - 2023-05-01 - return42 <markus.heiser@darmarit.de>
3b9cccb8 - 2023-04-30 - return42 <markus.heiser@darmarit.de>
51601c0b - 2023-04-30 - return42 <markus.heiser@darmarit.de>
2023-05-05 07:07:41 +00:00
Markus Heiser 823c490c84 [mod] limiter: block requests from PetalBot
Block requests from PetalBlock.  Normally robots.txt is enough to stop
PetalBlock from making requests [1].  However, if SearXNG is offered below a
path (example.org/search), then the robots.txt is not available in the root
paths of the domain / subdomain.

[1] https://webmaster.petalsearch.com/site/petalbot

Signed-off-by: Markus Heiser <markus.heiser@darmarit.de>
2023-04-30 09:49:26 +02:00
Markus Heiser 7b43f98ebb
Merge pull request #2382 from searxng/translations_update
Update translations
2023-04-30 08:11:00 +02:00
Markus Heiser e0c8e1923d
Merge pull request #2390 from searxng/update_data_update_wikidata_units.py
Update searx.data - update_wikidata_units.py
2023-04-30 07:16:31 +02:00
Markus Heiser d63dbb10fc
Merge pull request #2391 from searxng/update_data_update_firefox_version.py
Update searx.data - update_firefox_version.py
2023-04-30 07:15:55 +02:00
Markus Heiser e9fdfab76e
Merge pull request #2392 from searxng/update_data_update_currencies.py
Update searx.data - update_currencies.py
2023-04-30 07:15:28 +02:00
Markus Heiser 836827517d
Merge pull request #2393 from searxng/update_data_update_ahmia_blacklist.py
Update searx.data - update_ahmia_blacklist.py
2023-04-30 07:14:53 +02:00
Markus Heiser cfc01ea068
Merge pull request #2394 from searxng/update_data_update_engine_traits.py
Update searx.data - update_engine_traits.py
2023-04-30 07:14:23 +02:00
dalf c2fbace534 Update searx.data - update_engine_descriptions.py 2023-04-29 00:24:27 +00:00
dalf 4f31ab7d4b Update searx.data - update_engine_traits.py 2023-04-29 00:14:09 +00:00
dalf df4cc070ec Update searx.data - update_ahmia_blacklist.py 2023-04-29 00:13:21 +00:00
dalf 5b93f97fb2 Update searx.data - update_currencies.py 2023-04-29 00:13:19 +00:00