searxngRebrandZaclys/docs/admin/installation-apache.rst

Install with apache


Install the Apache searx site using filtron.sh:

$ sudo -H ./utils/filtron.sh apache install

Install the Apache searx site using morty.sh:

$ sudo -H ./utils/morty.sh apache install

The apache HTTP server

If Apache is not installed, install it now. If Apache is new to you, the Getting Started, Configuration Files and Terms Used to Describe Directives documentation gives a first orientation. There is also a list of Apache directives to keep at hand.

Ubuntu / debian

sudo -H apt-get install apache2

Arch Linux

sudo -H pacman -S apache
sudo -H systemctl enable httpd
sudo -H systemctl start httpd

Fedora / RHEL

sudo -H dnf install httpd
sudo -H systemctl enable httpd
sudo -H systemctl start httpd

Now at http://localhost you should see some kind of Welcome or Test page. How this default intro site is configured depends on the Linux distribution (compare Apache directives).

Ubuntu / debian

less /etc/apache2/sites-enabled/000-default.conf

In this file, there is a line setting the DocumentRoot directive:

DocumentRoot /var/www/html

And the welcome page is the HTML file at /var/www/html/index.html.

Arch Linux

less /etc/httpd/conf/httpd.conf

In this file, there is a line setting the DocumentRoot directive:

DocumentRoot "/srv/http"
<Directory "/srv/http">
    Options Indexes FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>

The welcome page of Arch Linux is a page showing the directory located at DocumentRoot. This directory page is generated by the module mod_autoindex:

LoadModule autoindex_module modules/mod_autoindex.so
...
Include conf/extra/httpd-autoindex.conf

Fedora / RHEL

less /etc/httpd/conf/httpd.conf

In this file, there is a line setting the DocumentRoot directive:

DocumentRoot "/var/www/html"
...
<Directory "/var/www">
    AllowOverride None
    # Allow open access:
    Require all granted
</Directory>

On fresh installations, /var/www is empty and the default welcome page is shown. Its configuration is located at:

less /etc/httpd/conf.d/welcome.conf

Apache Reverse Proxy

public to the internet?

If your SearXNG instance is public, stop here and first install the filtron reverse proxy and the morty result proxy, see installation scripts. If already done, follow the setup in SearXNG via filtron plus morty.

To set up an Apache reverse proxy you have to enable the headers and proxy modules and create a Location configuration for the SearXNG site. In most distributions you have to un-comment the lines in the main configuration file, except in The Debian Layout.

Ubuntu / debian

In the Apache setup, enable headers and proxy modules:

sudo -H a2enmod headers
sudo -H a2enmod proxy
sudo -H a2enmod proxy_http

In The Debian Layout you create a searx.conf with the <Location /searx > directive and save this file in the sites available folder at /etc/apache2/sites-available. To enable the searx.conf use a2ensite:

sudo -H a2ensite searx.conf

Arch Linux

In the /etc/httpd/conf/httpd.conf file, activate headers and proxy modules (LoadModule):

FIXME needs test

LoadModule headers_module modules/mod_headers.so
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so

Fedora / RHEL

In the /etc/httpd/conf/httpd.conf file, activate headers and proxy modules (LoadModule):

FIXME needs test

LoadModule headers_module modules/mod_headers.so
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so

With ProxyPreserveHost the incoming Host HTTP request header is passed to the proxied host.

SearXNG via filtron plus morty

Use this setup if your instance is public to the internet; compare the architecture figure and the installation scripts.

  1. Configure a reverse proxy for filtron, listening on localhost 4004 (filtron route request):

<Location /searx >

    # SetEnvIf Request_URI "/searx" dontlog
    # CustomLog /dev/null combined env=dontlog

    Require all granted

    Order deny,allow
    Deny from all
    #Allow from fd00::/8 192.168.0.0/16 fe80::/10 127.0.0.0/8 ::1
    Allow from all

    ProxyPreserveHost On
    ProxyPass http://127.0.0.1:4004
    RequestHeader set X-Script-Name /searx

</Location>

  2. Configure a reverse proxy for morty, listening on localhost 3000:

ProxyPreserveHost On

<Location /morty >

    # SetEnvIf Request_URI "/morty" dontlog
    # CustomLog /dev/null combined env=dontlog

    Require all granted

    Order deny,allow
    Deny from all
    #Allow from fd00::/8 192.168.0.0/16 fe80::/10 127.0.0.0/8 ::1
    Allow from all

    ProxyPass http://127.0.0.1:3000
    RequestHeader set X-Script-Name /morty

</Location>

For full result proxification, add morty's public URL to your searx/settings.yml:

result_proxy:
    # replace example.org with your server's public name
    url : https://example.org/morty
    key : !!binary "insert_your_morty_proxy_key_here"

server:
    image_proxy : True
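
The two Location blocks above only protect the instance if filtron (4004) and morty (3000) accept connections from Apache alone. The following is an added example, not part of the SearXNG documentation: it reads `ss -ltnH` output and reports those ports (plus 8888, the uWSGI http port named later on this page) when they are bound outside loopback. The helper name exposed_backends and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag SearXNG backends that listen on a non-loopback address.
# Ports from this page: 4004 (filtron), 3000 (morty), 8888 (uWSGI http).

# exposed_backends (hypothetical helper) reads `ss -ltnH` output on stdin,
# prints "PORT ADDRESS" for each backend port bound outside loopback and
# returns 1 if it printed anything. Optional argument: list of ports.
exposed_backends() {
    awk -v ports="${1:-4004 3000 8888}" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        $1 == "LISTEN" {
            port = $4; sub(/^.*:/, "", port)        # text after the last colon
            host = $4; sub(/:[^:]*$/, "", host)     # text before the last colon
            gsub(/^\[|\]$/, "", host)               # [::1] -> ::1
            sub(/%.*$/, "", host)                   # drop %interface scope
            if (!(port in want)) next
            if (host ~ /^127\./ || host == "::1" || host ~ /^::ffff:127\./) next
            print port, host
            found = 1
        }
        END { exit (found ? 1 : 0) }'
}

# Constructed sample in the column layout of `ss -ltnH`
# (State Recv-Q Send-Q Local-Address:Port Peer-Address:Port).
SAMPLE_SS='LISTEN 0 128 127.0.0.1:4004 0.0.0.0:*
LISTEN 0 128 0.0.0.0:3000 0.0.0.0:*
LISTEN 0 128 [::1]:8888 [::]:*
LISTEN 0 511 *:80 *:*
LISTEN 0 128 [::]:4004 [::]:*'

printf '%s\n' "$SAMPLE_SS" | exposed_backends ||
    echo "backend reachable without passing through Apache" >&2
```

On a live host, run `ss -ltnH | exposed_backends` after restarting the services; any output means a backend can be reached directly, bypassing the reverse proxy.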

uWSGI support

Be warned: with this setup, your instance isn't protected. Nevertheless, it is good enough for intranet usage. In modern Linux distributions, mod_proxy_uwsgi is compiled into the normal Apache package and you only need to install the uWSGI package:

Ubuntu / debian

sudo -H apt-get install uwsgi

# Ubuntu <= 18.04
sudo -H apt-get install libapache2-mod-proxy-uwsgi

Arch Linux

sudo -H pacman -S uwsgi

Fedora / RHEL

sudo -H dnf install uwsgi

The next example shows a configuration using the uWSGI Apache support via unix sockets and mod_proxy_uwsgi.

For socket communication, you have to activate socket = /run/uwsgi/app/searx/socket and comment out the http = 127.0.0.1:8888 configuration in your uwsgi ini file. If it does not already exist, create a folder for the unix sockets, which can be used by the searx account (see create searx user):

sudo -H mkdir -p /run/uwsgi/app/searx/
sudo -H chown -R searx:searx /run/uwsgi/app/searx/

If the server is public, to limit access to your intranet, replace the Allow from all directive and replace 192.168.0.0/16 with your subnet IP/class.

Ubuntu / debian

LoadModule headers_module /usr/lib/apache2/modules/mod_headers.so
LoadModule proxy_module /usr/lib/apache2/modules/mod_proxy.so
LoadModule proxy_uwsgi_module /usr/lib/apache2/modules/mod_proxy_uwsgi.so

# SetEnvIf Request_URI /searx dontlog
# CustomLog /dev/null combined env=dontlog

<Location /searx>

    Require all granted
    Order deny,allow
    Deny from all
    # Allow from fd00::/8 192.168.0.0/16 fe80::/10 127.0.0.0/8 ::1
    Allow from all

    ProxyPreserveHost On
    ProxyPass unix:/run/uwsgi/app/searx/socket|uwsgi://uwsgi-uds-searx/

</Location>

Arch Linux

FIXME needs test

LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_uwsgi_module modules/mod_proxy_uwsgi.so

# SetEnvIf Request_URI /searx dontlog
# CustomLog /dev/null combined env=dontlog

<Location /searx>

    Require all granted
    Order deny,allow
    Deny from all
    # Allow from fd00::/8 192.168.0.0/16 fe80::/10 127.0.0.0/8 ::1
    Allow from all

    ProxyPreserveHost On
    ProxyPass unix:/run/uwsgi/app/searx/socket|uwsgi://uwsgi-uds-searx/

</Location>

Fedora / RHEL

FIXME needs test

LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_uwsgi_module modules/mod_proxy_uwsgi.so

<IfModule proxy_uwsgi_module>

    # SetEnvIf Request_URI /searx dontlog
    # CustomLog /dev/null combined env=dontlog

    <Location /searx>

        Require all granted
        Order deny,allow
        Deny from all
        # Allow from fd00::/8 192.168.0.0/16 fe80::/10 127.0.0.0/8 ::1
        Allow from all

        ProxyPreserveHost On
        ProxyPass unix:/run/uwsgi/app/searx/socket|uwsgi://uwsgi-uds-searx/

    </Location>

</IfModule>

old mod_wsgi

We show this only for historical reasons. DON'T USE mod_uwsgi ANYMORE!

<IfModule mod_uwsgi.c>

    # SetEnvIf Request_URI "/searx" dontlog
    # CustomLog /dev/null combined env=dontlog

    <Location /searx >

        Require all granted

        Options FollowSymLinks Indexes
        SetHandler uwsgi-handler
        uWSGISocket /run/uwsgi/app/searx/socket

        Order deny,allow
        Deny from all
        # Allow from fd00::/8 192.168.0.0/16 fe80::/10 127.0.0.0/8 ::1
        Allow from all

    </Location>

</IfModule>

Restart service

Ubuntu / debian

sudo -H systemctl restart apache2
sudo -H service uwsgi restart searx

Arch Linux

sudo -H systemctl restart httpd
sudo -H systemctl restart uwsgi@searx

Fedora / RHEL

sudo -H systemctl restart httpd
sudo -H touch /etc/uwsgi.d/searxng.ini

disable logs

For better privacy you can disable Apache logs. In the examples above activate one of the lines and restart apache:

# SetEnvIf Request_URI "/searx" dontlog
# CustomLog /dev/null combined env=dontlog

The CustomLog directive disables logs for the whole (virtual) server; use it when the URL of the service does not have a path component (/searx), i.e. when it is located at root (/).

The Debian Layout

Be aware that the Debian layout is quite different from the standard Apache configuration. For details look at the README.Debian (/usr/share/doc/apache2/README.Debian.gz). Some commands you should know on Debian:

  • apache2ctl: Apache HTTP server control interface
  • a2enmod, a2dismod: switch on/off modules
  • a2enconf, a2disconf: switch on/off configurations
  • a2ensite, a2dissite: switch on/off sites