zaclys
/
searxng
mirror of https://github.com/searxng/searxng.git
1
0
Fork 1
Code Issues Packages Projects Releases Wiki Activity
SearXNG is a free internet metasearch engine which aggregates results from various search services and databases. Users are neither tracked nor profiled.
2,910 Commits 5 Branches 17 Tags 71 MiB
Python 73.9%
Shell 10.6%
HTML 6.2%
Less 5.1%
JavaScript 2.8%
Other 1.3%
Go to file
Robin Schneider a1d9c81915
Fix Nginx subdir URL install docs which allowed download of settings.yml 
Closes: #1617

There is an issue with the setup example in https://asciimoo.github.io/searx/dev/install/installation.html#installation for subdirectory URL deployments:

```nginx
root /usr/local/searx;

location = /searx { rewrite ^ /searx/; }
        try_files $uri @searx;
}
location @searx {
        uwsgi_param SCRIPT_NAME /searx;
        include uwsgi_params;
        uwsgi_modifier1 30;
        uwsgi_pass unix:/run/uwsgi/app/searx/socket;
}
```

`try_files` causes Nginx to search for files in the server root first. If it matches a file, it is returned. Only if no file matched, the request is passed to uwsgi. The worst consequence I can think of is that  `settings.yml` can be downloaded without authentication (where secrets and configuration details are stored).

To fix this, I propose:

```nginx
location = /searx {
        rewrite ^ /searx/;
}

location /searx/static {
}

location /searx {
        uwsgi_param SCRIPT_NAME /searx;
        include uwsgi_params;
        uwsgi_pass unix:/run/uwsgi/app/searx/socket;
}
```

And add

```
route-run = fixpathinfo:
```

to `/etc/uwsgi/apps-available/searx.ini` because `uwsgi_modifier1 30` is apparently deprecated. Ref: https://uwsgi-docs.readthedocs.io/en/latest/Changelog-2.0.11.html#fixpathinfo-routing-action

I assume this issue exists because some uwsgi upstream docs also use the `try_files` construct (at least I have seen this somewhere in the docs or somewhere else on the Internet but cannot find it right now again).

https://uwsgi-docs.readthedocs.io/en/latest/Nginx.html#hosting-multiple-apps-in-the-same-process-aka-managing-script-name-and-path-info also warns about this:

> If used incorrectly a configuration like this may cause security problems. For your sanity’s sake, double-triple-quadruple check that your application files, configuration files and any other sensitive files are outside of the root of the static files.
 		2019-12-31 14:24:27 +01:00
dockerfiles 🐳 Config for instance name and autocomplete 2019-10-14 02:02:41 +02:00
docs Fix Nginx subdir URL install docs which allowed download of settings.yml 2019-12-31 14:24:27 +01:00
examples Fix whitespaces 2016-07-11 18:52:37 +07:00
searx Merge branch 'master' into fix-engine-spotify 2019-12-29 09:47:06 +01:00
tests [mod] remove useless engine unit tests 2019-12-21 21:15:09 +01:00
utils makefile.sphinx: fix gh-pages / pull before add commits 2019-12-22 23:28:07 +01:00
.codecov.yml codecov : update the commit status 2017-09-28 19:43:58 +02:00
.coveragerc Cover searx.utils 2014-07-12 15:46:55 +02:00
.dir-locals.el .dir-locals.el: add some comments about jedi & EPC 2019-11-29 13:15:15 +01:00
.dockerignore Update Docker image 2019-07-13 15:49:59 +02:00
.gitattributes [enh] add simple theme (WIP) 2017-08-06 16:04:21 +02:00
.gitignore gh-pages - build docs & deploy on gh-pages branch 2019-12-12 14:15:41 +01:00
.landscape.yaml Add landscape.io configuration 2014-07-09 22:49:38 +02:00
.pylintrc boilerplate: add pylint / WIP: balance linting with pylint 2019-11-28 20:07:10 +01:00
.travis.yml .travis.yml: robot tests: remove the xvfb dependency 2019-07-13 15:49:59 +02:00
AUTHORS.rst [enh] add @pofilo & @return42 to maintainers 2019-12-09 18:10:03 +01:00
CHANGELOG.rst update changelog and version.py 2019-01-06 21:59:59 +01:00
Dockerfile Merge pull request #1680 from robbyoconnor/patch-1 2019-12-02 13:42:33 +00:00
LICENSE [fix] full AGPLv3+ license according to #382 2015-07-04 18:23:54 +02:00
Makefile doc: describe Makefile targets 2019-12-18 16:11:05 +01:00
README.rst Update README.rst 2019-10-01 10:56:40 +10:00
babel.cfg [enh] babel.cfg added 2014-01-22 00:15:42 +01:00
manage.sh Merge pull request #1457 from hobbestigrou/force_upgrade_requirements 2019-12-17 13:55:13 +00:00
requirements-dev.txt doc(dev): reST/sphinx add tabbed views extension (sphinx_tabs.tabs) 2019-12-26 10:26:12 +01:00
requirements.txt [enh] Add Interlingua locale (requires requirements update) 2019-07-15 13:38:51 -05:00
setup.py seatup.py: fix [dev_]requirements and open file with context 2019-11-28 19:22:03 +01:00
tox.ini [enh] tox.ini added to rewrite standard pep8 rules 2015-01-02 12:26:21 +01:00

README.rst

searx

A privacy-respecting, hackable metasearch engine.

Pronunciation: səːks

List of running instances.

See the documentation and the wiki for more information.

OpenCollective searx backers OpenCollective searx sponsors

Installation

With Docker ------Go to the searx-docker project.

Without Docker ------For all of the details, follow this step by step installation.

Note: the documentation needs to be updated.

If you are in a hurry ------- clone the source: git clone https://github.com/asciimoo/searx.git && cd searx - install dependencies: ./manage.sh update_packages - edit your settings.yml (set your secret_key!) - run python searx/webapp.py to start the application

Bugs

Bugs or suggestions? Visit the issue tracker.

License

More about searx