From a1d9c81915b169272cf26139445f3e08e9b689b9 Mon Sep 17 00:00:00 2001 
From: Robin Schneider Date: Tue, 31 Dec 2019 14:24:27 +0100 Subject: [PATCH 1/3] Fix Nginx subdir URL install docs which allowed download of settings.yml MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Closes: #1617 There is an issue with the setup example in https://asciimoo.github.io/searx/dev/install/installation.html#installation for subdirectory URL deployments: ```nginx root /usr/local/searx; location = /searx { rewrite ^ /searx/; } try_files $uri @searx; } location @searx { uwsgi_param SCRIPT_NAME /searx; include uwsgi_params; uwsgi_modifier1 30; uwsgi_pass unix:/run/uwsgi/app/searx/socket; } ``` `try_files` causes Nginx to search for files in the server root first. If it matches a file, it is returned. Only if no file matched, the request is passed to uwsgi. The worst consequence I can think of is that `settings.yml` can be downloaded without authentication (where secrets and configuration details are stored). To fix this, I propose: ```nginx location = /searx { rewrite ^ /searx/; } location /searx/static { } location /searx { uwsgi_param SCRIPT_NAME /searx; include uwsgi_params; uwsgi_pass unix:/run/uwsgi/app/searx/socket; } ``` And add ``` route-run = fixpathinfo: ``` to `/etc/uwsgi/apps-available/searx.ini` because `uwsgi_modifier1 30` is apparently deprecated. Ref: https://uwsgi-docs.readthedocs.io/en/latest/Changelog-2.0.11.html#fixpathinfo-routing-action I assume this issue exists because some uwsgi upstream docs also use the `try_files` construct (at least I have seen this somewhere in the docs or somewhere else on the Internet but cannot find it right now again). https://uwsgi-docs.readthedocs.io/en/latest/Nginx.html#hosting-multiple-apps-in-the-same-process-aka-managing-script-name-and-path-info also warns about this: > If used incorrectly a configuration like this may cause security problems. 
For your sanity’s sake, double-triple-quadruple check that your application files, configuration files and any other sensitive files are outside of the root of the static files. --- docs/admin/installation.rst | 16 ++++++++++------ 1 file changed, 10 insertions(+), 6 deletions(-) diff --git a/docs/admin/installation.rst b/docs/admin/installation.rst index 239ce070..28a6b061 100644 --- a/docs/admin/installation.rst +++ b/docs/admin/installation.rst @@ -114,6 +114,9 @@ content: # Module to import module = searx.webapp + # Support running the module from a webserver subdirectory. + route-run = fixpathinfo: + # Virtualenv and python path virtualenv = /usr/local/searx/searx-ve/ pythonpath = /usr/local/searx/ @@ -180,14 +183,16 @@ Add this configuration in the server config file .. code:: nginx - location = /searx { rewrite ^ /searx/; } - location /searx { - try_files $uri @searx; + location = /searx { + rewrite ^ /searx/; } - location @searx { + + location /searx/static { + } + + location /searx { uwsgi_param SCRIPT_NAME /searx; include uwsgi_params; - uwsgi_modifier1 30; uwsgi_pass unix:/run/uwsgi/app/searx/socket; } @@ -338,4 +343,3 @@ References * How to: `Setup searx in a couple of hours with a free SSL certificate `__ - From 088337295aaeebf8a37d6b4e859cd59019cd3d27 Mon Sep 17 00:00:00 2001 From: Robin Schneider Date: Tue, 31 Dec 2019 14:37:01 +0100 Subject: [PATCH 2/3] Simplify Nginx example by using alias directive for subdirectory URL We explicitly specify the static directory here using alias to allow to host from another subdirectory than "searx" which just so happens to match the source code directory. --- docs/admin/installation.rst | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/docs/admin/installation.rst b/docs/admin/installation.rst index 28a6b061..e0b3779f 100644 --- a/docs/admin/installation.rst +++ b/docs/admin/installation.rst 
@@ -183,11 +183,8 @@ Add this configuration in the server config file .. code:: nginx - location = /searx { - rewrite ^ /searx/; - } - location /searx/static { + alias /usr/local/searx/searx/static; } location /searx { From 3e5a3ee4e49c739fdc464d47252c684a42620d48 Mon Sep 17 00:00:00 2001 From: Robin Schneider Date: Tue, 31 Dec 2019 14:38:30 +0100 Subject: [PATCH 3/3] Let Nginx deliver static files directory in all examples --- docs/admin/installation.rst | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/docs/admin/installation.rst b/docs/admin/installation.rst index e0b3779f..15800fc0 100644 --- a/docs/admin/installation.rst +++ b/docs/admin/installation.rst @@ -154,7 +154,10 @@ content: server { listen 80; server_name searx.example.com; - root /usr/local/searx; + root /usr/local/searx/searx; + + location /static { + } location / { include uwsgi_params; @@ -199,6 +202,10 @@ in case of single-user or low-traffic instances.) .. code:: nginx + location /searx/static { + alias /usr/local/searx/searx/static; + } + location /searx { proxy_pass http://127.0.0.1:8888; proxy_set_header Host $host;
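Review bot: the `route-run = fixpathinfo:` line added after `module = searx.webapp` in the uwsgi ini hunk of patch 1/3 is only available on uWSGI builds that ship the `fixpathinfo` routing action, which the changelog linked in the commit message introduces in 2.0.11, and it is the replacement for the removed `uwsgi_modifier1 30;`, so the docs should state that minimum version next to the new comment, e.g. `# Requires uWSGI 2.0.11 or later (fixpathinfo routing action).`, so that an admin on an older uWSGI knows why the subdirectory deployment does not work.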
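Review bot: the new empty `location /searx/static { }` block in the nginx hunk of patch 1/3 only resolves to the right filesystem path because the server-level `root /usr/local/searx;` (quoted in the commit message) plus the package directory happening to be named `searx` combine to `/usr/local/searx/searx/static`, and that same server-level root keeps serving any request path that is not under `/searx` straight from the install tree, which also holds the virtualenv at `/usr/local/searx/searx-ve/` declared in the ini hunk, unless the full server block has a catch-all location that is not visible here. Either point `root` at an empty directory or give the static location an explicit `alias`, and say in the rst text next to the snippet why `try_files` was dropped, since the surrounding docs prose is unchanged and a reader of the rendered docs never sees this commit message.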
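Review bot: the hunk in patch 2/3 deletes the `location = /searx { rewrite ^ /searx/; }` block while introducing `alias`, but the commit message only explains the alias; state why the exact-match redirect is no longer needed, because after this change a request for exactly `/searx` falls into `location /searx` and is handed to uWSGI with `SCRIPT_NAME /searx` and nothing after it, and a reader cannot tell whether that is intended. Also keep `location /searx/static` and `alias /usr/local/searx/searx/static` consistent about trailing slashes as they are here (neither has one): the mismatched form, a prefix location without a trailing slash combined with an alias that has one, is the well-known nginx misconfiguration that maps URIs continuing past the prefix outside the aliased directory and would re-open exactly the kind of exposure this series fixes, so a comment in the rst saying the two lines must be edited together is worth adding.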
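Review bot: in the first hunk of patch 3/3 the server-level `root` moves from `/usr/local/searx` down into `/usr/local/searx/searx`, the source code directory itself (as patch 2/3 calls it); nothing is exposed only because the visible `location / { include uwsgi_params; ... }` block catches every path that `location /static { }` does not, so a later edit that adds another static location or reintroduces `try_files` would serve the source tree again. Prefer the form the subdirectory example uses, `location /static { alias /usr/local/searx/searx/static; }` with `root` pointing at an empty directory, and add a one-line comment in the rst saying that `root` must never point into the application tree.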
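Review bot: the second hunk of patch 3/3 adds the `location /searx/static { alias ...; }` block to the `proxy_pass` example without touching the sentence above it ("in case of single-user or low-traffic instances"), which still describes the proxy setup as if everything went to the application; add a sentence there saying that static files are now served directly by Nginx and that this block must stay alongside `location /searx` (nginx picks the longest matching prefix, so their order in the file does not matter).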