Our fork of searx
Robin Schneider a1d9c81915
Fix Nginx subdir URL install docs which allowed download of settings.yml
Closes: #1617

There is an issue with the setup example in https://asciimoo.github.io/searx/dev/install/installation.html#installation for subdirectory URL deployments:

```nginx
root /usr/local/searx;

location = /searx { rewrite ^ /searx/; }
location /searx {
        # try_files checks <root>$uri on disk first and only falls
        # through to @searx when no file matches
        try_files $uri @searx;
}
location @searx {
        uwsgi_param SCRIPT_NAME /searx;
        include uwsgi_params;
        uwsgi_modifier1 30;
        uwsgi_pass unix:/run/uwsgi/app/searx/socket;
}
```

`try_files` causes Nginx to search for files in the server root first. If it matches a file, it is returned. Only if no file matched, the request is passed to uwsgi. The worst consequence I can think of is that `settings.yml` can be downloaded without authentication (where secrets and configuration details are stored).

To fix this, I propose:

```nginx
location = /searx {
        rewrite ^ /searx/;
}

# only static assets are served from disk (<root>/searx/static)
location /searx/static {
}

# everything else below /searx goes to uwsgi, never to the filesystem
location /searx {
        uwsgi_param SCRIPT_NAME /searx;
        include uwsgi_params;
        uwsgi_pass unix:/run/uwsgi/app/searx/socket;
}
```

And add

```ini
route-run = fixpathinfo:
```

to `/etc/uwsgi/apps-available/searx.ini` because `uwsgi_modifier1 30` is apparently deprecated. Ref: https://uwsgi-docs.readthedocs.io/en/latest/Changelog-2.0.11.html#fixpathinfo-routing-action

I assume this issue exists because some uwsgi upstream docs also use the `try_files` construct (at least I have seen this somewhere in the docs or somewhere else on the Internet but cannot find it right now again).

https://uwsgi-docs.readthedocs.io/en/latest/Nginx.html#hosting-multiple-apps-in-the-same-process-aka-managing-script-name-and-path-info also warns about this:

> If used incorrectly a configuration like this may cause security problems. For your sanity’s sake, double-triple-quadruple check that your application files, configuration files and any other sensitive files are outside of the root of the static files.
2019-12-31 14:24:27 +01:00
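
An added example (not part of the commit or of the searx project) that models the `root` + URI lookup the two Nginx snippets above perform, so the difference can be checked offline before touching a server. It assumes the clone layout the README implies (`<root>/searx/settings.yml`, `<root>/searx/static/...`), builds that layout in a temporary directory from constructed dummy files, and compares which request paths each configuration serves straight from disk. `probe_live` is an optional network check against a real instance (pass the origin without the `/searx` prefix) and is not exercised by the offline demo.

```python
"""Model of how the two Nginx configurations map request URIs to files.

Simplified stand-in for Nginx's `root` + URI lookup (no alias, no index,
no internal redirects); enough to show why the old `try_files` block
serves settings.yml and the fixed one does not.
"""
import posixpath
import tempfile
import urllib.error
import urllib.request
from pathlib import Path

# Sub-directory the instance is deployed under (from the commit message).
PREFIX = "/searx"

# Request paths worth probing. The traversal variant is normalized away by
# Nginx before location matching, so it behaves like the plain one.
PROBES = [
    "/searx/settings.yml",
    "/searx/webapp.py",
    "/searx/../searx/settings.yml",
    "/searx/static/themes/style.css",
    "/searx/search?q=test",
]


def normalize(uri: str) -> str:
    """Strip the query string and collapse '.'/'..' segments, as Nginx
    does before matching `location` blocks."""
    path = uri.split("?", 1)[0] or "/"
    return posixpath.normpath(path)


def disk_path(root: str, path: str) -> Path:
    """Nginx resolves a request path to <root> + path."""
    return Path(root) / path.lstrip("/")


def serve_old(root: str, uri: str) -> str:
    """Old docs: `location /searx { try_files $uri @searx; }`.

    try_files consults the filesystem first, so every file below
    <root>/searx/ (settings.yml, webapp.py, ...) is served verbatim."""
    path = normalize(uri)
    if path != PREFIX and not path.startswith(PREFIX + "/"):
        return "404"
    return "file" if disk_path(root, path).is_file() else "uwsgi"


def serve_new(root: str, uri: str) -> str:
    """Fixed docs: only `location /searx/static` touches the filesystem;
    every other request below /searx is handed to uwsgi."""
    path = normalize(uri)
    if path.startswith(PREFIX + "/static/"):
        return "file" if disk_path(root, path).is_file() else "404"
    if path == PREFIX or path.startswith(PREFIX + "/"):
        return "uwsgi"
    return "404"


def build_sample_tree(root: Path) -> None:
    """Constructed stand-in for a git clone of searx at <root>: only the
    files the comparison needs, with dummy contents."""
    (root / "searx" / "static" / "themes").mkdir(parents=True)
    (root / "searx" / "settings.yml").write_text('server:\n    secret_key : "dummy"\n')
    (root / "searx" / "webapp.py").write_text("# application code\n")
    (root / "searx" / "static" / "themes" / "style.css").write_text("body {}\n")


def exposure_report(root: str) -> dict:
    """Map each probe URI to (old behaviour, fixed behaviour)."""
    return {uri: (serve_old(root, uri), serve_new(root, uri)) for uri in PROBES}


def demo() -> dict:
    """Build the sample tree in a temporary directory and report on it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(Path(tmp))
        return exposure_report(tmp)


def probe_live(base_url: str) -> dict:
    """Optional check of a deployed instance (needs network; base_url is the
    origin without /searx): a 200 for settings.yml or webapp.py means the
    old configuration is still live."""
    statuses = {}
    for uri in PROBES:
        req = urllib.request.Request(base_url.rstrip("/") + uri, method="HEAD")
        try:
            with urllib.request.urlopen(req, timeout=5) as resp:
                statuses[uri] = resp.status
        except urllib.error.HTTPError as exc:
            statuses[uri] = exc.code
    return statuses


if __name__ == "__main__":
    for uri, (old, new) in demo().items():
        print(f"{uri:34} old config: {old:6} fixed config: {new}")
```

Running the script prints `file` for `settings.yml` and `webapp.py` under the old block and `uwsgi` under the fixed one, while the stylesheet under `static/` is served from disk by both; the `..` variant shows that traversal does not add anything beyond what the plain path already exposes, because normalization happens before the location match.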
| Path | Last commit | Date |
|---|---|---|
| dockerfiles | 🐳 Config for instance name and autocomplete | 2019-10-14 02:02:41 +02:00 |
| docs | Fix Nginx subdir URL install docs which allowed download of settings.yml | 2019-12-31 14:24:27 +01:00 |
| examples | Fix whitespaces | 2016-07-11 18:52:37 +07:00 |
| searx | Merge branch 'master' into fix-engine-spotify | 2019-12-29 09:47:06 +01:00 |
| tests | [mod] remove useless engine unit tests | 2019-12-21 21:15:09 +01:00 |
| utils | makefile.sphinx: fix gh-pages / pull before add commits | 2019-12-22 23:28:07 +01:00 |
| .codecov.yml | codecov : update the commit status | 2017-09-28 19:43:58 +02:00 |
| .coveragerc | Cover searx.utils | 2014-07-12 15:46:55 +02:00 |
| .dir-locals.el | .dir-locals.el: add some comments about jedi & EPC | 2019-11-29 13:15:15 +01:00 |
| .dockerignore | Update Docker image | 2019-07-13 15:49:59 +02:00 |
| .gitattributes | [enh] add simple theme (WIP) | 2017-08-06 16:04:21 +02:00 |
| .gitignore | gh-pages - build docs & deploy on gh-pages branch | 2019-12-12 14:15:41 +01:00 |
| .landscape.yaml | Add landscape.io configuration | 2014-07-09 22:49:38 +02:00 |
| .pylintrc | boilerplate: add pylint / WIP: balance linting with pylint | 2019-11-28 20:07:10 +01:00 |
| .travis.yml | .travis.yml: robot tests: remove the xvfb dependency | 2019-07-13 15:49:59 +02:00 |
| AUTHORS.rst | [enh] add @pofilo & @return42 to maintainers | 2019-12-09 18:10:03 +01:00 |
| CHANGELOG.rst | update changelog and version.py | 2019-01-06 21:59:59 +01:00 |
| Dockerfile | Merge pull request #1680 from robbyoconnor/patch-1 | 2019-12-02 13:42:33 +00:00 |
| LICENSE | [fix] full AGPLv3+ license according to #382 | 2015-07-04 18:23:54 +02:00 |
| Makefile | doc: describe Makefile targets | 2019-12-18 16:11:05 +01:00 |
| README.rst | Update README.rst | 2019-10-01 10:56:40 +10:00 |
| babel.cfg | [enh] babel.cfg added | 2014-01-22 00:15:42 +01:00 |
| manage.sh | Merge pull request #1457 from hobbestigrou/force_upgrade_requirements | 2019-12-17 13:55:13 +00:00 |
| requirements-dev.txt | doc(dev): reST/sphinx add tabbed views extension (sphinx_tabs.tabs) | 2019-12-26 10:26:12 +01:00 |
| requirements.txt | [enh] Add Interlingua locale (requires requirements update) | 2019-07-15 13:38:51 -05:00 |
| setup.py | setup.py: fix [dev_]requirements and open file with context | 2019-11-28 19:22:03 +01:00 |
| tox.ini | [enh] tox.ini added to rewrite standard pep8 rules | 2015-01-02 12:26:21 +01:00 |

README.rst


searx
=====

A privacy-respecting, hackable `metasearch
engine <https://en.wikipedia.org/wiki/Metasearch_engine>`__.

Pronunciation: səːks

List of `running
instances <https://github.com/asciimoo/searx/wiki/Searx-instances>`__.

See the `documentation <https://asciimoo.github.io/searx>`__ and the `wiki <https://github.com/asciimoo/searx/wiki>`__ for more information.

|OpenCollective searx backers|
|OpenCollective searx sponsors|

Installation
~~~~~~~~~~~~

With Docker
-----------
Go to the `searx-docker <https://github.com/searx/searx-docker>`__ project.

Without Docker
--------------
For all of the details, follow this `step by step installation <https://asciimoo.github.io/searx/dev/install/installation.html>`__.

Note: the documentation needs to be updated.

If you are in a hurry
---------------------
-  clone the source:
   ``git clone https://github.com/asciimoo/searx.git && cd searx``
-  install dependencies: ``./manage.sh update_packages``
-  edit your
   `settings.yml <https://github.com/asciimoo/searx/blob/master/searx/settings.yml>`__
   (set your ``secret_key``!)
-  run ``python searx/webapp.py`` to start the application
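
An added example, not part of the searx project, for the "set your ``secret_key``" step above: it generates a random key with the standard library and rewrites the ``secret_key`` line of a settings file in place, refusing to install a value that is still a placeholder. The placeholder string ``ultrasecretkey`` and the ``secret_key : "..."`` line layout are assumptions about the shipped settings.yml; the ``SAMPLE`` excerpt is constructed for the demo.

```python
"""Rotate the searx `secret_key` in settings.yml without a YAML dependency.

A line-oriented edit is used on purpose: round-tripping the file through a
YAML library would drop comments and reorder keys.
"""
import os
import re
import secrets
from pathlib import Path

# Assumed placeholder shipped in the default settings.yml; anything this
# short is treated as weak regardless of its value.
PLACEHOLDERS = {"ultrasecretkey", "changeme", ""}
MIN_KEY_LENGTH = 32

# Matches `secret_key : "value"` (quotes optional) and keeps everything
# around the value, including a trailing comment, intact.
KEY_LINE = re.compile(
    r'^(?P<head>[ \t]*secret_key[ \t]*:[ \t]*)'
    r'(?P<q>["\']?)(?P<value>[^"\'#\n]*?)(?P=q)'
    r'(?P<tail>[ \t]*(?:#[^\n]*)?)$',
    re.MULTILINE,
)

# Constructed excerpt of a settings.yml with the placeholder still in place.
SAMPLE = (
    "server:\n"
    "    port : 8888\n"
    '    secret_key : "ultrasecretkey" # change this!\n'
    "    base_url : False\n"
)


def find_secret_key(text: str) -> str:
    """Return the current secret_key value (without quotes)."""
    m = KEY_LINE.search(text)
    if m is None:
        raise ValueError("no secret_key entry found")
    return m["value"].strip()


def is_weak(value: str) -> bool:
    """Placeholder or too short to resist guessing."""
    v = value.strip()
    return v in PLACEHOLDERS or len(v) < MIN_KEY_LENGTH


def rotate_secret_key(text: str, new_key: str = "") -> tuple:
    """Return (new_text, key); a fresh 256-bit hex key unless one is given."""
    m = KEY_LINE.search(text)
    if m is None:
        raise ValueError("no secret_key entry found")
    key = new_key or secrets.token_hex(32)
    if is_weak(key):
        raise ValueError("refusing to install a weak secret_key")
    line = f'{m["head"]}"{key}"{m["tail"]}'
    return text[:m.start()] + line + text[m.end():], key


def rotate_file(path: str) -> str:
    """Rewrite settings.yml in place, tighten its mode (the file now holds
    a secret) and return the new key."""
    p = Path(path)
    new_text, key = rotate_secret_key(p.read_text())
    p.write_text(new_text)
    os.chmod(p, 0o600)
    return key


if __name__ == "__main__":
    before = find_secret_key(SAMPLE)
    after_text, key = rotate_secret_key(SAMPLE)
    print(f"before: {before!r} weak={is_weak(before)}")
    print(f"after : {find_secret_key(after_text)!r} weak={is_weak(key)}")
```

``rotate_file("searx/settings.yml")`` performs the edit on a real checkout; because the rest of the file is copied through byte for byte, the surrounding comments and key order survive, which a YAML round trip would not guarantee.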


Bugs
~~~~

Bugs or suggestions? Visit the `issue
tracker <https://github.com/asciimoo/searx/issues>`__.

`License <https://github.com/asciimoo/searx/blob/master/LICENSE>`__
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

More about searx
~~~~~~~~~~~~~~~~

-  `openhub <https://www.openhub.net/p/searx/>`__
-  `twitter <https://twitter.com/Searx_engine>`__
-  IRC: #searx @ freenode


.. |OpenCollective searx backers| image:: https://opencollective.com/searx/backers/badge.svg
   :target: https://opencollective.com/searx#backer


.. |OpenCollective searx sponsors| image:: https://opencollective.com/searx/sponsors/badge.svg
   :target: https://opencollective.com/searx#sponsor