Closes: #1617
There is an issue with the setup example in https://asciimoo.github.io/searx/dev/install/installation.html#installation for subdirectory URL deployments:
```nginx
root /usr/local/searx;
location = /searx { rewrite ^ /searx/; }
try_files $uri @searx;
}
location @searx {
uwsgi_param SCRIPT_NAME /searx;
include uwsgi_params;
uwsgi_modifier1 30;
uwsgi_pass unix:/run/uwsgi/app/searx/socket;
}
```
`try_files` causes Nginx to search for files in the server root first. If it matches a file, it is returned. Only if no file matched, the request is passed to uwsgi. The worst consequence I can think of is that `settings.yml` can be downloaded without authentication (where secrets and configuration details are stored).
To fix this, I propose:
```nginx
location = /searx {
rewrite ^ /searx/;
}
location /searx/static {
}
location /searx {
uwsgi_param SCRIPT_NAME /searx;
include uwsgi_params;
uwsgi_pass unix:/run/uwsgi/app/searx/socket;
}
```
And add
```
route-run = fixpathinfo:
```
to `/etc/uwsgi/apps-available/searx.ini` because `uwsgi_modifier1 30` is apparently deprecated. Ref: https://uwsgi-docs.readthedocs.io/en/latest/Changelog-2.0.11.html#fixpathinfo-routing-action
I assume this issue exists because some uwsgi upstream docs also use the `try_files` construct (at least I have seen this somewhere in the docs or somewhere else on the Internet but cannot find it right now again).
https://uwsgi-docs.readthedocs.io/en/latest/Nginx.html#hosting-multiple-apps-in-the-same-process-aka-managing-script-name-and-path-info also warns about this:
> If used incorrectly a configuration like this may cause security problems. For your sanity’s sake, double-triple-quadruple check that your application files, configuration files and any other sensitive files are outside of the root of the static files.
Herein we add some hints and suggestions about typical architectures of
searx infrastructures. We start with a contribution from @dalf
- https://github.com/asciimoo/searx/pull/1776#issuecomment-567917320
thanks @dalf !!
Signed-off-by: Markus Heiser <markus.heiser@darmarit.de>
With the aim to simplify development cycles, started with PR #1756 a Makefile
based boilerplate was added. This patch adds the missing developer
documentation.
Signed-off-by: Markus Heiser <markus.heiser@darmarit.de>
Normalize reST sources with best practice and KISS in mind.
to name a few points:
- simplify reST tables
- make use of ``literal`` markup for monospace rendering
- fix code-blocks for better rendering in HTML
- normalize section header markup
- limit all lines to a maximum of 79 characters
- add option -H to the sudo command used in code blocks
- drop useless indentation of lists
- ...
[1] https://www.sphinx-doc.org/en/master/usage/restructuredtext/basics.html
Signed-off-by: Markus Heiser <markus.heiser@darmarit.de>
- normalize section header markup
- limit all lines to a maximum of 79 characters
- add option -H to the sudo command used in code blocks
- place *WARNING* lines into a '.. warning::' admonition block
- make use of ``literal`` markup for monospace rendering
- drop useless indentation of lists
[1] https://www.sphinx-doc.org/en/master/usage/restructuredtext/basics.html
Signed-off-by: Markus Heiser <markus.heiser@darmarit.de>
docs/admin/filtron.rst:24: \
WARNING: Could not lex literal_block as "json". Highlighting skipped.
Signed-off-by: Markus Heiser <markus.heiser@darmarit.de>
- add sphinx extensions
- patch documentation to make use of
These modules help to simplify the reST markup of external references. BTW it
helps to write more readable reST and form custom brands.
Signed-off-by: Markus Heiser <markus.heiser@darmarit.de>
The old searx theme was a copy of the flask theme. In the meantime this theme
is available from the python module pallets-sphinx-themes.
This patch makes pallets-sphinx-themes as a (dev) requirement and drops most of
the old and obsolete searx theme settings/files.
Signed-off-by: Markus Heiser <markus.heiser@darmarit.de>