mirror of
https://github.com/searxng/searxng.git
synced 2026-05-10 04:55:50 +02:00
Robin Schneider
a1d9c81915
Closes: #1617 There is an issue with the setup example in https://asciimoo.github.io/searx/dev/install/installation.html#installation for subdirectory URL deployments: ```nginx root /usr/local/searx; location = /searx { rewrite ^ /searx/; } try_files $uri @searx; } location @searx { uwsgi_param SCRIPT_NAME /searx; include uwsgi_params; uwsgi_modifier1 30; uwsgi_pass unix:/run/uwsgi/app/searx/socket; } ``` `try_files` causes Nginx to search for files in the server root first. If it matches a file, it is returned. Only if no file matched, the request is passed to uwsgi. The worst consequence I can think of is that `settings.yml` can be downloaded without authentication (where secrets and configuration details are stored). To fix this, I propose: ```nginx location = /searx { rewrite ^ /searx/; } location /searx/static { } location /searx { uwsgi_param SCRIPT_NAME /searx; include uwsgi_params; uwsgi_pass unix:/run/uwsgi/app/searx/socket; } ``` And add ``` route-run = fixpathinfo: ``` to `/etc/uwsgi/apps-available/searx.ini` because `uwsgi_modifier1 30` is apparently deprecated. Ref: https://uwsgi-docs.readthedocs.io/en/latest/Changelog-2.0.11.html#fixpathinfo-routing-action I assume this issue exists because some uwsgi upstream docs also use the `try_files` construct (at least I have seen this somewhere in the docs or somewhere else on the Internet but cannot find it right now again). https://uwsgi-docs.readthedocs.io/en/latest/Nginx.html#hosting-multiple-apps-in-the-same-process-aka-managing-script-name-and-path-info also warns about this: > If used incorrectly a configuration like this may cause security problems. For your sanity’s sake, double-triple-quadruple check that your application files, configuration files and any other sensitive files are outside of the root of the static files.
searx ===== A privacy-respecting, hackable `metasearch engine <https://en.wikipedia.org/wiki/Metasearch_engine>`__. Pronunciation: səːks List of `running instances <https://github.com/asciimoo/searx/wiki/Searx-instances>`__. See the `documentation <https://asciimoo.github.io/searx>`__ and the `wiki <https://github.com/asciimoo/searx/wiki>`__ for more information. |OpenCollective searx backers| |OpenCollective searx sponsors| Installation ~~~~~~~~~~~~ With Docker ------ Go to the `searx-docker <https://github.com/searx/searx-docker>`__ project. Without Docker ------ For all of the details, follow this `step by step installation <https://asciimoo.github.io/searx/dev/install/installation.html>`__. Note: the documentation needs to be updated. If you are in a hurry ------ - clone the source: ``git clone https://github.com/asciimoo/searx.git && cd searx`` - install dependencies: ``./manage.sh update_packages`` - edit your `settings.yml <https://github.com/asciimoo/searx/blob/master/searx/settings.yml>`__ (set your ``secret_key``!) - run ``python searx/webapp.py`` to start the application Bugs ~~~~ Bugs or suggestions? Visit the `issue tracker <https://github.com/asciimoo/searx/issues>`__. `License <https://github.com/asciimoo/searx/blob/master/LICENSE>`__ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ More about searx ~~~~~~~~~~~~~~~~ - `openhub <https://www.openhub.net/p/searx/>`__ - `twitter <https://twitter.com/Searx_engine>`__ - IRC: #searx @ freenode .. |OpenCollective searx backers| image:: https://opencollective.com/searx/backers/badge.svg :target: https://opencollective.com/searx#backer .. |OpenCollective searx sponsors| image:: https://opencollective.com/searx/sponsors/badge.svg :target: https://opencollective.com/searx#sponsor