diff --git a/coreos-config/plays/services/search/docker-compose.yaml b/coreos-config/plays/services/search/docker-compose.yaml index 7e1cdc8..702bba2 100644 --- a/coreos-config/plays/services/search/docker-compose.yaml +++ b/coreos-config/plays/services/search/docker-compose.yaml @@ -13,6 +13,7 @@ services: volumes: - ./settings.yml:/etc/searxng/settings.yml:ro,z - ./uwsgi.ini:/etc/searxng/uwsgi.ini:ro,z + - ./limiter.toml:/etc/searxng/limiter.toml:ro,z labels: - "traefik.enable=true" - "traefik.http.routers.searxng.rule=Host(`search.tobiasmanske.de`)" diff --git a/coreos-config/plays/services/search/limiter.toml b/coreos-config/plays/services/search/limiter.toml new file mode 100644 index 0000000..f2687a1 --- /dev/null +++ b/coreos-config/plays/services/search/limiter.toml @@ -0,0 +1,41 @@ +[real_ip] + +# Number of values to trust for X-Forwarded-For. + +x_for = 1 + +# The prefix defines the number of leading bits in an address that are compared +# to determine whether or not an address is part of a (client) network. + +ipv4_prefix = 32 +ipv6_prefix = 48 + +[botdetection.ip_limit] + +# To get unlimited access in a local network, by default link-lokal addresses +# (networks) are not monitored by the ip_limit +filter_link_local = false + +# activate link_token method in the ip_limit method +link_token = false + +[botdetection.ip_lists] + +# In the limiter, the ip_lists method has priority over all other methods -> if +# an IP is in the pass_ip list, it has unrestricted access and it is also not +# checked if e.g. the "user agent" suggests a bot (e.g. curl). + +block_ip = [ + # '93.184.216.34', # IPv4 of example.org + # '257.1.1.1', # invalid IP --> will be ignored, logged in ERROR class +] + +pass_ip = [ + '65.108.60.208' # Monitoring + # '192.168.0.0/16', # IPv4 private network + # 'fe80::/10' # IPv6 linklocal / wins over botdetection.ip_limit.filter_link_local +] + +# Activate passlist of (hardcoded) IPs from the SearXNG organization, +# e.g. `check.searx.space`. +pass_searxng_org = true