Issues configuring nginx with searxng, header issues and CSP blocked on /static #93

Closed
y0nei opened this issue Oct 28, 2022 · 2 comments


y0nei commented Oct 28, 2022

Hello, I'm running docker with searxng and I want to make nginx work properly with it, but I keep getting thrown off by weird issues.
I have searched searxng/searxng-docker, searxng/searxng and the documentation, and every single one of those recommends a different method and config for setting up nginx.
The way I want to do it is to have a static configuration for nginx and reverse proxy searxng with it.

I am aware that #15 shows how to set up nginx with searxng, but I can't seem to figure out how and which configuration to use; the Caddyfile adds headers, and none of these are mentioned in issue #15.

Here is how my nginx.conf looks (and excuse my indentation in the post):

```nginx
#user searxng;   <= if i use anything else it will just throw an error
worker_processes 1;
pid /run/nginx.pid;
include /etc/nginx/modules/*.conf;

events {
    worker_connections 768;
}

http {

    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;
    server_tokens off;

    # server_names_hash_bucket_size 64;
    # server_name_in_redirect off;

    client_max_body_size 0;

    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    #access_log /config/log/nginx/access.log;
    #error_log /config/log/nginx/error.log;
    access_log /dev/null;
    error_log  /dev/null;

    include /etc/nginx/http.d/*.conf;
    include /config/nginx/site-confs/*;
    #Removed lua. Do not remove this comment

    gzip on;
    gzip_disable "msie6";
    gzip_vary on;
    gzip_min_length 10240;
    gzip_proxied expired no-cache no-store private auth;
    gzip_types text/plain text/css text/xml text/javascript application/x-javascript application/xml;


    server {
        listen  80;
        server_name  searx.zimro.xyz;

        location / {

            set $target http://192.168.1.200:8080;  # <= 127.0.0.1:8080 has not worked

            #add_header Content-Security-Policy "upgrade-insecure-requests; default-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'; form-action 'self' https://github.com/searxng/searxng/issues/new; font-src 'self'; frame-ancestors 'self'; base-uri 'self'; connect-src 'self' https://overpass-api.de; img-src 'self' data: https://*.tile.openstreetmap.org; frame-src https://www.youtube-nocookie.com https://player.vimeo.com https://www.dailymotion.com https://www.deezer.com https://www.mixcloud.com https://w.soundcloud.com https://embed.spotify.com" always;
            add_header Permissions-Policy "accelerometer=(),ambient-light-sensor=(),autoplay=(),camera=(),encrypted-media=(),focus-without-user-activation=(),geolocation=(),gyroscope=(),magnetometer=(),microphone=(),midi=(),payment=(),picture-in-picture=(),speaker=(),sync-xhr=(),usb=(),vr=()" always;
            add_header Feature-Policy "accelerometer 'none';ambient-light-sensor 'none'; autoplay 'none';camera 'none';encrypted-media 'none';focus-without-user-activation 'none'; geolocation 'none';gyroscope 'none';magnetometer 'none';microphone 'none';midi 'none';payment 'none';picture-in-picture 'none'; speaker 'none';sync-xhr 'none';usb 'none';vr 'none'" always;
            add_header X-Robots-Tag "noindex, noarchive, nofollow" always;
            add_header Referrer-Policy "no-referrer" always;
            add_header Cache-Control "no-cache, no-store" always;
            add_header Pragma "no-cache" always;
            add_header X-Frame-Options SAMEORIGIN always;

            #proxy_set_header Host $host;
            proxy_set_header Host             $target;
            proxy_set_header Connection       $http_connection;

            # see flaskfix.py
            proxy_set_header X-Scheme         $scheme;
            proxy_set_header X-Script-Name    $target;
            # see limiter.py
            proxy_set_header X-Real-IP        $remote_addr;
            proxy_set_header X-Forwarded-For  $proxy_add_x_forwarded_for;

            proxy_pass $target;
        }

        location /stats/errors {
            add_header Access-Control-Allow-Methods "GET, OPTIONS" always;
            add_header Access-Control-Allow-Origin  "*" always;
        }

        location /stats/checker {
            add_header Access-Control-Allow-Methods "GET, OPTIONS" always;
            add_header Access-Control-Allow-Origin  "*" always;
        }

        location /image_proxy {
            add_header Content-Security-Policy "default-src 'none'; img-src 'self' data:" always;
        }
    }
}
#daemon off; <= also throws an error when not commented
```

All the add_header options in location / I have added from the Caddy config; previously I had them running on nginx proxy manager and they worked just fine. But once the instance went public, it would constantly return too many requests.

I have tried this solution, originally posted by @return42 in #55 (comment):

    # see limiter.py
    proxy_set_header   X-Real-IP        $remote_addr;
    proxy_set_header   X-Forwarded-For  $proxy_add_x_forwarded_for;

It works fine in nginx itself, but sadly it wouldn't work in nginx proxy manager.

There's also an issue with /static, which can't load any resources because of the Content-Security-Policy header in the / location.
Without it, it loads fine; that's why I have it commented out above.

For .env I have SEARXNG_HOSTNAME=searx.zimro.xyz
and my docker-compose.yml looks like this:

```yaml
version: '3.7'

services:
  nginx:
    image: nginx:alpine
    container_name: searxng-nginx
    volumes:
      - ./nginx.conf:/etc/nginx/nginx.conf:ro
    ports:
      - 7880:80
    networks:
      - searxng
      - nginx-proxy
    restart: always

  redis:
    container_name: redis
    image: "redis:alpine"
    command: redis-server --save "" --appendonly "no"
    networks:
      - searxng
    tmpfs:
      - /var/lib/redis
    cap_drop:
      - ALL
    cap_add:
      - SETGID
      - SETUID
      - DAC_OVERRIDE
    restart: always

  searxng:
    container_name: searxng
    image: searxng/searxng:latest
    networks:
      - searxng
    ports:
      - "8080:8080"
    volumes:
      - ./searxng:/etc/searxng:rw
    environment:
      - SEARXNG_BASE_URL=https://searx.zimro.xyz
      # - SEARXNG_BASE_URL=https://127.0.0.1:8080
    cap_drop:
      - ALL
    cap_add:
      - CHOWN
      - SETGID
      - SETUID
      - DAC_OVERRIDE
    logging:
      driver: "json-file"
      options:
        max-size: "1m"
        max-file: "1"
    restart: always

networks:
  searxng:
    ipam:
      driver: default
  nginx-proxy:
    name: nginx-proxy-manager_default
```

And yes, I'm not setting up SSL inside my nginx.conf since I use nginx proxy manager to reverse proxy it. (I know it's pointless and I can just use npm to manage the nginx config, but it's cleaner for me that way.)

y0nei changed the title from "Issues deploying and configuring nginx with searxng" to "Issues configuring nginx with searxng, header issues and CSP blocked on /static" on Oct 28, 2022

y0nei commented Nov 1, 2022

After looking into this comment on this issue, I have added the headers listed in there; it seems to fix the too many requests error.

@return42
Member

> after looking into this comment on this issue, I have added the headers listed in there, seems to fix the too many requests error

Yes, you have to set the HTTP headers / it's now documented here: https://docs.searxng.org/src/searx.botdetection.html#x-forwarded-for
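
Added example (not part of the thread, and not SearXNG's limiter code): a simplified model of why a per-IP limiter behind the two-hop chain described in this issue (nginx proxy manager, then nginx, then the application) answers "too many requests" for everyone unless the client address is read from the forwarded headers. It assumes both hops apply the two `proxy_set_header` lines quoted above; the container addresses, the limit of 3 and all function names are hypothetical.

```python
from collections import Counter

def nginx_hop(headers, remote_addr):
    """One proxy hop applying the two proxy_set_header lines quoted above."""
    out = dict(headers)
    prior = headers.get("X-Forwarded-For")
    # $proxy_add_x_forwarded_for: incoming value with $remote_addr appended
    out["X-Forwarded-For"] = f"{prior}, {remote_addr}" if prior else remote_addr
    out["X-Real-IP"] = remote_addr  # always the directly connected peer
    return out

def client_ip(headers, peer_addr, trusted_hops):
    """Take the entry added by the outermost trusted proxy, counted from the right."""
    xff = [p.strip() for p in headers.get("X-Forwarded-For", "").split(",") if p.strip()]
    if trusted_hops < 1 or len(xff) < trusted_hops:
        return peer_addr  # headers missing or chain shorter than expected
    return xff[-trusted_hops]

def count_blocked(keys, limit=3):
    """Toy per-key limiter: requests beyond `limit` for one key are blocked."""
    seen, blocked = Counter(), 0
    for key in keys:
        seen[key] += 1
        blocked += seen[key] > limit
    return blocked

# Constructed sample: four clients, two requests each, through two proxy hops.
NPM, INNER = "172.18.0.2", "172.18.0.3"  # hypothetical container addresses
CLIENTS = ["198.51.100.7", "198.51.100.8", "203.0.113.5", "203.0.113.9"]

def through_chain(client, sent_headers=None):
    from_outer = nginx_hop(sent_headers or {}, client)  # outer proxy sees the client
    return nginx_hop(from_outer, NPM)                   # inner nginx sees the outer proxy

def simulate():
    arrived = [through_chain(c) for c in CLIENTS for _ in range(2)]
    return {
        "peer address only": count_blocked(INNER for _ in arrived),
        "X-Real-IP from inner hop": count_blocked(h["X-Real-IP"] for h in arrived),
        "X-Forwarded-For, 2 trusted hops": count_blocked(
            client_ip(h, INNER, 2) for h in arrived),
    }

if __name__ == "__main__":
    for how, blocked in simulate().items():
        print(f"{how}: {blocked} of 8 requests blocked")
```

Counting from the right by the number of proxies you operate means a value the client put into X-Forwarded-For itself never becomes the limiter key.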
