[mod] upgrade to Caddy v2

.env

@@ -1,23 +1,14 @@
-# hostname
-SEARX_HOSTNAME=localhost
+# By default listen on https://localhost
+# To change this:
+# * uncomment SEARX_HOSTNAME, and replace <host> by the searx hostname
+# * uncomment LETSENCRYPT_EMAIL, and replace <email> by your email (require to create a Let's Encrypt certificate)
 
-# comment both if SEARX_HOSTNAME is NOT localhost
-SEARX_PROTOCOL=https://
-SEARX_TLS=self_signed
+# SEARX_HOSTNAME=<host>
+# LETSENCRYPT_EMAIL=<email>
 
 # automatically update settings to the new version
 # comment this line if you made / will make some modifications to the settings
 SEARX_COMMAND=-f
 
-# Let's encrypt contact information
-[email protected]
-
-# Do you agree Let's Encrypt TOS https://letsencrypt.org/repository/
-LETSENCRYPT_AGREE=false
-
 # use openssl rand -base64 33
 MORTY_KEY=ReplaceWithARealKey!
-
-# filtron ( /filtron/rules ), use for example "tr -cd '[:alnum:]' < /dev/urandom | fold -w12 | head -n1"
-FILTRON_USER=filtron
-FILTRON_PASSWORD=SetARealPassword

Caddyfile

@@ -1,21 +1,36 @@
-{$SEARX_PROTOCOL}{$SEARX_HOSTNAME} {
+{
+  admin off
+}
+
+{$SEARX_HOSTNAME} {
+  log {
+        output discard
+  }
+
   tls {$SEARX_TLS}
-  gzip {
-        not /morty
+
+  @api {
+        path /config
+	path /status
   }
-  root /srv
 
-  header /config {
-        Access-Control-Allow-Methods "GET, OPTIONS"
-        Access-Control-Allow-Origin  "*"
+  @static {
+        path /static/*
   }
 
-  header /status {
-        Access-Control-Allow-Methods "GET, OPTIONS"
-        Access-Control-Allow-Origin  "*"
+  @notstatic {
+        not path /static/*
+  }
+
+  @morty {
+        path /morty/*
   }
 
-  header / {
+  @notmorty {
+        not path /morty/*
+  }
+
+  header {
         # Enable HTTP Strict Transport Security (HSTS) to force clients to always connect via HTTPS
         Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
 
@@ -28,16 +43,9 @@
         # Disallow the site to be rendered within a frame (clickjacking protection)
         X-Frame-Options "SAMEORIGIN"
 
-        # CSP (see http://content-security-policy.com/ )
-        Content-Security-Policy "upgrade-insecure-requests; default-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'; form-action 'self'; font-src 'self'; frame-ancestors 'self'; base-uri 'self'; connect-src 'self' https://overpass-api.de; img-src 'self' data: https://*.tile.openstreetmap.org; frame-src https://www.youtube-nocookie.com https://player.vimeo.com https://www.dailymotion.com https://www.deezer.com https://www.mixcloud.com https://w.soundcloud.com https://embed.spotify.com"
-
         # Disable some features
         Feature-Policy "accelerometer 'none';ambient-light-sensor 'none'; autoplay 'none';camera 'none';encrypted-media 'none';focus-without-user-activation 'none'; geolocation 'none';gyroscope 'none';magnetometer 'none';microphone 'none';midi 'none';payment 'none';picture-in-picture 'none'; speaker 'none';sync-xhr 'none';usb 'none';vr 'none'"
 
-        # Cache
-        Cache-Control "no-cache, no-store"
-        Pragma "no-cache"
-
         # Referer
         Referrer-Policy "no-referrer"
 
@@ -48,36 +56,56 @@
         -Server
   }
 
-  header /morty {
-        Content-Security-Policy "default-src 'none'; style-src 'self' 'unsafe-inline'; form-action 'self'; frame-ancestors 'self'; base-uri 'self'; img-src 'self' data:; font-src 'self'; frame-src 'self'"
+  header @api {
+        Access-Control-Allow-Methods "GET, OPTIONS"
+        Access-Control-Allow-Origin  "*"
   }
 
-  header /static {
-        Cache-Control "public, max-age=31536000"
-        -Pragma
+  # Cache
+  header @static {
+        # Cache
+	Cache-Control "public, max-age=31536000"
+	defer
   }
 
-  rewrite / {
-        regexp ^/status$
-        to /searx-checker/status.json
+  header @notstatic {
+        # No Cache
+        Cache-Control "no-cache, no-store"
+        Pragma "no-cache"
   }
 
-  proxy / localhost:4040 {
-        transparent
-        header_upstream X-Forwarded-TlsProto {tls_protocol}
-        header_upstream X-Forwarded-TlsCipher {tls_cipher}
-        header_upstream X-Forwarded-HttpsProto {proto}
+  # CSP (see http://content-security-policy.com/ )
+  header @morty {
+	Content-Security-Policy "default-src 'none'; style-src 'self' 'unsafe-inline'; form-action 'self'; frame-ancestors 'self'; base-uri 'self'; img-src 'self' data:; font-src 'self'; frame-src 'self'"
+  }
 
-        except /searx-checker/status.json
+  header @notmorty {
+        Content-Security-Policy "upgrade-insecure-requests; default-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'; form-action 'self'; font-src 'self'; frame-ancestors 'self'; base-uri 'self'; connect-src 'self' https://overpass-api.de; img-src 'self' data: https://*.tile.openstreetmap.org; frame-src https://www.youtube-nocookie.com https://player.vimeo.com https://www.dailymotion.com https://www.deezer.com https://www.mixcloud.com https://w.soundcloud.com https://embed.spotify.com"
   }
 
-  basicauth /filtron {$FILTRON_USER} {$FILTRON_PASSWORD}
-  proxy /filtron/rules localhost:4041 {
-        without /filtron
+  # Searx-Checker
+  uri replace /status /searx-checker/status.json
+  handle /searx-checker/status.json {
+        root * /srv
+        file_server
   }
 
-  proxy /morty localhost:3000
+  # Morty
+  handle @morty {
+        reverse_proxy localhost:3000
+  }
 
-  limits 10KB
+  # Filtron
+  handle {
+        encode zstd gzip
+
+        reverse_proxy localhost:4040 {
+               header_up X-Forwarded-Port {http.request.port}
+               header_up X-Forwarded-Proto {http.request.scheme}
+               header_up X-Forwarded-TlsProto {tls_protocol}
+               header_up X-Forwarded-TlsCipher {tls_cipher}
+               header_up X-Forwarded-HttpsProto {proto}
+        }
+  }
 
 }

README.md

@@ -8,7 +8,7 @@ This is a work in progress, the bot protection is basic and not battle tested, a
 
 | Name | Description | Docker image | Dockerfile |
 | -- | -- | -- | -- |
-| [Caddy](https://github.com/caddyserver/caddy) | Reverse proxy (create a LetsEncrypt certificate automatically) | [abiosoft/caddy:1.0.3-no-stats](https://hub.docker.com/r/abiosoft/caddy) | [Dockerfile](https://github.com/abiosoft/caddy-docker/blob/master/Dockerfile-no-stats) |
+| [Caddy](https://github.com/caddy/caddy) | Reverse proxy (create a LetsEncrypt certificate automatically) | [caddy/caddy:2-alpine](https://hub.docker.com/r/caddy/caddy) | [Dockerfile](https://github.com/caddyserver/caddy-docker) |
 | [Filtron](https://github.com/asciimoo/filtron) |  Filtering reverse HTTP proxy, bot and abuse protection | [dalf/filtron:latest](https://hub.docker.com/r/dalf/filtron) | See [asciimoo/filtron#4](https://github.com/asciimoo/filtron/pull/4) |
 | [Searx](https://github.com/asciimoo/searx) | searx by itself | [searx/searx:latest](https://hub.docker.com/r/searx/searx) | [Dockerfile](https://github.com/searx/searx/blob/master/Dockerfile) |
 | [Morty](https://github.com/asciimoo/morty) | Privacy aware web content sanitizer proxy as a service. | [dalf/morty:latest](https://hub.docker.com/r/dalf/morty) | [Dockerfile](https://github.com/dalf/morty/blob/master/Dockerfile) |

docker-compose.yaml

@@ -4,23 +4,17 @@ services:
 
   caddy:
     container_name: caddy
-    image: abiosoft/caddy:1.0.3-no-stats
-    ports:
-      - 80:80
-      - 443:443
+    image: caddy/caddy:2-alpine
     network_mode: host
-    command: -email ${LETSENCRYPT_EMAIL} -agree=${LETSENCRYPT_AGREE} -log stdout -host ${SEARX_HOSTNAME} -conf /etc/Caddyfile
+    command: caddy run -config /etc/caddy/Caddyfile
     volumes:
-      - ./Caddyfile:/etc/Caddyfile:rw
-      - ./caddy:/root/.caddy:rw
-      - ./srv:/srv:rw
+      - ./Caddyfile:/etc/caddy/Caddyfile:rw
       - searx-checker:/srv/searx-checker:rw
+      - caddy-data:/data:rw
+      - caddy-config:/config:rw
     environment:
-      - SEARX_HOSTNAME=${SEARX_HOSTNAME}
-      - SEARX_PROTOCOL=${SEARX_PROTOCOL:-}
-      - SEARX_TLS=${SEARX_TLS:-}
-      - FILTRON_USER=${FILTRON_USER}
-      - FILTRON_PASSWORD=${FILTRON_PASSWORD}
+      - SEARX_HOSTNAME=${SEARX_HOSTNAME:-localhost}
+      - SEARX_TLS=${LETSENCRYPT_EMAIL:-internal}
     cap_drop:
       - ALL
     cap_add:
@@ -32,8 +26,8 @@ services:
     image: dalf/filtron
     restart: always
     ports:
-      - 4040:4040
-      - 4041:4041
+      - "127.0.0.1:4040:4040"
+      - "127.0.0.1:4041:4041"
     networks:
       - searx
     command: -listen 0.0.0.0:4040 -api 0.0.0.0:4041 -target searx:8080
@@ -54,8 +48,8 @@ services:
       - ./searx:/etc/searx:rw
     environment:
       - BIND_ADDRESS=0.0.0.0:8080
-      - BASE_URL=https://${SEARX_HOSTNAME}/
-      - MORTY_URL=https://${SEARX_HOSTNAME}/morty/
+      - BASE_URL=https://${SEARX_HOSTNAME:-localhost}/
+      - MORTY_URL=https://${SEARX_HOSTNAME:-localhost}/morty/
       - MORTY_KEY=${MORTY_KEY}
     cap_drop:
       - ALL
@@ -70,7 +64,7 @@ services:
     image: dalf/morty
     restart: always
     ports:
-      - 3000:3000
+      - "127.0.0.1:3000:3000"
     networks:
       - searx
     command: -listen 0.0.0.0:3000 -timeout 6 -ipv6
@@ -99,3 +93,5 @@ networks:
 
 volumes:
   searx-checker:
+  caddy-data:
+  caddy-config:

start.sh

@@ -5,6 +5,6 @@ cd -- "$BASE_DIR"
 
 . ./util.sh
 
-$DOCKERCOMPOSE -f $DOCKERCOMPOSEFILE down -v
+$DOCKERCOMPOSE -f $DOCKERCOMPOSEFILE down
 $DOCKERCOMPOSE -f $DOCKERCOMPOSEFILE rm -fv
 $DOCKERCOMPOSE -f $DOCKERCOMPOSEFILE up

stop.sh

@@ -5,4 +5,4 @@ cd -- "$BASE_DIR"
 
 . ./util.sh
 
-$DOCKERCOMPOSE -f $DOCKERCOMPOSEFILE down -v
+$DOCKERCOMPOSE -f $DOCKERCOMPOSEFILE down