Rework Caddyfile #255
Conversation
Since this header is attached to each outgoing request, the overall size is slightly increased by 300 bytes; we don't care if the site is allowed to play media in the background, so with the vast majority of features that have been added (and those that were already present)
Caddyserver actually did pass through the precompressed resources served by uWSGI (Oops)
```
log {
	output discard
}
```

```
{$SEARXNG_HOSTNAME:http://localhost}
```
Caddy is able to read from the .env file?
Probably? If used from Docker Compose, it should load all the variables from there; it also supports default value fallback: https://caddyserver.com/docs/caddyfile/concepts#environment-variables
I note, as I almost forgot this PR existed, that the default CSP is broken and forces you to use the image_proxy all the time; there are also some cache changes to try to reduce the number of requests to the server (especially /image_proxy).
That's indeed an issue. We should allow images to load without the image_proxy in case the user has disabled it. I kinda wish SearXNG would handle that by itself instead of having to set the CSP on the reverse proxy. Invidious does it natively: https://github.com/iv-org/invidious/blob/98926047586154269bb269d01e3e52e60e044035/src/invidious/routes/before_all.cr#L40-L52
Feel free to tell me if you want to continue this PR or not. If not, please close it.
The cf3b060 commit allows the CSP policy to load all images from all sources; it's kinda meh, but I don't know any better way to do it, and putting all URLs is not an option.
No problem, the PR is ready.
This PR completely reworks the Caddy config file to solve several inconveniences that are not worth having in separate PRs. The changes are these:

- `Cache-Control` header if its matcher token matches rather than doing the comparison twice in a row.
- `Strict-Transport-Security` header to not include all subdomains in the HSTS policy nor mark the latter to enter the HSTS preload list.
- `Permissions-Policy` header to remove useless features.
- `X-XSS-Protection` and `Feature-Policy` headers removed, following the standards' recommendations and evaluating the possible impact with older clients.

All changes have been tested and validated without requiring major changes for users.
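The header changes listed in the description, put together as an added illustrative Caddyfile (not the PR's own file). The site address reuses the `{$SEARXNG_HOSTNAME:http://localhost}` placeholder shown above; the `/static/*` matcher, the `localhost:8080` upstream, the `Permissions-Policy` feature list and the `img-src` policy are assumptions for illustration, and the commented-out lines show the previous, stricter settings the PR relaxes or drops.

```caddyfile
# Site address comes from the environment, with a local default (from the PR).
{$SEARXNG_HOSTNAME:http://localhost} {
	log {
		output discard
	}

	# Assumed matcher: send Cache-Control only where the matcher hits,
	# instead of comparing the path twice.
	@static path /static/*
	header @static Cache-Control "public, max-age=31536000, immutable"

	header {
		# Before (assumed): applied to every subdomain and opted into preload.
		# Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
		# After: HSTS for this host only, no preload enrolment.
		Strict-Transport-Security "max-age=31536000"

		# Assumed trimmed feature list; only features the site never needs.
		Permissions-Policy "accelerometer=(), camera=(), geolocation=(), microphone=(), payment=()"

		# Assumed policy: images may load from any HTTPS origin so the
		# image_proxy is not forced on; everything else stays same-origin.
		Content-Security-Policy "default-src 'self'; img-src 'self' https: data:; object-src 'none'"

		# Drop the headers the PR removes: X-XSS-Protection is deprecated and
		# Feature-Policy was superseded by Permissions-Policy.
		-X-XSS-Protection
		-Feature-Policy
	}

	# Assumed upstream address for the application.
	reverse_proxy localhost:8080
}
```

Run `caddy validate --config Caddyfile --adapter caddyfile` to check the syntax before reloading.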