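# {{ ansible_managed }}
#
# Caddyfile for the {$HOSTNAME} deployment, rendered by Ansible.
#   {{ ... }}  Jinja2, substituted at deploy time (backend IPs, CIDR lists).
#   {$...}     Caddy environment placeholders, read when Caddy loads the config.
#
# Review change: redirect and forward_auth targets are now built from
# {$HOSTNAME} instead of the literal "opnxng.com", so the file stays
# self-consistent with the site addresses above each block. With
# HOSTNAME=opnxng.com the rendered URLs are unchanged.

{
	# No admin API endpoint: nothing can reconfigure Caddy at runtime.
	admin off
	# DNS-01 ACME challenge through Cloudflare (caddy-dns/cloudflare plugin).
	# The token is only used to create/delete _acme-challenge TXT records;
	# scope it to Zone.DNS:Edit on this one zone, nothing wider.
	acme_dns cloudflare {$CLOUDFLARE_API_TOKEN}
	# Directive ordering for the rate_limit plugin. No rate_limit directive
	# appears in this file; the order is declared so a site can add one
	# without touching the global options.
	order rate_limit before basicauth
}

# ----------------------------------------------------------------------------------------------------
# SearXNG
{$HOSTNAME} {
	# No access log at all: search queries must never be written to disk.
	log {
		output discard
	}

	# Named matchers used by the header directives below.
	@api {
		path /config
		path /healthz
		path /stats/errors
		path /stats/checker
	}
	@static {
		path /static/*
	}
	@notstatic {
		not path /static/*
	}
	@imageproxy {
		path /image_proxy
	}
	@notimageproxy {
		not path /image_proxy
	}

	# Security headers on every response. "-Server" removes the Server header
	# so neither Caddy nor the upstream advertise themselves.
	header {
		Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
		# Legacy header. Current guidance is "0": the browser XSS auditor this
		# enables has known XS-Leak side channels, and the CSP set below already
		# covers script injection. Left unchanged here; revisit deliberately.
		X-XSS-Protection "1; mode=block"
		X-Content-Type-Options "nosniff"
		Permissions-Policy "accelerometer=(),ambient-light-sensor=(),autoplay=(),camera=(),encrypted-media=(),focus-without-user-activation=(),geolocation=(),gyroscope=(),magnetometer=(),microphone=(),midi=(),payment=(),picture-in-picture=(),speaker=(),sync-xhr=(),usb=(),vr=()"
		# Feature-Policy is the deprecated predecessor of Permissions-Policy,
		# kept for browsers that only understand the old syntax.
		Feature-Policy "accelerometer 'none';ambient-light-sensor 'none'; autoplay 'none';camera 'none';encrypted-media 'none';focus-without-user-activation 'none'; geolocation 'none';gyroscope 'none';magnetometer 'none';microphone 'none';midi 'none';payment 'none';picture-in-picture 'none'; speaker 'none';sync-xhr 'none';usb 'none';vr 'none'"
		Referrer-Policy "no-referrer"
		X-Robots-Tag "noindex, noarchive, nofollow"
		-Server
	}

	# Read-only public JSON endpoints: allow cross-origin GET from anywhere.
	header @api {
		Access-Control-Allow-Methods "GET, OPTIONS"
		Access-Control-Allow-Origin "*"
	}

	# Static assets are immutable per release: cache for a year. "defer" applies
	# the header after the upstream response so it overrides whatever the
	# backend sent.
	header @static {
		Cache-Control "public, max-age=31536000"
		defer
	}
	# Everything else carries user-specific content (queries, preferences):
	# never cache.
	header @notstatic {
		Cache-Control "no-cache, no-store"
		Pragma "no-cache"
	}

	# CSP (see http://content-security-policy.com/ )
	# The image proxy only ever returns an image body, so it gets a minimal
	# policy; the UI gets the full one.
	header @imageproxy {
		Content-Security-Policy "default-src 'none'; img-src 'self' data:"
	}
	header @notimageproxy {
		Content-Security-Policy "upgrade-insecure-requests; default-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'; form-action 'self' https://github.com/searxng/searxng/issues/new; font-src 'self'; frame-ancestors 'self'; base-uri 'self'; connect-src 'self' https://overpass-api.de; img-src 'self' data: https://*.tile.openstreetmap.org; frame-src https://www.youtube-nocookie.com https://player.vimeo.com https://www.dailymotion.com https://www.deezer.com https://www.mixcloud.com https://w.soundcloud.com https://embed.spotify.com"
	}

	# SearXNG backends on the private network, sticky per client IP so a
	# user's preference cookie keeps hitting the same instance. An upstream
	# failing 3 times is taken out for 30s.
	handle {
		encode zstd gzip
		reverse_proxy {
			to {{ oracle1_private_ip }}:8080
			to {{ oracle2_private_ip }}:8080
			to {{ oracle3_private_ip }}:8080
			to {{ oracle4_private_ip }}:8080
			lb_policy ip_hash
			lb_try_duration 5s
			lb_try_interval 1s
			fail_duration 30s
			max_fails 3
			# remote_host is the TCP peer, so this cannot be spoofed by a
			# client-supplied header. No trusted_proxies are configured, so
			# the client_ip matchers below use the same peer address.
			header_up X-Real-IP {remote_host}
			header_up X-Forwarded-Port {http.request.port}
			header_up X-Forwarded-Proto {http.request.scheme}
		}
	}

	# IP block range by ProjectSegfault
	# respond is ordered before handle, so blocked clients never reach the proxy.
	@spam client_ip {{ blocked_ranges }}
	respond @spam "Unfortunately, your IP is part of a range that has been involved in mass spam to our servers. If you think our action was a mistake, please email us." 403

	# IP block range by return42
	@botnet client_ip {{ botnet_ranges }}
	respond @botnet "Unfortunately, your IP is part of a range that has been involved in a botnet to our servers. If you think our action was a mistake, please email us." 403
}

# ----------------------------------------------------------------------------------------------------
# Other subdomains
*.{$HOSTNAME} {
	log {
		output discard
	}

	# Catch-all: any subdomain not claimed by one of the host matchers below
	# is closed without a response. Caddy orders handle blocks that carry a
	# matcher ahead of a bare handle, so this runs last regardless of where
	# it sits in the file; confirm with `caddy adapt` after editing.
	handle {
		abort
	}

	# Baseline headers for every subdomain. sync-xhr is deliberately not
	# disabled here (see trailing comments), unlike on the SearXNG site.
	header {
		Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
		# Legacy header, see the note on the SearXNG site block.
		X-XSS-Protection "1; mode=block"
		X-Content-Type-Options "nosniff"
		Permissions-Policy "accelerometer=(),ambient-light-sensor=(),autoplay=(),camera=(),encrypted-media=(),focus-without-user-activation=(),geolocation=(),gyroscope=(),magnetometer=(),microphone=(),midi=(),payment=(),picture-in-picture=(),speaker=(),usb=(),vr=()" #sync-xhr=(),
		Feature-Policy "accelerometer 'none';ambient-light-sensor 'none'; autoplay 'none';camera 'none';encrypted-media 'none';focus-without-user-activation 'none'; geolocation 'none';gyroscope 'none';magnetometer 'none';microphone 'none';midi 'none';payment 'none';picture-in-picture 'none'; speaker 'none';usb 'none';vr 'none'" #sync-xhr 'none';
		Referrer-Policy "no-referrer"
		X-Frame-Options SAMEORIGIN
		-Server
	}

	# IP block range by ProjectSegfault
	@denied client_ip {{ blocked_ranges }}
	respond @denied "Unfortunately, your IP is part of a range that has been involved in mass spam to our servers. If you think our action was a mistake, please email us." 403

	# --- Static about page -------------------------------------------------
	# Served straight from disk. file_server has no "hide" list here, so make
	# sure nothing under /www is deploy-only (dotfiles, backups).
	@about host about.{$HOSTNAME}
	handle @about {
		root * /www
		encode gzip
		file_server
		header {
			Content-Security-Policy "default-src 'self';base-uri 'self';block-all-mixed-content;font-src 'self' https: data:;frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src 'self';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests"
		}
	}

	# --- Redirect-only hosts ----------------------------------------------
	# redir defaults to 302. Hosts for retired services point at the blog
	# section explaining the shutdown.
	@www host www.{$HOSTNAME}
	handle @www {
		redir https://{$HOSTNAME}{uri}
	}
	@x host x.{$HOSTNAME}
	handle @x {
		redir https://{$HOSTNAME}{uri}
	}
	@tt host tt.{$HOSTNAME}
	handle @tt {
		redir https://about.{$HOSTNAME}/blog/#proxitok
	}
	@yt host yt.{$HOSTNAME}
	handle @yt {
		redir https://about.{$HOSTNAME}/blog/#cloudtube
	}
	@n host n.{$HOSTNAME}
	handle @n {
		redir https://about.{$HOSTNAME}/blog/#nitter
	}
	@i host i.{$HOSTNAME}
	handle @i {
		redir https://l.{$HOSTNAME}{uri}
	}

	# --- Proxied services --------------------------------------------------
	# Each host maps to one upstream port. Services with four "to" entries are
	# replicated on every Oracle node with ip_hash stickiness; the rest run on
	# a single node. All upstreams are plain HTTP on the private network.
	# X-Robots-Tag keeps proxied third-party content out of search indexes.
	@l host l.{$HOSTNAME}
	handle @l {
		encode zstd gzip
		reverse_proxy {
			to {{ oracle1_private_ip }}:8882
			to {{ oracle2_private_ip }}:8882
			to {{ oracle3_private_ip }}:8882
			to {{ oracle4_private_ip }}:8882
			lb_policy ip_hash
			lb_try_duration 5s
			lb_try_interval 1s
			fail_duration 30s
			max_fails 3
		}
		header {
			Content-Security-Policy "default-src 'self';base-uri 'self';block-all-mixed-content;font-src 'self' https: data:;frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src 'self';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests"
			X-Robots-Tag "noindex, noimageindex, nosnippet, notranslate, noarchive, nofollow"
		}
	}

	# No encode here (unlike the other hosts); presumably intentional for this
	# upstream — confirm before "fixing".
	@b host b.{$HOSTNAME}
	handle @b {
		reverse_proxy {{ oracle1_private_ip }}:8884
		header {
			X-Robots-Tag "noindex, noimageindex, nosnippet, notranslate, noarchive, nofollow"
		}
	}

	@git host git.{$HOSTNAME}
	handle @git {
		encode zstd gzip
		reverse_proxy {{ oracle3_private_ip }}:8885
		header {
			X-Robots-Tag "noindex, noimageindex, nosnippet, notranslate, noarchive, nofollow"
		}
	}

	@s host s.{$HOSTNAME}
	handle @s {
		encode zstd gzip
		reverse_proxy {{ oracle1_private_ip }}:8886
		header {
			X-Robots-Tag "noindex, noimageindex, nosnippet, notranslate, noarchive, nofollow"
		}
	}

	@p host p.{$HOSTNAME}
	handle @p {
		encode zstd gzip
		reverse_proxy {
			to {{ oracle1_private_ip }}:8887
			to {{ oracle2_private_ip }}:8887
			to {{ oracle3_private_ip }}:8887
			to {{ oracle4_private_ip }}:8887
			lb_policy ip_hash
			lb_try_duration 5s
			lb_try_interval 1s
			fail_duration 30s
			max_fails 3
		}
		header {
			X-Robots-Tag "noindex, noimageindex, nosnippet, notranslate, noarchive, nofollow"
		}
	}

	# Authentication portal. The same backend (oracle4:8888) is used by the
	# forward_auth on f. below; it sets its own headers, so none are added.
	@auth host auth.{$HOSTNAME}
	handle @auth {
		reverse_proxy {{ oracle4_private_ip }}:8888
	}

	@t host t.{$HOSTNAME}
	handle @t {
		encode zstd gzip
		reverse_proxy {
			to {{ oracle1_private_ip }}:8889
			to {{ oracle2_private_ip }}:8889
			to {{ oracle3_private_ip }}:8889
			to {{ oracle4_private_ip }}:8889
			lb_policy ip_hash
			lb_try_duration 5s
			lb_try_interval 1s
			fail_duration 30s
			max_fails 3
		}
		header {
			Content-Security-Policy "default-src 'self';base-uri 'self';block-all-mixed-content;font-src 'self' https: data:;frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src 'self';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests"
			X-Robots-Tag "noindex, noimageindex, nosnippet, notranslate, noarchive, nofollow"
		}
	}

	@m host m.{$HOSTNAME}
	handle @m {
		encode zstd gzip
		reverse_proxy {
			to {{ oracle1_private_ip }}:8890
			to {{ oracle2_private_ip }}:8890
			to {{ oracle3_private_ip }}:8890
			to {{ oracle4_private_ip }}:8890
			lb_policy ip_hash
			lb_try_duration 5s
			lb_try_interval 1s
			fail_duration 30s
			max_fails 3
		}
		header {
			X-Robots-Tag "noindex, noimageindex, nosnippet, notranslate, noarchive, nofollow"
		}
	}

	@e host e.{$HOSTNAME}
	handle @e {
		encode zstd gzip
		reverse_proxy {{ oracle3_private_ip }}:8891
		header {
			X-Robots-Tag "noindex, noimageindex, nosnippet, notranslate, noarchive, nofollow"
		}
	}

	@it host it.{$HOSTNAME}
	handle @it {
		encode zstd gzip
		reverse_proxy {
			to {{ oracle1_private_ip }}:8892
			to {{ oracle2_private_ip }}:8892
			to {{ oracle3_private_ip }}:8892
			to {{ oracle4_private_ip }}:8892
			lb_policy ip_hash
			lb_try_duration 5s
			lb_try_interval 1s
			fail_duration 30s
			max_fails 3
		}
		header {
			X-Robots-Tag "noindex, noimageindex, nosnippet, notranslate, noarchive, nofollow"
		}
	}

	# --- Geo-fenced, login-gated service -----------------------------------
	# The matcher only fires for the host AND an allowed country
	# (maxmind_geolocation plugin); anything else falls through to the
	# catch-all abort above, so blocked countries get a closed connection,
	# not a 403.
	@f {
		host f.{$HOSTNAME}
		maxmind_geolocation {
			db_path "/etc/caddy/GeoLite2-City.mmdb"
			allow_countries {{ allow_countries }}
		}
	}
	handle @f {
		# Every request is first verified by the auth service (oracle4:8888,
		# the same backend served at auth.). On success the listed Remote-*
		# headers from the auth response are copied onto the upstream request;
		# the upstream on :8893 must only trust these headers when reached
		# through this handle, since nothing else strips client-supplied ones.
		forward_auth {{ oracle4_private_ip }}:8888 {
			uri /api/verify?rd=https://auth.{$HOSTNAME}/
			copy_headers Remote-User Remote-Groups Remote-Name Remote-Email
			#import trusted_proxy_list
		}
		encode zstd gzip
		reverse_proxy {{ oracle2_private_ip }}:8893
		header {
			X-Robots-Tag "noindex, noimageindex, nosnippet, notranslate, noarchive, nofollow"
		}
	}

	@nt host nt.{$HOSTNAME}
	handle @nt {
		encode zstd gzip
		reverse_proxy {{ oracle3_private_ip }}:8894
		header {
			X-Robots-Tag "noindex, noimageindex, nosnippet, notranslate, noarchive, nofollow"
		}
	}

	@v host v.{$HOSTNAME}
	handle @v {
		encode zstd gzip
		reverse_proxy {
			to {{ oracle1_private_ip }}:8895
			to {{ oracle2_private_ip }}:8895
			to {{ oracle3_private_ip }}:8895
			to {{ oracle4_private_ip }}:8895
			lb_policy ip_hash
			lb_try_duration 5s
			lb_try_interval 1s
			fail_duration 30s
			max_fails 3
		}
		header {
			X-Robots-Tag "noindex, noimageindex, nosnippet, notranslate, noarchive, nofollow"
		}
	}

	@bn host bn.{$HOSTNAME}
	handle @bn {
		encode zstd gzip
		reverse_proxy {
			to {{ oracle1_private_ip }}:8896
			to {{ oracle2_private_ip }}:8896
			to {{ oracle3_private_ip }}:8896
			to {{ oracle4_private_ip }}:8896
			lb_policy ip_hash
			lb_try_duration 5s
			lb_try_interval 1s
			fail_duration 30s
			max_fails 3
		}
		header {
			X-Robots-Tag "noindex, noimageindex, nosnippet, notranslate, noarchive, nofollow"
		}
	}

	# Breezewiki. *.z.{$HOSTNAME} (fandom subdomain form) is redirected here
	# by the site block at the bottom of this file.
	@z host z.{$HOSTNAME}
	handle @z {
		encode zstd gzip
		reverse_proxy {{ oracle3_private_ip }}:8897
		header {
			X-Permitted-Cross-Domain-Policies "none"
			X-Robots-Tag "noindex, noimageindex, nosnippet, notranslate, noarchive, nofollow"
		}
	}

	@a host a.{$HOSTNAME}
	handle @a {
		encode zstd gzip
		reverse_proxy {{ vultr_private_ip }}:8898
		header {
			Content-Security-Policy "default-src 'self';base-uri 'self';block-all-mixed-content;font-src 'self' https: data:;frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src 'self';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests"
			X-Robots-Tag "noindex, noimageindex, nosnippet, notranslate, noarchive, nofollow"
		}
	}

	@r host r.{$HOSTNAME}
	handle @r {
		encode zstd gzip
		reverse_proxy {{ vultr_private_ip }}:8899
		header {
			X-Robots-Tag "noindex, noimageindex, nosnippet, notranslate, noarchive, nofollow"
		}
	}

	@g host g.{$HOSTNAME}
	handle @g {
		encode zstd gzip
		reverse_proxy {
			to {{ oracle1_private_ip }}:8900
			to {{ oracle2_private_ip }}:8900
			to {{ oracle3_private_ip }}:8900
			to {{ oracle4_private_ip }}:8900
			lb_policy ip_hash
			lb_try_duration 5s
			lb_try_interval 1s
			fail_duration 30s
			max_fails 3
		}
		header {
			Content-Security-Policy "default-src 'self';base-uri 'self';block-all-mixed-content;font-src 'self' https: data:;frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src 'self';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests"
			X-Robots-Tag "noindex, noimageindex, nosnippet, notranslate, noarchive, nofollow"
		}
	}

	@c host c.{$HOSTNAME}
	handle @c {
		encode zstd gzip
		reverse_proxy {
			to {{ oracle1_private_ip }}:8901
			to {{ oracle2_private_ip }}:8901
			to {{ oracle3_private_ip }}:8901
			to {{ oracle4_private_ip }}:8901
			lb_policy ip_hash
			lb_try_duration 5s
			lb_try_interval 1s
			fail_duration 30s
			max_fails 3
		}
		header {
			X-Robots-Tag "noindex, noimageindex, nosnippet, notranslate, noarchive, nofollow"
		}
	}

	@o host o.{$HOSTNAME}
	handle @o {
		encode zstd gzip
		reverse_proxy {
			to {{ oracle1_private_ip }}:8902
			to {{ oracle2_private_ip }}:8902
			to {{ oracle3_private_ip }}:8902
			to {{ oracle4_private_ip }}:8902
			lb_policy ip_hash
			lb_try_duration 5s
			lb_try_interval 1s
			fail_duration 30s
			max_fails 3
		}
		header {
			X-Robots-Tag "noindex, noimageindex, nosnippet, notranslate, noarchive, nofollow"
		}
	}

	@ph host ph.{$HOSTNAME}
	handle @ph {
		encode zstd gzip
		reverse_proxy {
			to {{ oracle1_private_ip }}:8903
			to {{ oracle2_private_ip }}:8903
			to {{ oracle3_private_ip }}:8903
			to {{ oracle4_private_ip }}:8903
			lb_policy ip_hash
			lb_try_duration 5s
			lb_try_interval 1s
			fail_duration 30s
			max_fails 3
		}
		header {
			X-Robots-Tag "noindex, noimageindex, nosnippet, notranslate, noarchive, nofollow"
		}
	}

	@q host q.{$HOSTNAME}
	handle @q {
		encode zstd gzip
		reverse_proxy {
			to {{ oracle1_private_ip }}:8904
			to {{ oracle2_private_ip }}:8904
			to {{ oracle3_private_ip }}:8904
			to {{ oracle4_private_ip }}:8904
			lb_policy ip_hash
			lb_try_duration 5s
			lb_try_interval 1s
			fail_duration 30s
			max_fails 3
		}
		header {
			X-Robots-Tag "noindex, noimageindex, nosnippet, notranslate, noarchive, nofollow"
		}
	}

	@d host d.{$HOSTNAME}
	handle @d {
		encode zstd gzip
		reverse_proxy {
			to {{ oracle1_private_ip }}:8905
			to {{ oracle2_private_ip }}:8905
			to {{ oracle3_private_ip }}:8905
			to {{ oracle4_private_ip }}:8905
			lb_policy ip_hash
			lb_try_duration 5s
			lb_try_interval 1s
			fail_duration 30s
			max_fails 3
		}
		header {
			X-Robots-Tag "noindex, noimageindex, nosnippet, notranslate, noarchive, nofollow"
		}
	}

	@wf host wf.{$HOSTNAME}
	handle @wf {
		encode zstd gzip
		reverse_proxy {{ oracle2_private_ip }}:8906
		header {
			X-Robots-Tag "noindex, noimageindex, nosnippet, notranslate, noarchive, nofollow"
		}
	}

	# The only non-SearXNG upstream that receives X-Real-IP; the value is the
	# TCP peer address, not a client-supplied header.
	@tb host tb.{$HOSTNAME}
	handle @tb {
		encode zstd gzip
		reverse_proxy {
			to {{ oracle1_private_ip }}:8907
			to {{ oracle2_private_ip }}:8907
			to {{ oracle3_private_ip }}:8907
			to {{ oracle4_private_ip }}:8907
			lb_policy ip_hash
			lb_try_duration 5s
			lb_try_interval 1s
			fail_duration 30s
			max_fails 3
			header_up X-Real-IP {remote_host}
		}
		header {
			X-Robots-Tag "noindex, noimageindex, nosnippet, notranslate, noarchive, nofollow"
		}
	}

	@ig host ig.{$HOSTNAME}
	handle @ig {
		encode zstd gzip
		reverse_proxy {
			to {{ oracle1_private_ip }}:8908
			to {{ oracle2_private_ip }}:8908
			to {{ oracle3_private_ip }}:8908
			to {{ oracle4_private_ip }}:8908
			lb_policy ip_hash
			lb_try_duration 5s
			lb_try_interval 1s
			fail_duration 30s
			max_fails 3
		}
		header {
			X-Robots-Tag "noindex, noimageindex, nosnippet, notranslate, noarchive, nofollow"
		}
	}

	@hn host hn.{$HOSTNAME}
	handle @hn {
		encode zstd gzip
		reverse_proxy {
			to {{ oracle1_private_ip }}:8909
			to {{ oracle2_private_ip }}:8909
			to {{ oracle3_private_ip }}:8909
			to {{ oracle4_private_ip }}:8909
			lb_policy ip_hash
			lb_try_duration 5s
			lb_try_interval 1s
			fail_duration 30s
			max_fails 3
		}
		header {
			X-Robots-Tag "noindex, noimageindex, nosnippet, notranslate, noarchive, nofollow"
		}
	}

	@ti host ti.{$HOSTNAME}
	handle @ti {
		encode zstd gzip
		reverse_proxy {{ vultr_private_ip }}:8910
		header {
			X-Robots-Tag "noindex, noimageindex, nosnippet, notranslate, noarchive, nofollow"
		}
	}

	@sn host sn.{$HOSTNAME}
	handle @sn {
		encode zstd gzip
		reverse_proxy {{ vultr_private_ip }}:8911
		header {
			X-Robots-Tag "noindex, noimageindex, nosnippet, notranslate, noarchive, nofollow"
		}
	}
}

# ----------------------------------------------------------------------------------------------------
# Breezewiki redirect to handle subdomain.fandom.com
# <wiki>.z.{$HOSTNAME}/<path> -> https://z.{$HOSTNAME}/<wiki>/<path>
# {labels.3} counts DNS labels from the right (0 = TLD), so this assumes
# {$HOSTNAME} has exactly two labels. The site address already restricts
# the Host header to *.z.{$HOSTNAME}, so the label cannot point off-site.
# (An unused "@fandom host *.z.{$HOSTNAME}" matcher was dropped; the redir
# was never conditioned on it.)
*.z.{$HOSTNAME} {
	redir https://z.{$HOSTNAME}/{labels.3}{uri}
	header {
		X-Permitted-Cross-Domain-Policies "none"
		X-Robots-Tag "noindex, noimageindex, nosnippet, notranslate, noarchive, nofollow"
		Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
		X-XSS-Protection "1; mode=block"
		X-Content-Type-Options "nosniff"
		Permissions-Policy "accelerometer=(),ambient-light-sensor=(),autoplay=(),camera=(),encrypted-media=(),focus-without-user-activation=(),geolocation=(),gyroscope=(),magnetometer=(),microphone=(),midi=(),payment=(),picture-in-picture=(),speaker=(),sync-xhr=(),usb=(),vr=()"
		Feature-Policy "accelerometer 'none';ambient-light-sensor 'none'; autoplay 'none';camera 'none';encrypted-media 'none';focus-without-user-activation 'none'; geolocation 'none';gyroscope 'none';magnetometer 'none';microphone 'none';midi 'none';payment 'none';picture-in-picture 'none'; speaker 'none';sync-xhr 'none';usb 'none';vr 'none'"
		Referrer-Policy "no-referrer"
		X-Frame-Options SAMEORIGIN
		-Server
	}
	log {
		output discard
	}
	# redir is ordered before handle, so this only fires if the redirect
	# somehow does not; kept as a fail-closed backstop.
	handle {
		abort
	}
}

# ----------------------------------------------------------------------------------------------------
# Imgin redirect to handle i.imgur.com
# i.r.{$HOSTNAME}/<path> -> https://r.{$HOSTNAME}/<path>
i.r.{$HOSTNAME} {
	handle {
		redir https://r.{$HOSTNAME}{uri}
	}
	log {
		output discard
	}
	# Second bare handle: unreachable while the redirect handle above exists,
	# kept as a fail-closed backstop.
	handle {
		abort
	}
}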