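# {{ ansible_managed }}
#
# Edge Caddyfile for {$HOSTNAME}, rendered by Ansible. `{{ ... }}` are Jinja
# variables filled in at render time; `{$...}` are environment variables read
# by Caddy when the config is loaded. Upstreams are reached by private address
# over plain HTTP, so TLS terminates here and every security header that the
# browser sees is set in this file (or by the upstream app itself).
#
# Non-standard modules referenced below (must be compiled in with xcaddy):
#   - dns.providers.cloudflare  (acme_dns, global options)
#   - rate_limit                (n.{$HOSTNAME})
#   - maxmind_geolocation       (n.{$HOSTNAME}, f.{$HOSTNAME})
#
# NOTE(review): every rate limit, `lb_policy ip_hash` and `X-Real-IP` below is
# keyed on the TCP peer address ({remote.ip} / {remote_host}). That is the
# real client only while Caddy is the first hop. If a CDN or another proxy is
# ever placed in front of it, add `trusted_proxies` under the `servers`
# global option, otherwise the limits and hashing apply to the proxy's
# egress IPs instead of the client. Confirm against the deployment.
#
# NOTE(review): `X-XSS-Protection "1; mode=block"` is kept as deployed, but
# the header is deprecated and current OWASP guidance is `0` (or omitting it)
# because the legacy XSS auditor enabled cross-site leaks in browsers that
# still honour it. CSP is the control that actually matters here.

{
	admin off
	# DNS-01 challenge so the wildcard *.{$HOSTNAME} certificate can be issued.
	# The token comes from the environment and is never written to disk by
	# this file; it should be scoped to DNS edit on this zone only, since
	# whoever holds it can obtain certificates for the zone.
	acme_dns cloudflare {$CLOUDFLARE_API_TOKEN}
	# rate_limit is not a built-in directive, so it has no position in Caddy's
	# directive order; pin it before basicauth so it runs ahead of the handlers.
	order rate_limit before basicauth
}

# ----------------------------------------------------------------------------------------------------
# SearXNG
{$HOSTNAME} {
	# Deliberately no access log (privacy-oriented instance).
	log {
		output discard
	}

	# JSON/health endpoints that are allowed to be fetched cross-origin.
	@api {
		path /config
		path /healthz
		path /stats/errors
		path /stats/checker
	}
	@static {
		path /static/*
	}
	@notstatic {
		not path /static/*
	}
	# The image proxy returns opaque bytes and gets a minimal CSP of its own.
	@imageproxy {
		path /image_proxy
	}
	@notimageproxy {
		not path /image_proxy
	}

	# Baseline security headers for every response from this host.
	header {
		Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
		X-XSS-Protection "1; mode=block"
		X-Content-Type-Options "nosniff"
		Permissions-Policy "accelerometer=(),ambient-light-sensor=(),autoplay=(),camera=(),encrypted-media=(),focus-without-user-activation=(),geolocation=(),gyroscope=(),magnetometer=(),microphone=(),midi=(),payment=(),picture-in-picture=(),speaker=(),sync-xhr=(),usb=(),vr=()"
		# Feature-Policy is the legacy spelling of Permissions-Policy; kept for
		# older browsers, the two lists are meant to stay in sync.
		Feature-Policy "accelerometer 'none';ambient-light-sensor 'none'; autoplay 'none';camera 'none';encrypted-media 'none';focus-without-user-activation 'none'; geolocation 'none';gyroscope 'none';magnetometer 'none';microphone 'none';midi 'none';payment 'none';picture-in-picture 'none'; speaker 'none';sync-xhr 'none';usb 'none';vr 'none'"
		Referrer-Policy "no-referrer"
		X-Robots-Tag "noindex, noarchive, nofollow"
		# Do not advertise the server software.
		-Server
	}

	# CORS only on the read-only API paths; the wildcard origin is acceptable
	# because these endpoints are unauthenticated and carry no user state.
	header @api {
		Access-Control-Allow-Methods "GET, OPTIONS"
		Access-Control-Allow-Origin "*"
	}

	# Cache
	header @static {
		# Cache
		Cache-Control "public, max-age=31536000"
		# `defer` applies the header after the upstream response is received,
		# so it overrides whatever SearXNG sends for static assets.
		defer
	}
	header @notstatic {
		# No Cache
		Cache-Control "no-cache, no-store"
		Pragma "no-cache"
	}

	# CSP (see http://content-security-policy.com/ )
	header @imageproxy {
		Content-Security-Policy "default-src 'none'; img-src 'self' data:"
	}
	# The allow-listed third-party origins below are the ones the SearXNG UI
	# needs (OSM tiles/overpass for the map result, embedded players, the
	# GitHub issue form). Adding an origin here widens what the page may load.
	header @notimageproxy {
		Content-Security-Policy "upgrade-insecure-requests; default-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'; form-action 'self' https://github.com/searxng/searxng/issues/new; font-src 'self'; frame-ancestors 'self'; base-uri 'self'; connect-src 'self' https://overpass-api.de; img-src 'self' data: https://*.tile.openstreetmap.org; frame-src https://www.youtube-nocookie.com https://player.vimeo.com https://www.dailymotion.com https://www.deezer.com https://www.mixcloud.com https://w.soundcloud.com https://embed.spotify.com"
	}

	handle {
		encode zstd gzip
		reverse_proxy {{ oracle4_private_ip }}:8080 {
			# Client address and original scheme/port for SearXNG's own
			# limiter and URL generation. See the trusted_proxies note above.
			header_up X-Real-IP {remote_host}
			header_up X-Forwarded-Port {http.request.port}
			header_up X-Forwarded-Proto {http.request.scheme}
		}
	}
}

# ----------------------------------------------------------------------------------------------------
# Other subdomains
#
# One wildcard site block; each service is selected with a `host` matcher on
# its own `handle`. The matcher-less `handle { abort }` is the fallback, so a
# request for an unknown subdomain is dropped instead of being proxied
# anywhere. The site-level `header` block applies to every host in here.
*.{$HOSTNAME} {
	log {
		output discard
	}

	handle {
		abort
	}

	header {
		Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
		X-XSS-Protection "1; mode=block"
		X-Content-Type-Options "nosniff"
		Permissions-Policy "accelerometer=(),ambient-light-sensor=(),autoplay=(),camera=(),encrypted-media=(),focus-without-user-activation=(),geolocation=(),gyroscope=(),magnetometer=(),microphone=(),midi=(),payment=(),picture-in-picture=(),speaker=(),usb=(),vr=()" #sync-xhr=(),
		Feature-Policy "accelerometer 'none';ambient-light-sensor 'none'; autoplay 'none';camera 'none';encrypted-media 'none';focus-without-user-activation 'none'; geolocation 'none';gyroscope 'none';magnetometer 'none';microphone 'none';midi 'none';payment 'none';picture-in-picture 'none'; speaker 'none';usb 'none';vr 'none'" #sync-xhr 'none';
		Referrer-Policy "no-referrer"
		# Belt and braces with the per-host CSP frame-ancestors below; hosts
		# without their own CSP still get this clickjacking protection.
		X-Frame-Options SAMEORIGIN
		-Server
	}

	# Static site served from disk.
	@about host about.{$HOSTNAME}
	handle @about {
		root * /www
		encode gzip
		file_server
		header {
			Content-Security-Policy "default-src 'self';base-uri 'self';block-all-mixed-content;font-src 'self' https: data:;frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src 'self';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests"
		}
	}

	# Aliases onto the apex. Note the fixed target host: this is a redirect
	# to the literal production name, not to {$HOSTNAME}.
	@www host www.{$HOSTNAME}
	handle @www {
		redir https://opnxng.com{uri}
	}

	@x host x.{$HOSTNAME}
	handle @x {
		redir https://opnxng.com{uri}
	}

	# ip_hash keeps a client on one backend; the lb_try_* and fail_* values
	# give a 5 s retry window and take a backend out after 3 failures for 30 s.
	@i host i.{$HOSTNAME}
	handle @i {
		encode zstd gzip
		reverse_proxy {
			to {{ vultr_private_ip }}:8881
			to {{ oracle1_private_ip }}:8881
			to {{ oracle2_private_ip }}:8881
			to {{ oracle3_private_ip }}:8881
			to {{ oracle4_private_ip }}:8881
			lb_policy ip_hash
			lb_try_duration 5s
			lb_try_interval 1s
			fail_duration 30s
			max_fails 3
		}
		header {
			Content-Security-Policy "default-src 'self';base-uri 'self';block-all-mixed-content;font-src 'self' https: data:;frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src 'self';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests"
			X-Robots-Tag "noindex, noimageindex, nosnippet, notranslate, noarchive, nofollow"
		}
	}

	@l host l.{$HOSTNAME}
	handle @l {
		encode zstd gzip
		reverse_proxy {
			to {{ vultr_private_ip }}:8882
			to {{ oracle1_private_ip }}:8882
			to {{ oracle2_private_ip }}:8882
			to {{ oracle3_private_ip }}:8882
			to {{ oracle4_private_ip }}:8882
			lb_policy ip_hash
			lb_try_duration 5s
			lb_try_interval 1s
			fail_duration 30s
			max_fails 3
		}
		header {
			Content-Security-Policy "default-src 'self';base-uri 'self';block-all-mixed-content;font-src 'self' https: data:;frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src 'self';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests"
			X-Robots-Tag "noindex, noimageindex, nosnippet, notranslate, noarchive, nofollow"
		}
	}

	# Geo-blocked host with a per-client rate limit on everything that is
	# not a static asset. Requests from denied countries do not match @n and
	# fall through to the abort handler above.
	@n {
		host n.{$HOSTNAME}
		maxmind_geolocation {
			db_path "/etc/caddy/GeoLite2-City.mmdb"
			deny_countries CN
		}
	}
	handle @n {
		@notstatic {
			not path /css/* /js/* /fonts/* /browserconfig.xml /android-chrome* /favicon* /logo* /lp.svg /robots.txt /safari* /site.webmanifest /pic/*
		}
		# Burst limit and sustained limit, both keyed on the client IP; the
		# rate_limit directive is ordered before the proxy (global options).
		rate_limit @notstatic {remote.ip} 2r/s 60000 500
		rate_limit @notstatic {remote.ip} 30r/m 300000 500
		reverse_proxy {{ oracle4_private_ip }}:8883 {
			transport http {
				compression off
			}
		}
		header {
			# FIX: this line previously read `header Content-Security-Policy "<policy>"`.
			# Inside a header block the first token is the field name, so that
			# parsed as a find/replace on a response header literally called
			# "header" and the CSP was never sent for this host. The field name
			# has to be the first token on the line.
			Content-Security-Policy "default-src 'none'; script-src 'self' 'unsafe-inline'; img-src 'self'; style-src 'self' 'unsafe-inline'; font-src 'self'; object-src 'none'; media-src 'self' blob:; worker-src 'self' blob:; base-uri 'self'; form-action 'self'; frame-ancestors 'self'; connect-src 'self' https://*.twimg.com; manifest-src 'self'"
			X-Robots-Tag "noindex, noimageindex, nosnippet, notranslate, noarchive, nofollow"
		}
	}

	@t host t.{$HOSTNAME}
	handle @t {
		encode zstd gzip
		reverse_proxy {
			to {{ oracle1_private_ip }}:8889
			to {{ oracle2_private_ip }}:8889
			to {{ oracle3_private_ip }}:8889
			to {{ oracle4_private_ip }}:8889
			lb_policy ip_hash
			lb_try_duration 5s
			lb_try_interval 1s
			fail_duration 30s
			max_fails 3
		}
		header {
			Content-Security-Policy "default-src 'self';base-uri 'self';block-all-mixed-content;font-src 'self' https: data:;frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src 'self';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests"
			X-Robots-Tag "noindex, noimageindex, nosnippet, notranslate, noarchive, nofollow"
		}
	}

	# The hosts below set no CSP of their own; they rely on the site-level
	# headers plus whatever the upstream application emits.
	@b host b.{$HOSTNAME}
	handle @b {
		reverse_proxy {{ oracle1_private_ip }}:8884
		header {
			X-Robots-Tag "noindex, noimageindex, nosnippet, notranslate, noarchive, nofollow"
		}
	}

	@s host s.{$HOSTNAME}
	handle @s {
		encode zstd gzip
		reverse_proxy {{ oracle1_private_ip }}:8886
		header {
			X-Robots-Tag "noindex, noimageindex, nosnippet, notranslate, noarchive, nofollow"
		}
	}

	@p host p.{$HOSTNAME}
	handle @p {
		encode zstd gzip
		reverse_proxy {
			to {{ oracle1_private_ip }}:8887
			to {{ oracle2_private_ip }}:8887
			to {{ oracle3_private_ip }}:8887
			to {{ oracle4_private_ip }}:8887
			lb_policy ip_hash
			lb_try_duration 5s
			lb_try_interval 1s
			fail_duration 30s
			max_fails 3
		}
		header {
			X-Robots-Tag "noindex, noimageindex, nosnippet, notranslate, noarchive, nofollow"
		}
	}

	@m host m.{$HOSTNAME}
	handle @m {
		encode zstd gzip
		reverse_proxy {
			to {{ oracle1_private_ip }}:8890
			to {{ oracle2_private_ip }}:8890
			to {{ oracle3_private_ip }}:8890
			to {{ oracle4_private_ip }}:8890
			lb_policy ip_hash
			lb_try_duration 5s
			lb_try_interval 1s
			fail_duration 30s
			max_fails 3
		}
		header {
			X-Robots-Tag "noindex, noimageindex, nosnippet, notranslate, noarchive, nofollow"
		}
	}

	@e host e.{$HOSTNAME}
	handle @e {
		encode zstd gzip
		reverse_proxy {{ oracle3_private_ip }}:8891
		header {
			X-Robots-Tag "noindex, noimageindex, nosnippet, notranslate, noarchive, nofollow"
		}
	}

	@it host it.{$HOSTNAME}
	handle @it {
		encode zstd gzip
		reverse_proxy {
			to {{ oracle1_private_ip }}:8892
			to {{ oracle2_private_ip }}:8892
			to {{ oracle3_private_ip }}:8892
			to {{ oracle4_private_ip }}:8892
			lb_policy ip_hash
			lb_try_duration 5s
			lb_try_interval 1s
			fail_duration 30s
			max_fails 3
		}
		header {
			X-Robots-Tag "noindex, noimageindex, nosnippet, notranslate, noarchive, nofollow"
		}
	}

	# Authenticated host: country allow-list on the matcher, then forward_auth
	# to the auth portal on 9091 before anything reaches 8893. The Remote-*
	# headers are copied from the auth server's response by Caddy, so the
	# upstream may trust them only as long as 8893 is reachable solely through
	# this block (private address, no other listener) -- confirm on the host.
	# Compressing authenticated responses is a known compression-oracle
	# (BREACH-style) risk if the app reflects request data next to secrets;
	# left as deployed, noted for review.
	@f {
		host f.{$HOSTNAME}
		maxmind_geolocation {
			db_path "/etc/caddy/GeoLite2-City.mmdb"
			allow_countries {{ allow_countries }}
		}
	}
	handle @f {
		forward_auth {{ oracle4_private_ip }}:9091 {
			uri /api/verify?rd=https://auth.opnxng.com/
			copy_headers Remote-User Remote-Groups Remote-Name Remote-Email
			#import trusted_proxy_list
		}
		encode zstd gzip
		reverse_proxy {{ oracle2_private_ip }}:8893
		header {
			X-Robots-Tag "noindex, noimageindex, nosnippet, notranslate, noarchive, nofollow"
		}
	}

	# The auth portal itself; the site-level security headers still apply.
	@auth host auth.{$HOSTNAME}
	handle @auth {
		reverse_proxy {{ oracle4_private_ip }}:9091
	}

	@v host v.{$HOSTNAME}
	handle @v {
		encode zstd gzip
		reverse_proxy {
			to {{ oracle1_private_ip }}:8895
			to {{ oracle2_private_ip }}:8895
			to {{ oracle3_private_ip }}:8895
			to {{ oracle4_private_ip }}:8895
			lb_policy ip_hash
			lb_try_duration 5s
			lb_try_interval 1s
			fail_duration 30s
			max_fails 3
		}
		header {
			X-Robots-Tag "noindex, noimageindex, nosnippet, notranslate, noarchive, nofollow"
		}
	}

	@bn host bn.{$HOSTNAME}
	handle @bn {
		encode zstd gzip
		reverse_proxy {
			to {{ oracle1_private_ip }}:8896
			to {{ oracle2_private_ip }}:8896
			to {{ oracle3_private_ip }}:8896
			to {{ oracle4_private_ip }}:8896
			lb_policy ip_hash
			lb_try_duration 5s
			lb_try_interval 1s
			fail_duration 30s
			max_fails 3
		}
		header {
			X-Robots-Tag "noindex, noimageindex, nosnippet, notranslate, noarchive, nofollow"
		}
	}

	@z host z.{$HOSTNAME}
	handle @z {
		encode zstd gzip
		reverse_proxy {{ oracle3_private_ip }}:8897
		header {
			X-Permitted-Cross-Domain-Policies "none"
			X-Robots-Tag "noindex, noimageindex, nosnippet, notranslate, noarchive, nofollow"
		}
	}

	@a host a.{$HOSTNAME}
	handle @a {
		encode zstd gzip
		reverse_proxy {
			to {{ oracle1_private_ip }}:8898
			to {{ oracle2_private_ip }}:8898
			to {{ oracle3_private_ip }}:8898
			to {{ oracle4_private_ip }}:8898
			lb_policy ip_hash
			lb_try_duration 5s
			lb_try_interval 1s
			fail_duration 30s
			max_fails 3
		}
		header {
			Content-Security-Policy "default-src 'self';base-uri 'self';block-all-mixed-content;font-src 'self' https: data:;frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src 'self';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests"
			X-Robots-Tag "noindex, noimageindex, nosnippet, notranslate, noarchive, nofollow"
		}
	}

	@r host r.{$HOSTNAME}
	handle @r {
		encode zstd gzip
		reverse_proxy {{ vultr_private_ip }}:8899
		header {
			X-Robots-Tag "noindex, noimageindex, nosnippet, notranslate, noarchive, nofollow"
		}
	}

	@g host g.{$HOSTNAME}
	handle @g {
		encode zstd gzip
		reverse_proxy {
			to {{ oracle1_private_ip }}:8900
			to {{ oracle2_private_ip }}:8900
			to {{ oracle3_private_ip }}:8900
			to {{ oracle4_private_ip }}:8900
			lb_policy ip_hash
			lb_try_duration 5s
			lb_try_interval 1s
			fail_duration 30s
			max_fails 3
		}
		header {
			Content-Security-Policy "default-src 'self';base-uri 'self';block-all-mixed-content;font-src 'self' https: data:;frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src 'self';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests"
			X-Robots-Tag "noindex, noimageindex, nosnippet, notranslate, noarchive, nofollow"
		}
	}

	@c host c.{$HOSTNAME}
	handle @c {
		encode zstd gzip
		reverse_proxy {
			to {{ oracle1_private_ip }}:8901
			to {{ oracle2_private_ip }}:8901
			to {{ oracle3_private_ip }}:8901
			to {{ oracle4_private_ip }}:8901
			lb_policy ip_hash
			lb_try_duration 5s
			lb_try_interval 1s
			fail_duration 30s
			max_fails 3
		}
		header {
			X-Robots-Tag "noindex, noimageindex, nosnippet, notranslate, noarchive, nofollow"
		}
	}

	@o host o.{$HOSTNAME}
	handle @o {
		encode zstd gzip
		reverse_proxy {
			to {{ oracle1_private_ip }}:8902
			to {{ oracle2_private_ip }}:8902
			to {{ oracle3_private_ip }}:8902
			to {{ oracle4_private_ip }}:8902
			lb_policy ip_hash
			lb_try_duration 5s
			lb_try_interval 1s
			fail_duration 30s
			max_fails 3
		}
		header {
			X-Robots-Tag "noindex, noimageindex, nosnippet, notranslate, noarchive, nofollow"
		}
	}

	@ph host ph.{$HOSTNAME}
	handle @ph {
		encode zstd gzip
		reverse_proxy {
			to {{ oracle1_private_ip }}:8903
			to {{ oracle2_private_ip }}:8903
			to {{ oracle3_private_ip }}:8903
			to {{ oracle4_private_ip }}:8903
			lb_policy ip_hash
			lb_try_duration 5s
			lb_try_interval 1s
			fail_duration 30s
			max_fails 3
		}
		header {
			X-Robots-Tag "noindex, noimageindex, nosnippet, notranslate, noarchive, nofollow"
		}
	}

	@q host q.{$HOSTNAME}
	handle @q {
		encode zstd gzip
		reverse_proxy {
			to {{ oracle1_private_ip }}:8904
			to {{ oracle2_private_ip }}:8904
			to {{ oracle3_private_ip }}:8904
			to {{ oracle4_private_ip }}:8904
			lb_policy ip_hash
			lb_try_duration 5s
			lb_try_interval 1s
			fail_duration 30s
			max_fails 3
		}
		header {
			X-Robots-Tag "noindex, noimageindex, nosnippet, notranslate, noarchive, nofollow"
		}
	}

	@d host d.{$HOSTNAME}
	handle @d {
		encode zstd gzip
		reverse_proxy {
			to {{ oracle1_private_ip }}:8905
			to {{ oracle2_private_ip }}:8905
			to {{ oracle3_private_ip }}:8905
			to {{ oracle4_private_ip }}:8905
			lb_policy ip_hash
			lb_try_duration 5s
			lb_try_interval 1s
			fail_duration 30s
			max_fails 3
		}
		header {
			X-Robots-Tag "noindex, noimageindex, nosnippet, notranslate, noarchive, nofollow"
		}
	}

	@wf host wf.{$HOSTNAME}
	handle @wf {
		encode zstd gzip
		reverse_proxy {{ oracle2_private_ip }}:8906
		header {
			X-Robots-Tag "noindex, noimageindex, nosnippet, notranslate, noarchive, nofollow"
		}
	}

	@4g host 4g.{$HOSTNAME}
	handle @4g {
		encode zstd gzip
		reverse_proxy {
			to {{ oracle1_private_ip }}:8907
			to {{ oracle2_private_ip }}:8907
			to {{ oracle3_private_ip }}:8907
			to {{ oracle4_private_ip }}:8907
			lb_policy ip_hash
			lb_try_duration 5s
			lb_try_interval 1s
			fail_duration 30s
			max_fails 3
		}
		header {
			X-Robots-Tag "noindex, noimageindex, nosnippet, notranslate, noarchive, nofollow"
		}
	}

	@ig host ig.{$HOSTNAME}
	handle @ig {
		encode zstd gzip
		reverse_proxy {
			to {{ oracle1_private_ip }}:8908
			to {{ oracle2_private_ip }}:8908
			to {{ oracle3_private_ip }}:8908
			to {{ oracle4_private_ip }}:8908
			lb_policy ip_hash
			lb_try_duration 5s
			lb_try_interval 1s
			fail_duration 30s
			max_fails 3
		}
		header {
			X-Robots-Tag "noindex, noimageindex, nosnippet, notranslate, noarchive, nofollow"
		}
	}

	@tt host tt.{$HOSTNAME}
	handle @tt {
		encode zstd gzip
		reverse_proxy {
			to {{ oracle1_private_ip }}:8909
			to {{ oracle2_private_ip }}:8909
			to {{ oracle3_private_ip }}:8909
			to {{ oracle4_private_ip }}:8909
			lb_policy ip_hash
			lb_try_duration 5s
			lb_try_interval 1s
			fail_duration 30s
			max_fails 3
		}
		header {
			X-Robots-Tag "noindex, noimageindex, nosnippet, notranslate, noarchive, nofollow"
		}
	}

	@tb host tb.{$HOSTNAME}
	handle @tb {
		encode zstd gzip
		reverse_proxy {{ vultr_private_ip }}:8910
		header {
			X-Robots-Tag "noindex, noimageindex, nosnippet, notranslate, noarchive, nofollow"
		}
	}

	@git host git.{$HOSTNAME}
	handle @git {
		encode zstd gzip
		reverse_proxy {{ oracle3_private_ip }}:3000
		header {
			X-Robots-Tag "noindex, noimageindex, nosnippet, notranslate, noarchive, nofollow"
		}
	}

	@nt host nt.{$HOSTNAME}
	handle @nt {
		encode zstd gzip
		reverse_proxy {{ oracle3_private_ip }}:8911
		header {
			X-Robots-Tag "noindex, noimageindex, nosnippet, notranslate, noarchive, nofollow"
		}
	}
}

# ----------------------------------------------------------------------------------------------------
# Breezewiki redirect to handle subdomain.fandom.com
#
# <wiki>.z.{$HOSTNAME} -> https://z.opnxng.com/<wiki>{uri}. {labels.3} is the
# fourth DNS label counted from the right, i.e. <wiki> when {$HOSTNAME} has
# two labels; the target host is fixed, so this cannot be steered off-site.
# Note: `redir` runs before `handle` in Caddy's directive order, so the
# `handle { abort }` below is never reached, and the @fandom matcher is
# declared but not referenced (every request to this site matches it anyway).
*.z.{$HOSTNAME} {
	@fandom host *.z.{$HOSTNAME}
	redir https://z.opnxng.com/{labels.3}{uri}
	header {
		X-Permitted-Cross-Domain-Policies "none"
		X-Robots-Tag "noindex, noimageindex, nosnippet, notranslate, noarchive, nofollow"
		Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
		X-XSS-Protection "1; mode=block"
		X-Content-Type-Options "nosniff"
		Permissions-Policy "accelerometer=(),ambient-light-sensor=(),autoplay=(),camera=(),encrypted-media=(),focus-without-user-activation=(),geolocation=(),gyroscope=(),magnetometer=(),microphone=(),midi=(),payment=(),picture-in-picture=(),speaker=(),sync-xhr=(),usb=(),vr=()"
		Feature-Policy "accelerometer 'none';ambient-light-sensor 'none'; autoplay 'none';camera 'none';encrypted-media 'none';focus-without-user-activation 'none'; geolocation 'none';gyroscope 'none';magnetometer 'none';microphone 'none';midi 'none';payment 'none';picture-in-picture 'none'; speaker 'none';sync-xhr 'none';usb 'none';vr 'none'"
		Referrer-Policy "no-referrer"
		X-Frame-Options SAMEORIGIN
		-Server
	}
	log {
		output discard
	}
	handle {
		abort
	}
}

# ----------------------------------------------------------------------------------------------------
# Imgin redirect to handle i.imgur.com
#
# Two matcher-less handle blocks: the first one wins, so the abort is dead
# config here too. Kept as deployed.
i.r.{$HOSTNAME} {
	handle {
		redir https://r.opnxng.com{uri}
	}
	log {
		output discard
	}
	handle {
		abort
	}
}

# ----------------------------------------------------------------------------------------------------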