From 81e2b8a87ae12793f6e5da4be6941f21721cf108 Mon Sep 17 00:00:00 2001 From: AeshEmi1 <121838259+AeshEmi1@users.noreply.github.com> Date: Sun, 2 Mar 2025 19:53:42 -0600 Subject: [PATCH] [feat] adds tls support to the searxng flask application and uwsgi settings.yml and settings_defaults.py: Adds server.enable_tls, server.certificate_path, and server.certificate_key_path as valid settings. TLS on searxng is disabled by default. Adds HTTPS socket support to docker-entrypoint.sh and TLS support to webapp.py.
---
 dockerfiles/docker-entrypoint.sh | 28 +++++++++++++++++++++++++++-
 searx/settings.yml | 6 ++++++
 searx/settings_defaults.py | 3 +++
 searx/webapp.py | 32 ++++++++++++++++++++++++--------
 4 files changed, 60 insertions(+), 9 deletions(-)
diff --git a/dockerfiles/docker-entrypoint.sh b/dockerfiles/docker-entrypoint.sh
index 9e15b4cfa..ac82e4755 100755
--- a/dockerfiles/docker-entrypoint.sh
+++ b/dockerfiles/docker-entrypoint.sh
@@ -54,7 +54,26 @@ get_searxng_version(){
 2>/dev/null
 }
+# For TLS support
+get_searxng_tls_status(){
+ su searxng -c \ "python3 -c \"import six; from searx import settings; six.print_(settings['server']['enable_tls'])\"" \ 2>/dev/null
+}
+
+get_searxng_tls_cert(){
+ su searxng -c \ "python3 -c \"import six; from searx import settings; from os.path import join; six.print_(join('/etc/searxng/', settings['server']['certificate_path']))\""
+}
+
+get_searxng_tls_key(){
+ su searxng -c \ "python3 -c \"import six; from searx import settings; from os.path import join; six.print_(join('/etc/searxng/', settings['server']['certificate_key_path']))\"" \ 2>/dev/null
+}
+
 SEARXNG_VERSION="$(get_searxng_version)"
+SEARXNG_TLS_STATUS="$(get_searxng_tls_status)"
 export SEARXNG_VERSION
 echo "SearXNG version ${SEARXNG_VERSION}"
@@ -175,4 +194,11 @@ unset MORTY_KEY
 # Start uwsgi
 printf 'Listen on %s\n' "${BIND_ADDRESS}"
-exec uwsgi --master --uid searxng --gid searxng --http-socket "${BIND_ADDRESS}" "${UWSGI_SETTINGS_PATH}"
+# If server.enable_tls is True, enable TLS on searxng
+if [ "${SEARXNG_TLS_STATUS}" = "True" ]; then
+ SEARXNG_TLS_CERT="$(get_searxng_tls_cert)"
+ SEARXNG_TLS_KEY="$(get_searxng_tls_key)"
+ exec uwsgi --master --uid searxng --gid searxng --https-socket "${BIND_ADDRESS}","${SEARXNG_TLS_CERT}","${SEARXNG_TLS_KEY}" "${UWSGI_SETTINGS_PATH}"
+else
+ exec uwsgi --master --uid searxng --gid searxng --http-socket "${BIND_ADDRESS}" "${UWSGI_SETTINGS_PATH}"
+fi
\ No newline at end of file
diff --git a/searx/settings.yml b/searx/settings.yml
index 6aafaeb63..08e3edea3 100644
--- a/searx/settings.yml
+++ b/searx/settings.yml
@@ -108,6 +108,12 @@ server:
 X-Download-Options: noopen
 X-Robots-Tag: noindex, nofollow
 Referrer-Policy: no-referrer
+ # Used to enable TLS on the searxng server itself
+ # If enable_tls is set to true, then you must specify certificate_path and certificate_key_path
+ enable_tls: false
+ # These are the paths to the searxng certificate and its private key relative to /etc/searxng/.
+ certificate_path: "certs/searxng.crt"
+ certificate_key_path: "certs/searxng.key"
 redis:
 # URL to connect redis database. Is overwritten by ${SEARXNG_REDIS_URL}.
diff --git a/searx/settings_defaults.py b/searx/settings_defaults.py
index 1bafa749a..96b44640d 100644
--- a/searx/settings_defaults.py
+++ b/searx/settings_defaults.py
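Review bot: The branch at `if [ "${SEARXNG_TLS_STATUS}" = "True" ]` fails open: when `get_searxng_tls_status` cannot evaluate the settings (its stderr is discarded) the variable is empty and the container silently falls through to the plaintext `--http-socket` even though the operator configured TLS, and nothing checks that the certificate and key returned by the helpers exist before `exec`. I would distinguish the three cases, abort with a message on anything other than an explicit `False`, and verify both files before starting uwsgi; whether uwsgi reads the key before or after dropping to `--uid searxng` I have not verified, so the check may need to run as that user. The `--https-socket` value is comma-separated, so a path containing a comma would be mis-parsed, which deserves a comment next to the option. In the first hunk, `get_searxng_tls_cert` is the only one of the three helpers without the trailing `2>/dev/null`, which looks unintended.
```shell
# If server.enable_tls is True, enable TLS on searxng
if [ "${SEARXNG_TLS_STATUS}" = "True" ]; then
    SEARXNG_TLS_CERT="$(get_searxng_tls_cert)"
    SEARXNG_TLS_KEY="$(get_searxng_tls_key)"
    for f in "${SEARXNG_TLS_CERT}" "${SEARXNG_TLS_KEY}"; do
        # fail closed: never start plaintext when TLS was requested
        if [ ! -f "${f}" ]; then
            echo "server.enable_tls is true but ${f} does not exist" >&2
            exit 1
        fi
    done
    exec uwsgi --master --uid searxng --gid searxng --https-socket "${BIND_ADDRESS}","${SEARXNG_TLS_CERT}","${SEARXNG_TLS_KEY}" "${UWSGI_SETTINGS_PATH}"
elif [ "${SEARXNG_TLS_STATUS}" = "False" ]; then
    exec uwsgi --master --uid searxng --gid searxng --http-socket "${BIND_ADDRESS}" "${UWSGI_SETTINGS_PATH}"
else
    echo "could not read server.enable_tls from settings (got '${SEARXNG_TLS_STATUS}')" >&2
    exit 1
fi
```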
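Review bot: The added comment tells the operator they `must specify certificate_path and certificate_key_path`, but both keys are given defaults two lines below it, so the comment contradicts the file it documents. I would rewrite the two comment lines as `# TLS for the SearXNG server itself; when enable_tls is true the two paths below are used.` and `# Paths relative to /etc/searxng/ (an absolute path is used unchanged); both files must be readable by the searxng user.` The absolute-path behaviour follows from the `os.path.join('/etc/searxng/', ...)` calls in webapp.py and in the entrypoint helpers.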
@@ -184,6 +184,9 @@ SCHEMA = {
 'http_protocol_version': SettingsValue(('1.0', '1.1'), '1.0'),
 'method': SettingsValue(('POST', 'GET'), 'POST'),
 'default_http_headers': SettingsValue(dict, {}),
+ 'enable_tls': SettingsValue(bool, False, 'SEARXNG_ENABLE_TLS'),
+ 'certificate_path': SettingsValue(str, 'certs/searxng.crt', environ_name='SEARXNG_CERT_PATH'),
+ 'certificate_key_path': SettingsValue(str, 'certs/searxng.key', environ_name='SEARXNG_CERT_KEY_PATH'),
 },
 'redis': {
 'url': SettingsValue((None, False, str), False, 'SEARXNG_REDIS_URL'),
diff --git a/searx/webapp.py b/searx/webapp.py
index 7104853e8..a9a4a99c4 100755
--- a/searx/webapp.py
+++ b/searx/webapp.py
@@ -1359,14 +1359,30 @@ if not werkzeug_reloader or (werkzeug_reloader and os.environ.get("WERKZEUG_RUN_
 def run():
 logger.debug('starting webserver on %s:%s', settings['server']['bind_address'], settings['server']['port'])
- app.run(
- debug=searx_debug,
- use_debugger=searx_debug,
- port=settings['server']['port'],
- host=settings['server']['bind_address'],
- threaded=True,
- extra_files=[DEFAULT_SETTINGS_FILE],
- )
+
+ # If TLS support is enabled, use TLS
+ if settings['server']['enable_tls']:
+ app.run(
+ debug=searx_debug,
+ use_debugger=searx_debug,
+ port=settings['server']['port'],
+ host=settings['server']['bind_address'],
+ threaded=True,
+ extra_files=[DEFAULT_SETTINGS_FILE],
+ ssl_context=(
+ os.path.join('/etc/searxng/', settings['server']['certificate_path']),
+ os.path.join('/etc/searxng/', settings['server']['certificate_key_path']),
+ ),
+ )
+ else:
+ app.run(
+ debug=searx_debug,
+ use_debugger=searx_debug,
+ port=settings['server']['port'],
+ host=settings['server']['bind_address'],
+ threaded=True,
+ extra_files=[DEFAULT_SETTINGS_FILE],
+ )
 application = app
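Review bot: The three added entries pass the environment variable name two different ways — `'enable_tls'` positionally, the two path entries as `environ_name=` — within three adjacent lines; pick one form, e.g. `'enable_tls': SettingsValue(bool, False, environ_name='SEARXNG_ENABLE_TLS'),`. Whether `SettingsValue` converts an environment string such as `"false"` into a bool before the type check is not visible in this hunk; if it does not, `SEARXNG_ENABLE_TLS=false` would either fail validation or be treated as truthy, so that path deserves a test. The `SCHEMA` dict continues outside the hunk.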
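Review bot: The two `app.run(...)` calls in `run()` repeat six identical keyword arguments and differ only in `ssl_context`, and the TLS branch hands werkzeug paths under a hard-coded `/etc/searxng/` prefix without checking they exist, so a missing key file only surfaces as a stack trace from inside the server; `run()` is the development entry point and is presumably also used outside the container image, where that directory may not exist. I would build the keyword arguments once, add `ssl_context` conditionally, and fail with a clear error before `app.run` when either file is absent. The prefix should at least be a named constant, since the entrypoint script resolves the same paths independently and the two must stay in step.
```python
def run():
    logger.debug('starting webserver on %s:%s', settings['server']['bind_address'], settings['server']['port'])
    run_kwargs = {
        'debug': searx_debug,
        'use_debugger': searx_debug,
        'port': settings['server']['port'],
        'host': settings['server']['bind_address'],
        'threaded': True,
        'extra_files': [DEFAULT_SETTINGS_FILE],
    }
    if settings['server']['enable_tls']:
        # relative paths resolve under /etc/searxng/; absolute ones are used as given
        cert = os.path.join('/etc/searxng/', settings['server']['certificate_path'])
        key = os.path.join('/etc/searxng/', settings['server']['certificate_key_path'])
        for path in (cert, key):
            if not os.path.isfile(path):
                # fail closed rather than let werkzeug raise mid-startup
                raise FileNotFoundError(f'server.enable_tls is set but {path} does not exist')
        run_kwargs['ssl_context'] = (cert, key)
    app.run(**run_kwargs)
```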