[feat] adds tls support to the searxng flask application and uwsgi

settings.yml and settings_defaults.py: Adds server.enable_tls, server.certificate_path, and server.certificate_key_path as valid settings. TLS on searxng is disabled by default.

Adds HTTPS socket support to docker-entrypoint.sh and TLS support to webapp.py.

dockerfiles/docker-entrypoint.sh

@@ -54,7 +54,26 @@ get_searxng_version(){
        2>/dev/null
 }
 
+# For TLS support
+get_searxng_tls_status(){
+    su searxng -c \
+       "python3 -c \"import six; from searx import settings; six.print_(settings['server']['enable_tls'])\"" \
+       2>/dev/null
+}
+
+get_searxng_tls_cert(){
+    su searxng -c \
+       "python3 -c \"import six; from searx import settings; from os.path import join; six.print_(join('/etc/searxng/', settings['server']['certificate_path']))\"" 
+}
+
+get_searxng_tls_key(){
+    su searxng -c \
+       "python3 -c \"import six; from searx import settings; from os.path import join; six.print_(join('/etc/searxng/', settings['server']['certificate_key_path']))\"" \
+       2>/dev/null
+}
+
 SEARXNG_VERSION="$(get_searxng_version)"
+SEARXNG_TLS_STATUS="$(get_searxng_tls_status)"
 export SEARXNG_VERSION
 echo "SearXNG version ${SEARXNG_VERSION}"
 
@@ -175,4 +194,11 @@ unset MORTY_KEY
 
 # Start uwsgi
 printf 'Listen on %s\n' "${BIND_ADDRESS}"
-exec uwsgi --master --uid searxng --gid searxng --http-socket "${BIND_ADDRESS}" "${UWSGI_SETTINGS_PATH}"
+# If server.enable_tls is True, enable TLS on searxng
+if [ "${SEARXNG_TLS_STATUS}" = "True" ]; then
+    SEARXNG_TLS_CERT="$(get_searxng_tls_cert)"
+    SEARXNG_TLS_KEY="$(get_searxng_tls_key)"
+    exec uwsgi --master --uid searxng --gid searxng --https-socket "${BIND_ADDRESS}","${SEARXNG_TLS_CERT}","${SEARXNG_TLS_KEY}" "${UWSGI_SETTINGS_PATH}"
+else
+    exec uwsgi --master --uid searxng --gid searxng --http-socket "${BIND_ADDRESS}" "${UWSGI_SETTINGS_PATH}"
+fi

searx/settings.yml

@@ -108,6 +108,12 @@ server:
     X-Download-Options: noopen
     X-Robots-Tag: noindex, nofollow
     Referrer-Policy: no-referrer
+  # Used to enable TLS on the searxng server itself
+  # If enable_tls is set to true, then you must specify certificate_path and certificate_key_path
+  enable_tls: false
+  # These are the paths to the searxng certificate and its private key relative to /etc/searxng/.
+  certificate_path: "certs/searxng.crt"
+  certificate_key_path: "certs/searxng.key"
 
 redis:
   # URL to connect redis database. Is overwritten by ${SEARXNG_REDIS_URL}.

searx/settings_defaults.py

@@ -184,6 +184,9 @@ SCHEMA = {
         'http_protocol_version': SettingsValue(('1.0', '1.1'), '1.0'),
         'method': SettingsValue(('POST', 'GET'), 'POST'),
         'default_http_headers': SettingsValue(dict, {}),
+        'enable_tls': SettingsValue(bool, False, 'SEARXNG_ENABLE_TLS'),
+        'certificate_path': SettingsValue(str, 'certs/searxng.crt', environ_name='SEARXNG_CERT_PATH'),
+        'certificate_key_path': SettingsValue(str, 'certs/searxng.key', environ_name='SEARXNG_CERT_KEY_PATH'),
     },
     'redis': {
         'url': SettingsValue((None, False, str), False, 'SEARXNG_REDIS_URL'),

searx/webapp.py

@@ -1359,6 +1359,22 @@ if not werkzeug_reloader or (werkzeug_reloader and os.environ.get("WERKZEUG_RUN_
 
 def run():
     logger.debug('starting webserver on %s:%s', settings['server']['bind_address'], settings['server']['port'])
+
+    # If TLS support is enabled, use TLS
+    if settings['server']['enable_tls']:
+        app.run(
+            debug=searx_debug,
+            use_debugger=searx_debug,
+            port=settings['server']['port'],
+            host=settings['server']['bind_address'],
+            threaded=True,
+            extra_files=[DEFAULT_SETTINGS_FILE],
+            ssl_context=(
+                os.path.join('/etc/searxng/', settings['server']['certificate_path']),
+                os.path.join('/etc/searxng/', settings['server']['certificate_key_path']),
+            ),
+        )
+    else:
         app.run(
             debug=searx_debug,
             use_debugger=searx_debug,