I am new to this, but I have been hosting Searxng via docker for a while now and have been accessing it over the internet directly using an open port. Now I have a domain (assume search.abc.xyz) and I have tried multiple things using nginx and traefik to get it working along with cloudflare. So far nothing has helped and I am tired on banging my head. Can anybody steer me in the right path or share the right tutorial for this. Any help would be appreciated.
Solution: Hertzner was blocking port 80 and port 443 by default. So certbot was actually failing.
What did you try and what was the error?
deleted by creator
Okay I fixed the issue. I’m an idiot. Hertzner was blocking port 80 and port 443 by default.
How are u running it? Bare metal? Docker?
So nginx, traffic, and cloudflare are both reverse proxies that can do SSL termination. Now cloudflare hijacks all SSL connection it proxies (essentially a mitm) and has configuration for if u would like SSL connection from cloudflare to ur own server.
All reverse proxies pass along headers to backend services indicating all sorts of things most importantly the remote client IP, and info about if the service is behind an ssl proxy.
I use client -> cloudflare -> nginx -> my services. The client makes an encrypted pipe between itself and cloudflare, cloudflare then terminates SSL does some scanning on the raw unencrypted packet makes an encrypted connection to nginx and attaches headers about the client. I have a SSL cert on my server where nginx does SSL termination of the cloudflare connection. Nginx then attaches more headers and does routing to passes it back to a backend service ie searxng (the service itself) the docker compose for searxng comes with a packaged traffic reverse proxie its not necessary here and will in fact cause all sorts of problems.
Here is the service in my docker compose for searxng:
searxng: container_name: searxng image: docker.io/searxng/searxng:latest restart: unless-stopped networks: - local_bridge - proxy volumes: - ./data/searxng:/etc/searxng environment: - SEARXNG_BASE_URL=https://${SEARXNG_HOSTNAME:-localhost}/ - SEARXNG_SECRET=${SEARXNG_SECRET} cap_drop: - ALL cap_add: - CHOWN - SETGID - SETUIDHere is the docker compose for my nginx config
certbot: image: certbot/dns-cloudflare # Command to obtain certificates (run once manually or integrate with a web server's startup) # Replace 'yourdomain.com' and '*.yourdomain.com' with your actual domain(s) volumes: - ./data/certbot/conf:/etc/letsencrypt - ./data/certbot/www:/var/www/certbot # A dummy webroot, not strictly necessary for DNS challenge but good practice - ./data/certbot/secrets:/etc/letsencrypt/secrets:ro # Mount secrets read-only command: certonly --dns-cloudflare --dns-cloudflare-credentials /etc/letsencrypt/secrets/cloudflare.ini --non-interactive --agree-tos --email ${LETS_ENCRYPT_EMAIL} --dns-cloudflare-propagation-seconds 60 -d example.com -d *.example.com environment: - TERM=xterm # Required for certbot to run in non-interactive mode gracefully nginx: image: nginx:latest container_name: nginx restart: unless-stopped ports: - "80:80" - "443:443" volumes: - ./data/nginx/cache:/var/cache - ./data/certbot/conf:/etc/letsencrypt - ./data/nginx.conf:/etc/nginx/nginx.conf - ./data/sites-enabled:/etc/nginx/sites-enabled - ./data/sites-available:/etc/nginx/sites-available - ./data/snippets:/config/nginx/snippets - ./data/www:/var/www/html depends_on: - certbot extra_hosts: - "example.com:127.0.0.1" - "*.example.com:127.0.0.1"I use certbot to issue SSL certs for my domain locally this is the cert that do SSL connection between nginx and cloudflare.
Then nginx can route connection to the searxng instance (ur gonna need a bunch of nginx config and I couldn’t be bothered copy pasting that when an LLM can gen that it can probably gen all this tbh).
Also how u doing auth for searxng? Cos if ur opening it to the internet as a whole u might end up with lots of traffic from randos.
Okay I fixed the issue. I’m an idiot. Hertzner was blocking port 80 and port 443 by default.
deleted by creator
