Solved: Searxng installed in a jail, not working yet, maybe a pf issue

I have installed searxng in a jail but haven't got it working yet,
which may be a pf firewall issue

The jail already has Firefox installed
so I thought it would make sense to install searxng in the same jail

searxng is set to listen on the jail's IP address 10.10.0.5 and port 8888
and since Firefox is running in the same jail I thought the setup would be simple

searxng is running but I can't access it using Firefox running in the jail
or using Firefox from outside the jail

so I'm guessing it's a pf firewall issue
if anyone has any bright ideas and could give me a shove in the right direction that would be great

this is the only pf rule I have for the jail

Code:
nat on $int_if from {lo1:network} to any -> ($int_if)

Firefox can't access searxng running in the same jail with this address

Code:
10.10.0.5:8888

it's almost like the pf rule is forcing the traffic out of the external interface
and it's not able to connect to the service running in the jail

just another thought
do I need to enable pf in the jail and open port 8888

the issue is how you can access a service running in a jail
using a browser running in the same jail

this is the jail's config

root config files
pf.conf
classic jail config
searxng jail notes


searxng install

Code:
doas pkg install py311-searxng-devel

searxng config

we need to change a couple of settings before starting searxng

Code:
doas vi /usr/local/etc/searxng.yml

bind_address

by default the searxng bind_address is set to 127.0.0.1
which doesn't exist in the jail, so we use the jail's IP address instead

Code:
#bind_address: "127.0.0.1"
bind_address: "10.10.0.5"


we also need to set the secret key
we can install apg to generate a random password

Code:
doas pkg install apg

generate a 64 character password

Code:
apg -n 1 -m 64

Code:
1kpadEERISSrIMj0Sat6WeUWS0WGyGYXhELOmUtkx05fAu5kHWen9HpFgfxEOJZA

set the secret key

Code:
#secret_key: "ultrasecretkey"  # Is overwritten by ${SEARXNG_SECRET}
secret_key: "1kpadEERISSrIMj0Sat6WeUWS0WGyGYXhELOmUtkx05fAu5kHWen9HpFgfxEOJZA"

enable the searxng service in /etc/rc.conf

Code:
doas sysrc searxng_enable="YES"

we can then start searxng

Code:
doas service searxng start

check if searxng is running on port 8888

Code:
sockstat -l4

jail set up

Code:
doas vi /etc/rc.conf

Code:
jail_enable="YES"
ifconfig_lo1_aliases="inet 10.10.0.1-12/24"

Code:
/etc/jail.conf.d/classic.conf

Code:
classic {
    # hostname/path
    host.hostname = "${name}";
    path = "/usr/local/jails/containers/${name}";

    # permissions
    allow.raw_sockets;
    exec.clean;
    persist;
    sysvmsg=inherit;
    sysvsem=inherit;
    sysvshm=inherit;
    enforce_statfs=1;

    # permissions
    devfs_ruleset=7;

    # network
    ip4.addr="lo1|10.10.0.5/24";

    # mount
    #mount.fstab="/usr/local/jails/containers/classic/etc/fstab";

    mount += "devfs           $path/dev      devfs           rw                      0       0";
    mount += "tmpfs           $path/dev/shm  tmpfs           rw,size=1g,mode=1777    0       0";
    mount += "/tmp            $path/tmp      nullfs          rw                      0       0";
    mount += "/home           $path/home     nullfs          rw                      0       0";
    # mount the download directory from the host to the jail after creating it
    mount += "/home/djwilcox/downloads $path/home/djwilcox/downloads  nullfs rw      0       0";
    # uncomment the line below for the xdg runtime directory for wayland after creating it
    mount += "/var/run/xdg/djwilcox $path/var/run/xdg/djwilcox  nullfs rw            0       0";

}

pf config

Code:
/etc/pf.conf

Code:
#=========================================================================#
# variables, macro and tables                                             #
#=========================================================================#

int_if="lagg0" # lagg0 failover
vpn_if="tun0" # vpn interface
all_networks="0.0.0.0/0"
vpn_network="$vpn_if:network"
# 6881, 6882 = transmission. , 22000, 21025 = syncthing
tcp_services = "{ ntp, 6881, 22000 }" # tcp services - torrent
udp_services = "{ ntp, 6882, 21025 }" # udp services - torrent
icmp_types = "{ echoreq, unreach }"
tcp_state="flags S/SA keep state"
udp_state="keep state"

table <lan> { $int_if:network, !self }                      # lan network
table <myself> { self }                                     # self
table <martians> { 0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16     \
            172.16.0.0/12 192.0.0.0/24 192.0.2.0/24 224.0.0.0/3 \
            192.168.0.0/16 198.18.0.0/15 198.51.100.0/24        \
            203.0.113.0/24 }                         # broken networks

#=========================================================================#
# global policy                                                           #
#=========================================================================#

set block-policy drop
set loginterface $int_if
set fingerprints "/etc/pf.os"
set skip on lo0
scrub in all fragment reassemble no-df max-mss 1440
# nat jail
nat on $int_if from {lo1:network} to any -> ($int_if)
antispoof log quick for { lo $int_if } label "block_spoofing"

#=========================================================================#
# block                                                                   #
#=========================================================================#

block log all # block log all
block return out quick inet6 all tag IPV6 # block ipv6
block in quick inet6 all tag IPV6 # block ipv6

#=========================================================================#
# anchors                                                                 #
#=========================================================================#

# openvpn - anchor
anchor "openvpn"

#=========================================================================#
# traffic tag                                                             #
#=========================================================================#

# icmp
pass inet proto icmp all icmp-type $icmp_types keep state tag ICMP

# Allow the tcp and udp services defined in the macros at the top of the file
pass in on $int_if inet proto tcp from any to ($int_if) port $tcp_services $tcp_state tag TCP_IN
pass in on $int_if inet proto udp from any to ($int_if) port $udp_services $udp_state tag UDP_IN

# nfs
#pass in on $int_if inet proto tcp from <lan> to any port $nfs_services keep state

# outbound traffic
block out on $int_if all
pass out quick on $int_if all modulate state
 
just another thought

maybe I need a pf rule on the host that redirects port 8888 from the jail traffic back into the jail
if that makes sense
 
Searxng working in a Jail and accessible using Firefox running in the Jail

I found the culprits
2 block statements in my pf.conf were causing the issue

Code:
block log all
block out on $int_if all




Here's my pf.conf
with the block statements commented out

Code:
#=========================================================================#
# variables, macro and tables                                             #
#=========================================================================#

int_if="lagg0" # lagg0 failover
#int_if="ue0" # usb to ethernet adaptor
#int_if="bge0" # thunderbolt to ethernet adaptor
#int_if="wlan0" # iwlwifi
#int_if="wlan1" # ralink usb wifi
vpn_if="tun0" # vpn interface
all_networks="0.0.0.0/0"
vpn_network="$vpn_if:network"
# 6881, 6882 = transmission. , 22000, 21025 = syncthing
tcp_services = "{ ntp, 6881, 22000, 8888 }" # tcp services - torrent
udp_services = "{ ntp, 6882, 21025 }" # udp services - torrent
#nfs_services = "{ 2049 }" # 2049 = nfs
icmp_types = "{ echoreq, unreach }"
tcp_state="flags S/SA keep state"
udp_state="keep state"

#table <internet> { $all_networks, !self, !$int_if:network } # internet
table <lan> { $int_if:network, !self }                      # lan network
table <myself> { self }                                     # self

table <martians> { 0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16     \
            172.16.0.0/12 192.0.0.0/24 192.0.2.0/24 224.0.0.0/3 \
            192.168.0.0/16 198.18.0.0/15 198.51.100.0/24        \
            203.0.113.0/24 }                         # broken networks

#=========================================================================#
# global policy                                                           #
#=========================================================================#

set block-policy drop
set loginterface $int_if
set fingerprints "/etc/pf.os"
set skip on lo0
scrub in all fragment reassemble no-df max-mss 1440
# nat jail
nat on $int_if from {lo1:network} to any -> ($int_if)
antispoof log quick for { lo $int_if } label "block_spoofing"

#=========================================================================#
# block                                                                   #
#=========================================================================#

#block log all # block log all
block return out quick inet6 all tag IPV6 # block ipv6
block in quick inet6 all tag IPV6 # block ipv6

#=========================================================================#
# anchors                                                                 #
#=========================================================================#

# openvpn - anchor
anchor "openvpn"

#=========================================================================#
# traffic tag                                                             #
#=========================================================================#

# icmp
pass inet proto icmp all icmp-type $icmp_types keep state tag ICMP

# Allow the tcp and udp services defined in the macros at the top of the file
pass in on $int_if inet proto tcp from any to ($int_if) port $tcp_services $tcp_state tag TCP_IN
pass in on $int_if inet proto udp from any to ($int_if) port $udp_services $udp_state tag UDP_IN

# outbound traffic
#block out on $int_if all
pass out quick on $int_if all modulate state
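As an added example (not the OP's config and not from anyone in the thread), here is a pf.conf fragment that keeps the original `block log all` default deny and instead passes only the jail paths searxng needs. It assumes the jail's own traffic to 10.10.0.5 is seen by pf on lo1 rather than lo0, and reuses the macro and table names from the pf.conf above; the `jail_if`, `jail_net`, `searxng` and `searxng_port` macros are added here.

```pf
# Added example: pf.conf fragment that keeps a default deny in place.
# Assumption: jail traffic to 10.10.0.5 is filtered on lo1 (lo0 is skipped).
int_if="lagg0"
jail_if="lo1"            # interface carrying the jail addresses
jail_net="10.10.0.0/24"
searxng="10.10.0.5"      # searxng bind_address inside the jail
searxng_port="8888"
tcp_state="flags S/SA keep state"

table <lan> { $int_if:network, !self }

set block-policy drop
set skip on lo0          # lo1 is deliberately not skipped, so it is filtered

# translation rules must come before filter rules in FreeBSD pf
nat on $int_if from $jail_net to any -> ($int_if)
# expose only searxng to the LAN: LAN clients connect to the host address
rdr on $int_if inet proto tcp from <lan> to ($int_if) port $searxng_port -> $searxng

# default deny stays in place; everything below is an explicit allow
block log all

# Firefox in the jail (or on the host) talking to searxng across lo1
pass quick on $jail_if inet proto tcp from $jail_net to $searxng port $searxng_port $tcp_state
# redirected LAN connections: the filter sees the post-rdr destination
pass in on $int_if inet proto tcp from <lan> to $searxng port $searxng_port $tcp_state
# the jail's NATed queries out to the upstream search engines
pass out quick on $int_if all modulate state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it, and confirm the listener with `sockstat -l4` as above.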
 
looking at the error
from the unexpected crash link

it mentions ssl
searxng is running over http not https

so maybe either an ssl issue or the captcha

Code:
Exception   TypeError
Percentage  100
Parameter   create_ssl_context() takes from 0 to 3 positional arguments but 4 were given
Filename    searx/search/processors/online.py:116
Function    _send_http_request

 
the searxng package doesn't work
that's the issue

searching for this error
"searxng create_ssl_context"

I came across this issue on github


I'm the maintainer of this port in FreeBSD. I have used the ports framework
Search for anything and the error will appear.

response

Sorry I can't really help on FreeBSD .. but I remember about your #1418 (comment)
I can only help with very common hints; SearXNG needs to be installed into a python virtual env .. the log shows me that your instance is installed into system's python at /usr/local/lib/python3.11/. Never install packages into system's python .. the python installation of the system and the python-packages in, are managed by the package manager of the system. The dependencies on python-packages of SearXNG and those from the system are different, mixing the one with the other will break both, the system installation of python and the SearXNG installation (it is what we see here in your log).
 
Hi Napoleon,

Which version are you using? 20241108 is the version in quarterly and 20250203 in latest. I have fixed SearxNG on 20250203 [1], so you should use latest instead of quarterly.

IMG: https://ibb.co/8LPnMss7

[1] https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=284554
 
hi mate

I was using 20241108 in quarterly

I have fixed SearxNG on 20250203 [1], so you should use latest instead of quarterly.

great stuff
if people are on the quarterly branch they could use poudriere to build it

one thought is if you wanted to run searxng in a jail
and you built the package with poudriere, I'm not sure how you set the jail to use the poudriere package

sod's law, I just got searxng working in a podman container in an ubuntu bhyve vm


there is a git repo for a searxng-docker container
but I couldn't get that working after many hours

but I came across a youtube video
with a guy who made a simplified docker-compose.yaml file

which I got working in a couple of minutes

I wrote a guide on using vm-bhyve to install podman here




after setting up the vm and podman these are the steps to get searxng working

create a directory called searxng
and cd into it

Code:
mkdir -p searxng
cd searxng

create the docker-compose.yaml file

Code:
vi docker-compose.yaml

add the following code to the file
and change the SEARXNG_BASE_URL to your ip address

Code:
services:
  redis:
    container_name: redis
    image: docker.io/valkey/valkey:8-alpine
    command: valkey-server --save 30 1 --loglevel warning
    restart: unless-stopped
    networks:
      - searxng
    volumes:
      - valkey-data:/data
    cap_drop:
      - ALL
    cap_add:
      - SETGID
      - SETUID
      - DAC_OVERRIDE
    logging:
      driver: "json-file"
      options:
        max-size: "1m"
        max-file: "1"

  searxng:
    container_name: searxng
    image: docker.io/searxng/searxng:latest
    restart: unless-stopped
    networks:
      - searxng
    ports:
      - "8080:8080" #change 8080 as needed, but not 8080
    volumes:
      - searxng:/etc/searxng:rw
    environment:
      - SEARXNG_BASE_URL=http://192.168.1.151:8080/ # change http://192.168.1.151 to your ip
      - UWSGI_WORKERS=4 #You can change this
      - UWSGI_THREADS=4 #You can change this
    cap_drop:
      - ALL
    cap_add:
      - CHOWN
      - SETGID
      - SETUID
    logging:
      driver: "json-file"
      options:
        max-size: "1m"
        max-file: "1"

networks:
  searxng:

volumes:
  valkey-data: #redis storage
  searxng: #searxng storage

run podman-compose up

Code:
podman-compose up -d



youtube video


 
and you built the package with poudriere, im not sure how you set the jail to use the poudriere package
Inside the jail configure pkg.conf(5) to use your custom repository. At a minimum you need to configure the URL and the PRIORITY parameter.

I have written a howto on the AppJail wiki in case it can be of help: Using a custom repository in a jail with poudriere

I use SearxNG's Makejail to deploy it, you may find it useful: AppJail-makejails / searxng

Code:
appjail makejail \
    -j searxng \
    -f gh+AppJail-makejails/searxng \
    -o alias \
    -o ip4_inherit \
    -V SEARXNG_PORT=8088 \
    -V SEARXNG_BIND_ADDRESS=127.0.0.1 \
    -V SEARXNG_SECRET="myultrasecretsecret" \
    -V SEARXNG_BASE_URL="http://127.0.0.1:8088"
 
great stuff

one thing that's worth a mention is that searxng runs on http if you are using an ip address
and not https, which I think requires a domain name

the official docker image does have a .env file that works with letsencrypt
I may be wrong but I think that only works with a domain name
 