Caddy not redirecting to HTTPS - SearXNG

1. The problem I’m having:

2. Error messages and/or full log output:


* Specifying https in a Chrome browser returns (URL = https://192.168.86.249:8080) ERR_CONNECTION_CLOSED. I have not tested with other browsers
* curl 192.168.86.249:8080 returns "Too Many Requests"
* curl -vL output
''' *   Trying 192.168.86.249:8080...
* Connected to 192.168.86.249 (192.168.86.249) port 8080 (#0)
> GET / HTTP/1.1
> Host: 192.168.86.249:8080
> User-Agent: curl/7.88.1
> Accept: */*
> 
< HTTP/1.1 429 TOO MANY REQUESTS
< Content-Type: text/html; charset=utf-8
< Content-Length: 17
< Server-Timing: total;dur=1.597, render;dur=0
< X-Content-Type-Options: nosniff
< X-Download-Options: noopen
< X-Robots-Tag: noindex, nofollow
< Referrer-Policy: no-referrer
< Connection: close
< 
* Closing connection 0

Caddy Logs

INF ts=1733421801.6143177 msg=using config from file file=/etc/caddy/Caddyfile

INF ts=1733421801.6165607 msg=adapted config to JSON adapter=caddyfile

WRN ts=1733421801.6171393 logger=admin msg=admin endpoint disabled

WRN ts=1733421801.6172726 logger=http.auto_https msg=server is listening only on the HTTP port, so no automatic HTTPS will be applied to this server server_name=srv0 http_port=80

INF ts=1733421801.6173203 logger=tls.cache.maintenance msg=started background certificate maintenance cache=0x40007c2500

INF ts=1733421801.6182463 logger=http.log msg=server running name=srv0 protocols=["h1","h2","h3"]

INF ts=1733421801.618409 msg=autosaved config (load with --resume flag) file=/config/caddy/autosave.json

INF ts=1733421801.6184182 msg=serving initial configuration


{"level":"info","ts":1733421801.6265461,"logger":"tls","msg":"storage cleaning happened too recently; skipping for now","storage":"FileStorage:/data/caddy","instance":"19ed4355-3bd1-45bc-b2a0-30fcfe2bf5e2","try_again":1733508201.6265445,"try_again_in":86399.999999667}

INF ts=1733421801.6266148 logger=tls msg=finished cleaning storage units

3. Caddy version:

v2.8.4 h1:q3pe0wpBj1OcHFZ3n/1nl4V4bxBrYoSoab7rL9BMYNk=

4. How I installed and ran Caddy:

a. System environment:

  • Raspberry Pi 5
  • ARM processor
  • Docker
    • Docker version 20.10.24+dfsg1, build 297e128
    • in a stack with searxng
    • docker network = searxng-docker

b. Command:

docker compose up -d

c. Service/unit/compose file:

# Compose stack as posted: Caddy (reverse proxy), Valkey (container named
# "redis") and SearXNG.
services:
  caddy:
    container_name: caddy
    image: docker.io/library/caddy:2-alpine
    # Host networking: Caddy binds directly on the host's interfaces (the
    # startup log on this page shows it listening on :80) and reaches SearXNG
    # through the host's published port 8080.
    network_mode: host
    restart: unless-stopped
    volumes:
      # Read-only mount: the container cannot alter its own Caddyfile.
      - ./Caddyfile:/etc/caddy/Caddyfile:ro
      - caddy-data:/data:rw
      - caddy-config:/config:rw
    environment:
      # Site address handed to the Caddyfile. With SEARXNG_HOSTNAME unset the
      # fallback is an http:// address, and the startup log on this page
      # reports that no automatic HTTPS is applied.
      - SEARXNG_HOSTNAME=${SEARXNG_HOSTNAME:-http://localhost:80}
      # Argument for the Caddyfile's tls directive: the LETSENCRYPT_EMAIL
      # value when set, otherwise "internal".
      - SEARXNG_TLS=${LETSENCRYPT_EMAIL:-internal}
    # Least privilege: drop every capability, then add back only
    # NET_BIND_SERVICE (binding ports below 1024).
    cap_drop:
      - ALL
    cap_add:
      - NET_BIND_SERVICE
    # Container logs are capped at a single 1 MB file, so older entries are
    # lost quickly; ship them elsewhere if they are needed for investigation.
    logging:
      driver: "json-file"
      options:
        max-size: "1m"
        max-file: "1"

  redis:
    container_name: redis
    image: docker.io/valkey/valkey:8-alpine
    # --save 30 1: snapshot to disk when at least 1 change occurred in 30 s.
    command: valkey-server --save 30 1 --loglevel warning
    restart: unless-stopped
    # Attached only to the "searxng" network; no host port is published.
    networks:
      - searxng
    volumes:
      - valkey-data2:/data
    cap_drop:
      - ALL
    # Presumably needed by the image entrypoint to switch user and write
    # /data; confirm against the image before trimming further.
    cap_add:
      - SETGID
      - SETUID
      - DAC_OVERRIDE
    logging:
      driver: "json-file"
      options:
        max-size: "1m"
        max-file: "1"

  searxng:
    container_name: searxng
    # NOTE(review): ":latest" is a floating tag; pin a version tag or digest
    # so the deployed image is reproducible and auditable.
    image: docker.io/searxng/searxng:latest
    restart: unless-stopped
    networks:
      - searxng
    # NOTE(review): "8080:8080" publishes SearXNG on every host interface.
    # A client that connects to <host>:8080 talks to SearXNG directly over
    # plain HTTP and never passes through Caddy (which listens on :80 here),
    # so Caddy's TLS and response headers cannot apply. The curl transcripts
    # on this page target this port. If only the proxy should reach SearXNG,
    # bind the published port to loopback, e.g. "127.0.0.1:8080:8080".
    ports:
      - "8080:8080"
    volumes:
      - ./searxng:/etc/searxng:rw
    environment:
      # Always an https:// URL, regardless of what Caddy actually serves.
      # Assumes SEARXNG_HOSTNAME is a bare hostname; a value that carries a
      # scheme would produce a malformed URL here.
      - SEARXNG_BASE_URL=https://${SEARXNG_HOSTNAME:-localhost}/
      - UWSGI_WORKERS=${SEARXNG_UWSGI_WORKERS:-4}
      - UWSGI_THREADS=${SEARXNG_UWSGI_THREADS:-4}
    cap_drop:
      - ALL
    cap_add:
      - CHOWN
      - SETGID
      - SETUID
    logging:
      driver: "json-file"
      options:
        max-size: "1m"
        max-file: "1"

# Network shared by redis and searxng (caddy uses host networking instead).
networks:
  searxng:

volumes:
  caddy-data:
  caddy-config:
  valkey-data2:

d. My complete Caddy config:

# Global options block.
{
  # Disables the admin API (the startup log on this page shows "admin endpoint
  # disabled"). A reply in this thread notes that this also removes the
  # ability to do graceful config reloads.
  admin off
}

# Site block. The address is read from the SEARXNG_HOSTNAME environment
# variable; an http:// address makes this an HTTP-only site.
{$SEARXNG_HOSTNAME} {
  # Access logs are thrown away, so there is no request record to consult
  # when troubleshooting or investigating.
  log {
        output discard
  }

  # Argument comes from SEARXNG_TLS. The startup log on this page shows
  # automatic HTTPS disabled because the server listens only on the HTTP port.
  tls {$SEARXNG_TLS}

  # Named matchers used by the header directives below.
  @api {
        path /config
        path /healthz
        path /stats/errors
        path /stats/checker
  }

  @static {
        path /static/*
  }

  @notstatic {
        not path /static/*
  }

  @imageproxy {
        path /image_proxy
  }

  @notimageproxy {
        not path /image_proxy
  }

  # Response headers set on every request to this site.
  header {
        # Enable HTTP Strict Transport Security (HSTS) to force clients to always connect via HTTPS
        # NOTE(review): browsers honour HSTS only when it arrives over HTTPS;
        # "includeSubDomains; preload" is a long-lived commitment for the
        # whole domain. Confirm it is wanted.
        Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"

        # Enable cross-site filter (XSS) and tell browser to block detected attacks
        # NOTE(review): legacy header; current browsers have dropped the XSS
        # auditor it controlled.
        X-XSS-Protection "1; mode=block"

        # Prevent some browsers from MIME-sniffing a response away from the declared Content-Type
        X-Content-Type-Options "nosniff"

        # Disable some features
        Permissions-Policy "accelerometer=(),ambient-light-sensor=(),autoplay=(),camera=(),encrypted-media=(),focus-without-user-activation=(),geolocation=(),gyroscope=(),magnetometer=(),microphone=(),midi=(),payment=(),picture-in-picture=(),speaker=(),sync-xhr=(),usb=(),vr=()"

        # Disable some features (legacy)
        Feature-Policy "accelerometer 'none';ambient-light-sensor 'none'; autoplay 'none';camera 'none';encrypted-media 'none';focus-without-user-activation 'none'; geolocation 'none';gyroscope 'none';magnetometer 'none';microphone 'none';midi 'none';payment 'none';picture-in-picture 'none'; speaker 'none';sync-xhr 'none';usb 'none';vr 'none'"

        # Referer
        Referrer-Policy "no-referrer"

        # X-Robots-Tag
        X-Robots-Tag "noindex, noarchive, nofollow"

        # Remove Server header
        -Server
  }

  # CORS for the @api paths: any origin may read these responses.
  header @api {
        Access-Control-Allow-Methods "GET, OPTIONS"
        Access-Control-Allow-Origin  "*"
  }

  # Cache
  header @static {
        # Cache
        Cache-Control "public, max-age=31536000"
        # defer: apply when the response is written, so this value replaces
        # whatever the upstream set.
        defer
  }

  header @notstatic {
        # No Cache
        Cache-Control "no-cache, no-store"
        Pragma "no-cache"
  }

  # CSP (see http://content-security-policy.com/ )
  header @imageproxy {
        Content-Security-Policy "default-src 'none'; img-src 'self' data:"
  }

  header @notimageproxy {
        Content-Security-Policy "upgrade-insecure-requests; default-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'; form-action 'self' https://github.com/searxng/searxng/issues/new; font-src 'self'; frame-ancestors 'self'; base-uri 'self'; connect-src 'self' https://overpass-api.de; img-src 'self' data: https://*.tile.openstreetmap.org; frame-src https://www.youtube-nocookie.com https://player.vimeo.com https://www.dailymotion.com https://www.deezer.com https://www.mixcloud.com https://w.soundcloud.com https://embed.spotify.com"
  }

  # SearXNG
  handle {
        encode zstd gzip

        # Forwards to SearXNG on the host's published port 8080.
        # NOTE(review): Caddy's reverse_proxy already sets the X-Forwarded-For,
        # -Proto and -Host headers by default; X-Real-IP is not among those
        # defaults. Presumably SearXNG reads it; confirm before removing.
        reverse_proxy localhost:8080 {
               header_up X-Forwarded-Port {http.request.port}
               #header_up X-Forwarded-Proto {http.request.scheme}
               header_up X-Real-IP {remote_host}
        }
  }

}

5. Links to relevant resources:

If you’re going to discard the logs anyway, just remove this (the `log { output discard }` block).

Doing this (`admin off`) means you’re disabling the ability to do graceful config reloads.

You probably don’t need any of those security headers (the `header { … }` block). Those are an application-layer concern; your underlying app should be setting the headers it needs correctly on its own. Don’t set headers like this unless you understand the implications. You might be harming security by doing this in some cases.

Remove all this (the `header_up` lines inside `reverse_proxy`); Caddy sets proxy headers correctly, automatically. See reverse_proxy (Caddyfile directive) — Caddy Documentation

Your logs look incomplete. There’s no errors there.

Your formatting for curl output is broken. Please show the entire output.

Thank you for the reply.

My Caddyfile is the one distributed with searxng. I did not make any changes.

I’ll make the changes according to your reply and capture new logs. I will also get an updated curl.

I assume I should just remove the entire header section.

Updated curl output
Note: Output is the same as previously pasted.

njack@madden-pi:/usr/local/searxng-docker $ curl -vL 192.168.86.249:8080
*   Trying 192.168.86.249:8080...
* Connected to 192.168.86.249 (192.168.86.249) port 8080 (#0)
> GET / HTTP/1.1
> Host: 192.168.86.249:8080
> User-Agent: curl/7.88.1
> Accept: */*
> 
< HTTP/1.1 429 TOO MANY REQUESTS
< Content-Type: text/html; charset=utf-8
< Content-Length: 17
< Server-Timing: total;dur=4.141, render;dur=0
< X-Content-Type-Options: nosniff
< X-Download-Options: noopen
< X-Robots-Tag: noindex, nofollow
< Referrer-Policy: no-referrer
< Connection: close
< 
* Closing connection 0

What do you have SEARXNG_HOSTNAME set to?

The hostname is set in the .env file, but since I am only using it locally on my network, I don’t think it needs to be set.

I also do not expect you to help me with my searxng config.

Thanks so much for all your help to this point.

Contents of .env
*Note: Email address redacted.

# To change this:
# * uncomment SEARXNG_HOSTNAME, and replace <host> by the SearXNG hostname
# * uncomment LETSENCRYPT_EMAIL, and replace <email> by your email (require to create a Let's Encrypt certificate)

# NOTE(review): SEARXNG_HOSTNAME is still commented out, so the fallback in
# the compose file applies. LETSENCRYPT_EMAIL on its own gives Caddy no domain
# to obtain a certificate for.
# SEARXNG_HOSTNAME=<host>
LETSENCRYPT_EMAIL=xxxxxxxx@xxxx.com

# Optional:
# If you run a very small or a very large instance, you might want to change the amount of used uwsgi workers and threads per >
# More workers (= processes) means that more search requests can be handled at the same time, but it also causes more resource>

# These override the compose-file defaults of 4 workers and 4 threads.
SEARXNG_UWSGI_WORKERS=6
SEARXNG_UWSGI_THREADS=6

Updated Caddy logs with debug set

2024-12-05T22:49:20.587474349Z INF ts=1733438960.5873218 msg=using config from file file=/etc/caddy/Caddyfile

2024-12-05T22:49:20.590589307Z INF ts=1733438960.5894794 msg=adapted config to JSON adapter=caddyfile

2024-12-05T22:49:20.590627992Z INF ts=1733438960.590477 logger=admin msg=admin endpoint started address=localhost:2019 enforce_origin=false origins=["//localhost:2019","//[::1]:2019","//127.0.0.1:2019"]

2024-12-05T22:49:20.590790770Z WRN ts=1733438960.5907402 logger=http.auto_https msg=server is listening only on the HTTP port, so no automatic HTTPS will be applied to this server server_name=srv0 http_port=80

2024-12-05T22:49:20.591345732Z INF ts=1733438960.590826 logger=tls.cache.maintenance msg=started background certificate maintenance cache=0x400004f880

2024-12-05T22:49:20.591355213Z DBG ts=1733438960.5907629 logger=http.auto_https msg=adjusted config tls={"automation":{"policies":[{}]}} http={"servers":{"srv0":{"listen":[":80"],"routes":[{"handle":[{"handler":"subroute","routes":[{"handle":[{"handler":"headers","response":{"set":{"Access-Control-Allow-Methods":["GET, OPTIONS"],"Access-Control-Allow-Origin":["*"]}}}],"match":[{"path":["/config","/healthz","/stats/errors","/stats/checker"]}]},{"handle":[{"handler":"headers","response":{"deferred":true,"set":{"Cache-Control":["public, max-age=31536000"]}}}],"match":[{"path":["/static/*"]}]},{"handle":[{"handler":"headers","response":{"set":{"Cache-Control":["no-cache, no-store"],"Pragma":["no-cache"]}}}],"match":[{"not":[{"path":["/static/*"]}]}]},{"handle":[{"handler":"headers","response":{"set":{"Content-Security-Policy":["default-src 'none'; img-src 'self' data:"]}}}],"match":[{"path":["/image_proxy"]}]},{"handle":[{"handler":"headers","response":{"set":{"Content-Security-Policy":["upgrade-insecure-requests; default-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'; form-action 'self' https://github.com/searxng/searxng/issues/new; font-src 'self'; frame-ancestors 'self'; base-uri 'self'; connect-src 'self' https://overpass-api.de; img-src 'self' data: https://*.tile.openstreetmap.org; frame-src https://www.youtube-nocookie.com https://player.vimeo.com https://www.dailymotion.com https://www.deezer.com https://www.mixcloud.com https://w.soundcloud.com https://embed.spotify.com"]}}}],"match":[{"not":[{"path":["/image_proxy"]}]}]},{"handle":[{"handler":"subroute","routes":[{"handle":[{"encodings":{"gzip":{},"zstd":{}},"handler":"encode","prefer":["zstd","gzip"]},{"handler":"reverse_proxy","upstreams":[{"dial":"localhost:8080"}]}]}]}]}]}],"terminal":true}],"automatic_https":{"disable":true}}}}

2024-12-05T22:49:20.591694231Z DBG ts=1733438960.5916483 logger=http msg=starting server loop address=[::]:80 tls=false http3=false

2024-12-05T22:49:20.591701231Z INF ts=1733438960.5916693 logger=http.log msg=server running name=srv0 protocols=["h1","h2","h3"]

2024-12-05T22:49:20.591961879Z INF ts=1733438960.5918612 msg=autosaved config (load with --resume flag) file=/config/caddy/autosave.json

2024-12-05T22:49:20.591969527Z INF ts=1733438960.5918686 msg=serving initial configuration

2024-12-05T22:49:20.600880401Z INF ts=1733438960.600836 logger=tls msg=storage cleaning happened too recently; skipping for now storage=FileStorage:/data/caddy instance=19ed4355-3bd1-45bc-b2a0-30fcfe2bf5e2 try_again=1733525360.6008348 try_again_in=86399.999999667

2024-12-05T22:49:20.600944994Z INF ts=1733438960.600917 logger=tls msg=finished cleaning storage units

Then it defaults to http://localhost:80 in that case. So you cannot use 192.168.86.249:80 to connect to it, only localhost as a hostname will work.

Change it to simply http:// to allow any hostname on port 80.

Hmmm, made the suggested change, but still not getting HTTPS when accessing the app.

The app is running headless on a raspberry pi so I am accessing from other hosts on my network using 192.168.86.249:8080

Current curl output from the raspberry pi host console:

*   Trying 192.168.86.249:8080...
* Connected to 192.168.86.249 (192.168.86.249) port 8080 (#0)
> GET / HTTP/1.1
> Host: 192.168.86.249:8080
> User-Agent: curl/7.88.1
> Accept: */*
> 
< HTTP/1.1 429 TOO MANY REQUESTS
< Content-Type: text/html; charset=utf-8
< Content-Length: 17
< Server-Timing: total;dur=4.108, render;dur=0
< X-Content-Type-Options: nosniff
< X-Download-Options: noopen
< X-Robots-Tag: noindex, nofollow
< Referrer-Policy: no-referrer
< Connection: close
< 
* Closing connection 0

Current Caddy Logs:


      
INF ts=1733506390.3951406 msg=using config from file file=/etc/caddy/Caddyfile

INF ts=1733506390.3971972 msg=adapted config to JSON adapter=caddyfile

INF ts=1733506390.3982074 logger=admin msg=admin endpoint started address=localhost:2019 enforce_origin=false origins=["//localhost:2019","//[::1]:2019","//127.0.0.1:2019"]

WRN ts=1733506390.3984816 logger=http.auto_https msg=server is listening only on the HTTP port, so no automatic HTTPS will be applied to this server server_name=srv0 http_port=80

INF ts=1733506390.398509 logger=tls.cache.maintenance msg=started background certificate maintenance cache=0x40004b0300

DBG ts=1733506390.398542 logger=http.auto_https msg=adjusted config tls={"automation":{"policies":[{}]}} http={"servers":{"srv0":{"listen":[":80"],"routes":[{"handle":[{"handler":"headers","response":{"set":{"Access-Control-Allow-Methods":["GET, OPTIONS"],"Access-Control-Allow-Origin":["*"]}}}]},{"handle":[{"handler":"headers","response":{"deferred":true,"set":{"Cache-Control":["public, max-age=31536000"]}}}]},{"handle":[{"handler":"headers","response":{"set":{"Cache-Control":["no-cache, no-store"],"Pragma":["no-cache"]}}}]},{"handle":[{"handler":"headers","response":{"set":{"Content-Security-Policy":["default-src 'none'; img-src 'self' data:"]}}}]},{"handle":[{"handler":"headers","response":{"set":{"Content-Security-Policy":["upgrade-insecure-requests; default-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'; form-action 'self' https://github.com/searxng/searxng/issues/new; font-src 'self'; frame-ancestors 'self'; base-uri 'self'; connect-src 'self' https://overpass-api.de; img-src 'self' data: https://*.tile.openstreetmap.org; frame-src https://www.youtube-nocookie.com https://player.vimeo.com https://www.dailymotion.com https://www.deezer.com https://www.mixcloud.com https://w.soundcloud.com https://embed.spotify.com"]}}}]},{"handle":[{"handler":"subroute","routes":[{"handle":[{"encodings":{"gzip":{},"zstd":{}},"handler":"encode","prefer":["zstd","gzip"]},{"handler":"reverse_proxy","upstreams":[{"dial":"localhost:8080"}]}]}]}]}],"automatic_https":{"disable":true}}}}

DBG ts=1733506390.3991475 logger=http msg=starting server loop address=[::]:80 tls=false http3=false

INF ts=1733506390.399187 logger=http.log msg=server running name=srv0 protocols=["h1","h2","h3"]

INF ts=1733506390.4008832 msg=autosaved config (load with --resume flag) file=/config/caddy/autosave.json

INF ts=1733506390.4009147 msg=serving initial configuration


{"level":"info","ts":1733506390.4125643,"logger":"tls","msg":"storage cleaning happened too recently; skipping for now","storage":"FileStorage:/data/caddy","instance":"19ed4355-3bd1-45bc-b2a0-30fcfe2bf5e2","try_again":1733592790.4125605,"try_again_in":86399.999999241}

INF ts=1733506390.4127357 logger=tls msg=finished cleaning storage units

INF ts=1733506504.5414386 msg=shutting down apps, then terminating signal=SIGTERM

WRN ts=1733506504.5415857 msg=exiting; byeee!! 👋 signal=SIGTERM

INF ts=1733506504.541861 logger=http msg=servers shutting down with eternal grace period

INF ts=1733506504.542323 logger=admin msg=stopped previous server address=localhost:2019

INF ts=1733506504.5423465 msg=shutdown complete signal=SIGTERM exit_code=0

INF ts=1733506553.517312 msg=using config from file file=/etc/caddy/Caddyfile

INF ts=1733506553.5220819 msg=adapted config to JSON adapter=caddyfile

INF ts=1733506553.5256689 logger=admin msg=admin endpoint started address=localhost:2019 enforce_origin=false origins=["//localhost:2019","//[::1]:2019","//127.0.0.1:2019"]

WRN ts=1733506553.5306582 logger=http.auto_https msg=server is listening only on the HTTP port, so no automatic HTTPS will be applied to this server server_name=srv0 http_port=80

INF ts=1733506553.5312433 logger=tls.cache.maintenance msg=started background certificate maintenance cache=0x4000694580

DBG ts=1733506553.5306993 logger=http.auto_https msg=adjusted config tls={"automation":{"policies":[{}]}} http={"servers":{"srv0":{"listen":[":80"],"routes":[{"handle":[{"handler":"headers","response":{"set":{"Access-Control-Allow-Methods":["GET, OPTIONS"],"Access-Control-Allow-Origin":["*"]}}}]},{"handle":[{"handler":"headers","response":{"deferred":true,"set":{"Cache-Control":["public, max-age=31536000"]}}}]},{"handle":[{"handler":"headers","response":{"set":{"Cache-Control":["no-cache, no-store"],"Pragma":["no-cache"]}}}]},{"handle":[{"handler":"headers","response":{"set":{"Content-Security-Policy":["default-src 'none'; img-src 'self' data:"]}}}]},{"handle":[{"handler":"headers","response":{"set":{"Content-Security-Policy":["upgrade-insecure-requests; default-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'; form-action 'self' https://github.com/searxng/searxng/issues/new; font-src 'self'; frame-ancestors 'self'; base-uri 'self'; connect-src 'self' https://overpass-api.de; img-src 'self' data: https://*.tile.openstreetmap.org; frame-src https://www.youtube-nocookie.com https://player.vimeo.com https://www.dailymotion.com https://www.deezer.com https://www.mixcloud.com https://w.soundcloud.com https://embed.spotify.com"]}}}]},{"handle":[{"handler":"subroute","routes":[{"handle":[{"encodings":{"gzip":{},"zstd":{}},"handler":"encode","prefer":["zstd","gzip"]},{"handler":"reverse_proxy","upstreams":[{"dial":"localhost:8080"}]}]}]}]}],"automatic_https":{"disable":true}}}}

DBG ts=1733506553.531983 logger=http msg=starting server loop address=[::]:80 tls=false http3=false

INF ts=1733506553.5320241 logger=http.log msg=server running name=srv0 protocols=["h1","h2","h3"]

INF ts=1733506553.5407524 msg=autosaved config (load with --resume flag) file=/config/caddy/autosave.json

INF ts=1733506553.5407739 msg=serving initial configuration


{"level":"info","ts":1733506553.6208005,"logger":"tls","msg":"storage cleaning happened too recently; skipping for now","storage":"FileStorage:/data/caddy","instance":"19ed4355-3bd1-45bc-b2a0-30fcfe2bf5e2","try_again":1733592953.6207955,"try_again_in":86399.999999296}

INF ts=1733506553.620944 logger=tls msg=finished cleaning storage units

Current docker-compose.yaml

# Compose stack after the suggested change: Caddy (reverse proxy), Valkey
# (container named "redis") and SearXNG.
services:
  caddy:
    container_name: caddy
    image: docker.io/library/caddy:2-alpine
    # Host networking: Caddy binds directly on the host's interfaces (the
    # log on this page shows it listening on :80) and its admin endpoint on
    # localhost:2019 is the host's own loopback.
    network_mode: host
    restart: unless-stopped
    volumes:
      # NOTE(review): no ":ro" suffix, so the Caddyfile is mounted read-write
      # (the Docker default) and the container can modify its own config.
      - ./Caddyfile:/etc/caddy/Caddyfile
      - caddy-data:/data:rw
      - caddy-config:/config:rw
    environment:
      # Fallback site address is the bare scheme "http://", so Caddy serves
      # plain HTTP only; the startup log on this page reports that no
      # automatic HTTPS is applied.
      - SEARXNG_HOSTNAME=${SEARXNG_HOSTNAME:-http://}
      # Argument for the Caddyfile's tls directive: the LETSENCRYPT_EMAIL
      # value when set, otherwise "internal".
      - SEARXNG_TLS=${LETSENCRYPT_EMAIL:-internal}
    # Least privilege: drop every capability, then add back only
    # NET_BIND_SERVICE (binding ports below 1024).
    cap_drop:
      - ALL
    cap_add:
      - NET_BIND_SERVICE
    # Container logs are capped at a single 1 MB file, so older entries are
    # lost quickly; ship them elsewhere if they are needed for investigation.
    logging:
      driver: "json-file"
      options:
        max-size: "1m"
        max-file: "1"

  redis:
    container_name: redis
    image: docker.io/valkey/valkey:8-alpine
    # --save 30 1: snapshot to disk when at least 1 change occurred in 30 s.
    command: valkey-server --save 30 1 --loglevel warning
    restart: unless-stopped
    # Attached only to the "searxng" network; no host port is published.
    networks:
      - searxng
    volumes:
      - valkey-data2:/data
    cap_drop:
      - ALL
    # Presumably needed by the image entrypoint to switch user and write
    # /data; confirm against the image before trimming further.
    cap_add:
      - SETGID
      - SETUID
      - DAC_OVERRIDE
    logging:
      driver: "json-file"
      options:
        max-size: "1m"
        max-file: "1"

  searxng:
    container_name: searxng
    # NOTE(review): ":latest" is a floating tag; pin a version tag or digest
    # so the deployed image is reproducible and auditable.
    image: docker.io/searxng/searxng:latest
    restart: unless-stopped
    networks:
      - searxng
    # NOTE(review): "8080:8080" publishes SearXNG on every host interface.
    # Requests to <host>:8080 reach SearXNG directly over plain HTTP and
    # bypass Caddy on :80 entirely, so no Caddyfile change can affect them.
    # The curl transcripts on this page target this port. If only the proxy
    # should reach SearXNG, bind the published port to loopback, e.g.
    # "127.0.0.1:8080:8080".
    ports:
      - "8080:8080"
    volumes:
      - ./searxng:/etc/searxng:rw
    environment:
      # Always an https:// URL, regardless of what Caddy actually serves.
      # Assumes SEARXNG_HOSTNAME is a bare hostname; a value that carries a
      # scheme would produce a malformed URL here.
      - SEARXNG_BASE_URL=https://${SEARXNG_HOSTNAME:-localhost}/
      - UWSGI_WORKERS=${SEARXNG_UWSGI_WORKERS:-4}
      - UWSGI_THREADS=${SEARXNG_UWSGI_THREADS:-4}
    cap_drop:
      - ALL
    cap_add:
      - CHOWN
      - SETGID
      - SETUID
    logging:
      driver: "json-file"
      options:
        max-size: "1m"
        max-file: "1"

# Network shared by redis and searxng (caddy uses host networking instead).
networks:
  searxng:

volumes:
  caddy-data:
  caddy-config:
  valkey-data2:

Current Caddyfile

# Global options block.
{
        # Debug-level logging. "admin off" is no longer present here, and the
        # log on this page shows the admin endpoint started on localhost:2019
        # with enforce_origin=false. Because the caddy container uses host
        # networking, that address is the host's own loopback.
        debug
}

# Site block. The address is read from the SEARXNG_HOSTNAME environment
# variable; the compose file on this page falls back to "http://".
{$SEARXNG_HOSTNAME} {
        # Argument comes from SEARXNG_TLS. The startup log on this page shows
        # automatic HTTPS disabled because the server listens only on the
        # HTTP port.
        tls {$SEARXNG_TLS}

        # Named matchers used by the header directives below.
        @api {
                path /config
                path /healthz
                path /stats/errors
                path /stats/checker
        }

        @static {
                path /static/*
        }

        @notstatic {
                not path /static/*
        }

        @imageproxy {
                path /image_proxy
        }

        @notimageproxy {
                not path /image_proxy
        }

        # CORS for the @api paths: any origin may read these responses.
        header @api {
                Access-Control-Allow-Methods "GET, OPTIONS"
                Access-Control-Allow-Origin "*"
        }

        # Cache
        header @static {
                # Cache
                Cache-Control "public, max-age=31536000"
                # defer: apply when the response is written, so this value
                # replaces whatever the upstream set.
                defer
        }

        header @notstatic {
                # No Cache
                Cache-Control "no-cache, no-store"
                Pragma "no-cache"
        }

        # CSP (see http://content-security-policy.com/ )
        header @imageproxy {
                Content-Security-Policy "default-src 'none'; img-src 'self' data:"
        }

        header @notimageproxy {
                # NOTE(review): the next line is cut off in the paste (it ends
                # in ">"); the full policy appears in the debug log on this page.
                Content-Security-Policy "upgrade-insecure-requests; default-src 'none'; script-src 'self'; style-src 'self' 'u>
        }

        # SearXNG
        handle {
                encode zstd gzip

                # Forwards to SearXNG on the host's published port 8080. The
                # block is empty, so only Caddy's default proxy headers apply.
                reverse_proxy localhost:8080 {
                }
        }
}

Of course not, http:// has Caddy listen for HTTP only.

You must set a domain for Caddy to set up HTTPS. You have to override SEARXNG_HOSTNAME with your actual domain name. You will also need to set LETSENCRYPT_EMAIL to your email.
