Help regarding HTTPS on a local selfhosted searxng instance

1. The problem I’m having:

I’ve spun up a searxng docker container, which includes caddy. So far, searxng sort of works, the only thing I’m confused about right now is that there is no HTTPS available. I have changed my .env file (searxng-docker/.env at master · searxng/searxng-docker · GitHub) so that my email is there along with my hostname. Navigating to will not connect to the site, only http://.

Since it’s a search engine I feel like HTTPS is crucial.

This could be an issue with Let's Encrypt though. I am not used to webservers, but I’m really excited to learn as much as I can by playing with it.

2. Error messages and/or full log output:

There are no error messages, only that there is no HTTPS on the site.

3. Caddy version:

Going by the version numbers found on the dockerhub page, I would guess that the version of Caddy is 2.6.4

4. How I installed and ran Caddy:

I followed the tutorial found here: GitHub - searxng/searxng-docker: The docker-compose files for setting up a SearXNG instance with docker, so I did not install Caddy on my own.

a. System environment:

Server: Ubuntu Server 22.04.2 LTS
Docker version: Docker version 20.10.21, build 20.10.21-0ubuntu1~22.04.2

b. Command:

sudo docker-compose up -d

d. My complete Caddy config:

I’m not sure if I should insert my Caddyfile here, but in the case that I should, here it is:

{
  admin off
}

{$SEARXNG_HOSTNAME} {
  log {
        output discard
  }

  tls {$SEARXNG_TLS}

  @api {
        path /config
        path /healthz
        path /stats/errors
        path /stats/checker
  }

  @static {
        path /static/*
  }

  @notstatic {
        not path /static/*
  }

  @imageproxy {
        path /image_proxy
  }

  @notimageproxy {
        not path /image_proxy
  }

  header {
        # Enable HTTP Strict Transport Security (HSTS) to force clients to always connect via HTTPS
        Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"

        # Enable cross-site filter (XSS) and tell browser to block detected attacks
        X-XSS-Protection "1; mode=block"

        # Prevent some browsers from MIME-sniffing a response away from the declared Content-Type
        X-Content-Type-Options "nosniff"

        # Disable some features
        Permissions-Policy "accelerometer=(),ambient-light-sensor=(),autoplay=(),camera=(),encrypted-media=(),focus-without-user-activation=(),geolocation=(),gyroscope=(),magnetometer=(),microphone=(),midi=(),payment=(),picture-in-picture=(),speaker=(),sync-xhr=(),usb=(),vr=()"

        # Disable some features (legacy)
        Feature-Policy "accelerometer 'none';ambient-light-sensor 'none'; autoplay 'none';camera 'none';encrypted-media 'none';focus-without-user-activation 'none'; geolocation 'none';gyroscope 'none';magnetometer 'none';microphone 'none';midi 'none';payment 'none';picture-in-picture 'none'; speaker 'none';sync-xhr 'none';usb 'none';vr 'none'"

        # Referer
        Referrer-Policy "no-referrer"

        # X-Robots-Tag
        X-Robots-Tag "noindex, noarchive, nofollow"

        # Remove Server header
        -Server
  }

  header @api {
        Access-Control-Allow-Methods "GET, OPTIONS"
        Access-Control-Allow-Origin  "*"
  }

  # Cache
  header @static {
        # Cache
        Cache-Control "public, max-age=31536000"
  }

  header @notstatic {
        # No Cache
        Cache-Control "no-cache, no-store"
        Pragma "no-cache"
  }

  # CSP (see )
  header @imageproxy {
        Content-Security-Policy "default-src 'none'; img-src 'self' data:"
  }

  header @notimageproxy {
        Content-Security-Policy "upgrade-insecure-requests; default-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'; form-action 'self'; font-src 'self'; frame-ancestors 'self'; base-uri 'self'; connect-src 'self'; img-src 'self' data: https://*; frame-src"
  }

  # SearXNG
  handle {
        encode zstd gzip

        reverse_proxy localhost:8080 {
               header_up X-Forwarded-Port {http.request.port}
               header_up X-Forwarded-Proto {http.request.scheme}
        }
  }
}


Yeah, you need to use a real domain name, you can’t use an IP address for ACME. This is a requirement by ACME issuers.

Also, that’s a LAN IP address, not a public IP address, so that wouldn’t work for reaching the server from outside your network.
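The reply above is the whole story: an ACME CA will not issue for an IP address, and a LAN address is not reachable for validation anyway. As an added example (my own, not from this thread or from searxng-docker), here is a POSIX shell pre-flight check for the value you put in SEARXNG_HOSTNAME. It also maps the result onto the `tls {$SEARXNG_TLS}` line in the posted Caddyfile: leave the variable empty for a public name so Caddy talks to Let's Encrypt, or set it to `internal` so Caddy's own local CA issues the certificate for a LAN-only box. The function names and the private-range list are mine.

```sh
#!/bin/sh
# Added example, not part of this thread or of searxng-docker: a pre-flight check
# for the SEARXNG_HOSTNAME value (the site address Caddy hands to its ACME client).
# Returns 0 when the value is a DNS name a public CA could validate; otherwise
# prints the reason and returns 1.
acme_hostname_check() {
  host="$1"
  [ -n "$host" ] || { echo "empty hostname"; return 1; }
  # IPv4 literal: ACME CAs such as Let's Encrypt do not issue for an IP address
  if printf '%s\n' "$host" | grep -Eq '^[0-9]{1,3}(\.[0-9]{1,3}){3}$'; then
    case "$host" in
      10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*|127.*)
        echo "$host is a private/loopback IPv4 address: not an ACME identifier and not reachable for validation" ;;
      *) echo "$host is an IP address: ACME needs a DNS name" ;;
    esac
    return 1
  fi
  case "$host" in
    *:*) echo "$host is an IPv6 literal: ACME needs a DNS name"; return 1 ;;
    localhost|*.localhost|*.local|*.lan|*.internal|*.home.arpa)
      echo "$host is a non-public name: no public CA can validate it"; return 1 ;;
    *.*) return 0 ;;
    *) echo "$host is a single-label name: public CAs do not issue for it"; return 1 ;;
  esac
}

# Map the check onto the Caddyfile's tls directive: "acme" = leave SEARXNG_TLS
# empty (needs public DNS for the name and ports 80/443 reachable from the
# internet); "internal" = set SEARXNG_TLS=internal so Caddy's local CA signs the
# certificate, which browsers on the LAN must then be told to trust.
tls_mode_for() {
  if acme_hostname_check "$1" >/dev/null; then echo acme; else echo internal; fi
}

# Usage: sh check.sh 192.168.1.20   (hostname taken from the command line)
if [ $# -eq 1 ]; then
  acme_hostname_check "$1"
  echo "suggested tls setting: $(tls_mode_for "$1")"
fi
```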

Oh I see. Thank you very much! Appreciate it :smiley:
