Using Internally Signed SSL Certificate and Key

[wre136]

For those who are interested in using an internal CA signed SSL certificate to secure your SearXNG instance (Not self-signed nor a public SSL certificate), it is possible and easy to do with Docker-Compose.

In my environment, I use my pfSense router as my certificate authority. As such, I used it to create an internally signed certificate and key for my internal SearXNG server's DNS name.

The following instructions imply that you are using a Linux host and you working directory for SearXNG is at /usr/local/searxng-docker

1. Copy your internally signed .crt and .key file to the root of the working directory (/usr/local/searxng-docker)

2. Bring down your docker-compose environment
   docker-compose down

3. Edit the docker-compse file
   sudo nano ./docker-compse.yaml

4. Under the "volumes" sub-section of the "caddy" section, add a bind volume to bind the .crt file to /data/caddy/certificates/local/<DNS NAME>/<DNS NAME>.crt (NOTE! <DNS NAME> should be whatever you specified for your hostname in the .env file!)
   - type: bind
source: ./<IMPORTED CERT>.crt
target: /data/caddy/certificates/local/<DNS NAME>/<DNS NAME>.crt

5. Just like the pervious step, add another bind volume but this time do it for the key file located at /data/caddy/certificates/local/<DNS NAME>/<DNS NAME>.key
   - type: bind
source: ./<IMPORTED KEY>.key
target: /data/caddy/certificates/local/<DNS NAME>/<DNS NAME>.key

6. Save your docker-compose.yaml file

7. Bring your docker-compose environment back up

8. If you have told your computer/phone/whatever that your internal certificate authority is valid, then when you now access your SearXNG instance, it should now be secure and not give you an Invalid SSL warning. (NOTE: You may have to close all your web browsers before it accepts the new cert!)

[dutchtexan25]

I've set up searxng with tailscale, enabled the https in the tailscale console, and created the certificates. How do I direct searxng to use these certificates?

Docker compose file:

services:
searxng:
image: searxng/searxng:latest
restart: always
ports:
- "8080:8080"
environment:
- BASE_URL=https://mydomain.ts.net
depends_on:
- redis
redis:
image: redis:alpine