Commit 361861daa53a

Vincent Demeester <vincent@sbr.pm>
2026-03-23 15:21:54
feat(searx): add proxy rotation to avoid rate limiting
Added microsocks SOCKS5 proxies on sakhalin (local) and kerkouane (VPN) for round-robin request distribution. SearXNG was getting CAPTCHA-blocked by DuckDuckGo, Google, and Brave because all requests left from a single exit IP. Requests are now split 50/50 across two different IPs.
1 parent 4ab8378
Changed files (2)
systems/kerkouane/extra.nix
@@ -414,6 +414,15 @@ in
     peers = libx.generateWireguardPeers globals.machines;
   };
 
+  # SOCKS5 proxy for SearXNG outgoing requests (VPN-only)
+  # Allows searx on sakhalin to route queries through kerkouane's IP
+  # for round-robin proxy rotation to avoid search engine rate limiting
+  services.microsocks = {
+    enable = true;
+    ip = builtins.head globals.machines.kerkouane.net.vpn.ips;
+    port = 1080;
+  };
+
   services.gosmee = {
     enable = true;
     public-url = "https://webhook.sbr.pm";
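Review bot: The `services.microsocks` block on kerkouane sets no authentication, so the listener on port 1080 serves any client that can reach the VPN address. microsocks applies no destination filtering, so such a client can also have it connect to loopback-bound or VPN-internal services on kerkouane, not only to search engines. The NixOS module provides `authUsername` and `authPasswordFile`; setting both, with the password file kept outside the Nix store, would limit use to SearXNG. Because `ip` is the WireGuard address, the service presumably also needs to start after the tunnel is up, which this hunk does not show.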
@@ -446,6 +455,9 @@ in
       # Allow node exporter (9000) only from VPN network
       iptables -A nixos-fw -p tcp -s 10.100.0.0/24 --dport 9000 -j nixos-fw-accept
 
+      # Allow microsocks SOCKS5 proxy (1080) only from VPN network
+      iptables -A nixos-fw -p tcp -s 10.100.0.0/24 --dport 1080 -j nixos-fw-accept
+
       # Block known SYN flood source (USBINF INFORMATICA LTDA, Brazil)
       iptables -I nixos-fw 1 -s 45.233.176.0/22 -j DROP
       ip6tables -I nixos-fw 1 -s ::ffff:45.233.176.0/118 -j DROP
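Review bot: The new rule for port 1080 accepts the whole `10.100.0.0/24` range, while the comments in this commit name SearXNG on sakhalin as the only intended client. With the proxy configured without credentials, every VPN peer gets an exit through kerkouane's public IP. Narrowing the source would match the intent, e.g. `iptables -A nixos-fw -p tcp -s <sakhalin-vpn-ip> --dport 1080 -j nixos-fw-accept`. The address can presumably be derived from `globals.machines` the same way the kerkouane one is. Adding `-i <wireguard-interface>` would also stop the rule from relying on the source address alone; the surrounding firewall command block begins and ends outside this hunk.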
systems/sakhalin/extra.nix
@@ -347,6 +347,14 @@ in
       };
     };
 
+    # Local SOCKS5 proxy for SearXNG round-robin (exits through sakhalin's IP)
+    # Paired with kerkouane's proxy for 50/50 request distribution
+    microsocks = {
+      enable = true;
+      ip = "127.0.0.1";
+      port = 1080;
+    };
+
     # SearXNG metasearch engine (migrated from aomi)
     # Private instance, API-focused for Pi agent
     searx = {
@@ -366,6 +374,21 @@ in
           limiter = false; # Private instance, no rate limiting needed
           image_proxy = false;
         };
+        # Route outgoing requests through multiple proxies (round-robin)
+        # to avoid search engine rate limiting / CAPTCHAs
+        outgoing = {
+          proxies = {
+            "all://" = [
+              # sakhalin (local) — exits through sakhalin's IP
+              "socks5h://127.0.0.1:1080"
+              # kerkouane (DigitalOcean VPS) — exits through kerkouane's IP
+              "socks5h://${builtins.head globals.machines.kerkouane.net.vpn.ips}:1080"
+              # Add more proxies here for additional exit IPs:
+              # "socks5h://${builtins.head globals.machines.carthage.net.vpn.ips}:1080"
+            ];
+          };
+          extra_proxy_timeout = 10.0;
+        };
         search = {
           safe_search = 0;
           autocomplete = "";
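Review bot: The `"all://"` list hands the kerkouane proxy every second outgoing request with no fallback visible in this hunk. If the VPN tunnel or microsocks on kerkouane is down, those requests will likely fail or wait out the engine timeout plus `extra_proxy_timeout = 10.0` rather than leaving through the local proxy. A comment above the list would record this, e.g. `# NOTE: no failover; requests assigned to kerkouane fail while its VPN link or proxy is down`. If proxy authentication is added later, credentials embedded in these URLs would land in the world-readable Nix store, so they should come from the searx module's `environmentFile` instead. The enclosing settings block starts and continues outside this hunk.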