From 73ca1e0bbf993fa3b856474f6b05a464ef99c366 Mon Sep 17 00:00:00 2001
From: Bob Mottram
Date: Sat, 5 Mar 2016 15:42:23 +0000
Subject: [PATCH] Search engine access control

---
 src/freedombone | 22 ++++++++++++++--------
 1 file changed, 14 insertions(+), 8 deletions(-)

diff --git a/src/freedombone b/src/freedombone
index 2e4805d6..6c3d5d08 100755
--- a/src/freedombone
+++ b/src/freedombone
@@ -257,6 +257,7 @@ SEARCH_ENGINE_COMMIT='fee556c9904637051a9ba874ba7e71cd9f10789f'
 SEARCH_ENGINE_PATH=/etc
 SEARCH_ENGINE_ONION_PORT=8094
 SEARCH_ENGINE_ONION_HOSTNAME=
+SEARCH_ENGINE_LOGIN_TEXT=$"Search engine login"
 
 GPG_KEYSERVER="hkp://keys.gnupg.net"
 
@@ -6235,6 +6236,15 @@ function install_web_server {
     echo 'install_web_server' >> $COMPLETION_FILE
 }
 
+function install_web_server_access_control {
+    if [ ! -f /etc/pam.d/nginx ]; then
+        echo '#%PAM-1.0' > /etc/pam.d/nginx
+        echo '@include common-auth' >> /etc/pam.d/nginx
+        echo '@include common-account' >> /etc/pam.d/nginx
+        echo '@include common-session' >> /etc/pam.d/nginx
+    fi
+}
+
 function configure_php {
     sed -i "s/memory_limit = 128M/memory_limit = ${MAX_PHP_MEMORY}M/g" /etc/php5/fpm/php.ini
     sed -i 's/;cgi.fix_pathinfo=1/cgi.fix_pathinfo=0/g' /etc/php5/fpm/php.ini
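Review bot: install_web_server_access_control writes /etc/pam.d/nginx but nothing in this hunk confirms that the installed nginx actually provides the `auth_pam` directive the searx site later depends on; on a build without that module the generated site config would not load, so the function should verify the module is present (or install the package that provides it) before the PAM stack is written. Because the stack includes `common-auth`, web logins are checked against the system's login accounts, which means users send their system password as HTTP Basic credentials on every request and the nginx worker presumably needs privileged access to the shadow database to verify them — a dedicated PAM service backed by its own credential file for web logins would keep system accounts out of the web path. Unlike install_web_server just above, the new function also records nothing in `$COMPLETION_FILE`; the `-f` guard keeps it idempotent, but for consistency consider `echo 'install_web_server_access_control' >> $COMPLETION_FILE` at the end.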
@@ -9160,14 +9170,7 @@ function install_gnu_social_markdown {
 }
 
 function install_search_engine {
-    # Note: having a search engine is a nice idea, but at present there are a couple
-    # of problems. One is that there is no access control, such that J random web surfer
-    # could use your search engine. Secondly, the outgoing connection to other search
-    # engines currently can't be socks5 proxied. This potentially causes legal liability
-    # issues for the user - (i) providing secondard services beyond household members
-    # and (ii) adversaries could try to incriminate you by searching for things illegal
-    # within your zone.
-    # Until these factors are addressed it's unwise to have this enabled by default.
+    # Note: currently socks5 outgoing proxies to other search engines does not work
     if [[ $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then
         return
     fi
@@ -9293,6 +9296,8 @@ function install_search_engine {
     echo ' proxy_set_header X-Remote-Port $remote_port;' >> /etc/nginx/sites-available/searx
     echo ' proxy_set_header X-Forwarded-Proto $scheme;' >> /etc/nginx/sites-available/searx
     echo ' proxy_redirect off;' >> /etc/nginx/sites-available/searx
+    echo " auth_pam \"${SEARCH_ENGINE_LOGIN_TEXT}\";" >> /etc/nginx/sites-available/searx
+    echo ' auth_pam_service_name "nginx";' >> /etc/nginx/sites-available/searx
     echo ' }' >> /etc/nginx/sites-available/searx
     echo '' >> /etc/nginx/sites-available/searx
     echo ' fastcgi_buffers 64 4K;' >> /etc/nginx/sites-available/searx
@@ -10680,6 +10685,7 @@ encrypt_all_email
 import_email
 script_for_attaching_usb_drive
 install_web_server
+install_web_server_access_control
 configure_firewall_for_web_server
 install_owncloud
 install_owncloud_music_app
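Review bot: The two `auth_pam` directives are added to a single location block, yet the first hunk shows searx is also reachable through an onion service (SEARCH_ENGINE_ONION_PORT); if install_search_engine generates a separate server block for that listener, it stays unauthenticated unless the same two lines are written there too — install_search_engine starts and ends outside this hunk, so this cannot be confirmed from the diff. auth_pam relies on HTTP Basic authentication, so the system passwords it collects travel in the clear unless this server block is served only over TLS or the onion transport, which the hunk does not show; a comment above the added lines would make the requirement explicit, e.g. `# auth_pam uses HTTP Basic auth against system accounts: only expose this block over TLS or the onion service`. Note also that the replaced header comment in the earlier hunk dropped the mention of access control entirely; since access control is now conditional on the auth_pam module being available, a short remark to that effect would help the next maintainer.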