I’m looking at self-hosting SearXNG. I have an old Win 11 machine and figure this might be the only way it can be useful.
Two questions I haven’t seen answered so far:
-
I would be hosting on my own home network, which is on a VPN 24/7, but for added privacy my devices are sometimes on VPN connections to other IPs. So I need to know the external IP of the instance to be able to find it. Are there any added measures I should put in place to prevent randoms looking at IPs or port scanning from finding the instance and going to town?
-
If this is on my home network anyway, are there any risks of data leaking or triangulation of, say, referrals or image searches that would just point back to my home network?
My threat model is for big tech to leave me alone, so it’s not exactly huge stakes, but I also don’t want to bother self-hosting if added complexity makes it not worth it.
I recently switched my home to using cloudaflare tunnels from dns because the ISP blocked traffic. my services are exposed to the Internet, so if you only want access by vpn, I’ve found tailscale to be easier than wireguard. If you want external access, you can get a domain name from CF and set up cloudflared on the host device and target the docker service names. But with both ways, you can have your ports not exposed to the Internet.
I formerly used external DNS until the ISP blocked the modem.
1: You could use duckdns, or cloudflare (with your own TLS cert), or tailscale. To access it off network. If you do decide to use cloudflare or duckDNS, You can try to make it private by putting it behind authelia or just adding a proxy that does HTTP basic auth, You could just also port forward on a very high port, mine runs publicly and I’ve never seen other traffic coming through.
2: they strip private data that goes to the search engines.
https://docs.searxng.org/own-instance.html#how-does-searxng-protect-privacy