Noob Question: Exposing Whoogle to the Internet

[masmith79]

First and foremost, thank you so much for this project. I love pretty much anything self-hosted and this really fills a niche for me that SearX proved to be an overkill, for.
Having said that, I am having a devil of a time getting Whoogle exposed to the internet with https. I have a domain, I have the cert (letsencrypt), but I keep getting:

Your connection is not private Attackers might be trying to steal your information from whoogle.<my.domain> (for example, passwords, messages, or credit cards). Learn more NET::ERR_CERT_COMMON_NAME_INVALID

my systemd config looks like this:

[Unit]
Description=Whoogle

[Service]
# Basic auth configuration, uncomment to enable
Environment=WHOOGLE=CONFIG_URL=https://<my.domain>
Environment=WHOOGLE_CONFIG_THEME=dark
#Environment=WHOOGLE_USER=<username>
#Environment=WHOOGLE_PASS=<password>
# Proxy configuration, uncomment to enable
#Environment=WHOOGLE_PROXY_USER=<proxy username>
#Environment=WHOOGLE_PROXY_PASS=<proxy password>
#Environment=WHOOGLE_PROXY_TYPE=<proxy type (http|https|proxy4|pro>
#Environment=WHOOGLE_PROXY_LOC=<proxy host/ip>
# Site alternative configurations, uncomment to enable
# Note: If not set, the feature will still be available
# with default values. 
#Environment=WHOOGLE_ALT_TW=nitter.net
#Environment=WHOOGLE_ALT_YT=invidious.snopyta.org
#Environment=WHOOGLE_ALT_IG=bibliogram.art/u
#Environment=WHOOGLE_ALT_RD=libredd.it
#Environment=WHOOGLE_ALT_TL=lingva.ml
#Environment=WHOOGLE_ALT_MD=scribe.rip
# Load values from dotenv only
#Environment=WHOOGLE_DOTENV=1
Type=simple
User=root
WorkingDirectory=/root/whoogle-search/
ExecStart=/root/whoogle-search/venv/bin/python3 -um app --host 0.0.0.0 --port 443 --https-only
ExecReload=/bin/kill -HUP $MAINPID
Restart=always
RestartSec=3
SyslogIdentifier=whoogle

[Install]
WantedBy=multi-user.target

NOTE: <my.domain> is actually my domain in the config.

Any ideas? I am sure the fix is easy but I just don't know enough to see it.

Thank you!

EDIT: I forgot to mention that the whoogle instance is in a container on a ProxMox machine behind a HAProxy proxy

[benbusby]

I think for your setup you'd need to tell Flask where the SSL certs are located, since otherwise it's just running on port 443 without any knowledge of what domain it's running on or the cert you acquired. From a quick search it seems like you could do something like this: https://bits.mdminhazulhaque.io/python/run-flask-app-with-let's-encrypt-ssl-certificate.html, where you update app/routes.py with an ssl_context param added in order to actually secure the app. But you'd need to modify the built-in Flask server though (not Waitress, as I don't believe Waitress supports SSL currently), and the Flask default server is not recommended for non-debugging use.

I'm not familiar with HAProxy, but the common approach is to set up any reverse proxy (I typically use nginx) to Whoogle and handle TLS that way. Here's an nginx example:

server {
    server_name whoogle.domain;
    root /var/www/whoogle;
    access_log /dev/null;
    error_log /dev/null;
    index index.html index.htm;

    location / {
        proxy_pass http://127.0.0.1:5000/;  # Whoogle Flask app
        proxy_set_header X-Forwarded-For $remote_addr;
    }

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/whoogle.domain/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/whoogle.domain/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}
server {
    if ($host = whoogle.domain) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    server_name whoogle.domain;
    listen 80;
    return 404; # managed by Certbot
}