Self-Host SearXNG: Private Search Without Feeding the Ad Machine
I got tired of search pages full of ads, tracking, and AI boxes. Here's how I run SearXNG at home with Docker, sane settings, and a few security guardrails.
Search got weird.
I don’t mean “Google changed the shade of blue on a button” weird. I mean search results that feel like an ad sandwich with a tiny slice of useful web page in the middle. Then came the tracking, the location nudges, the shopping boxes, the AI summaries, the cookie banners, and the general feeling that every query is being turned into a little behavioral dossier.
So I started running SearXNG.
SearXNG is a metasearch engine. You ask it a question, it asks other search engines, then it gives you the results without turning your browser into a tracking beacon. It is not magic, and it will not make you invisible. But it does give you a cleaner, calmer search page that you control.
Honestly, for most homelab people, this is the private search setup I would try before anything else.
Why I picked SearXNG instead of Whoogle
Whoogle is great if you want Google results with less junk around them. I used it for a while and liked it.
But SearXNG fits my brain better because it can pull from multiple engines. Google, Brave, DuckDuckGo, Bing, Wikipedia, GitHub, Stack Overflow, package registries, and a bunch more depending on how you configure it. When one engine gets noisy, you are not stuck with it.
That matters more than I expected.
I had a week where Google kept giving me SEO soup for a Docker error. SearXNG pulled a result from a GitHub issue that actually solved it. Tiny thing. Big mood improvement.
The trade-off: SearXNG has more knobs. More knobs means more chances to misconfigure it, expose it publicly, or get rate-limited because you treated the public internet like your personal API. Don’t do that.
The setup I actually run
This is a simple Docker Compose install behind a reverse proxy. I use a private instance for myself and my household. I do not run a public SearXNG instance, and I don’t recommend you do either unless you enjoy abuse reports as a hobby.
Create a folder:
mkdir -p ~/searxng
cd ~/searxng
Create docker-compose.yml:
services:
  searxng:
    image: docker.io/searxng/searxng:latest
    container_name: searxng
    restart: unless-stopped
    ports:
      - "127.0.0.1:8080:8080"
    volumes:
      - ./searxng:/etc/searxng:rw
    environment:
      - SEARXNG_BASE_URL=https://search.example.com/
    cap_drop:
      - ALL
    cap_add:
      - CHOWN
      - SETGID
      - SETUID
      - DAC_OVERRIDE
    logging:
      driver: "json-file"
      options:
        max-size: "1m"
        max-file: "1"
Notice the 127.0.0.1:8080:8080 bit. That is intentional. I don’t want this port exposed directly to the network. Caddy, Traefik, or Nginx Proxy Manager can publish it over HTTPS after authentication.
Start it once so it generates the config files:
docker compose up -d
Then edit the generated settings:
nano ./searxng/settings.yml
The file is big, but the important parts are small.
Set your instance name:
general:
  instance_name: "My Private Search"
Set a real secret key:
server:
  secret_key: "change-this-to-a-long-random-string"
  limiter: true
  public_instance: false
Generate the secret with:
openssl rand -hex 32
Then restart:
docker compose restart
That’s the basic install. Not glamorous. Good.
Put it behind auth
This is the part people skip, then they wonder why random bots are hammering their server from every corner of the planet.
SearXNG is useful. Useful public things get abused. If you put it on search.yourdomain.com with no protection, bots will find it, users will share it, and some upstream engines may start blocking your IP. Your quiet little VPS becomes a search proxy for strangers.
I put mine behind one of these:
- Tailscale-only access for personal use
- Caddy basic auth for a tiny household setup
- Authentik if you already run SSO
- VPN access if you don’t want any public exposure
For a private homelab, Tailscale or WireGuard is the cleanest answer. If you do expose it publicly, at least require authentication.
Yes, this is also where a VPN makes sense. Not because a VPN magically fixes privacy. It doesn’t. But if you’re managing a VPS, testing private services, or accessing admin panels from sketchy Wi-Fi, having an encrypted tunnel is better than raw-dogging hotel networks and hoping for the best.
Reverse proxy example with Caddy
If you use Caddy, this is enough for a small private instance:
search.example.com {
    basicauth {
        yourname $2a$14$REPLACE_WITH_HASHED_PASSWORD
    }
    reverse_proxy 127.0.0.1:8080
}
Generate the password hash with:
caddy hash-password
If you use Nginx Proxy Manager, point it to http://127.0.0.1:8080 if NPM is running on the host, or to the Docker service name if both containers share a network. Enable SSL. Add access lists or forward auth if you have them.
The boring security checklist:
- HTTPS only
- Authentication on the proxy
- No direct public port binding
- Rate limiting enabled in SearXNG
- Backups of ./searxng/settings.yml
That list has saved me from myself more than once.
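Two items on that checklist (no direct public port binding, and the server settings from earlier) can be linted from the config text itself. The following is an added example, not part of the original post: it uses plain line matching instead of a YAML parser, and the function names and sample strings are constructed for illustration.

```python
import re

# Constructed samples: this page's port mapping plus one unpinned mapping, and the unedited server: block.
SAMPLE_COMPOSE = """\
services:
  searxng:
    ports:
      - "127.0.0.1:8080:8080"
      - "8888:8080"
"""
SAMPLE_SETTINGS = """\
server:
  secret_key: "change-this-to-a-long-random-string"
  limiter: true
  public_instance: false
"""

def exposed_ports(compose_text):
    """Return short-syntax port mappings that are not pinned to loopback."""
    exposed, in_ports = [], False
    for line in compose_text.splitlines():
        item = line.strip()
        if item == "ports:":
            in_ports = True
        elif in_ports and item.startswith("- "):
            mapping = item[2:].strip().strip("'\"")
            # Only "ip:host_port:container_port" names a bind address.
            ip = mapping.rsplit(":", 2)[0] if mapping.count(":") >= 2 else ""
            if ip not in ("127.0.0.1", "[::1]"):
                exposed.append(mapping)
        elif item:
            in_ports = False
    return exposed

def settings_findings(settings_text):
    """Check the server: keys this page sets; expects an `openssl rand -hex 32` key."""
    def value(key):
        m = re.search(rf"^[ \t]+{key}:[ \t]*(.*?)[ \t]*(?:#.*)?$", settings_text, re.M)
        return m.group(1).strip("'\"") if m else ""
    findings = []
    if not re.fullmatch(r"[0-9a-fA-F]{64}", value("secret_key")):
        findings.append("secret_key is not 64 hex characters")
    for key, want in (("limiter", "true"), ("public_instance", "false")):
        if value(key).lower() != want:
            findings.append(f"{key} should be {want}")
    return findings

if __name__ == "__main__":
    print(exposed_ports(SAMPLE_COMPOSE), settings_findings(SAMPLE_SETTINGS))
```

To check a real install, pass the contents of docker-compose.yml and ./searxng/settings.yml to the two functions; an empty list from each means those checklist items hold.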
The settings worth changing
SearXNG ships with a lot of engines enabled. I prefer starting narrow.
In the web UI, go to preferences and test what you actually use. For my daily searches, I keep general web search, images, GitHub, Stack Overflow, Wikipedia, and a few documentation-focused sources. I don’t need 47 engines yelling at once.
The result quality gets better when you remove noisy engines. That sounds backwards, but it is true. Less garbage in, less garbage out.
I also disable autocomplete. It is convenient, but I don’t love leaking partial searches to external services. Maybe that is paranoid. Maybe it is Tuesday.
For image proxying, be careful. Proxying images through your instance improves privacy for clients, but it increases load on your server. On a tiny VPS, I leave heavy features off unless I actually need them.
Make it your browser default
This is where SearXNG stops being a toy.
Open your instance, click the search bar, and most browsers will detect it as an installable search engine. In Firefox, you can add it from the address bar menu, then set it as default in search settings.
In Chromium-based browsers, you may need to add it manually:
Name: SearXNG
Shortcut: sx
URL: https://search.example.com/search?q=%s
I use sx as a keyword search too. If I want to search from the address bar without making it the global default, I type:
sx docker compose healthcheck restart
Small habit. Big reduction in search-page frustration.
What can go wrong
The first gotcha is rate limiting from upstream engines. If you refresh like a caffeinated squirrel, some engines will slow down or block results. This is normal. SearXNG is not a paid search API.
The second gotcha is public abuse. I know I already said it, but it deserves repetition. A public unauthenticated SearXNG instance is asking for noise.
The third gotcha is expecting perfect privacy. SearXNG helps by separating your browser from search engines, but your server still makes requests. If your instance is on a VPS, upstream services may see the VPS IP. If you log everything at the reverse proxy, congratulations, you built your own surveillance system. Turn down logs if you don’t need them.
I keep access logs short-lived and boring. Debug logs are for debugging, not permanent decoration.
Backups and updates
The backup is easy:
tar -czf searxng-config-backup.tgz ./searxng
For updates:
docker compose pull
docker compose up -d
Read the release notes if you heavily customize engines. I don’t customize much, because future me is lazy and deserves kindness.
Should you self-host it?
If you want a private, calmer search front-end for yourself or a small group, yes. SearXNG is absolutely worth running.
If you want to run a public search service for the internet, think twice. The maintenance burden is not huge, but abuse control is real work. Most people underestimate that part because the initial Docker install is so easy.
My recommendation: run it privately for two weeks. Make it your browser default. Remove engines that annoy you. Keep the setup boring. If you still like it after the novelty wears off, it earns a permanent spot in the homelab.
Mine did.
What to do next
Spin it up on localhost first. Don’t expose anything yet. Once it works, put it behind your reverse proxy with HTTPS and authentication. Then make it your browser default and see if your search habits actually improve.
If you hate it, delete one folder and move on. That’s the beauty of small self-hosted tools: low drama, high control.