feat(apps): add SearXNG instance tracker policy and Qualys Labs SSL testing rules (#512)

* feat(apps): add SearXNG instance tracker policy

* feat(apps): add Qualys SSL Labs policy

* chore: spelling

Signed-off-by: Xe Iaso <me@xeiaso.net>

---------

Signed-off-by: Xe Iaso <me@xeiaso.net>
Co-authored-by: hyperdefined <contact@hyper.lol>

.github/actions/spelling/expect.txt

@@ -151,6 +151,7 @@ promauto
 promhttp
 pwcmd
 pwuser
+qualys
 qwant
 qwantbot
 rac
@@ -165,6 +166,7 @@ ruleset
 RUnlock
 sas
 Scumm
+searx
 sebest
 secretplans
 selfsigned
@@ -212,6 +214,7 @@ xesite
 xess
 xff
 XForwarded
+XNG
 XReal
 yae
 YAMLTo

data/apps/qualys-ssl-labs.yml

@@ -0,0 +1,7 @@
+# This policy allows Qualys SSL Labs to fully work. (https://www.ssllabs.com/ssltest)
+# IP ranges are taken from: https://qualys.my.site.com/discussions/s/article/000005823
+- name: qualys-ssl-labs
+  action: ALLOW
+  remote_addresses:
+  - 64.41.200.0/24
+  - 2600:C02:1020:4202::/64

data/apps/searx-checker.yml

@@ -0,0 +1,9 @@
+# This policy allows SearXNG's instance tracker to work. (https://searx.space)
+# IPs are taken from `check.searx.space` DNS records.
+# https://toolbox.googleapps.com/apps/dig/#A/check.searx.space
+# https://toolbox.googleapps.com/apps/dig/#AAAA/check.searx.space
+- name: searx-checker
+  action: ALLOW
+  remote_addresses:
+  - 167.235.158.251/32
+  - 2a01:4f8:1c1c:8fc2::1/128

docs/docs/CHANGELOG.md

@@ -21,6 +21,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Add `--target-host` flag/envvar to allow changing the value of the Host header in requests forwarded to the target service.
 - Bump AI-robots.txt to version 1.30 (add QualifiedBot)
 - Add `RuntimeDirectory` to systemd unit settings so native packages can listen over unix sockets
+- Added SearXNG instance tracker whitelist policy
+- Added Qualys SSL Labs whitelist policy
 
 ## v1.18.0: Varis zos Galvus