From 3b98368aa9dac058e06bad80487b41d373a0d727 Mon Sep 17 00:00:00 2001 From: Xe Iaso Date: Fri, 16 May 2025 12:59:15 -0400 Subject: [PATCH] feat(apps): add SearXNG instance tracker policy and Qualys Labs SSL testing rules (#512) * feat(apps): add SearXNG instance tracker policy * feat(apps): add Qualys SSL Labs policy * chore: spelling Signed-off-by: Xe Iaso --------- Signed-off-by: Xe Iaso Co-authored-by: hyperdefined --- .github/actions/spelling/expect.txt | 3 +++ data/apps/qualys-ssl-labs.yml | 7 +++++++ data/apps/searx-checker.yml | 9 +++++++++ docs/docs/CHANGELOG.md | 2 ++ 4 files changed, 21 insertions(+) create mode 100644 data/apps/qualys-ssl-labs.yml create mode 100644 data/apps/searx-checker.yml diff --git a/.github/actions/spelling/expect.txt b/.github/actions/spelling/expect.txt index e1e3065..b6345d4 100644 --- a/.github/actions/spelling/expect.txt +++ b/.github/actions/spelling/expect.txt @@ -151,6 +151,7 @@ promauto promhttp pwcmd pwuser +qualys qwant qwantbot rac @@ -165,6 +166,7 @@ ruleset RUnlock sas Scumm +searx sebest secretplans selfsigned @@ -212,6 +214,7 @@ xesite xess xff XForwarded +XNG XReal yae YAMLTo diff --git a/data/apps/qualys-ssl-labs.yml b/data/apps/qualys-ssl-labs.yml new file mode 100644 index 0000000..2092051 --- /dev/null +++ b/data/apps/qualys-ssl-labs.yml @@ -0,0 +1,7 @@ +# This policy allows Qualys SSL Labs to fully work. (https://www.ssllabs.com/ssltest) +# IP ranges are taken from: https://qualys.my.site.com/discussions/s/article/000005823 +- name: qualys-ssl-labs + action: ALLOW + remote_addresses: + - 64.41.200.0/24 + - 2600:C02:1020:4202::/64 \ No newline at end of file diff --git a/data/apps/searx-checker.yml b/data/apps/searx-checker.yml new file mode 100644 index 0000000..c6da25f --- /dev/null +++ b/data/apps/searx-checker.yml 
@@ -0,0 +1,9 @@ +# This policy allows SearXNG's instance tracker to work. (https://searx.space) +# IPs are taken from `check.searx.space` DNS records. +# https://toolbox.googleapps.com/apps/dig/#A/check.searx.space +# https://toolbox.googleapps.com/apps/dig/#AAAA/check.searx.space +- name: searx-checker + action: ALLOW + remote_addresses: + - 167.235.158.251/32 + - 2a01:4f8:1c1c:8fc2::1/128 \ No newline at end of file diff --git a/docs/docs/CHANGELOG.md b/docs/docs/CHANGELOG.md index a32c42c..fe327b7 100644 --- a/docs/docs/CHANGELOG.md +++ b/docs/docs/CHANGELOG.md @@ -21,6 +21,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 - Add `--target-host` flag/envvar to allow changing the value of the Host header in requests forwarded to the target service. - Bump AI-robots.txt to version 1.30 (add QualifiedBot) - Add `RuntimeDirectory` to systemd unit settings so native packages can listen over unix sockets +- Added SearXNG instance tracker whitelist policy +- Added Qualys SSL Labs whitelist policy ## v1.18.0: Varis zos Galvus
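Review bot: In data/apps/qualys-ssl-labs.yml the rule matches on `remote_addresses` alone and covers a whole /24 and /64, so every client in `64.41.200.0/24` and `2600:C02:1020:4202::/64` gets the ALLOW action, not only the SSL Labs scanner. The header comment links the source article but does not say when the ranges were copied. Add the retrieval date so a later reader can tell whether the list has gone stale. The IPv6 prefix is upper case here (`2600:C02:...`) while data/apps/searx-checker.yml writes its address in lower case, so pick one form. The file also ends without a trailing newline.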
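Review bot: In data/apps/searx-checker.yml the `/32` and `/128` entries are a point-in-time copy of the `check.searx.space` A and AAAA records, and the comment links to a dig tool rather than recording when the lookup was done. If those records change, the rule stops matching the checker and keeps allowing whoever holds `167.235.158.251` and `2a01:4f8:1c1c:8fc2::1` afterwards. Add the lookup date to the comment so the entry can be re-verified. The file also ends without a trailing newline.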
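Review bot: In docs/docs/CHANGELOG.md the two new entries use past tense ("Added SearXNG instance tracker whitelist policy", "Added Qualys SSL Labs whitelist policy") while the neighbouring entries in the same list use the imperative ("Add `--target-host` ...", "Bump AI-robots.txt ...", "Add `RuntimeDirectory` ..."). Change both to "Add ..." to match. Neither entry names the file it adds. Mentioning `data/apps/searx-checker.yml` and `data/apps/qualys-ssl-labs.yml` would tell readers which policies these are.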