All systems operational 21 cryptocurrencies accepted · Monero welcome No-KYC policy
ChainVPS

Privacy · no KYC

Host SearXNG on an Offshore VPS

Run your own private metasearch engine that queries dozens of engines on your behalf, strips trackers, and never profiles you — hosted offshore and paid in crypto.

What it is

SearXNG is a free, self-hostable metasearch engine that aggregates results from 70+ sources (Google, Bing, DuckDuckGo, Wikipedia, and more) without storing your queries or sharing any identifying data with those upstream engines. It gives you Google-quality results while acting as a privacy buffer, so the search providers only ever see your server's IP, never yours.

Why host it offshore

A self-hosted search engine is only as private as the box it runs on — an offshore, no-KYC VPS means no identity is ever tied to the instance and no local jurisdiction can compel your search logs. Paying in crypto and hosting in a privacy-tier location (NL/CH/RO/IS/MD/LU) keeps the whole chain, from signup to query, free of identity and outside surveillance-heavy jurisdictions.

The deploy

A working reference setup

Copy this onto a fresh ChainVPS instance. Replace the placeholders, then bring it up.

docker-compose.yml
# 1. Create the config dir and a settings.yml (SearXNG generates one on first boot).
# 2. Generate a real secret:  openssl rand -hex 32
# 3. docker compose up -d
#
# docker-compose.yml
services:
  searxng:
    image: docker.io/searxng/searxng:latest
    container_name: searxng
    restart: unless-stopped
    ports:
      - "127.0.0.1:8080:8080"      # bind to loopback; put a TLS proxy in front
    volumes:
      - ./searxng:/etc/searxng:rw
    environment:
      - SEARXNG_BASE_URL=https://search.example.com/
      - SEARXNG_SECRET=REPLACE_WITH_openssl_rand_hex_32
      - UWSGI_WORKERS=4
      - UWSGI_THREADS=4
    depends_on:
      - valkey
    cap_drop:
      - ALL
    cap_add:
      - CHOWN
      - SETGID
      - SETUID
    logging:
      driver: json-file
      options:
        max-size: "1m"
        max-file: "1"

  valkey:
    image: docker.io/valkey/valkey:8-alpine
    container_name: searxng-valkey
    restart: unless-stopped
    command: valkey-server --save 30 1 --loglevel warning
    volumes:
      - valkey-data:/data
    cap_drop:
      - ALL
    cap_add:
      - SETGID
      - SETUID
      - DAC_OVERRIDE

volumes:
  valkey-data:

# After first boot, edit ./searxng/settings.yml:
#   server.secret_key: <same 32-byte hex>
#   server.limiter: true
#   valkey.url: redis://searxng-valkey:6379/0
# then:  docker compose restart searxng

Firewall

Ports to open

PortProtocolPurpose
8080TCPSearXNG uwsgi HTTP — keep bound to 127.0.0.1, never expose directly
443TCPHTTPS via your reverse proxy (Caddy/nginx) with a Let's Encrypt cert
6379TCPValkey/Redis for the rate limiter — internal Docker network only, never published

Right-sizing

Which plan you need

Light — personal / 1-3 users

VPS Nano/Small (1 vCPU, 1-2 GB RAM)

Plenty for a private single-user instance; SearXNG idles near zero and only spikes briefly per query.

Medium — small team / friends (up to ~30 users)

VPS Pro (2-4 vCPU, 4-8 GB RAM)

Raise UWSGI_WORKERS to match cores; upstream engine fan-out is the main CPU cost, not storage.

Heavy — public instance / bot-facing traffic

VPS Max or Dedicated (8+ vCPU, 16+ GB RAM)

Public instances attract scraper bots; unmetered bandwidth and DDoS protection matter more than raw CPU here.

Best locations: SearXNG is a privacy tool, so pick a privacy-tier location: Switzerland (CH) and Iceland (IS) have strong data-protection law and no mandatory logging; Netherlands (NL) and Luxembourg (LU) give excellent EU peering and low latency for European users; Romania (RO) and Moldova (MD) sit outside 14-Eyes reach for the most jurisdiction-resistant setup. Choose the one closest to you for snappier search, or the most jurisdiction-neutral one if that is your priority.

Lock it down

Hardening checklist

  • Never publish port 8080 to 0.0.0.0 — keep it on 127.0.0.1 and terminate TLS at a reverse proxy (Caddy or nginx) with a Let's Encrypt cert using an offshore/no-identity email.
  • Set a unique server.secret_key (openssl rand -hex 32) and enable server.limiter: true with Valkey wired in — this is what stops bots from turning your instance into an open scraping relay.
  • Keep the instance private: set a non-obvious hostname, and either put it behind HTTP basic-auth / a VPN, or leave it off public instance lists so it is not indexed and hammered by bots.
  • Disable engines and features you do not use in settings.yml, and turn off image proxy or metrics endpoints if unneeded to shrink the attack surface.
  • Cap container logs (max-size shown above) and drop all Linux capabilities except the few required — SearXNG holds no user data, so the goal is a minimal, log-light, non-persistent footprint that leaves nothing to seize.

Questions

Hosting SearXNG — FAQ

Does SearXNG keep search logs?

No. SearXNG stores no query history or user profiles by default — it only holds a short-lived rate-limiter counter in Valkey. Combined with an offshore no-KYC host, there is simply no identity-linked search log to hand over.

Will Google or Bing block my server?

Occasionally an upstream engine will rate-limit a busy IP. On a light/personal instance this is rare. If it happens, SearXNG lets you disable the offending engine or route it through the many alternatives it aggregates, so results keep flowing.

Do I need the Valkey/Redis container?

SearXNG runs without it, but Valkey is required to enable the built-in rate limiter and bot protection. For anything reachable from the internet, keep it — it is what prevents abuse of your instance.

Can I use this as a private search API for my own apps or AI tools?

Yes. Enable the JSON output format in settings.yml and query /search?q=...&format=json. Keep it on the internal network or behind auth so only your own services can reach it.

How much bandwidth does it use?

Very little per query — SearXNG fetches text results, not media. A personal instance uses a few GB a month at most, and ChainVPS bandwidth is unmetered, so a public instance facing bot traffic will not run into overage fees.

Can I pay without giving my identity?

Yes. ChainVPS is no-KYC and crypto-paid, so you can stand up a SearXNG instance without ever tying it to your name — the whole point of self-hosting your search.

Spin up SearXNG
in the next 60 seconds.

Unmetered bandwidth · DDoS included · 21 cryptocurrencies · no KYC.