[squid-users] block inappropriate images of google

Stanford Prescott stan.prescott at gmail.com
Sat Aug 1 16:16:27 UTC 2015


I added "ssl" to the options


cache_peer forcesafesearch.google.com parent 443 0 ssl name=GS originserver no-query no-netdb-exchange no-digest

but now when I try to access https://www.google.com at all, I get an
"SSL certificate error" page.
All other https sites load fine.

@Luis, where can I find information on the icap project? We already use
c-icap for SquidClamAV. It might not be much more of a stretch to add this
to it.

On Fri, Jul 31, 2015 at 6:34 PM, Luis Daniel Lucio Quiroz <
luis.daniel.lucio at gmail.com> wrote:

> There is a project for icap that does exactly what you want. This is like
> a L8 filter, meanwhile dns is L5.
>
> The higher, the better
> On Jul 31, 2015 5:20 PM, "Amos Jeffries" <squid3 at treenet.co.nz> wrote:
>
>> On 1/08/2015 8:49 a.m., Stanford Prescott wrote:
>> > Hi Amos. I wanted to try out the "ssl-bump splice" to send traffic to a
>> > peer found in the recent snapshots for 3.5.6/7 to block Google images. I
>> > compiled, configured and installed the latest 3.5 snapshot and added the
>> > directives you listed above to squid.conf but I am not sure I got them
>> > right.
>> >
>> >
>> > acl s1_tls_connect      at_step SslBump1
>> > acl s2_tls_client_hello at_step SslBump2
>> > acl s3_tls_server_hello at_step SslBump3
>> > acl tls_server_name_is_ip ssl::server_name_regex ^[0-9]+.[0-9]+.[0-9]+.[0-9]+n
>> > acl google ssl::server_name .google.com
>> >
>> > ssl_bump peek s1_tls_connect      all
>> > acl nobumpSites ssl::server_name .wellsfargo.com
>> > ssl_bump splice s2_tls_client_hello nobumpSites
>> > ssl_bump splice s2_tls_client_hello google
>> > ssl_bump stare s2_tls_client_hello all
>> > ssl_bump bump  s3_tls_server_hello all
>> >
>> > cache_peer forcesafesearch.google.com parent 443 0 \
>> > name=GS originserver no-query no-netdb-exchange no-digest
>>
>> Sorry, I missed out the 'ssl' option on the peer.
>>
>> > acl search dstdomain .google.com
>> > cache_peer_access GS allow search
>> >
>> cache_peer_access GS deny all
>> > sslproxy_cert_error allow tls_server_name_is_ip
>> > sslproxy_cert_error deny all
>> > sslproxy_flags DONT_VERIFY_PEER
>> >
>> > When restarting Squid and searching in Google images for "sex" it still
>> > shows images that I want to be able to block with safesearch.
>>
>> Other than the bit I missed out mentioning, it looks okay to me. Though I
>> have not tested any of this myself so YMMV.
>>
>> Amos
>>
>> >
>> > On Thu, Jul 16, 2015 at 11:24 PM, Amos Jeffries wrote:
>> >
>> >> On 19/05/2015 5:49 a.m., Andres Granados wrote:
>> >>> Hello! I need help on how to block pornographic images of Google, I
>> >>> was trying different options and still do not succeed, try:
>> >>> http_reply_access with request_header_add, and even with a
>> >>> configuration dns, I think is to request_header_add the best, though
>> >>> not it has worked for me, I hope your help, is to implement a school,
>> >>> thanks!
>> >>>
>> >>
>> >> FYI; Christos has added a tweak to the "ssl-bump splice" handling that
>> >> permits sending the traffic to a cache_peer configured something like this:
>> >>
>> >>  acl example ssl::server_name .example.com
>> >>  ssl_bump splice example
>> >>  ssl_bump peek all
>> >>
>> >>  cache_peer forcesafesearch.example.com parent 443 0 \
>> >>     name=GS \
>> >>     originserver no-query no-netdb-exchange no-digest
>> >>
>> >>  acl search dstdomain .example.com
>> >>  cache_peer_access GS allow search
>> >>  cache_peer_access GS deny all
>> >>
>> >> The idea being that you can use this on intercepted (or forward-proxy)
>> >> HTTPS traffic instead of hacking about with DNS to direct clients at the
>> >> servers Google use to present "safe" searching.
>> >>
>> >> This should be available in 3.5.7, or the current 3.5 snapshots.
>> >>
>> >> Cheers
>> >> Amos
>> >> _______________________________________________
>> >> squid-users mailing list
>> >> squid-users at lists.squid-cache.org
>> >> http://lists.squid-cache.org/listinfo/squid-users
>> >>
>> >
>>
>
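
An added example, not from the thread or the Squid project: a small Python check that flags the two TLS settings at issue in the quoted configuration, the port 443 peer missing the `ssl` option and `sslproxy_flags DONT_VERIFY_PEER`, which turns off verification of server certificates. The sample configuration is constructed from the directives quoted above; `lint`, `logical_lines` and `has_flag` are hypothetical names, and splitting combined flags on ',' or ':' is an assumption.

```python
import re

# Constructed sample: directives as first posted in this thread (peer lacks 'ssl').
SAMPLE_CONF = """\
acl google ssl::server_name .google.com
ssl_bump splice s2_tls_client_hello google
cache_peer forcesafesearch.google.com parent 443 0 \\
    name=GS originserver no-query no-netdb-exchange no-digest
cache_peer_access GS allow search
cache_peer_access GS deny all
sslproxy_cert_error allow tls_server_name_is_ip
sslproxy_cert_error deny all
sslproxy_flags DONT_VERIFY_PEER
"""

def logical_lines(text):
    """Yield token lists, joining backslash continuations, skipping comments."""
    joined = re.sub(r"\\\r?\n", " ", text)
    for raw in joined.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            yield line.split()

def has_flag(value, flag):
    """Assumption: several flags in one value are separated by ',' or ':'."""
    return flag in re.split(r"[:,]", value)

def lint(text):
    """Return a list of (directive, finding) tuples for TLS-related settings."""
    findings = []
    for name, *args in logical_lines(text):
        # cache_peer syntax: hostname type http-port icp-port [options]
        if name == "cache_peer" and len(args) >= 4:
            host, port, opts = args[0], args[2], args[4:]
            if port == "443" and "ssl" not in opts:
                findings.append((name, f"{host}: port 443 peer without 'ssl' option"))
            for opt in opts:
                if opt.startswith("sslflags=") and has_flag(opt[9:], "DONT_VERIFY_PEER"):
                    findings.append((name, f"{host}: peer certificate not verified"))
        elif name == "sslproxy_flags" and args and has_flag(args[0], "DONT_VERIFY_PEER"):
            findings.append((name, "server certificates are not verified"))
        elif name == "sslproxy_cert_error" and args[:2] == ["allow", "all"]:
            findings.append((name, "every certificate error is accepted"))
    return findings

if __name__ == "__main__":
    for directive, finding in lint(SAMPLE_CONF):
        print(f"{directive}: {finding}")
```
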