[squid-users] block inappropriate images of google

Stanford Prescott stan.prescott at gmail.com
Fri Jul 31 20:49:42 UTC 2015


Hi Amos. I wanted to try out the "ssl-bump splice" to send traffic to a
peer found in the recent snapshots for 3.5.6/7 to block Google images. I
compiled configured and installed the latest 3.5 snapshot and added the
directives you listed above to squid.conf but I am not sure I got them
right.
























*acl s1_tls_connect      at_step SslBump1acl s2_tls_client_hello at_step
SslBump2acl s3_tls_server_hello at_step SslBump3acl tls_server_name_is_ip
ssl::server_name_regex ^[0-9]+.[0-9]+.[0-9]+.[0-9]+nacl google
ssl::server_name .google.com <http://google.com>ssl_bump peek
s1_tls_connect      allacl nobumpSites ssl::server_name .wellsfargo.com
<http://wellsfargo.com>ssl_bump splice s2_tls_client_hello
nobumpSitesssl_bump splice s2_tls_client_hello googlessl_bump stare
s2_tls_client_hello allssl_bump bump  s3_tls_server_hello allcache_peer
forcesafesearch.google.com <http://forcesafesearch.google.com> parent 443 0
name=GS originserver no-query no-netdb-exchange no-digestacl search
dstdomain .google.com <http://google.com>cache_peer_access GS allow
searchcache_peer_access GS deny allsslproxy_cert_error allow
tls_server_name_is_ipsslproxy_cert_error deny allsslproxy_flags
DONT_VERIFY_PEER*
When restarting Squid and searching in Google images for "sex" it still
shows images that I want to be able to block with safesearch.

On Thu, Jul 16, 2015 at 11:24 PM, Amos Jeffries <squid3 at treenet.co.nz>
wrote:

> On 19/05/2015 5:49 a.m., Andres Granados wrote:
> > hello!I need help on how to block pornographic images of google, I
> > was trying different options and still do not succeed, try:
> > http_reply_access with request_header_add, and even with a
> > configuration dns, I think is to request_header_add the best, though
> > not it has worked for me, I hope your help, is to implement a school,
> > thanks!
> >
>
> FYI; Christos has added a tweak to the "ssl-bump splice" handling that
> permits sending the traffic to a cache_peer configured something like this:
>
>  acl example ssl::server_name .example.com
>  ssl_bump splice example
>  ssl_bump peek all
>
>  cache_peer forcesafesearch.example.com parent 443 0 \
>     name=GS \
>     originserver no-query no-netdb-exchange no-digest
>
>  acl search dstdomain .example.com
>  cache_peer_access GS allow search
>  cache_peer_access GS deny all
>
> The idea being that you can use this on intercepted (or forward-proxy)
> HTTPS traffic instead of hacking about with DNS to direct clients at the
> servers Google use to present "safe" searching.
>
> This should be available in 3.5.7, or the current 3.5 snaphots.
>
> Cheers
> Amos
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20150731/67558ba0/attachment.html>


More information about the squid-users mailing list