[squid-users] Squid + Squidguard Youtube URL video filtering
Marcus Kool
marcus.kool at urlfilterdb.com
Fri Aug 17 16:22:44 UTC 2018
I cannot tell you how to do it with DNS entries since I think it is impossible and therefore I asked Benjamin to explain.
Allowing one single video and blocking all other videos on Youtube is not easy.
One cannot block by domain but must filter by full URL.
When HTTPS is used, full URLs can only be obtained/filtered using ssl_bump in peek+bump mode which is doable but not easy.
Once you have peek+bump working you can make two categories in ufdbGuard:
category youtube with
youtube.com/watch
category allowedyoutubevideos with
youtube.com/watch?v=ff9sDLGtnK8
and an acl like
acl {
allSystems {
pass allowedyoutubevideos !youtube ...
}
...
The above allows access to www.youtube.com but not to the blocked videos.
This is necessary since the youtube site also uses a set of URLs like
https://www.youtube.com/sw.js
https://www.youtube.com/service_ajax?name=signalServiceEndpoint
etc.
which all must be allowed to be able to display/allow your single video.
Marcus
On 17/08/18 11:27, Roberto Carna wrote:
> Dear Marcus, please can you tell me the way to do what you suggest?
>
> Suppose I want to block youtube.com but enable only one URL video
> "https://www.youtube.com/embed/ff9sDLGtnK8?rel=0&showinfo=0".
>
> How should I set te DNS entries please?
>
> Regards,
>
> 2018-08-17 9:51 GMT-03:00 Marcus Kool <marcus.kool at urlfilterdb.com>:
>> OP asked about blocking Youtube but allowing a single Youtube video.
>> How would you do that with a couple of DNS entries ?
>>
>> Marcus
>>
>> On 16/08/18 22:11, SQUIDBLACKLIST.ORG wrote:
>>>
>>> This might be painfully obvious to some who are in the know, but,
>>> filtering youtube video content can be done with a lot less effort by simply
>>> adding a couple dns entries for Googles safesearch servers.
>>>
>>> #justsayin
>>>
>>>
>>>
>>> Signed,
>>>
>>> Benjamin E. Nichols
>>> Founder & Chief Architect
>>> http://www.squidblacklist.org
>>> 1-405-301-9516
>>>
>>> -------- Original message --------
>>> From: Marcus Kool <marcus.kool at urlfilterdb.com>
>>> Date: 8/16/18 7:53 PM (GMT-06:00)
>>> To: squid-users at lists.squid-cache.org
>>> Subject: Re: [squid-users] Squid + Squidguard Youtube URL video filtering
>>>
>>> yes, with ufdbguard you put
>>> youtube.com/watch?v=VIDEOID
>>> in a urls file and create a URL table with ufdbGenTable.
>>> ufdbGenTable adds many URLs automagically, i.e.
>>> youtube.com/embed/VIDEOID
>>> youtube.com/get_video_info?video_id=VIDEOID
>>> ytimg.googleusercontent.com/vi/VIDEOID
>>> and many more.
>>>
>>> Marcus
>>>
>>> On 16/08/18 11:01, Vacheslav wrote:
>>> > Wouldn't it be better to try it in ufdbguard?
>>> >
>>> > -----Original Message-----
>>> > From: squid-users <squid-users-bounces at lists.squid-cache.org> On Behalf
>>> Of Amos Jeffries
>>> > Sent: Thursday, August 16, 2018 4:18 PM
>>> > To: squid-users at lists.squid-cache.org
>>> > Subject: Re: [squid-users] Squid + Squidguard Youtube URL video
>>> filtering
>>> >
>>> > On 17/08/18 00:43, Roberto Carna wrote:
>>> >> Dear, I have Squid + Squidguard working OK.
>>> >>
>>> >> Squidguard is filtering the entire www.youtube.com website.
>>> >>
>>> >> But now I have to permit just one video from Youtube:
>>> >>
>>> >> https://www.youtube.com/embed/ff9sDLGtnK8?rel=0&showinfo=0
>>> >>
>>> >> I have added the below URL as an exception in Squidguard:
>>> >>
>>> >> www.youtube.com/embed/ff9sDLGtnK8?rel=0&showinfo=0
>>> >>
>>> >> but after that I can't see it, still blocked.
>>> >>
>>> >> How can I enable just this URL from Squidguard preferently blocking
>>> >> the rest of Youtube ???
>>> >
>>> >> Unfortunately only with a great deal of difficulty.
>>> >
>>> >> The "?v=..." and "/embed/..." URLs are just public identifiers to
>>> access the YouTube APIs. At the HTTP level they result in a quite long
>>> series of sub-requests, redirections and the like bouncing all over the
>>> > youtube.* and googlevideos.* and googleapis.* domains.
>>> > Yes all of them are involved multiple times. So whitelisting is an
>>> all-or-nothing prospect, with other G services being implicitly whitelisted
>>> as side effects.
>>> >
>>> >
>>> >> Also, whenever the way to decipher the above maze of traffic gets
>>> published so we can do things like what you ask. YT shortly afterwards
>>> change how it operates - usually towards even more complexity. This has
>>> happened too many times to be coincidence IMO.
>>> >
>>> >
>>> >> Amos
>>> > _______________________________________________
>>> > squid-users mailing list
>>> > squid-users at lists.squid-cache.org
>>> > http://lists.squid-cache.org/listinfo/squid-users
>>> >
>>> >
>>> > _______________________________________________
>>> > squid-users mailing list
>>> > squid-users at lists.squid-cache.org
>>> > http://lists.squid-cache.org/listinfo/squid-users
>>> >
>>> _______________________________________________
>>> squid-users mailing list
>>> squid-users at lists.squid-cache.org
>>> http://lists.squid-cache.org/listinfo/squid-users
>>
>> _______________________________________________
>> squid-users mailing list
>> squid-users at lists.squid-cache.org
>> http://lists.squid-cache.org/listinfo/squid-users
>
>
More information about the squid-users
mailing list