Google Images Safe Search for Squid

Squidguard has a builtin function to handle searches on Google Images, I did some tests in the past but I couldn’t get it working :frowning:

Indeed it does, however you aren’t able to use it on Nethserver for some reason. I tried manually editing the squidguard.conf file with the bits and pieces it needs to get it working, however if the web filter feature on the website is stopped and restarted, all my changes are deleted and replaced with a default squidguard.conf populated from the web interface options. If the dev team could keep looking into this it would be great, it’s a needed feature for any education facility these days.

1 Like

Could you apply the needed modifications to squidguard.conf and make it work as expected?
If yes, please, send here the differences and I’ll help to create a custom template to make them permanent.

1 Like

I’ll try again tonight after work and let you know. However I followed this link: http://betka.net/wordpress/2005/01/15/squidguard-google-safe-search/

1 Like

Hello.

Try as I might, I have had no luck getting safe search to work with squidguard. I have Googled for the last hour and tried many forms of rewrite rules and acl additions. No luck. Maybe somebody else might have better luck.

I did some tests with SafeSearch that seemed to work well.
This is using squid and squidGuard, but seems it can also be done using icap and other methods.

Part 1: implementing rewrite rules

1) Created custom template fragments for squidGuard.conf

mkdir -p /etc/e-smith/templates-custom/etc/squid/squidGuard.conf/
cp /etc/e-smith/templates/etc/squid/squidGuard.conf/99acl20profiles /etc/e-smith/templates-custom/etc/squid/squidGuard.conf/
cp /etc/e-smith/templates/etc/squid/squidGuard.conf/99acl90default /etc/e-smith/templates-custom/etc/squid/squidGuard.conf/

Added new code at line 49 of /etc/e-smith/templates-custom/etc/squid/squidGuard.conf/99acl90default. This will activate the rewrite rules for the default profile (more on that later):

vi /etc/e-smith/templates-custom/etc/squid/squidGuard.conf/99acl90default
# inserted code at line 49, towards the end of the file
$OUT .= "        rewrite safesearch\n";

A visual example of the inserted code and its surroundings:

Added new code at line 55 of /etc/e-smith/templates-custom/etc/squid/squidGuard.conf/99acl20profiles. This will activate the rewrite rules for all other profiles (more on that later):

vi /etc/e-smith/templates-custom/etc/squid/squidGuard.conf/99acl20profiles
# inserted code at line 55, towards the end of the file
$OUT .= "        rewrite safesearch\n";

A visual example of the code addition and its surroundings:

Created a new file containing the desired safesearch rewrite rules:

vi /etc/e-smith/templates-custom/etc/squid/squidGuard.conf/30rewrites

Content of the 30rewrites file:

rewrite	safesearch \{
	s@(^https?:\/\/)(www\.bing\.com\/.+q=.+)@&\&adlt=strict@i
	s@(^https?:\/\/)(.+\.)*(duckduckgo\.com\/.+)@&\&kp=1@i
	s@(^https?:\/\/)(.+\.)*(google\..+\/.+q=.+)@&\&safe=strict@i
	s@(^https?:\/\/)(.+\.)*(yahoo\..+\/.+p=.+)@&\&vm=r@i
	s@(^https?:\/\/)(.+\.)*(yandex\..+\/.+text=.+)@&\&family=1@i
	logfile urlfilter.log
\}

Note 1: I have the same file with some comments on the search engine safesearch parameters, but this post is already way too long :cold_sweat:

Note 2: there is room for improvement for the rewrite rules:

  • some parentheses for the regex capture groups could have been omitted (but I find them useful for visual clarity)
  • some rules will also match domains like google.example.com, uk.yahoo.bad.example.com
  • the regex does not take care of url validation rules, like allowed characters, domain label length, TLD format, IDNs… (did some tries but got really tired)

2) Created custom template fragment for squid.conf

mkdir -p /etc/e-smith/templates-custom/etc/squid/squid.conf/
vi /etc/e-smith/templates-custom/etc/squid/squid.conf/20acl_30_safesearch

The content of the 20acl_30_safesearch file is intended to filter youtube:

#
# YouTube-Restrict: (Strict|Moderate)
#
acl youtuberestrict dstdomain www.youtube.com m.youtube.com youtubei.googleapis.com youtube.googleapis.com www.youtube-nocookie.com
request_header_add YouTube-Restrict "Strict" youtuberestrict

3) Expanded templates to recreate the squidGuard.conf and squid.conf files, and restarted squid service for the changes to take effect:

expand-template /etc/squid/squidGuard.conf
expand-template /etc/squid/squid.conf
service squid restart
3 Likes
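
The over-matching mentioned in Note 2 can be checked offline before a rule goes into 30rewrites. The following is an added example, not part of the original post: it ports the post's Google rule to Python and runs it next to a hypothetical host-anchored pattern (`STRICT_RULE`, an assumption that has not been tested in squidGuard) over constructed sample URLs.

```python
import re

# The post's Google rule ported from squidGuard's s@from@to@i form. In the
# replacement "&" is the whole match and "\&" a literal ampersand, so the
# rule appends "&safe=strict" to whatever the pattern matched.
PAGE_RULE = re.compile(r"(^https?:\/\/)(.+\.)*(google\..+\/.+q=.+)", re.I)

# Hypothetical tighter pattern (an assumption, not tested in squidGuard):
# the host must end in google.<tld>, google.co.<cc> or google.com.<cc>,
# and q= must be a real query parameter rather than any "q=" substring.
STRICT_RULE = re.compile(
    r"^https?://([a-z0-9-]+\.)*google\.(com?\.)?[a-z]{2,3}(:[0-9]+)?/"
    r"[^?#]*\?(.*&)?q=.*",
    re.I,
)

# Constructed sample URLs: two real searches, the look-alike host from
# Note 2, and an unrelated site that only carries a Google URL in its query.
SAMPLE_URLS = [
    "https://www.google.com/search?q=cats",
    "https://www.google.co.uk/search?hl=en&q=cats",
    "http://google.example.com/search?q=cats",
    "https://example.org/?next=http://www.google.com/a?q=1",
]


def rewrite(rule, url):
    """Apply one sed-style substitution the way the rewrite block would."""
    return rule.sub(lambda m: m.group(0) + "&safe=strict", url, count=1)


def audit(urls):
    """Return (url, page_rule_result, strict_rule_result) for each URL."""
    return [(u, rewrite(PAGE_RULE, u), rewrite(STRICT_RULE, u)) for u in urls]


if __name__ == "__main__":
    for url, page, strict in audit(SAMPLE_URLS):
        print(f"{url}\n  page rule  : {page}\n  strict rule: {strict}")
```

The last two URLs are rewritten by the post's rule but left untouched by the anchored one.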

Part 2: implementing SafeSearch at the DNS level

Redirects the specified domains to DNS IP addresses that the search engines had set up to serve filtered content (to block NSFW content), and will be applied network wide (not per profile). This will make some of the rewrite rules unnecessary.

1) Create custom template fragment for dnsmasq.conf

mkdir -p /etc/e-smith/templates-custom/etc/dnsmasq.conf/
vi /etc/e-smith/templates-custom/etc/dnsmasq.conf/42safesearch

Contents of 42safesearch file:

#
# 42safesearch fragment for dnsmasq.conf
#

# Bing (strict.bing.com.)
address=/www.bing.com/204.79.197.220


# Google (forcesafesearch.google.com.)
address=/google.com/216.239.38.120
address=/google.ad/216.239.38.120
address=/google.ae/216.239.38.120
address=/google.com.af/216.239.38.120
address=/google.com.ag/216.239.38.120
address=/google.com.ai/216.239.38.120
address=/google.al/216.239.38.120
address=/google.am/216.239.38.120
address=/google.co.ao/216.239.38.120
address=/google.com.ar/216.239.38.120
address=/google.as/216.239.38.120
address=/google.at/216.239.38.120
address=/google.com.au/216.239.38.120
address=/google.az/216.239.38.120
address=/google.ba/216.239.38.120
address=/google.com.bd/216.239.38.120
address=/google.be/216.239.38.120
address=/google.bf/216.239.38.120
address=/google.bg/216.239.38.120
address=/google.com.bh/216.239.38.120
address=/google.bi/216.239.38.120
address=/google.bj/216.239.38.120
address=/google.com.bn/216.239.38.120
address=/google.com.bo/216.239.38.120
address=/google.com.br/216.239.38.120
address=/google.bs/216.239.38.120
address=/google.bt/216.239.38.120
address=/google.co.bw/216.239.38.120
address=/google.by/216.239.38.120
address=/google.com.bz/216.239.38.120
address=/google.ca/216.239.38.120
address=/google.cd/216.239.38.120
address=/google.cf/216.239.38.120
address=/google.cg/216.239.38.120
address=/google.ch/216.239.38.120
address=/google.ci/216.239.38.120
address=/google.co.ck/216.239.38.120
address=/google.cl/216.239.38.120
address=/google.cm/216.239.38.120
address=/google.cn/216.239.38.120
address=/google.com.co/216.239.38.120
address=/google.co.cr/216.239.38.120
address=/google.com.cu/216.239.38.120
address=/google.cv/216.239.38.120
address=/google.com.cy/216.239.38.120
address=/google.cz/216.239.38.120
address=/google.de/216.239.38.120
address=/google.dj/216.239.38.120
address=/google.dk/216.239.38.120
address=/google.dm/216.239.38.120
address=/google.com.do/216.239.38.120
address=/google.dz/216.239.38.120
address=/google.com.ec/216.239.38.120
address=/google.ee/216.239.38.120
address=/google.com.eg/216.239.38.120
address=/google.es/216.239.38.120
address=/google.com.et/216.239.38.120
address=/google.fi/216.239.38.120
address=/google.com.fj/216.239.38.120
address=/google.fm/216.239.38.120
address=/google.fr/216.239.38.120
address=/google.ga/216.239.38.120
address=/google.ge/216.239.38.120
address=/google.gg/216.239.38.120
address=/google.com.gh/216.239.38.120
address=/google.com.gi/216.239.38.120
address=/google.gl/216.239.38.120
address=/google.gm/216.239.38.120
address=/google.gp/216.239.38.120
address=/google.gr/216.239.38.120
address=/google.com.gt/216.239.38.120
address=/google.gy/216.239.38.120
address=/google.com.hk/216.239.38.120
address=/google.hn/216.239.38.120
address=/google.hr/216.239.38.120
address=/google.ht/216.239.38.120
address=/google.hu/216.239.38.120
address=/google.co.id/216.239.38.120
address=/google.ie/216.239.38.120
address=/google.co.il/216.239.38.120
address=/google.im/216.239.38.120
address=/google.co.in/216.239.38.120
address=/google.iq/216.239.38.120
address=/google.is/216.239.38.120
address=/google.it/216.239.38.120
address=/google.je/216.239.38.120
address=/google.com.jm/216.239.38.120
address=/google.jo/216.239.38.120
address=/google.co.jp/216.239.38.120
address=/google.co.ke/216.239.38.120
address=/google.com.kh/216.239.38.120
address=/google.ki/216.239.38.120
address=/google.kg/216.239.38.120
address=/google.co.kr/216.239.38.120
address=/google.com.kw/216.239.38.120
address=/google.kz/216.239.38.120
address=/google.la/216.239.38.120
address=/google.com.lb/216.239.38.120
address=/google.li/216.239.38.120
address=/google.lk/216.239.38.120
address=/google.co.ls/216.239.38.120
address=/google.lt/216.239.38.120
address=/google.lu/216.239.38.120
address=/google.lv/216.239.38.120
address=/google.com.ly/216.239.38.120
address=/google.co.ma/216.239.38.120
address=/google.md/216.239.38.120
address=/google.me/216.239.38.120
address=/google.mg/216.239.38.120
address=/google.mk/216.239.38.120
address=/google.ml/216.239.38.120
address=/google.com.mm/216.239.38.120
address=/google.mn/216.239.38.120
address=/google.ms/216.239.38.120
address=/google.com.mt/216.239.38.120
address=/google.mu/216.239.38.120
address=/google.mv/216.239.38.120
address=/google.mw/216.239.38.120
address=/google.com.mx/216.239.38.120
address=/google.com.my/216.239.38.120
address=/google.co.mz/216.239.38.120
address=/google.com.na/216.239.38.120
address=/google.com.nf/216.239.38.120
address=/google.com.ng/216.239.38.120
address=/google.com.ni/216.239.38.120
address=/google.ne/216.239.38.120
address=/google.nl/216.239.38.120
address=/google.no/216.239.38.120
address=/google.com.np/216.239.38.120
address=/google.nr/216.239.38.120
address=/google.nu/216.239.38.120
address=/google.co.nz/216.239.38.120
address=/google.com.om/216.239.38.120
address=/google.com.pa/216.239.38.120
address=/google.com.pe/216.239.38.120
address=/google.com.pg/216.239.38.120
address=/google.com.ph/216.239.38.120
address=/google.com.pk/216.239.38.120
address=/google.pl/216.239.38.120
address=/google.pn/216.239.38.120
address=/google.com.pr/216.239.38.120
address=/google.ps/216.239.38.120
address=/google.pt/216.239.38.120
address=/google.com.py/216.239.38.120
address=/google.com.qa/216.239.38.120
address=/google.ro/216.239.38.120
address=/google.ru/216.239.38.120
address=/google.rw/216.239.38.120
address=/google.com.sa/216.239.38.120
address=/google.com.sb/216.239.38.120
address=/google.sc/216.239.38.120
address=/google.se/216.239.38.120
address=/google.com.sg/216.239.38.120
address=/google.sh/216.239.38.120
address=/google.si/216.239.38.120
address=/google.sk/216.239.38.120
address=/google.com.sl/216.239.38.120
address=/google.sn/216.239.38.120
address=/google.so/216.239.38.120
address=/google.sm/216.239.38.120
address=/google.sr/216.239.38.120
address=/google.st/216.239.38.120
address=/google.com.sv/216.239.38.120
address=/google.td/216.239.38.120
address=/google.tg/216.239.38.120
address=/google.co.th/216.239.38.120
address=/google.com.tj/216.239.38.120
address=/google.tk/216.239.38.120
address=/google.tl/216.239.38.120
address=/google.tm/216.239.38.120
address=/google.tn/216.239.38.120
address=/google.to/216.239.38.120
address=/google.com.tr/216.239.38.120
address=/google.tt/216.239.38.120
address=/google.com.tw/216.239.38.120
address=/google.co.tz/216.239.38.120
address=/google.com.ua/216.239.38.120
address=/google.co.ug/216.239.38.120
address=/google.co.uk/216.239.38.120
address=/google.com.uy/216.239.38.120
address=/google.co.uz/216.239.38.120
address=/google.com.vc/216.239.38.120
address=/google.co.ve/216.239.38.120
address=/google.vg/216.239.38.120
address=/google.co.vi/216.239.38.120
address=/google.com.vn/216.239.38.120
address=/google.vu/216.239.38.120
address=/google.ws/216.239.38.120
address=/google.rs/216.239.38.120
address=/google.co.za/216.239.38.120
address=/google.co.zm/216.239.38.120
address=/google.co.zw/216.239.38.120
address=/google.cat/216.239.38.120

# Youtube (restrictmoderate.youtube.com.)
#address=/www.youtube.com/216.239.38.119
#address=/m.youtube.com/216.239.38.119
#address=/youtubei.googleapis.com/216.239.38.119
#address=/youtube.googleapis.com/216.239.38.119
#address=/www.youtube-nocookie.com/216.239.38.119

# Youtube (restrict.youtube.com.)
address=/www.youtube.com/216.239.38.120
address=/m.youtube.com/216.239.38.120
address=/youtubei.googleapis.com/216.239.38.120
address=/youtube.googleapis.com/216.239.38.120
address=/www.youtube-nocookie.com/216.239.38.120

Note 1: Instead of embedding the IPs, the creation of this file can be scripted to get the template always built from current content.

Note 2: The recommended way is to create cname records, not pointing to an IP, but dnsmasq cannot resolve domains by itself and I didn’t look much further in the unbound settings.

2) Applied the changes:

signal-event nethserver-dnsmasq-save

3) Optional: some external DNS services can be used to filter additional content:
They can be configured in the DNS Servers section of the administration panel.
For instance, OpenDNS FamilyShield nameservers are:
208.67.222.123
208.67.220.123

Additional information:

4 Likes
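
One way to script the file as suggested in Note 1 of the post above. This is an added example, not part of the original post: the safe-search hostnames are the ones named in the fragment's comments, while the function names, the shortened domain lists and the injectable `resolver` parameter are assumptions made for illustration.

```python
import ipaddress
import re
import socket

# Safe-search hostnames from the post, each with the domains it should answer
# for. Lists are shortened here; extend them with the full list from the post.
VIPS = {
    "strict.bing.com": ["www.bing.com"],
    "forcesafesearch.google.com": ["google.com", "google.co.uk", "google.de"],
    "restrict.youtube.com": ["www.youtube.com", "m.youtube.com"],
}

DOMAIN_RE = re.compile(r"([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}")


def system_resolver(name):
    """Resolve name to its IPv4 addresses with the system resolver.

    Caveat: address=/google.com/... also answers for subdomains such as
    forcesafesearch.google.com, so a host that resolves through the dnsmasq
    being configured only gets its old value back. Use an upstream resolver.
    """
    infos = socket.getaddrinfo(name, None, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def render_fragment(vips, resolver=system_resolver):
    """Return the text of a dnsmasq fragment built from fresh lookups."""
    lines = ["#", "# 42safesearch fragment for dnsmasq.conf (generated)", "#"]
    for vip, domains in vips.items():
        answers = resolver(vip)
        if not answers:
            raise ValueError(f"no A record for {vip}")
        ip = ipaddress.ip_address(answers[0])
        # Refuse private, loopback or otherwise non-routable answers so a
        # broken or filtered lookup never ends up in the configuration.
        if ip.version != 4 or not ip.is_global:
            raise ValueError(f"{vip} resolved to unexpected address {ip}")
        lines.append(f"# {vip}.")
        for domain in domains:
            # Whole-string match keeps stray text out of dnsmasq.conf.
            if not DOMAIN_RE.fullmatch(domain):
                raise ValueError(f"invalid domain {domain!r}")
            lines.append(f"address=/{domain}/{ip}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(render_fragment(VIPS), end="")
```

The output can be written to the 42safesearch custom template before running `signal-event nethserver-dnsmasq-save`.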

Great news, I’ll test it later today and provide feedback. Now if only the devs could turn this into a checkbox :sunglasses:

Wow! This looks a great contribution, you’re making a real effort here.
:stuck_out_tongue_winking_eye::stuck_out_tongue_winking_eye::stuck_out_tongue_winking_eye::stuck_out_tongue_winking_eye: @GG_jr @Freddy_Brignardello @Renan_Azedo_de_Olive @acsel10 @cswain @Mario_Spang are you interested in playing with it?

Apologies for only coming back now. However the above is working. Could the Devs please consider a GUI enable/disable function please. Thanks in advance.

3 Likes

It looks a great additional feature to our proxy. What do you think @dev_team @davide_marini ?

We should decide which implementation we would like to add: squidguard or dns based one?

If we don’t permit editing the safesearch options, a simple checkbox to enable the filter shouldn’t take more than a couple of hours of work.

Well. I wouldn’t mind the squid guard based. But I’m just a single voice…

1 Like

Hello !
Dear developers, the topic of discussion is very popular in my opinion - in schools similar module would be very necessary, but also the two. In my personal case, inspectors sometimes come to do the impossible … and such a regime, when it is possible to quickly convert large number of computers in the secure search - simply superb

3 Likes

Are you telling us that it would be a great addon for our content filter? I’m curious to know your feelings.

1 Like

There should be no doubt, this is a MUST HAVE feature. There is no better way to break into the education field than having a secure proxy with ldap authentication, especially one that blocks social media and porn.

3 Likes

Yes, I agree, a vital function.
Forced secure search + SQUID on blacklists good solution is not always possible to switch to an alternative dns.

From myself I’d asked (since we use a modular system) to be able to install and dansguardan module. The Forum requests, I think that such an option would have been urgently needed for schools. Yes, porn and social networks can be disabled in the current configuration, but it is always the local language is meaningful momentum, and these points may block dansguardian says. Then plug in the schools - or white list of allowed, but you are restricted with access to the information in school or squid but then lists options …

1 Like

Thanks to dnutan Marc for the configuration tips.
I could apply the dnsmasq part on nethserver 7.3,
but not the squidguard part, since the squidguard templates to customize are no longer there.

I could only find /etc/e-smith/templates/etc/squid/squid.conf/50squidguard which makes use of rewriting rules:

more /etc/e-smith/templates/etc/squid/squid.conf/50squidguard
{
    my $status = $ufdb{'status'} || 'disabled';
    my $schildren = $squidguard{'StartupChildren'} || '5';
    my $ichildren = $squidguard{'IdleChildren'} || '5';
    my $mchildren = $squidguard{'MaxChildren'} || '20';
    if ($status eq 'enabled') {
        $OUT.="\n# Enable squidGuard \n";
        $OUT.="url_rewrite_program /usr/sbin/ufdbgclient -l /var/log/squid\n";
        $OUT.="url_rewrite_children $mchildren startup=$schildren idle=$ichildren concurrency=0\n";
        $OUT.='url_rewrite_extras "%>a/%>A %un %>rm bump_mode=%ssl::bump_mode sni=\"%ssl::>sni\" referer=\"%{Referer}>h\""'
    }
}

Can anyone explain to me where I’m wrong?
Thanks

In 7.3 squidGuard has been replaced by ufdbGuard.
You could add a line to /etc/ufdbguard/ufdbGuard.conf:

safe-search on

It could not work well due to https.
I follow google faq to block safe search through safesearch vip (see @dnutan link above: https://support.google.com/websearch/answer/186669?hl=en ).

1 Like

OK thanks: then I will rely only on the DNS trick, which can of course be bypassed by specifying the IP address directly, but this is enough for the targeted users’ current skills :wink: .