Google Images Safe Search for Squid

Feature
12

I did some tests with SafeSearch that seemed to work well.
This is using squid and squidGuard, but seems it can also be done using icap and other methods.

Part 1: implementing rewrite rules

1) Created custom template fragments for squidGuard.conf

mkdir -p /etc/e-smith/templates-custom/etc/squid/squidGuard.conf/
cp /etc/e-smith/templates/etc/squid/squidGuard.conf/99acl20profiles /etc/e-smith/templates-custom/etc/squid/squidGuard.conf/
cp /etc/e-smith/templates/etc/squid/squidGuard.conf/99acl90default /etc/e-smith/templates-custom/etc/squid/squidGuard.conf/

Added new code at line 49 of /etc/e-smith/templates-custom/etc/squid/squidGuard.conf/99acl90default. This will activate the rewrite rules for the default profile (more on that later):

vi /etc/e-smith/templates-custom/etc/squid/squidGuard.conf/99acl90default
# inserted code at line 49, towards the end of the file
$OUT .= "        rewrite safesearch\n";

A visual example of the inserted code and its surroundings:

Added new code at line 55 of /etc/e-smith/templates-custom/etc/squid/squidGuard.conf/99acl20profiles. This will activate the rewrite rules for all other profiles (more on that later):

vi /etc/e-smith/templates-custom/etc/squid/squidGuard.conf/99acl20profiles
# inserted code at line 55, towards the end of the file
$OUT .= "        rewrite safesearch\n";

A visual example of the code addition and its surroundings:

Created a new file containing the desired safesearch rewrite rules:

vi /etc/e-smith/templates-custom/etc/squid/squidGuard.conf/30rewrites

Content of the 30rewrites file:

rewrite	safesearch \{
	s@(^https?:\/\/)(www\.bing\.com\/.+q=.+)@&\&adlt=strict@i
	s@(^https?:\/\/)(.+\.)*(duckduckgo\.com\/.+)@&\&kp=1@i
	s@(^https?:\/\/)(.+\.)*(google\..+\/.+q=.+)@&\&safe=strict@i
	s@(^https?:\/\/)(.+\.)*(yahoo\..+\/.+p=.+)@&\&vm=r@i
	s@(^https?:\/\/)(.+\.)*(yandex\..+\/.+text=.+)@&\&family=1@i
	logfile urlfilter.log
\}

Note 1: I have the same file with some comments on the search engine safesearch parameters, but this post is already way too long :cold_sweat:

Note 2: there is room for improvement for the rewrite rules:

  • some parenthesis for the regex capture groups could have been omitted (but I find them useful for visual clarity)
  • some rules will also match domains like google.example.com, uk.yahoo.bad.example.com
  • the regex does not take care of url validation rules, like allowed characters, domain label length, TLD format, IDNs… (did some tries but got really tired)

2) Created custom template fragment for squid.conf

mkdir -p /etc/e-smith/templates-custom/etc/squid/squid.conf/
vi /etc/e-smith/templates-custom/etc/squid/squid.conf/20acl_30_safesearch

The content of the 20acl_30_safesearch file is intended to filter youtube:

#
# YouTube-Restrict: (Strict|Moderate)
#
acl youtuberestrict dstdomain www.youtube.com m.youtube.com youtubei.googleapis.com youtube.googleapis.com www.youtube-nocookie.com
request_header_add YouTube-Restrict "Strict" youtuberestrict

3) Expanded templates to recreate the squidGuard.conf and squid.conf files, and restarted squid service for the changes to take effect:

expand-template /etc/squid/squidGuard.conf
expand-template /etc/squid/squid.conf
service squid restart
3 Likes