5

So my goal here is to block only certain YouTube channels.

If I do:

```
acl block_youtube dstdomain .youtube.com
http_access deny block_youtube
```

it blocks any access to youtube.

If I do:

```
acl block_youtube url_regex -i ^https://www.youtube.com/watch\?v=v2AC41dglnM
http_access deny block_youtube
```

it doesn't block that particular page, even though I see this in my access_log.

```
475862685.876      0 100.100.100.100 TAG_NONE/200 0 CONNECT www.youtube.com:443 - HIER_NONE/- -
1475862686.359    412 100.100.100.100 TCP_MISS/200 51182 GET https://www.youtube.com/watch\?v=v2AC41dglnM - HIER_DIRECT/216.58.192.238 application/json
```

Anyone have any idea how to resolve this?

John
  • A very similar question with more comments and answers is: [Pages don't get blocked with Squid over HTTPS](https://unix.stackexchange.com/questions/190330/pages-dont-get-blocked-with-squid-over-https/190340#190340) – Ganton Feb 13 '22 at 14:16

2 Answers

1

As the YouTube you are trying to block is in HTTPS, you have a problem. The proxy doesn't decapsulate the HTTPS to know the URL and the content, so it is able to drop the connection. To solve your problem, you must look at the SSL Bump solution of Squid. It is not enabled by default because of licence issues, but you can easily recompile the package. The problem with this solution is that the client must know the certification authority used in the proxy, and this authority is local and allows creating a certificate for all the HTTPS sites. So you need to deploy the authority on all the PCs.

http://wiki.squid-cache.org/Features/SslBump

Dom
  • I have already done all this. If I didn't do this, I would not be seeing the https access in the logs. – John Oct 07 '16 at 18:37
  • It is strange that in the logs there is a backslash before the question mark. You need to add one in your regex too. – Dom Oct 08 '16 at 06:31
  • It's already in my regex, isn't it, or do I need it a special way? Not too familiar with regex. – John Oct 10 '16 at 21:27
  • The '?' means the previous char can be optional. If you want a real ?, you need to escape it with a \. So your regex is OK, but the URL is not: to match, you should have "https://www.youtube.com/watch?v=v2AC41dglnM" (without backslash) – Dom Oct 11 '16 at 06:28
  • It is a real character. So weird, I did a PHP script to rewrite the URLs and it is working fine now as a squid redirect program. Now I am facing another issue as squid isn't working in the iOS YouTube app. – John Oct 12 '16 at 15:05
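
As an added example (not code from the question or the answers), this Python script runs the posted ACL pattern over the request targets in the quoted access.log lines: the CONNECT line exposes only host:port, and the logged GET URL carries a backslash the pattern does not expect. It assumes Python's `re` treats these patterns the same way Squid's regex engine does; `TOLERANT` and the third log line are constructed for illustration.

```python
import re

# ACL pattern exactly as posted in the question; Squid's -i means case-insensitive.
POSTED = re.compile(r"^https://www.youtube.com/watch\?v=v2AC41dglnM", re.I)
# Hypothetical variant (not from the page): dots escaped and an optional
# literal backslash allowed before the '?', following the comment about the log.
TOLERANT = re.compile(r"^https://www\.youtube\.com/watch\\?\?v=v2AC41dglnM", re.I)

# The first two lines are the access.log entries quoted in the question.
# The third is constructed: the same GET without the backslash.
LOG_LINES = [
    r"475862685.876      0 100.100.100.100 TAG_NONE/200 0 CONNECT www.youtube.com:443 - HIER_NONE/- -",
    r"1475862686.359    412 100.100.100.100 TCP_MISS/200 51182 GET https://www.youtube.com/watch\?v=v2AC41dglnM - HIER_DIRECT/216.58.192.238 application/json",
    "1475862687.000    400 100.100.100.100 TCP_MISS/200 51182 GET https://www.youtube.com/watch?v=v2AC41dglnM - HIER_DIRECT/216.58.192.238 application/json",
]


def request_target(line):
    """Return (method, target) from a native-format access.log line."""
    fields = line.split()
    return fields[5], fields[6]


def check(line):
    """Report how each pattern treats the request target that was logged."""
    method, target = request_target(line)
    return {
        "method": method,
        "target": target,
        # A CONNECT tunnel shows the proxy host:port only, never a URL path.
        "is_tunnel": method == "CONNECT",
        "posted": bool(POSTED.search(target)),
        "tolerant": bool(TOLERANT.search(target)),
    }


if __name__ == "__main__":
    for line in LOG_LINES:
        r = check(line)
        print(f"{r['method']:8}{r['target']}")
        print(f"        tunnel={r['is_tunnel']} posted={r['posted']} tolerant={r['tolerant']}")
```
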
0

Did you figure out how to block the YouTube channels? I'm working on something similar. Regarding your regex, you can use a site like https://regex101.com/ to test your regex against string values.

  • This does not provide an answer to the question. Once you have sufficient [reputation](https://serverfault.com/help/whats-reputation) you will be able to [comment on any post](https://serverfault.com/help/privileges/comment); instead, [provide answers that don't require clarification from the asker](https://meta.stackexchange.com/questions/214173/why-do-i-need-50-reputation-to-comment-what-can-i-do-instead). - [From Review](/review/late-answers/528143) – ndemou Aug 26 '22 at 20:12