[Lias] Re: [acscomputers] Google rewrites?
John Summerfield
summer at corridors.wa.edu.au
Wed Aug 24 13:19:02 UTC 2005
Paul Gear wrote:
> John Summerfield wrote:
>
>>...
>>
>>>Seems like a bit of a waste when it's what squidGuard is supposed to do
>>>well... :-)
>>>
>>>What about a redirect instead? Could we just put
>>> redirect %u&safe=strict
>>>in a section that bans all google traffic with a match like
>>> (google.*\?)
>>>?
>>>
>>
>>In squid.conf:
>># acl aclname url_regex [-i] ^http:// ... # regex matching on whole URL
>>acl goodgoogle url_regex -i \
>>^http://[^/]*google.com(|\.[a-z]{2})/safe=strict
>>acl google url_regex -i \
>>^http://[^/]*google.com(|\.[a-z]{2})
>
>
> I'm not trying to block Google, I'm trying to rewrite the requests (by
> appending '&safe=strict') so that they don't need blocking.
If I got the regexes right, it blocks Google unless the user has
safe-search enabled.
They can use Google, but they gotta do it safely.
>
>
>>Note that the above regex isn't exactly right, it needs to only apply to
>>searches.
>
>
> That's what the \? in my rule was about.
>
>
>>...
>>I don't like site-specific Squid rules, but I guess a small number (my
>>definition) is tolerable.
>
>
> Indeed.
>
>
>>...
>>The example I saw only works properly if you limit to one copy.
>
>
> One copy running in memory? That wouldn't work for us. We have about
> 400 end nodes, and if we have less than about 30 redirectors, it runs
> out regularly.
That's why I changed it: all the tees in the example were writing to a
single file, each opening it itself. My version uses a different file
for each tee.
>
>
>>...
>>I ran this on WBEL 4 which has SELinux enforcing nice behaviour. I could
>>not create the files in /tmp which, I suppose, is good.
>
>
> Not very application-friendly, though...
Define "application-friendly." If someone breaks your PHP application
(not entirely unknown), that someone doesn't get access to much more.
Sounds fairly friendly to me. One just has to learn to deal with it.
Linux is now getting the level of security that's been available in
serious operating systems for decades, and I for one think it about time.
--
Cheers
John
Corridors College Western Australia
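
The rewrite discussed in this thread (appending `safe=strict` to Google searches instead of blocking them), sketched as a stand-alone redirector helper. This is an added example, not part of the original message or of squidGuard. It assumes the classic line-based redirector interface, where each input line starts with the requested URL and the reply is the rewritten URL or an empty line for "no change"; the names `enforce_safe` and `handle_line` are hypothetical.

```python
import re
import sys
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Match the hostname only, anchored at both ends, so that look-alikes such as
# "notgoogle.com" or "google.com.evil.example" are not treated as Google.
GOOGLE_HOST = re.compile(r"(^|\.)google\.(com|[a-z]{2}|com?\.[a-z]{2})$", re.I)

def enforce_safe(url):
    """Return url with safe=strict forced on Google requests that carry a query."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    # Only plain http requests expose the full URL to the proxy.
    if parts.scheme != "http" or not GOOGLE_HOST.search(host):
        return url
    # Same idea as the "\?" in the thread: leave requests without a query alone.
    if not parts.query:
        return url
    # Drop any safe= value supplied by the user, then append the strict one.
    params = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
              if k.lower() != "safe"]
    params.append(("safe", "strict"))
    return urlunsplit(parts._replace(query=urlencode(params)))

def handle_line(line):
    """Process one redirector input line; '' tells the proxy to leave the URL as is."""
    fields = line.split()
    if not fields:
        return ""
    rewritten = enforce_safe(fields[0])
    return rewritten if rewritten != fields[0] else ""

def main():
    for line in sys.stdin:
        sys.stdout.write(handle_line(line) + "\n")
        sys.stdout.flush()  # the proxy waits for each answer, so never buffer

if __name__ == "__main__":
    main()
```

Each redirector child runs its own copy of the loop and keeps no shared state, so running about 30 of them in parallel does not cause the shared-file problem described above.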