I configured Squid 3.3.13 as a transparent proxy. It is intercepting SSL connections as well. My goal is to enforce safe search on the major search engines.
At the moment my setup deals with Google, Yahoo and Bing, but I can't make DuckDuckGo work UNLESS I intercept all SSL communication.
Relevant parts of squid.conf are:
Code:
acl engines dstdomain .yahoo.com
acl engines dstdomain .duckduckgo.com
acl engines dstdomain .google.com
acl engines dstdomain .bing.com
url_rewrite_program /usr/bin/squidGuard -c /etc/squid/squidGuard.conf
url_rewrite_children 500
https_port 3130 intercept ssl-bump connection-auth=off generate-host-certificates=on cert=[my certificate path] key=[my key path] cipher=ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:HIGH:!aNULL:!MD5:!ADH
ssl_bump none localhost
ssl_bump server-first engines
ssl_bump none all
always_direct allow all
sslproxy_cert_error deny all
sslproxy_flags DONT_VERIFY_PEER
-------------------
SquidGuard rewrite rule:
Code:
rewrite engines {
s@.*bing.com/search.*@&\&adlt=strict@i
s@.*bing.com/images.*@&\&adlt=strict@i
s@.*bing.com/videos.*@&\&adlt=strict@i
s@.*au.search.yahoo.com.*@&\&vm=r@i
s@.*duckduckgo.com.*@&\&kp=1@i
s@.*google.com.au.*@1&safe=strict@i
}
---------------
I believe the problem is related to the Squid
Code:
acl engines dstdomain .duckduckgo.com
because when I disregard that acl and add:
Code:
ssl_bump server-first all
It forces duckduckgo.com into safe search, therefore the rewrite in SquidGuard must be fine!
I've been digging deep on this one for about a week and have run out of ideas.
Thanks in advance.