Squid + squidGuard not enforcing safe search on duckduckgo.com

Question

The purpose of this project is to force safe search on major search engines.

I managed to install Squid (version 3.3) and SquidGuard, configured Squid as transparent proxy with SSL interception...

I managed to enforce safe search on Google, Yahoo and Bing, but I can't with Duckduckgo and I can't find any reasonable explanation (either on my own or in the web).

My Squid.conf is:

    acl localnet src 192.168.1.0/24 # RFC1918 possible internal network
    acl localnet src fc00::/7       # RFC 4193 local private network range
    acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machin$

    acl SSL_ports port 443
    acl Safe_ports port 80          # http
    acl Safe_ports port 21          # ftp
    acl Safe_ports port 443         # https
    acl Safe_ports port 70          # gopher
    acl Safe_ports port 210         # wais
    acl Safe_ports port 1025-65535  # unregistered ports
    acl Safe_ports port 280         # http-mgmt
    acl Safe_ports port 488         # gss-http
    acl Safe_ports port 591         # filemaker
    acl Safe_ports port 777         # multiling http

    acl CONNECT method CONNECT

    acl engines dstdomain .yahoo.com
    acl engines dstdomain .duckduckgo.com
    acl engines dstdomain .google.com
    acl engines dstdomain .bing.com

    cache deny all
    http_access deny !Safe_ports

    http_access deny CONNECT !SSL_ports

    http_access allow localhost manager
    http_access deny manager

    log_access allow all
    url_rewrite_program /usr/bin/squidGuard -c /etc/squid/squidGuard.conf
    url_rewrite_children 500

    http_access allow localnet
    http_access allow localhost

    http_access deny all

    http_port 3129
    http_port 3128 intercept
    https_port 3130 intercept ssl-bump connection-auth=off generate-host-certificates=on cert=/etc/squid/control.com.au.pem key=/etc/squid/control.com.au.pem cipher=ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:DHE-RSA-CAMELLIA128-SHA:RC4-SHA:HIGH:!aNull:!MD5:!ADH
    ssl_bump none localhost
    ssl_bump server-first engines
    #ssl_bump server-first all
    ssl_bump none all

    always_direct allow all
    sslproxy_cert_error deny all
    sslproxy_flags DONT_VERIFY_PEER

    refresh_pattern ^ftp:           1440    20%     10080
    refresh_pattern ^gopher:        1440    0%      1440
    refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
    refresh_pattern .               0       20%     4320

And the rewrite rule in SquidGuard is:

    rewrite engines {
        s@.*bing.com/search.*@&\&adlt=strict@i
        s@.*bing.com/images.*@&\&adlt=strict@i
        s@.*bing.com/videos.*@&\&adlt=strict@i
        s@.*au.search.yahoo.com.*@&\&vm=r@i
        s@.*duckduckgo.com.*@&\&kp=1@i
        s@.*google.com.au.*@1&safe=strict@i
        s@.*google.com.*@1&safe=strict@i
        s@.*bing.com.*@&\&adlt=strict@i
    }

I am pretty sure the squidGuard rewrite rule is fine because if I change the Squid configuration to intercept ALL SSL communication then duckduckgo.com gets enforced. The question is what shall I enter instead of:

    acl engines dstdomain .duckduckgo.com

??????????

Thanks in advance

Answer 1

You can force TRANSPARENT safe search for google (http and https) by setting:

Configure
set service dns forwarding options address=/.google.com/216.239.38.120
commit
save

DONE !!!! It works.

EXTRA BONUS:

IF YOU WANT TO BLOCK ALL ACCESS to ask and bing and duckduckgo and other domains, use:

configure
set service dns forwarding options address=/.bing.com/216.239.38.120
set service dns forwarding options address=/.ask.com/216.239.38.120
set service dns forwarding options address=/.duckduckgo.com/216.239.38.120
commit
save

This blocks bing and ask and duckduckgo domains on both http and https.

Answer 2

I bet the above does not work with SquidGuard after June 23, 2015

"On 23 June 2015 the Google search services will move all search results behind SSL encryption. This means that all search results will then be served using 'https', with the secure padlock shown in web browsers."

Many schools and business are so pissed off they are now using:

"'SSL interception' functionality that can intercept and filter Google search results after Google implement their change. This also allows to subsequently address existing issues with other Google services like YouTube that have already moved to SSL."

Answer 3

This is a little over a year after the fact, but I found this thread trying to solve this exact problem myself, so here goes.

In your squid config, you have:

acl engines dstdomain .yahoo.com
acl engines dstdomain .duckduckgo.com
acl engines dstdomain .google.com
acl engines dstdomain .bing.com

But that implies any subdomain beneath duckduckgo.com (i.e. www.duckduckgo.com, search.duckduckgo.com), but not duckduckgo.com.

When I do a DDG search, it's just using https://duckduckgo.com/$search_string, as so:

example duckduckgo search

So in short, your explicit ssl-bump acl engines is not matching duckduckgo because it's expecting subdomains, not the domain itself. When you change your config to "bump all", it's obviously catching it then, as it's catching everything.

If you exchange this line

acl engines dstdomain .duckduckgo.com

For this line

acl engines dstdomain duckduckgo.com

It'll work.