Enforcing Youtube Safety Mode



  • Hello Forum,
    Is it possible to enforce Youtube Safety mode via squidGuard or any other package?
    If so, then what is the procedure to do it?



  • No idea, but this previous thread may give you some kind of clue/hint/despair:

    https://forum.pfsense.org/index.php?topic=44651.0



  • @KOM:

    No idea, but this previous thread may give you some kind of clue/hint/despair:

    https://forum.pfsense.org/index.php?topic=44651.0

    I found a post about installing diladele web safety and through which youtube safety mode MIGHT (Not sure cos I'm still working on it) be enforced

    http://sichent.wordpress.com/2014/02/22/filtering-https-traffic-with-squid-on-pfsense-2-1/

    But when I try to add python package using "pkg_add -r python27 py27-sqlite3 py27-pip" its giving error as Unable to get file from
    "ftp://ftp.freebsd.org/pub/FreeBSD/ports/amd64/packages-8.3-stable/Latest/python27.tbz"

    If I install latest package i.e package 9.2 then I'm not able to install Django framework.

    what might be the error?



  • FreeBSD 8.3 is so old that they just recently moved those packages to archive.  8.4 branch is still available, but it is highly discouraged to load those packages unless you are a FreeBSD expert and know exactly what you're doing.  You're more likely to break your system.



  • @KOM:

    FreeBSD 8.3 is so old that they just recently moved those packages to archive.  8.4 branch is still available, but it is highly discouraged to load those packages unless you are a FreeBSD expert and know exactly what you're doing.  You're more likely to break your system.

    Yes my Pfsense got crashed while trying it. The only solution is to wait for the SquidGuard to update the upcoming version with the YouTube Safety mode enforcing option.



  • Not the true "safety mode" but I did setup the edufilter…. maybe you can use the same process to get "safety mode" ?
    I have mine working but it requires some "extra" work.

    Sign up for and get an edufilter number from youtube.

    Install Squid, and Squidguard on pfSense
    Make sure they work.

    SSH into the pfSense box, find the "squidguard.inc" file.
    Edit the squidguard.inc file and modify the following:

    # MSN Live search, Bing
        $rewrite_item[] = array(F_TARGETURL => '(search.live../.q=.)',  F_REPLACETO => '\1&adlt=strict', F_MODE => 'i');
        $rewrite_item[] = array(F_TARGETURL => '(search.msn..
    /.q=.)',  F_REPLACETO => '\1&adlt=strict', F_MODE => 'i');
        $rewrite_item[] = array(F_TARGETURL => '(.bing../.q=.)',        F_REPLACETO => '\1&adlt=strict', F_MODE => 'i');
        $rewrite_item[] = array(F_TARGETURL => '(http://www.youtube.com/watch?v=.
    )',        F_REPLACETO => '\1&edufilter=XXXXXXXXXXXXXXXXXXXXXXXX', F_MODE => 'i');

    where edufilter=XXXXXXXXXXXXXXXXXXXXXXXX is your youtube edufilter number.
    This is the spot where you may be able to do a rewrite for "safety mode " ??
    save the squidguard.inc file.

    Under the Squidguard ACL settings,  (Proxy filter SquidGuard: Common Access Control List (ACL))

    Set "Rewrite" to "safesearch"

    Make sure to uncheck the "Use SafeSearch engine" selection.
    Restart pfSense box.

    This worked for me.
    your mileage may vary.

    -S



  • @sowen:

    Install Squid, and Squidguard on pfSense
    Make sure they work.

    Which version of Squid and SquidGuard were you using?? I think the YouTube edufilter may vary depending on the version also



  • I was playing with safesearch last night with Squid3.  After configuring it, I went to Google and tried to do some image searches for loaded terms like 'hot teen nudes' (research & development reasons only, of course).  No matter what I did, I could not get around safesearch.  If you try to disable it, you will be forwarded to the main Google page.  I'm sure there are clever ways around it, but I doubt my users will think of them.


  • Moderator

    Hi networkinggeek,

    Here is a link to the 8.3 package archive files:

    https://forum.pfsense.org/index.php?topic=78935.msg431084#msg431084



  • @KOM:

    I was playing with safesearch last night with Squid3.  After configuring it, I went to Google and tried to do some image searches for loaded terms like 'hot teen nudes' (research & development reasons only, of course).  No matter what I did, I could not get around safesearch.  If you try to disable it, you will be forwarded to the main Google page.  I'm sure there are clever ways around it, but I doubt my users will think of them.

    Well I have got success with google safesearch and yes you are right if we try to disable the safesearch it'll be redirected to the main page.

    I am stuck in the YouTube edufilter. I want it to be enforced via Pfsense itself. I don't want to login into each PC or Laptop and enforce it. So, it has to be done via Pfsense so that the school kids can access YouTube edu content videos even via Tablets.



  • Another good google trick is to force the "nosslsafesearch" …

    Host Domain IP Description

    www google.com 216.239.32.20 nosslsearch.google.com



  • …sorry ...fat fingered that last post....

    ..under your DNS forwarder,  add www.google.com, and send it to  216.239.32.20

    It looks like youtube issues cookies rather than adding a string to the url, so doing a rewrite will probably not work.
    If you are an education institution, you could / should sign up for edufilter.

    https://support.google.com/youtube/answer/2695317?hl=en



  • @sowen:

    It looks like youtube issues cookies rather than adding a string to the url, so doing a rewrite will probably not work.
    If you are an education institution, you could / should sign up for edufilter.

    https://support.google.com/youtube/answer/2695317?hl=en

    Is it possible to redirect using HTTP header rule? Because the link which you haven given mention about editing header rules.
    I don't know how to edit header rules in Pfsense. So if you are aware about this then, kindly explain the procedure to do so.



  • Well…yes, no and maybe....

    the header rewrite

    $rewrite_item[] = array(F_TARGETURL => '(http://www.youtube.com/watch?v=.*)',        F_REPLACETO => '\1&edufilter=XXXXXXXXXXXXXXXXXXXXXXXX', F_MODE => 'i');

    Forces the users to use your specific educational channel, which you can then control.

    However, I do not know how to rewrite the header to force all proxy users to use "safety mode".

    YouTube Safety Mode is enforced by rewriting a specific cookie in client request headers, while SafeSearch (for google etc...) is enforced by simply adding a string to the request URL (which is what the edufilter filtering does).

    a quick google of "rewrite youtube header to use safety mode" brings up some info, but most of it is at least a couple years old and I'm not sure how (or if) it could be implemented in pfSense / squidguard.


    Youtube Safe Search

    RewriteCond URL .youtube.com.
    RewriteHeader Cookie: (.*) PREF=f2=8000000

    RewriteRule (.)?youtube.com(.?.*) $1youtube.com$2&safety_mode=true [I,L]



    ; === Safety Mode for YouTube ===
        <proxy bc_safesearch_youtube_cookies="">url.domain=youtube.com
        request.header.cookie="PREF=" action.BC_SafeSearch_YouTube_Cookie_Rewrite(yes)
        action.BC_SafeSearch_YouTube_Cookie_append(yes)
              define action BC_SafeSearch_YouTube_Cookie_Rewrite
              rewrite( request.header.Cookie, "(PREF=[^,]+)", "$(1)&f2=8000000" )
              end
              define action BC_SafeSearch_YouTube_Cookie_append
              append( request.header.Cookie, "PREF=f2=8000000" )
              end
    ; === End of Safety Mode for YouTube ===
    ***********************</proxy>



  • This can be done with the NSFilter package by simply entering your Youtube for Schools code into the desired policy.



  • @jamesmr89:

    This can be done with the NSFilter package by simply entering your Youtube for Schools code into the desired policy.

    I have tried NSFilter and its not working. When you follow the steps provided by them to configure all the websites get blocked.
    I have raised this issue with the NSFilter and they have not even cared to respond to the error. So as of now NSFilter is not going to work



  • @sowen:

    Well…yes, no and maybe....

    the header rewrite

    $rewrite_item[] = array(F_TARGETURL => '(http://www.youtube.com/watch?v=.*)',        F_REPLACETO => '\1&edufilter=XXXXXXXXXXXXXXXXXXXXXXXX', F_MODE => 'i');

    Forces the users to use your specific educational channel, which you can then control.

    However, I do not know how to rewrite the header to force all proxy users to use "safety mode".

    YouTube Safety Mode is enforced by rewriting a specific cookie in client request headers, while SafeSearch (for google etc...) is enforced by simply adding a string to the request URL (which is what the edufilter filtering does).

    a quick google of "rewrite youtube header to use safety mode" brings up some info, but most of it is at least a couple years old and I'm not sure how (or if) it could be implemented in pfSense / squidguard.


    Youtube Safe Search

    RewriteCond URL .youtube.com.
    RewriteHeader Cookie: (.*) PREF=f2=8000000

    RewriteRule (.)?youtube.com(.?.*) $1youtube.com$2&safety_mode=true [I,L]



    ; === Safety Mode for YouTube ===
        <proxy bc_safesearch_youtube_cookies="">url.domain=youtube.com
        request.header.cookie="PREF=" action.BC_SafeSearch_YouTube_Cookie_Rewrite(yes)
        action.BC_SafeSearch_YouTube_Cookie_append(yes)
              define action BC_SafeSearch_YouTube_Cookie_Rewrite
              rewrite( request.header.Cookie, "(PREF=[^,]+)", "$(1)&f2=8000000" )
              end
              define action BC_SafeSearch_YouTube_Cookie_append
              append( request.header.Cookie, "PREF=f2=8000000" )
              end
    ; === End of Safety Mode for YouTube ===
    ***********************</proxy>

    Do I need edit cookies in the individual browser? If so, then its not an feasible option because cookies will erased if we clear the history.
    Somehow SquidGuard has to come up with the solution for this.