Closed mrbluecoat closed 4 years ago
Does virtual-host solve this? e.g. virtual-host youtube.com restrict.youtube.com
For now I'm using an IP-based workaround with /etc/hosts and CoreDNS but it's not ideal considering the number of domains YouTube uses.
I think you should be able to do it with virtual-host.
Sadly, no (at least for my use case) due to:
virtual-host only works with HTTP, not with HTTPS
No worries, though, my workaround should suffice for now.
It might work with HTTPS if the “virtual” host actually exists, as it would in your use case.
I tried it with my example domains above and none of them exhibited the expected behavior (e.g. none defaulted to safe search settings).
Are you ssl-bumping the requests?
I think so, but maybe I didn't configure it correctly?
I used https://github.com/FiloSottile/mkcert to create and install the cert on the server and copied the rootCA.pem to the client and installed it there as well in system and manually in the Chrome browser. I then configured Redwood via:
/etc/redwood/redwood.conf
virtual-host youtube.com restrict.youtube.com
virtual-host bing.com strict.bing.com
virtual-host www.google.com forcesafesearch.google.com
virtual-host duckduckgo.com safe.duckduckgo.com
/etc/redwood/acls.conf
acl connect method CONNECT
ssl-bump tls-cert /root/.local/share/mkcert/rootCA.pem
ssl-bump tls-key /root/.local/share/mkcert/rootCA-key.pem
ssl-bump connect
When I browse to any of the virtual hosts listed above I'm not redirected and the safe search settings remain as default.
The tls-cert and tls-key lines belong in redwood.conf, without the ssl-bump prefix.
Andy
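The fix from the reply above, as an added example (not code from Redwood or from anyone in this thread): a small Python check that flags tls-cert/tls-key written as ssl-bump arguments in acls.conf. The function names, the `#` comment handling and the rule that an ssl-bump rule needs both keys in redwood.conf are assumptions; the sample configs are constructed from the ones posted here.

```python
"""Lint a redwood.conf / acls.conf pair for the misplaced TLS settings."""

TLS_KEYS = ("tls-cert", "tls-key")

# Constructed sample input: the configuration as posted in the thread.
POSTED_MAIN = """\
virtual-host youtube.com restrict.youtube.com
virtual-host www.google.com forcesafesearch.google.com
"""
POSTED_ACLS = """\
acl connect method CONNECT
ssl-bump tls-cert /root/.local/share/mkcert/rootCA.pem
ssl-bump tls-key /root/.local/share/mkcert/rootCA-key.pem
ssl-bump connect
"""
# Constructed sample input: the same settings after applying the reply's fix.
FIXED_MAIN = """\
tls-cert /root/.local/share/mkcert/rootCA.pem
tls-key /root/.local/share/mkcert/rootCA-key.pem
""" + POSTED_MAIN
FIXED_ACLS = "acl connect method CONNECT\nssl-bump connect\n"


def directives(text):
    """Split each directive line into words (assumes '#' starts a comment line)."""
    lines = (raw.split() for raw in text.splitlines())
    return [words for words in lines if words and not words[0].startswith("#")]


def lint(main_conf, acls_conf):
    """Return a list of findings; an empty list means this check passes."""
    findings = []
    acls = directives(acls_conf)
    # tls-cert / tls-key written as arguments of ssl-bump in the ACL file.
    for d in acls:
        if d[0] == "ssl-bump" and len(d) > 1 and d[1] in TLS_KEYS:
            findings.append(f"acls.conf: move '{d[1]}' to redwood.conf, "
                            "without the ssl-bump prefix")
    # Assumption: a real ssl-bump rule needs both keys set in redwood.conf.
    bumping = any(d[0] == "ssl-bump" and len(d) > 1 and d[1] not in TLS_KEYS
                  for d in acls)
    have = {d[0] for d in directives(main_conf)}
    if bumping:
        findings += [f"redwood.conf: '{k}' is not set"
                     for k in TLS_KEYS if k not in have]
    return findings
```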
Woot! That did it - thanks for the help!
https://github.com/andybalholm/redwood-config is great! Is it linked in this repo README? The examples really help to understand the config structure.
It's mentioned in the README in the config directory, but maybe adding something to the main README would be good.
Ref: #21
Would it be possible to implement a domain-changes capability similar to the query-changes option? This would enable the following types of scenarios: