'safe search' policies for various websites (can be used when front ending proxy or transparently) - CESANet

Problem this snippet solves:

Working for the education sector, we get a lot of requests to "sanitise" some online content. Mostly this is done via our quite comprehensive web filtering solution, but sometimes the requirement is not to block it all but to rewrite it. We have elected to use our BIG-IP deployment to handle rewrites, purely because the iRule language is so comprehensive (mostly).

The only change these policies need when traffic is forwarded straight on, rather than passed to a pool member (i.e. load-balanced proxy servers), is the 'forward' statement, e.g.

Code :

ltm rule cesanet.forward-google_safe-search {
    when HTTP_REQUEST {
        # Captured only for the optional debug log line below
        set localip [IP::remote_addr]
        set webhost [HTTP::host]
        set weburi [HTTP::uri]
        #log local0. "$localip accessed $webhost$weburi"
        if {[HTTP::host] contains "google"} {
            if {([HTTP::uri] contains "/search?") or ([HTTP::uri] contains "/s?")} {
                if { not([HTTP::uri] contains "&safe=active") } {
                    # Redirect the client to the same URI with safe search switched on
                    HTTP::redirect "[HTTP::uri]&safe=active"
                }
            }
        }
        # No pool behind this virtual server: forward the traffic straight on
        forward
    }
}

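ltm rule cesanet.proxy-google_safe-search {
    when HTTP_REQUEST {
        if {[HTTP::host] contains "google"} {
            if {([HTTP::uri] contains "/search?") or ([HTTP::uri] contains "/s?")} {
                if { not([HTTP::uri] contains "&safe=active") } {
                    # Redirect the client to the same URI with safe search switched on
                    HTTP::redirect "[HTTP::uri]&safe=active"
                }
            }
        }
        # No 'forward' here: the request is passed to the pool of proxy servers
    }
}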

# With that in mind, below is our current (2013-07-25) list of 'safe search' rules. We have also created a "YouTube for Schools" rule that is linked to a data group to support that service as well.

ltm rule cesanet.proxy-bing_safe_search {
    when HTTP_REQUEST {
        if {[HTTP::host] contains "bing"} {
            if {([HTTP::uri] contains "/search?") or ([HTTP::uri] contains "/s?")} {
                if { not([HTTP::uri] contains "&adlt=strict") } {
                    # Redirect the client to the same URI with the strict filter set
                    HTTP::redirect "[HTTP::uri]&adlt=strict"
                }
            }
        }
    }
}

ltm rule cesanet.proxy-google_safe-search {
    when HTTP_REQUEST {
        if {[HTTP::host] contains "google"} {
            if {([HTTP::uri] contains "/search?") or ([HTTP::uri] contains "/s?")} {
                if { not([HTTP::uri] contains "&safe=active") } {
                    HTTP::redirect "[HTTP::uri]&safe=active"
                }
            }
        }
    }
}

ltm rule cesanet.proxy-yahoo_safe-search {
    when HTTP_REQUEST {
        if {[HTTP::host] contains "yahoo"} {
            if {([HTTP::uri] contains "/search")} {
                if { not([HTTP::uri] contains "&vm=r") } {
                    # Redirect the client to the same URI with the safe search parameter added
                    HTTP::redirect "[HTTP::uri]&vm=r"
                }
            }
        }
    }
}

ltm rule cesanet.proxy-youtube_safety_mode {
    when HTTP_REQUEST {
        if {[HTTP::host] contains "youtube"} {
            if { [HTTP::cookie exists "PREF"] } {
                # Append the safety mode flag to the client's existing PREF cookie
                HTTP::cookie value "PREF" "[HTTP::cookie value "PREF"]&f2=8000000"
            }
        }
    }
}

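ltm rule cesanet.proxy-youtube_schools {
    when HTTP_REQUEST {
        # Only applies to client addresses listed in the youtube_schools data group
        if { ( [class match [IP::remote_addr] equals youtube_schools] ) } {
            if {[HTTP::host] contains "youtube"} {
                # Insert the filter value stored in the data group for this client address
                HTTP::header insert "X-YouTube-Edu-Filter" "[class lookup [IP::client_addr] youtube_schools]"
            }
        }
    }
}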
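
A stricter variant of the redirect rules above, added here as an example and not part of the original CESANet rule set: instead of testing for the parameter as a substring and appending it, it rebuilds the query string so the enforced parameter appears exactly once with the required value. The rule name is hypothetical; the hosts, URI tests and parameter values are the ones used above.

```tcl
# Added example: hypothetical rule name; not part of the CESANet rule set.
ltm rule example.proxy-enforce_safe_search {
    when HTTP_REQUEST {
        set host [string tolower [HTTP::host]]
        set uri  [HTTP::uri]
        set name ""

        # Same host/URI tests and parameters as the rules on this page.
        if { $host contains "google" } {
            if { ($uri contains "/search?") or ($uri contains "/s?") } {
                set name "safe"; set value "active"
            }
        } elseif { $host contains "bing" } {
            if { ($uri contains "/search?") or ($uri contains "/s?") } {
                set name "adlt"; set value "strict"
            }
        } elseif { $host contains "yahoo" } {
            if { $uri contains "/search" } {
                set name "vm"; set value "r"
            }
        }

        if { $name ne "" } {
            # Split the URI into the part before "?" and the query string.
            set qpos [string first "?" $uri]
            if { $qpos < 0 } {
                set base $uri
                set query ""
            } else {
                set base  [string range $uri 0 [expr {$qpos - 1}]]
                set query [string range $uri [expr {$qpos + 1}] end]
            }

            # Keep every parameter except existing copies of the enforced one.
            set kept {}
            foreach pair [split $query "&"] {
                if { $pair eq "" } { continue }
                set key [string tolower [URI::decode [lindex [split $pair "="] 0]]]
                if { $key ne $name } { lappend kept $pair }
            }
            lappend kept "$name=$value"

            # Redirect only when the normalised URI differs, so there is no loop.
            set fixed "${base}?[join $kept &]"
            if { $fixed ne $uri } { HTTP::redirect $fixed }
        }
    }
}
```

Because the comparison is against the rebuilt URI, a request that already carries the single correct parameter at the end of its query string passes through without a redirect.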
Published Mar 18, 2015
Version 1.0