Can you block a certain path of a website?

Hi, I know that this might sound stupid, but I have been trying to block youtube.com/shorts/. idc if it returns an error message or anything like that, I just want to break YouTube Shorts, not YouTube as a whole, only YouTube Shorts. So is there a way to do it?

No, this is not possible at the router level. You may be able to do it at the application level (i.e. your OS or browser) by configuring filters on your host device. But, no, there is no way that OpenWrt (or any router) can help you with this.

1 Like

Why not? Squid + MITM certs + blocklists.

Good luck with that.

2 Likes

Dude, search for "Squid SSL bumping" and combine it with filters (Squid can do it). But it will require you to install a certificate onto your devices.

I remember it worked 10 years ago. Is it broken now?

HTTPS happened.

1 Like

So MITM certificates no longer work?

https://wiki.squid-cache.org/Features/SslPeekAndSplice - looks like it is supported. I don't see why one can't combine it with squid's filters.

Only if you manage to UL it to the client, and it's accepted.

1 Like

I use my own certificate authority every day, why wouldn't it work in this case?

Sure, there are some special cases like banking software or TVs without the ability to upload certs, but in the general case it should work.

Give it a shot... (I'm being serious here)... If you can demonstrate a method of blocking specific URL paths (without blocking the entire domain name/IP address), I'm sure this would be of interest to a lot of people, since this question has been asked in various forms many times in these forums. A successful implementation of such blocking methods could be tested/replicated by others based on a "how-to" on the forums, and then eventually that could be made into a wiki article.

3 Likes

Challenge accepted. I'll try it tomorrow.

4 Likes

You will win, assuming you can install your certs on the user's device. With quite a few exceptions, of course. Because of HSTS, ....
Non-trivial, though.

1 Like

Unfortunately, the package for squid is compiled without 'enable-ssl-crtd', which is required for SSL bumping. Privoxy (which could be used for URL parsing and filtering) is compiled without SSL at all. I believe that's the main reason why no one is using this functionality in OpenWrt.

These are the things I tried:

https://www.privoxy.org/user-manual/config.html#CA-CERT-FILE
https://www.privoxy.org/user-manual/actions-file.html#HTTPS-INSPECTION
https://www.privoxy.org/user-manual/actions-file.html#PATH-PATTERN

I used certificates generated by the easy-rsa package.

P.S. I'll check it on Debian a bit later (just as a proof of concept).

1 Like

here's a very high level write up of the same thing

The reason I claimed that it works was from my ~10-year-old experience at a company where they used Squid filtering with SSL bumping extensively. I see it is no longer called "bumping", but the concept remains the same. Privoxy seems to have advanced filtering capabilities which can even alter delivered text content, not only the URL path or parameters.

My only question is how it interacts with Android apps (if it works at all). Both iOS and Android support certificate installation (actually I use one for my own VPN).

https://github.com/Barre/privaxy - ha! There is even a project like this... Actually you can try it for yourself. It allows you to save the CA certificate. You can install it wherever your heart pleases.

1 Like