This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "IPFire 2.x development tree".
The branch, next has been updated
       via  fd4cea1e34a81dcb8691e1527da51e26ccb7ec17 (commit)
       via  661ab1538964bf3b114689b7d173c4f372785b8b (commit)
       via  76630c43368bb52095873e90836000f9f44952e9 (commit)
       via  6b2801d62e9884a124683d4f583fbe5a752d6e2e (commit)
      from  9d959ac151e10c8bf82ceec516da32e986481fd1 (commit)
Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below.
- Log -----------------------------------------------------------------
commit fd4cea1e34a81dcb8691e1527da51e26ccb7ec17
Author: Michael Tremer michael.tremer@ipfire.org
Date:   Sat May 11 04:24:29 2019 +0100
core132: Ship changes to unbound
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 661ab1538964bf3b114689b7d173c4f372785b8b
Author: Michael Tremer michael.tremer@ipfire.org
Date:   Sat May 11 04:19:37 2019 +0100
unbound: Add Safe Search
This is a feature that will filter adult content from search engines' results.
The old method of rewriting the HTTP request no longer works.
This method changes the DNS response for supported search engines which violates our belief in DNSSEC and won't allow these search engines to ever enable DNSSEC.
However, there is no better solution available to this and this is an optional feature, too.
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
Reviewed-by: Peter Müller peter.mueller@ipfire.org
commit 76630c43368bb52095873e90836000f9f44952e9
Author: Michael Tremer michael.tremer@ipfire.org
Date:   Sat May 11 04:18:08 2019 +0100
core132: Ship updated urlfilter.cgi
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 6b2801d62e9884a124683d4f583fbe5a752d6e2e
Author: Michael Tremer michael.tremer@ipfire.org
Date:   Tue Apr 30 17:06:08 2019 +0100
URL Filter: Drop Safe Search feature
This has not been working for quite some time now because all search engines have moved over to HTTPS. Therefore we no longer can manipulate the URL query string.
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
-----------------------------------------------------------------------
Summary of changes:
 config/rootfiles/core/132/filelists/files |   3 +
 config/unbound/unbound.conf               |   3 +
 doc/language_issues.de                    |   1 +
 doc/language_issues.en                    |   1 -
 doc/language_issues.es                    |   1 +
 doc/language_issues.fr                    |   1 +
 doc/language_issues.it                    |   1 +
 doc/language_issues.nl                    |   1 +
 doc/language_issues.pl                    |   1 +
 doc/language_issues.ru                    |   1 +
 doc/language_issues.tr                    |   1 +
 html/cgi-bin/urlfilter.cgi                |  62 ++------
 src/initscripts/system/unbound            | 230 ++++++++++++++++++++++++++++++
 13 files changed, 253 insertions(+), 54 deletions(-)
Difference in files: diff --git a/config/rootfiles/core/132/filelists/files b/config/rootfiles/core/132/filelists/files index 67d009f9c..2b14c1aa7 100644 --- a/config/rootfiles/core/132/filelists/files +++ b/config/rootfiles/core/132/filelists/files @@ -2,7 +2,9 @@ etc/system-release etc/issue etc/mime.types etc/rc.d/init.d/suricata +etc/rc.d/init.d/unbound etc/suricata/suricata.yaml +etc/unbound/unbound.conf opt/pakfire/lib/functions.pl opt/pakfire/pakfire srv/web/ipfire/cgi-bin/captive.cgi @@ -10,6 +12,7 @@ srv/web/ipfire/cgi-bin/credits.cgi srv/web/ipfire/cgi-bin/firewall.cgi srv/web/ipfire/cgi-bin/proxy.cgi srv/web/ipfire/cgi-bin/routing.cgi +srv/web/ipfire/cgi-bin/urlfilter.cgi srv/web/ipfire/cgi-bin/zoneconf.cgi usr/lib/firewall/rules.pl usr/sbin/convert-snort diff --git a/config/unbound/unbound.conf b/config/unbound/unbound.conf index e20c3330d..4d492a5bc 100644 --- a/config/unbound/unbound.conf +++ b/config/unbound/unbound.conf @@ -81,6 +81,9 @@ server: # Include any forward zones include: "/etc/unbound/forward.conf"
+ # Include safe search settings + include: "/etc/unbound/safe-search.conf" + remote-control: control-enable: yes control-use-cert: no diff --git a/doc/language_issues.de b/doc/language_issues.de index 0a8b93ad5..6bc94f798 100644 --- a/doc/language_issues.de +++ b/doc/language_issues.de @@ -707,6 +707,7 @@ WARNING: translation string unused: uptime and users WARNING: translation string unused: urlfilter background image WARNING: translation string unused: urlfilter background text WARNING: translation string unused: urlfilter enable jpeg +WARNING: translation string unused: urlfilter safesearch WARNING: translation string unused: urlfilter update information WARNING: translation string unused: urlfilter update notification WARNING: translation string unused: urlfilter update results diff --git a/doc/language_issues.en b/doc/language_issues.en index bc41cfe23..8cc104347 100644 --- a/doc/language_issues.en +++ b/doc/language_issues.en @@ -1989,7 +1989,6 @@ WARNING: untranslated string: urlfilter restore results = Restore results WARNING: untranslated string: urlfilter restore settings = Restore URL filter settings WARNING: untranslated string: urlfilter restore success = URL filter configuration has been restored. The URL filter must be restarted to activate the new settings. WARNING: untranslated string: urlfilter restore text = To restore a previously saved configuration upload the .tar.gz backup file below -WARNING: untranslated string: urlfilter safesearch = Enable SafeSearch WARNING: untranslated string: urlfilter sat = S WARNING: untranslated string: urlfilter saturday = Sat WARNING: untranslated string: urlfilter save and restart = Save and Restart diff --git a/doc/language_issues.es b/doc/language_issues.es index 676e55092..5e3467eef 100644 --- a/doc/language_issues.es +++ b/doc/language_issues.es 
@@ -631,6 +631,7 @@ WARNING: translation string unused: uptime and users WARNING: translation string unused: urlfilter background image WARNING: translation string unused: urlfilter background text WARNING: translation string unused: urlfilter enable jpeg +WARNING: translation string unused: urlfilter safesearch WARNING: translation string unused: urlfilter update information WARNING: translation string unused: urlfilter update notification WARNING: translation string unused: urlfilter update results diff --git a/doc/language_issues.fr b/doc/language_issues.fr index 82268463f..4af8190bb 100644 --- a/doc/language_issues.fr +++ b/doc/language_issues.fr @@ -747,6 +747,7 @@ WARNING: translation string unused: uptime and users WARNING: translation string unused: urlfilter background image WARNING: translation string unused: urlfilter background text WARNING: translation string unused: urlfilter enable jpeg +WARNING: translation string unused: urlfilter safesearch WARNING: translation string unused: urlfilter update information WARNING: translation string unused: urlfilter update notification WARNING: translation string unused: urlfilter update results diff --git a/doc/language_issues.it b/doc/language_issues.it index 4156ed534..dce48892c 100644 --- a/doc/language_issues.it +++ b/doc/language_issues.it @@ -720,6 +720,7 @@ WARNING: translation string unused: uptime and users WARNING: translation string unused: urlfilter background image WARNING: translation string unused: urlfilter background text WARNING: translation string unused: urlfilter enable jpeg +WARNING: translation string unused: urlfilter safesearch WARNING: translation string unused: urlfilter update information WARNING: translation string unused: urlfilter update notification WARNING: translation string unused: urlfilter update results diff --git a/doc/language_issues.nl b/doc/language_issues.nl index 8f41d2032..9dfe2f9ff 100644 --- a/doc/language_issues.nl +++ b/doc/language_issues.nl 
@@ -715,6 +715,7 @@ WARNING: translation string unused: uptime and users WARNING: translation string unused: urlfilter background image WARNING: translation string unused: urlfilter background text WARNING: translation string unused: urlfilter enable jpeg +WARNING: translation string unused: urlfilter safesearch WARNING: translation string unused: urlfilter update information WARNING: translation string unused: urlfilter update notification WARNING: translation string unused: urlfilter update results diff --git a/doc/language_issues.pl b/doc/language_issues.pl index 676e55092..5e3467eef 100644 --- a/doc/language_issues.pl +++ b/doc/language_issues.pl @@ -631,6 +631,7 @@ WARNING: translation string unused: uptime and users WARNING: translation string unused: urlfilter background image WARNING: translation string unused: urlfilter background text WARNING: translation string unused: urlfilter enable jpeg +WARNING: translation string unused: urlfilter safesearch WARNING: translation string unused: urlfilter update information WARNING: translation string unused: urlfilter update notification WARNING: translation string unused: urlfilter update results diff --git a/doc/language_issues.ru b/doc/language_issues.ru index 11a424458..274872394 100644 --- a/doc/language_issues.ru +++ b/doc/language_issues.ru @@ -634,6 +634,7 @@ WARNING: translation string unused: uptime and users WARNING: translation string unused: urlfilter background image WARNING: translation string unused: urlfilter background text WARNING: translation string unused: urlfilter enable jpeg +WARNING: translation string unused: urlfilter safesearch WARNING: translation string unused: urlfilter update information WARNING: translation string unused: urlfilter update notification WARNING: translation string unused: urlfilter update results diff --git a/doc/language_issues.tr b/doc/language_issues.tr index 297901f65..7891e53e2 100644 --- a/doc/language_issues.tr +++ b/doc/language_issues.tr 
@@ -748,6 +748,7 @@ WARNING: translation string unused: uptime and users WARNING: translation string unused: urlfilter background image WARNING: translation string unused: urlfilter background text WARNING: translation string unused: urlfilter enable jpeg +WARNING: translation string unused: urlfilter safesearch WARNING: translation string unused: urlfilter update information WARNING: translation string unused: urlfilter update notification WARNING: translation string unused: urlfilter update results diff --git a/html/cgi-bin/urlfilter.cgi b/html/cgi-bin/urlfilter.cgi index c3c327eec..28ffc8114 100644 --- a/html/cgi-bin/urlfilter.cgi +++ b/html/cgi-bin/urlfilter.cgi @@ -138,7 +138,6 @@ $filtersettings{'BLOCK_IP_ADDR'} = 'off'; $filtersettings{'BLOCK_ALL'} = 'off'; $filtersettings{'ENABLE_EMPTY_ADS'} = 'off'; $filtersettings{'ENABLE_GLOBAL_WHITELIST'} = 'off'; -$filtersettings{'ENABLE_SAFESEARCH'} = 'off'; $filtersettings{'ENABLE_LOG'} = 'off'; $filtersettings{'ENABLE_USERNAME_LOG'} = 'off'; $filtersettings{'ENABLE_CATEGORY_LOG'} = 'off'; @@ -1057,9 +1056,6 @@ $checked{'ENABLE_EMPTY_ADS'}{$filtersettings{'ENABLE_EMPTY_ADS'}} = "checked='ch $checked{'ENABLE_GLOBAL_WHITELIST'}{'off'} = ''; $checked{'ENABLE_GLOBAL_WHITELIST'}{'on'} = ''; $checked{'ENABLE_GLOBAL_WHITELIST'}{$filtersettings{'ENABLE_GLOBAL_WHITELIST'}} = "checked='checked'"; -$checked{'ENABLE_SAFESEARCH'}{'off'} = ''; -$checked{'ENABLE_SAFESEARCH'}{'on'} = ''; -$checked{'ENABLE_SAFESEARCH'}{$filtersettings{'ENABLE_SAFESEARCH'}} = "checked='checked'"; $checked{'ENABLE_LOG'}{'off'} = ''; $checked{'ENABLE_LOG'}{'on'} = ''; $checked{'ENABLE_LOG'}{$filtersettings{'ENABLE_LOG'}} = "checked='checked'"; 
@@ -1473,21 +1469,17 @@ print <<END <td width='25%' class='base'>$Lang::tr{'urlfilter enable log'}:</td> <td><input type='checkbox' name='ENABLE_LOG' $checked{'ENABLE_LOG'}{'on'} /></td> </tr> -<tr> - <td class='base'>$Lang::tr{'urlfilter safesearch'}:</td> - <td><input type='checkbox' name='ENABLE_SAFESEARCH' $checked{'ENABLE_SAFESEARCH'}{'on'} /></td> - <td class='base'>$Lang::tr{'urlfilter username log'}:</td> - <td><input type='checkbox' name='ENABLE_USERNAME_LOG' $checked{'ENABLE_USERNAME_LOG'}{'on'} /></td> -</tr> <tr> <td class='base'>$Lang::tr{'urlfilter empty ads'}:</td> <td><input type='checkbox' name='ENABLE_EMPTY_ADS' $checked{'ENABLE_EMPTY_ADS'}{'on'} /></td> - <td class='base'>$Lang::tr{'urlfilter category log'}:</td> - <td><input type='checkbox' name='ENABLE_CATEGORY_LOG' $checked{'ENABLE_CATEGORY_LOG'}{'on'} /></td> + <td class='base'>$Lang::tr{'urlfilter username log'}:</td> + <td><input type='checkbox' name='ENABLE_USERNAME_LOG' $checked{'ENABLE_USERNAME_LOG'}{'on'} /></td> </tr> <tr> <td class='base'>$Lang::tr{'urlfilter block ip'}:</td> <td><input type='checkbox' name='BLOCK_IP_ADDR' $checked{'BLOCK_IP_ADDR'}{'on'} /></td> + <td class='base'>$Lang::tr{'urlfilter category log'}:</td> + <td><input type='checkbox' name='ENABLE_CATEGORY_LOG' $checked{'ENABLE_CATEGORY_LOG'}{'on'} /></td> </tr> <tr> <td class='base'>$Lang::tr{'urlfilter block all'}:</td> @@ -2834,47 +2826,15 @@ sub writeconfigfile } }
- if ((($filtersettings{'ENABLE_REWRITE'} eq 'on') && (@repositoryfiles)) || ($filtersettings{'ENABLE_SAFESEARCH'} eq 'on')) - { + if (($filtersettings{'ENABLE_REWRITE'} eq 'on') && (@repositoryfiles)) { print FILE "rewrite rew-rule-1 {\n";
- if (($filtersettings{'ENABLE_REWRITE'} eq 'on') && (@repositoryfiles)) - { - print FILE " # rewrite localfiles\n"; - foreach (@repositoryfiles) - { - print FILE " s@.*/$_$@http://$netsettings%7B%27GREEN_ADDRESS%27%7D:$http_port/repository/$_%5C@i%5..."; - } - } - - if ($filtersettings{'ENABLE_SAFESEARCH'} eq 'on') + print FILE " # rewrite localfiles\n"; + foreach (@repositoryfiles) { - print FILE " # rewrite safesearch\n"; - print FILE " s@(.*\Wgoogle\.\w+/(webhp|search|imghp|images|grphp|groups|nwshp|frghp|froogle)\?)(.*)(\bsafe=\w+)(.*)@\1\3safe=strict\5@i\n"; - print FILE " s@(.*\Wgoogle\.\w+/(webhp|search|imghp|images|grphp|groups|nwshp|frghp|froogle)\?)(.*)@\1safe=strict\&\3@i\n"; - print FILE " s@(.*\Wsearch\.yahoo\.\w+/search\W)(.*)(\bvm=\w+)(.*)@\1\2vm=r\4@i\n"; - print FILE " s@(.*\Wsearch\.yahoo\.\w+/search\W.*)@\1\&vm=r@i\n"; - print FILE " s@(.*\Walltheweb\.com/customize\?)(.*)(\bcopt_offensive=\w+)(.*)@\1\2copt_offensive=on\4@i\n"; - print FILE " s@(.*\Wbing\.\w+/)(.*)(\badlt=\w+)(.*)@\1\2adlt=strict\4@i\n"; - print FILE " s@(.*\Wbing\.\w+/.*)@\1\&adlt=strict@i\n"; + print FILE " s@.*/$_$@http://$netsettings%7B%27GREEN_ADDRESS%27%7D:$http_port/repository/$_%5C@i%5..."; } - print FILE "}\n\n"; - - if ((!($filtersettings{'UNFILTERED_CLIENTS'} eq '')) && ($filtersettings{'ENABLE_SAFESEARCH'} eq 'on')) { - print FILE "rewrite rew-rule-2 {\n"; - if (($filtersettings{'ENABLE_REWRITE'} eq 'on') && (@repositoryfiles)) - { - print FILE " # rewrite localfiles\n"; - foreach (@repositoryfiles) - { - print FILE " s@.*/$_$@http://$netsettings%7B%27GREEN_ADDRESS%27%7D:$http_port/repository/$_%5C@i%5..."; - } - } else { - print FILE " # rewrite nothing\n"; - } - print FILE "}\n\n"; - } }
if (!($filtersettings{'UNFILTERED_CLIENTS'} eq '')) { @@ -3083,10 +3043,6 @@ sub writeconfigfile if (!($filtersettings{'UNFILTERED_CLIENTS'} eq '')) { print FILE " unfiltered {\n"; print FILE " pass all\n"; - if ($filtersettings{'ENABLE_SAFESEARCH'} eq 'on') - { - print FILE " rewrite rew-rule-2\n"; - } print FILE " }\n\n"; } if (!($filtersettings{'BANNED_CLIENTS'} eq '')) { @@ -3215,7 +3171,7 @@ sub writeconfigfile print FILE " logfile".$ident." urlfilter.log\n"; } } - if ((($filtersettings{'ENABLE_REWRITE'} eq 'on') && (@repositoryfiles)) || ($filtersettings{'ENABLE_SAFESEARCH'} eq 'on')) + if (($filtersettings{'ENABLE_REWRITE'} eq 'on') && (@repositoryfiles)) { print FILE " rewrite rew-rule-1\n"; } diff --git a/src/initscripts/system/unbound b/src/initscripts/system/unbound index fbb096e0d..3e372ff65 100644 --- a/src/initscripts/system/unbound +++ b/src/initscripts/system/unbound @@ -14,6 +14,7 @@ TEST_DOMAIN_FAIL="dnssec-failed.org"
INSECURE_ZONES= USE_FORWARDERS=1 +ENABLE_SAFE_SEARCH=off
# Cache any local zones for 60 seconds LOCAL_TTL=60 @@ -481,6 +482,234 @@ fix_time_if_dns_fail() { fi }
+# Sets up Safe Search for various search engines +write_safe_search_conf() { + local google_tlds=( + google.ad + google.ae + google.al + google.am + google.as + google.at + google.az + google.ba + google.be + google.bf + google.bg + google.bi + google.bj + google.bs + google.bt + google.by + google.ca + google.cat + google.cd + google.cf + google.cg + google.ch + google.ci + google.cl + google.cm + google.cn + google.co.ao + google.co.bw + google.co.ck + google.co.cr + google.co.id + google.co.il + google.co.in + google.co.jp + google.co.ke + google.co.kr + google.co.ls + google.com + google.co.ma + google.com.af + google.com.ag + google.com.ai + google.com.ar + google.com.au + google.com.bd + google.com.bh + google.com.bn + google.com.bo + google.com.br + google.com.bz + google.com.co + google.com.cu + google.com.cy + google.com.do + google.com.ec + google.com.eg + google.com.et + google.com.fj + google.com.gh + google.com.gi + google.com.gt + google.com.hk + google.com.jm + google.com.kh + google.com.kw + google.com.lb + google.com.ly + google.com.mm + google.com.mt + google.com.mx + google.com.my + google.com.na + google.com.nf + google.com.ng + google.com.ni + google.com.np + google.com.om + google.com.pa + google.com.pe + google.com.pg + google.com.ph + google.com.pk + google.com.pr + google.com.py + google.com.qa + google.com.sa + google.com.sb + google.com.sg + google.com.sl + google.com.sv + google.com.tj + google.com.tr + google.com.tw + google.com.ua + google.com.uy + google.com.vc + google.com.vn + google.co.mz + google.co.nz + google.co.th + google.co.tz + google.co.ug + google.co.uk + google.co.uz + google.co.ve + google.co.vi + google.co.za + google.co.zm + google.co.zw + google.cv + google.cz + google.de + google.dj + google.dk + google.dm + google.dz + google.ee + google.es + google.fi + google.fm + google.fr + google.ga + google.ge + google.gg + google.gl + google.gm + google.gp + google.gr + google.gy + google.hn + google.hr + google.ht + 
google.hu + google.ie + google.im + google.iq + google.is + google.it + google.je + google.jo + google.kg + google.ki + google.kz + google.la + google.li + google.lk + google.lt + google.lu + google.lv + google.md + google.me + google.mg + google.mk + google.ml + google.mn + google.ms + google.mu + google.mv + google.mw + google.ne + google.nl + google.no + google.nr + google.nu + google.pl + google.pn + google.ps + google.pt + google.ro + google.rs + google.ru + google.rw + google.sc + google.se + google.sh + google.si + google.sk + google.sm + google.sn + google.so + google.sr + google.st + google.td + google.tg + google.tk + google.tl + google.tm + google.tn + google.to + google.tt + google.vg + google.vu + google.ws + ) + + ( + # Nothing to do if safe search is not enabled + if [ "${ENABLE_SAFE_SEARCH}" != "on" ]; then + exit 0 + fi + + # This all belongs into the server: section + echo "server:" + + # Bing + echo " local-zone: bing.com transparent" + echo " local-data: "www.bing.com CNAME strict.bing.com."" + + # DuckDuckGo + echo " local-zone: duckduckgo.com transparent" + echo " local-data: "duckduckgo.com CNAME safe.duckduckgo.com."" + + # Google + local domain + for domain in ${google_tlds[@]}; do + echo " local-zone: ${domain} transparent" + echo " local-data: "www.${domain} CNAME forcesafesearch.google.com."" + done + + # Yandex + echo " local-zone: yandex.ru transparent" + echo " local-data: "yandex.ru A 213.180.193.56"" + ) > /etc/unbound/safe-search.conf +} + case "$1" in start) # Print a nicer messagen when unbound is already running @@ -494,6 +723,7 @@ case "$1" in # Update configuration files write_tuning_conf write_forward_conf + write_safe_search_conf
boot_mesg "Starting Unbound DNS Proxy..." loadproc /usr/sbin/unbound || exit $?
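Review bot: In the config/unbound/unbound.conf hunk, the new include of /etc/unbound/safe-search.conf is unconditional, yet that file is not in the core132 filelist and is only written by write_safe_search_conf from the initscript's start) branch. Anything that reads unbound.conf before that first start finds no such file. Consider shipping an empty safe-search.conf with the update, and say in the comment above the include that the file is generated by the initscript.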
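Review bot: The doc/language_issues.de, .es, .fr, .it, .nl, .pl, .ru and .tr hunks each gain "WARNING: translation string unused: urlfilter safesearch", so the key is left behind in every translation after the URL filter stops using it. Remove the urlfilter safesearch string from the language files in the same change rather than recording it as a new warning.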
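Review bot: In html/cgi-bin/urlfilter.cgi, ENABLE_SAFESEARCH disappears from the defaults, the form and writeconfigfile, but nothing in the visible changes carries an existing 'on' value over to the new ENABLE_SAFE_SEARCH setting, which defaults to off in the unbound initscript. An administrator who had the checkbox ticked gets no indication that the option is gone; consider migrating the value or announcing the change in the update. As a style point, the two rewritten ENABLE_REWRITE conditions in writeconfigfile now differ in brace placement: the first puts { on the same line, the one before "rewrite rew-rule-1" keeps it on the next line.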
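Review bot: In write_safe_search_conf (src/initscripts/system/unbound), the local-data echo lines as shown here nest double quotes without escaping, for example echo " local-data: "www.bing.com CNAME strict.bing.com."", so the shell would print the record without the quotes that a multi-word local-data value needs; confirm the inner quotes are escaped in the committed file. The covered names are also inconsistent across engines (www.bing.com, the apex duckduckgo.com, www.${domain} for Google, the apex yandex.ru), so the other name of each pair is not rewritten, and Yandex is pinned to the literal address 213.180.193.56, which goes stale without notice if that address changes. In a transparent zone, other record types for a name that has local-data are answered with no data, which is worth a comment next to the yandex.ru A record. Finally, quote the array expansion in the loop: for domain in "${google_tlds[@]}".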
hooks/post-receive -- IPFire 2.x development tree