Ask HN: Router that can block URL patterns
4 points by chopete3 on Jan 27, 2023 | 7 comments
This is for parental control. Is there any router or access point that can block URLs with a pattern?

For example, I want to block all videos starting with https://www.youtube.com/shorts/*

There appear to be many routers that promise parental control, but all are limited to adding one URL at a time. Of course they all have pre-created rules.

A few that I found.

https://firewalla.com/products/firewalla-gold?variant=42638546993396

https://shop.opnsense.com/product/dec750-opnsense-desktop-security-appliance/

https://help.firewalla.com/hc/en-us/community/posts/360041883594-Feature-request-Block-Wildcard-URLs-like-vpn-on-kids-devices-



Squid can be configured as a MitM SSL Bump proxy and it can filter URLs, content types, MIME types, etc., but you have to generate your own self-signed CA cert and install it on the devices that would be using it. The configuration varies a little by version, so try to find examples specific to the version of Squid that is available in your OS repository. Here [1] are some basic instructions that include a few version config diffs.

The few sites that do public key pinning will not work with this and will have to be configured in Squid as NoBump. PayPal, a few Google sub-domains, eff.org. Most sites have abandoned public key pinning.

Squid can be installed on most operating systems and it does not have to be the home or business router. One can configure DHCP to tell specific devices, by MAC address or vendor type, to use a different gateway. Those devices will need your self-signed CA cert.

[1] - https://wiki.squid-cache.org/ConfigExamples/Intercept/SslBum...


I recommend looking for an on-device parental control solution instead.

Routers can block IP addresses or ports. DNS servers can block specific domains.

But everything after domain.tld/* is sent over a TLS connection, so the only way to block that at the network level would be by breaking encryption (for example, installing a custom root certificate on all client devices and using a man-in-the-middle proxy on a network appliance).

All major operating systems (desktop and mobile) offer parental control options; most only work with the default browser (Edge on Windows) so either block the installation of 3rd party browsers (using the same system parental controls) or look for a 3rd party parental control solution that works with your browser. If they're using an app instead of a browser, things can get complicated.


pfSense comes to mind. All solutions will need to be trusted as a root CA, by all devices routed through them, to filter URL patterns. No CA trust needed to do DNS or TLS setup filtering, but those options can only filter the hostname.


This seems a good option. They also have ready-to-buy router products. https://www.pfsense.org/products/

Netgate 1100 is a good starting point device.

This also refers to the Squid and SquidGuard for URL/URI filtering, as the other commenter mentioned.

https://docs.netgate.com/pfsense/en/latest/recipes/http-clie...


Does https://pi-hole.net not have that?


Pi-hole operates at the DNS layer and as such, has no visibility beyond the host name of sites.


Correct. We have tried it. They all operate at the domain name level. I am looking for something that operates at the URL level. The goal is not to block YouTube completely but just the Shorts.



