from Hacker News

Ask HN: Router that can block URL patterns

by chopete3 on 1/27/23, 11:34 PM with 7 comments

This is for parental control. Is there any router or access point that can block URLs with a pattern?

For example, I want to block all videos starting with https://www.youtube.com/shorts/*

There appear to be many routers that promise parental control, but all are limited to adding one URL at a time. Of course they all have pre-created rules.

A few that I found.

https://firewalla.com/products/firewalla-gold?variant=42638546993396

https://shop.opnsense.com/product/dec750-opnsense-desktop-security-appliance/

https://help.firewalla.com/hc/en-us/community/posts/360041883594-Feature-request-Block-Wildcard-URLs-like-vpn-on-kids-devices-

  • by LinuxBender on 1/27/23, 11:42 PM

    Squid can be configured as a MitM SSL Bump proxy and it can filter URLs, content type, mime-types, etc., but you have to generate your own self-signed CA cert and install it on the devices that would be using it. The configuration varies by version a little, so try to find examples specific to the version of Squid that is available in your OS repository. Here [1] are some basic instructions that include a few version config diffs.

    The few sites that do public key pinning will not work with this and will have to be configured in Squid as NoBump. Paypal, a few google sub-domains, eff.org. Most sites have abandoned public key pinning.

    Squid can be installed on most operating systems and it does not have to be the home or business router. One can configure DHCP to tell specific devices by mac address or vendor type to use a different gateway. Those devices will need your self signed CA cert.

    [1] - https://wiki.squid-cache.org/ConfigExamples/Intercept/SslBum...
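An added example (not part of the comment above, and not Squid's own documentation) of the pieces the comment describes: a self-signed CA for Squid to mint per-host certificates, a `squid.conf` for Squid 4/5 that peeks at the client SNI, splices (the comment's "NoBump") the pinned sites through untouched, bumps everything else, and then denies a `url_regex` for YouTube Shorts. Assumptions: an explicit proxy on port 3128 rather than transparent interception, a LAN of 192.168.1.0/24, the Debian path for `security_file_certgen`, and that `m.youtube.com` should be covered as well as `www`. Transparent interception needs `https_port ... intercept` plus NAT redirects, as in the linked wiki page.

```shell
#!/bin/sh
# Added example for the thread, not from the comment author or the Squid project.
# Writes a Squid 4/5 ssl_bump config that denies https://www.youtube.com/shorts/*
# on bumped clients, and (if openssl is present) generates the CA the devices
# must trust. All paths and the LAN range are assumptions; adjust per distro.
set -eu

# Build a self-signed CA; key and cert are concatenated into one PEM because
# http_port tls-cert= expects both in one file. A DER copy is handy for
# importing into Windows/Android/iOS trust stores.
make_ca() {
  dir="$1"
  openssl req -new -newkey rsa:2048 -sha256 -days 3650 -nodes -x509 \
    -subj "/CN=Home Filter CA" \
    -addext "basicConstraints=critical,CA:TRUE" \
    -addext "keyUsage=critical,keyCertSign,cRLSign" \
    -keyout "$dir/myCA.key" -out "$dir/myCA.crt"
  cat "$dir/myCA.key" "$dir/myCA.crt" > "$dir/myCA.pem"
  openssl x509 -in "$dir/myCA.crt" -outform DER -out "$dir/myCA.der"
}

# Write the filtering config. $ca is the path Squid will read the CA from,
# $lan the client subnet allowed to use the proxy.
write_squid_conf() {
  out="$1"; ca="$2"; lan="$3"
  cat > "$out" <<EOF
# Explicit proxy port (assumed); clients are pointed at this host:3128.
http_port 3128 ssl-bump tls-cert=$ca generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
# Helper that mints per-host certs signed by the CA (Debian path, assumed).
sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 4MB

acl localnet src $lan
acl step1 at_step SslBump1

# Key-pinning sites named in the comment: peek at the client SNI first, then
# pass their TLS through untouched instead of bumping it.
acl nobump ssl::server_name .paypal.com .eff.org
ssl_bump peek step1
ssl_bump splice nobump
ssl_bump bump all

# The path after the host is only visible once the connection is bumped;
# the regex is POSIX extended, so (www|m) covers both YouTube hosts.
acl shorts url_regex -i ^https://(www|m)\\.youtube\\.com/shorts/
http_access deny shorts
http_access allow localnet
http_access deny all
EOF
}

OUT="${OUT:-$(mktemp -d)}"
write_squid_conf "$OUT/squid.conf" /etc/squid/myCA.pem 192.168.1.0/24
if command -v openssl >/dev/null 2>&1; then
  make_ca "$OUT"
fi
echo "wrote $OUT/squid.conf (copy myCA.pem to /etc/squid/ and run squid -k parse)"
```

Order matters: the `splice nobump` rule must come before `bump all`, otherwise the pinned sites are bumped and their clients fail the handshake. Initialise the certificate cache once with `security_file_certgen -c -s /var/lib/squid/ssl_db -M 4MB` before starting Squid, and remember that a client which does not trust `myCA.der` gets certificate errors on every bumped site, not just the blocked ones.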

  • by gigel82 on 1/28/23, 1:21 AM

    I recommend looking for an on-device parental control solution instead.

    Routers can block IP addresses or ports. DNS servers can block specific domains.

    But everything after domain.tld/* is sent over a TLS connection, so the only way to block that at the network level would be by breaking encryption (for example, installing a custom root certificate on all client devices and using a man-in-the-middle proxy on a network appliance).

    All major operating systems (desktop and mobile) offer parental control options; most only work with the default browser (Edge on Windows) so either block the installation of 3rd party browsers (using the same system parental controls) or look for a 3rd party parental control solution that works with your browser. If they're using an app instead of a browser, things can get complicated.

  • by ericalexander0 on 1/27/23, 11:44 PM

    Pfsense comes to mind. All solutions will need to be trusted as a root CA, by all devices routed through them, to filter URL patterns. No CA trust needed to do DNS or TLS setup filtering, but those options can only filter the hostname.

  • by _448 on 1/28/23, 1:50 PM

    Does https://pi-hole.net not have that?