[Dnsmasq-discuss] dnsmasq + apache for less annoying web?
Grant Coady
grant_nospam@dodo.com.au
Wed, 02 Mar 2005 19:12:44 +1100
Greetings,
Peter Willis pointed me at:
http://psypete.hatethesystem.com/tips/ad_blocking/http_redirection.txt
That page offers a clue, but it double-handles domain names; by
combining that example with an anti-proxy method from the
Apache FAQ, one can set up an efficient deny_domain list.
I present this information because I found it useful, perhaps
others have different approaches or comments?
This is how I see it:
o Dropping uninteresting domains in the firewall is no good,
as the user is forced to endure timeouts.
o Blocking javascript globally is no good as some sites
require scripting for correct operation.
o Apache virtual server operation makes the first server
the default. This first entry may be used to filter
anything as 'valid' virtual hosts are explicitly named
later in the configuration.
o Dnsmasq may include other configuration files, we may
use this feature to maintain a single deny_domain list.
o Reading page source and finding 'pop-under version 1.8...'
javascript indicates blocking *.js from known domains may
prove a good thing.
o Returning a script.js instead of an image for .js requests
seems safer to me, so I return 'splat.js' (//splat!)
o It is very easy to build on other people's efforts, but
there may be errors lurking...
Changes:
Added a line to /etc/dnsmasq:
conf-file=/usr/local/etc/deny_domains
Which contains:
address=/2o7.net/192.168.1.1
address=/6to23.com/192.168.1.1
address=/adbureau.net/192.168.1.1
. . . (103 entries)
Added the following to the start of virtual hosting section
in /etc/apache/httpd.conf (much context included; the 'req_ref'
log format is request + referer, i.e. 'combined' minus the user-agent):
. . .
# Use name-based virtual hosting.
#
NameVirtualHost *:80
#
# VirtualHost example:
# Almost any Apache directive may go into a VirtualHost container.
# The first VirtualHost section is used for requests without a known
# server name.
#
#<VirtualHost *:80>
# ServerAdmin webmaster@dummy-host.example.com
# DocumentRoot /www/docs/dummy-host.example.com
# ServerName dummy-host.example.com
# ErrorLog logs/dummy-host.example.com-error_log
# CustomLog logs/dummy-host.example.com-access_log common
#</VirtualHost>
# First server listed is the default server, based on information from
# http://httpd.apache.org/docs/misc/FAQ.html Q.22, we setup the default
# to return an error to hosts seeking an open proxy.
# All public access virtual servers have their document root one level
# down from the server document root set above; the main root is
# available only to local machines. Grant Coady -- 2005-02-03
#<VirtualHost *>
# ServerName default.only
# <Location />
# Order allow,deny
# Deny from all
# </Location>
#</VirtualHost>
# idea: http://psypete.hatethesystem.com/tips/ad_blocking/http_redirection.txt
# problem with their solution is it requires naming each unwanted domain,
# instead we try to merge it with the default 'unknown host' that denies
# access by IP address. Our deny_list is part of dnsmasq, right now with
# the above commented out setting, the server returns 'forbidden' for
# access as 192.168.1.1 -- no need for IP alias games, nor maintaining
# duplicated ad-host-deny-list. That's the plan, let's see now...
<VirtualHost *>
    ServerName default.only
    DocumentRoot /var/www/web/splat
    ErrorLog /var/log/apache/splat-error.log
    CustomLog /var/log/apache/splat-access.log req_ref
    <Directory "/var/www/web/splat">
        Options Indexes FollowSymLinks
        AllowOverride None
        Order allow,deny
        Allow from all
        RewriteEngine On
        # RewriteCond needs a test string as well as a pattern: match
        # requests whose URI ends in .js, case-insensitively, and answer
        # them with the empty script. [L] stops the next rule from
        # rewriting splat.js to index.gif in the same pass.
        RewriteCond %{REQUEST_URI} \.js$ [NC]
        RewriteRule .* splat.js [L]
        # Everything else on an unknown host gets the tiny image.
        RewriteRule .* index.gif [L]
    </Directory>
    # FIXME don't think I need next bit?
    # <IfModule mod_dir.c>
    # DirectoryIndex index.html index.htm index.shtml index.cgi index.pl index.php
    # </IfModule>
</VirtualHost>
. . .
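To check a deny list before loading it, and to see how the two halves of the setup (the dnsmasq address= entries and the default Apache VirtualHost) fit together, here is an added example that is not part of the original post or of dnsmasq/Apache. It renders a dnsmasq conf-file from a list of domains and then models the routing: dnsmasq answers a denied domain and every name under it with the sinkhole address, Apache's first VirtualHost catches any Host name that is not one of the named vhosts, and the rewrite rules hand *.js requests splat.js and everything else index.gif. The domains, hostnames and the NAMED_VHOSTS set are constructed sample values, and dnsmasq_resolve/apache_route are illustrative models, not the daemons' own code.

```python
"""Offline model of the dnsmasq + Apache ad sinkhole (added example).

Assumptions (not from the post): sample domains and vhost names are
constructed; the matching logic mirrors dnsmasq's documented address=
behaviour (a domain and all its subdomains) and the post's rewrite rules.
"""
import re

SINKHOLE_IP = "192.168.1.1"  # address the post points denied domains at
# one DNS label: 1-63 chars of [a-z0-9-], no leading/trailing hyphen
LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")
NAMED_VHOSTS = {"www.example.net", "intranet.example.net"}  # constructed


def is_valid_domain(domain: str) -> bool:
    """Reject junk before it reaches dnsmasq: every label must be well formed."""
    labels = domain.lower().rstrip(".").split(".")
    return len(labels) >= 2 and all(LABEL_RE.match(label) for label in labels)


def build_deny_conf(domains, ip=SINKHOLE_IP) -> str:
    """Render dnsmasq `address=/domain/ip` lines, skipping comments,
    malformed names and duplicates (keeps the conf-file small and valid)."""
    seen = set()
    lines = []
    for raw in domains:
        d = raw.strip().lower().rstrip(".")
        if not d or d.startswith("#") or not is_valid_domain(d) or d in seen:
            continue
        seen.add(d)
        lines.append(f"address=/{d}/{ip}")
    return "\n".join(lines) + "\n"


def parse_deny_conf(text: str):
    """Read the denied domains back out of conf-file text."""
    denied = []
    for line in text.splitlines():
        m = re.match(r"address=/([^/]+)/", line.strip())
        if m:
            denied.append(m.group(1))
    return denied


def dnsmasq_resolve(hostname: str, denied):
    """Model of dnsmasq address=: the domain itself and every name under
    it get the sinkhole IP; anything else would go to the upstream resolver."""
    h = hostname.lower().rstrip(".")
    for d in denied:
        if h == d or h.endswith("." + d):
            return SINKHOLE_IP
    return None


def apache_route(host_header: str, path: str):
    """Model of the vhost selection plus the splat directory's rewrite rules.
    The first VirtualHost is the default, so an unknown Host lands there."""
    if host_header.lower() in NAMED_VHOSTS:
        return ("named", path)
    uri = path.split("?", 1)[0]  # %{REQUEST_URI} carries no query string
    if re.search(r"\.js$", uri, re.IGNORECASE):  # RewriteCond ... \.js$ [NC]
        return ("splat", "/splat.js")
    return ("splat", "/index.gif")  # RewriteRule .* index.gif [L]


def fetch(url: str, denied):
    """End to end: what a browser on the LAN ends up receiving for url."""
    m = re.match(r"https?://([^/]+)(/.*)?$", url)
    host, path = m.group(1), m.group(2) or "/"
    if dnsmasq_resolve(host, denied) == SINKHOLE_IP:
        return apache_route(host, path)
    return ("upstream", path)


if __name__ == "__main__":
    conf = build_deny_conf(["2o7.net", "6to23.com", "adbureau.net",
                            "2o7.net", "# a comment", "bad_domain"])
    print(conf, end="")
    denied = parse_deny_conf(conf)
    for u in ("http://ads.adbureau.net/pop.js?v=1",
              "http://metrics.2o7.net/banner.gif",
              "http://www.example.net/page.html"):
        print(u, "->", fetch(u, denied))
```

Note that the subdomain test is anchored on a dot: `not2o7.net` is not caught by an entry for `2o7.net`, which matches how dnsmasq treats address= entries and is worth remembering when a list entry seems not to fire.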
Results?
The Apache access log shows deny_domain list members receiving the
87-byte image or the 10-byte splat.js, but mainly a 304 (no new
file) response.
Normal access by valid virtual domain names is unaffected.
Works for me so far...
Cheers,
Grant.