Ataraxia Consulting

Peace of mind for consulting

Limit access to only Google Maps using Squid

Recently I needed a small kiosk for some truck drivers to easily use [google maps](http://maps.google.com) to verify their routes. But I wanted to make sure that's all they were using the kiosk for. I had considered writing my own google maps portal, and I may still yet, but for now I implemented the limitation as an acl in [squid](http://www.squid-cache.org). I can't say this will always work, as it's at google's discretion to change urls and hostnames anytime, but it works for me as of now. I hope someone else finds this information useful. These are the domains I've allowed so far: - - -
# Primary domains for most traffic
acl GMAPS dstdomain maps.google.com maps.gstatic.com

# Some stock google images come from here
acl GMAPS dstdomain ssl.gstatic.com

# These aren't strictly necessary, but I didn't think it would be harmful to add
acl GMAPS dstdomain safebrowsing.clients.google.com
acl GMAPS dstdomain cache.pack.google.com

# Nearly every query hits this, I couldn't find good information about it
# Some suggest it's related to ads, things work without it but I couldn't
# find a good reason not to include it
acl GMAPS dstdomain id.google.com

# Map Images
acl GMAPSREG dstdom_regex -i ^mt[0-9]+\.google\.com$
# Earth/Satellite images
acl GMAPSREG dstdom_regex -i ^khm[0-9]+\.google\.com$
# Street view
acl GMAPSREG dstdom_regex -i ^cbk[0-9]+\.google\.com$
# Location Images
acl GMAPSREG dstdom_regex -i ^t[0-9]+\.gstatic\.com$

# Printing a map calls the chart api
acl GMAPSURL url_regex -i ^http://www\.google\.com/chart\?

#... further down near the end of the http_access stanzas

http_access allow GMAPS localnet
http_access allow GMAPSREG localnet
http_access allow GMAPSURL localnet

# And finally deny all other access to this proxy
http_access deny all

Posted in  google sysadmin

blog comments powered by Disqus