Greetings,

Peter Willis pointed me at:
http://psypete.hatethesystem.com/tips/ad_blocking/http_redirection.txt

Which offers a clue, but double handles domain names, but combining that
example with an anti-proxy method from the apache FAQ, one can set up an
efficient deny_domain list.

I present this information because I found it useful, perhaps others
have different approaches or comments?

This is how I see it:

o Dropping uninteresting domains in the firewall is no good as the user
  is forced to endure timeouts.

o Blocking javascript globally is no good as some sites require
  scripting for correct operation.

o Apache virtual server operation makes the first server the default.
  This first entry may be used to filter anything as 'valid' virtual
  hosts are explicitly named later in the configuration.

o Dnsmasq may include other configuration files, we may use this
  feature to maintain a single deny_domain list.

o Reading page source and finding 'pop-under version 1.8...' javascript
  indicates blocking *.js from known domains may prove a good thing.

o Returning a script.js instead of an image for .js requests seems
  safer to me, so I return 'splat.js' (//splat!)

o It is very easy to build on other people's efforts, but there may be
  errors lurking...

Changes:

Added a line to /etc/dnsmasq:

    conf-file=/usr/local/etc/deny_domains

Which contains:

    address=/2o7.net/192.168.1.1
    address=/6to23.com/192.168.1.1
    address=/adbureau.net/192.168.1.1
    . . . (103 entries)

Added the following to the start of virtual hosting section in
/etc/apache/httpd.conf (much context included, the 'req_ref' is logger
request + referer, from 'combined' minus user-agent):

    . . .
    # Use name-based virtual hosting.
    #
    NameVirtualHost *:80
    #
    # VirtualHost example:
    # Almost any Apache directive may go into a VirtualHost container.
    # The first VirtualHost section is used for requests without a known
    # server name.
    #
    #<VirtualHost *:80>
    #    ServerAdmin webmas...@dummy-host.example.com
    #    DocumentRoot /www/docs/dummy-host.example.com
    #    ServerName dummy-host.example.com
    #    ErrorLog logs/dummy-host.example.com-error_log
    #    CustomLog logs/dummy-host.example.com-access_log common
    #</VirtualHost>

    # First server listed is the default server, based on information from
    # http://httpd.apache.org/docs/misc/FAQ.html Q.22, we setup the default
    # to return an error to hosts seeking an open proxy.
    # All public access virtual servers have their document root one level
    # down from the server document root set above; the main root is
    # available only to local machines.  Grant Coady -- 2005-02-03

    #<VirtualHost *>
    #    ServerName default.only
    #    <Location />
    #        Order allow,deny
    #        Deny from all
    #    </Location>
    #</VirtualHost>

    # idea: http://psypete.hatethesystem.com/tips/ad_blocking/http_redirection.txt
    # problem with their solution is it requires naming each unwanted domain,
    # instead we try to merge it with the default 'unknown host' that denies
    # access by IP address.  Our deny_list is part of dnsmasq, right now with
    # the above commented out setting, the server returns 'forbidden' for
    # access as 192.168.1.1 -- no need for IP alias games, nor maintaining
    # duplicated ad-host-deny-list.  That's the plan, let's see now...

    <VirtualHost *>
        ServerName default.only
        DocumentRoot /var/www/web/splat
        ErrorLog /var/log/apache/splat-error.log
        CustomLog /var/log/apache/splat-access.log req_ref
        <Directory "/var/www/web/splat">
            Options Indexes FollowSymLinks
            AllowOverride None
            Order allow,deny
            Allow from all
            RewriteEngine On
            # Requests ending in .js get the stub script; [last] stops
            # them falling through to the image rule below.
            RewriteCond %{REQUEST_URI} \.js$ [nocase]
            RewriteRule .* splat.js [last]
            # Everything else gets the image.
            RewriteRule .* index.gif [last]
        </Directory>
        # FIXME don't think I need next bit?
        # <IfModule mod_dir.c>
        #     DirectoryIndex index.html index.htm index.shtml index.cgi index.pl index.php
        # </IfModule>
    </VirtualHost>
    . . .

Results?

Apache access log shows deny_domain list members are receiving 87 byte
image, the 10 byte splat.js but mainly a 304 (no new file) response.
Normal access by valid virtual domain names is unaffected.

Works for me so far...

Cheers,
Grant.
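Since the deny_domains list above is built from other people's lists and "there may be errors lurking", here is a small checker for that file. It is an added example, not part of the original post: the function name, the problem labels and the sample lines beyond the post's own entries are constructed, and it only understands the single-domain `address=/domain/ip` form the post uses.

```python
import re

SINK = "192.168.1.1"  # address the post's deny_domains entries point at
LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")
ENTRY = re.compile(r"address=/([^/]+)/([^/]+)")  # single-domain form only

# Constructed sample: two entries from the post plus deliberate mistakes.
SAMPLE = """\
address=/2o7.net/192.168.1.1
address=/6to23.com/192.168.1.1
address=/stats.2o7.net/192.168.1.1
address=/6TO23.com/192.168.1.1
address=/ads.example.com/192.168.1.10
address=/com/192.168.1.1
adress=/example.net/192.168.1.1
"""

def lint_deny_domains(text, sink=SINK):
    """Return (sorted domains, problems) for a dnsmasq deny_domains file."""
    seen, problems = {}, []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        m = ENTRY.fullmatch(line)
        if not m:
            problems.append((n, "malformed", raw.strip()))
            continue
        domain, ip = m.group(1).lower().rstrip("."), m.group(2)
        if ip != sink:  # entry would not land on the Apache default vhost
            problems.append((n, "unexpected-ip", ip))
        labels = domain.split(".")
        # A single label (a bare TLD) would sink every name under it.
        if len(labels) < 2 or not all(LABEL.match(l) for l in labels):
            problems.append((n, "bad-domain", domain))
        elif domain in seen:
            problems.append((n, "duplicate", domain))
        else:
            seen[domain] = n
    # dnsmasq applies address=/d/ to d and to every host under d, so an
    # entry whose parent domain is also listed is redundant.
    for domain, n in seen.items():
        parts = domain.split(".")
        parents = (".".join(parts[i:]) for i in range(1, len(parts) - 1))
        problems += [(n, "covered-by", p) for p in parents if p in seen][:1]
    return sorted(seen), problems

if __name__ == "__main__":
    print(*lint_deny_domains(SAMPLE)[1], sep="\n")
```

Each problem is a (line number, label, detail) tuple, so the output can be checked by hand against the file before dnsmasq is restarted.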