Blocking YouTube Shorts with Nginx and NextDNS

There is no need to explain how distracting YouTube Shorts can be especially when it comes to kids watching them. However there is no easy way to block them as from the technical point of view they are almost indistinguishable from normal YouTube videos which you will be interested in keeping.

However, I have found an article of someone from LinkedIn blocking YouTube shorts with CloudFlare Zero Trust, but for various reasons this solution is not that I can implement in my home local network easily. So I decided to go another route…

How to block YouTube shorts?

Shorts are almost indistinguishable from normal YouTube videos as they are both served from *.googlevideo.com subdomains, but when YouTube requests them, it adds &ctier=SH parameter to the query. So perhaps blocking all requests in a form of https://*.googlevideo.com/*&ctier=SH* would work.

However, as you may already noticed, such requests use HTTPS protocol which can not be easily filtered without SSL decryption. All enterprise-grade firewalls like Palo Alto support SSL decryption and filtering, but in order this to work, you need to trust their root CA certificate from your devices. Also cost of such solution can be incredibly high for home purpose use.

But there is an alternative…

How to setup NextDNS?

With NextDNS, which allows blocking resources by domain, you can easily rewrite DNS responses and send folks from your local network to fake googlevideo.com server, which will act as a man in the middle proxy blocking specific URL patterns. The configuration of NextDNS is extremely simple.

Now we need to setup a server which will take us 2 steps: generating a self signed certificate and configuring Nginx. Assuming you use Ubuntu…

How to generate a self signed certificate?

1. Create /certs directory and san.cnf file:

mkdir /certs
cd certs
touch san.cnf

2. Add the following configuration into san.cnf file:

[ req ]
default_bits       = 2048
distinguished_name = req_distinguished_name
req_extensions     = req_ext
x509_extensions    = v3_req
prompt             = no

[ req_distinguished_name ]
CN = *.googlevideo.com

[ req_ext ]
subjectAltName = @alt_names

[ v3_req ]
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = *.googlevideo.com
DNS.2 = *.a1.googlevideo.com
DNS.3 = *.c.googlevideo.com
DNS.4 = *.dai.googlevideo.com

3. Generate a private key:

openssl genrsa -out mydomain.key 2048

4. Create a self signed certificate:

openssl req -x509 -nodes -days 365 -key mydomain.key -out mydomain.crt -config san.cnf

How to setup Nginx?

1. Install Nginx:

apt update
apt install nginx

2. Edit /etc/nginx/nginx.conf and add the following configuration into http section:

# Use DNS server to resolve IP address of a domain
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;

server {
        # Listeon on HTTPS
        listen 443 ssl http2;

        # Listen on any domain
        server_name _;

        # Use self signed certificates
        ssl_certificate /certs/mydomain.crt;
        ssl_certificate_key /certs/mydomain.key;

        location / {
                # Block YouTube shorts based on query parameter
                if ($arg_ctier = "SH") {
                        return 403;
                }

                # Proxy pass to the same domain
                set $backend_host $host;
                proxy_pass https://$backend_host$request_uri;
                proxy_set_header Host $host;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header X-Forwarded-Proto $scheme;
                proxy_ssl_server_name on;
                proxy_ssl_protocols TLSv1.2 TLSv1.3;
                proxy_ssl_ciphers HIGH:!aNULL:!MD5;
        }
}

3. Restart Nginx

 service nginx restart

Now that’s going to work, partially… If you access YouTube, you will see that no videos would load and this is because your browser does not trust the self signed certificate we generated.

How to make browser trust a self signed certificate?

1. Access https://googlevideo.com.
2. Click on Not Secure -> Certificate is not valid -> Details -> Export -> Save.

3. Install this certificate as a root on Windows or add (and trust) this certificate into a System section of Keychain in Mac.

Instead of a conclusion

It looks like kids did not notice that Youtube Shorts were no longer working so they were simply watching Old School YouTube this morning and having fun.

I am still trying to figure out how to properly install a self signed certificate on iPhone or Samsung TV and this is what my next article is going to be about. Enjoy from you laptops for now!