How to setup interception HTTP proxy with squid
- Audience: Advanced sysadmins
- Requires: MacPorts >= 1.9, squid3
Installing and running squid on a Mac OS X system is as easy as "sudo port install squid; sudo port load squid" and to configure your browser to use it as a proxy on port 3128. Now, to setup a interception proxy with squid on Mac OS X is more tricky. This howto is explaining how to install and configure an interception squid running on Snow Leopard.
We'll focus on a setup where the Mac OS X system running squid is also the Internet gateway of your local network and all outgoing HTTP request will transit through the box. Here are the high-level steps required to get the thing to work:
- install and configure squid
- configure Mac OS X kernel
- configure Mac OS X firewall
You'll need to install the squid3 port to have the ipfw_transparent feature. Install squid with the following command:
sudo port install squid3 +ipfw_transparent
The ipfw_transparent variant is required to run squid as interception proxy. Now make squid a daemon automatically starting at boot:
sudo port load squid3
Note: Configuration of an interception squid implies several changes of your system and requires a reboot of your system. Make sure you understand every step before executing it.
Step 1: Configure squid.conf
You should find squid's configuration files under /opt/local/etc/squid/. Edit squid.conf to tell squid to listen for intercepted connections on port 3129:
http_port 3129 intercept
Save the file and send a signal to squid to reload its configuration:
$ sudo squid -k reconfigure
Check squid's cache.log file:
$ sudo less +F /opt/local/var/squid/logs/cache.log
You should find a line like "Accepting intercepted HTTP connections at 0.0.0.0:3129, FD 18."
If you find it, it means your squid server is now ready to intercept HTTP connections of the computers on your LAN.
Step 2: Configure Mac OS X kernel'
We'll need later to use an "ipfw fwd" rule and it seems such a forward rule isn't working good with Mac OS X 10.6 (Snow Leopard). The workaround is to disable the net.inet.ip.scopedroute (thanks to Pavel Klukin http://discussions.apple.com/thread.jspa?threadID=2308812&tstart=0 )
Run the following command:
$ sudo bash -c "echo net.inet.ip.scopedroute=0 >> /etc/sysctl.conf"
And reboot your system to activate the change.
Any information about this obscure kernel parameter is welcome.
Step 3: Configure Mac OS X firewall
Mac OS X firewall - ipfw - needs now to be configured to redirect HTTP connections towards squid's interception port.
Ideally only one rule should be needed to redirect connections to squid:
$ sudo ipfw add 1013 fwd 127.0.0.1,3129 tcp from any to any 80 recv INTERFACE
Where INTERFACE is the network interface on which your LAN is connected to (usually en0 or en1 but it can also be a vlan0 interface). The rule number is here 1013, you may adapt it to your ipfw configuration.
If you're running a web server on your Mac OS X machine, you'll need a rule to match HTTP traffic destinated to your web server prior the forward rule. Your ipfw ruleset should be like the following:
$ sudo ipfw add 1012 allow tcp from any to me 80 in $ sudo ipfw add 1013 fwd 127.0.0.1,3129 tcp from any to any 80 recv INTERFACE
If your firewall has a "deny ip from any to any" rule at the end (which is most likely to be the case) it is safer to add 2 rules: one to match and allow packets sent from squid to the clients and a second one to match squid's own outgoing HTTP requests. So you might configure your firewall like:
$ sudo ipfw add 1010 allow tcp from any to me 80 in $ sudo ipfw add 1011 allow tcp from any 80 to any out $ sudo ipfw add 1012 allow tcp from me to any dst-port 80 out $ sudo ipfw add 1013 fwd 127.0.0.1,3129 tcp from any to any 80 recv INTERFACE
At this stage your interception squid should work. Try to access some Internet web-sites from your client computers and check squid's access.log file for HITS/MISS.
You'll find more documentation about squid transparent/interception configuration here: