| | 1 | [wiki:howto <- Back to the HOWTO section] |
| | 2 | |
| | 3 | = How to setup interception HTTP proxy with squid = |
| | 4 | |
| | 5 | * Audience: Advanced sysadmins |
| | 6 | * Requires: MacPorts >= 1.9, squid3 |
| | 7 | |
| | 8 | ---- |
| | 9 | |
| | 10 | == Introduction == |
| | 11 | |
| | 12 | Installing and running squid on a Mac OS X system is as easy as "sudo port install squid; sudo launchctl load -w /Library/LaunchDaemons/org.macports.Squid.plist" and to configure your browser to use it as a proxy on port 3128. Now, to setup a interception proxy with squid on Mac OS X is more tricky. This howto is explaining how to install and configure an interception squid running on Snow Leopard. |
| | 13 | |
| | 14 | We'll focus on a setup where the Mac OS X system running squid is also the Internet gateway of your local network and all outgoing HTTP request will transit through the box. Here are the high-level steps required to get the thing to work: |
| | 15 | * install and configure squid |
| | 16 | * configure Mac OS X kernel |
| | 17 | * configure Mac OS X firewall |
| | 18 | |
| | 19 | ---- |
| | 20 | |
| | 21 | == Installation == |
| | 22 | |
| | 23 | You'll need to install the squid3 port to have the ipfw_transparent feature. Install squid with the following command: |
| | 24 | |
| | 25 | {{{ |
| | 26 | sudo port install squid3 +ipfw_transparent |
| | 27 | }}} |
| | 28 | |
| | 29 | The ipfw_transparent variant is required to run squid as interception proxy. Now make squid a daemon automatically starting at boot: |
| | 30 | |
| | 31 | {{{ |
| | 32 | sudo launchctl load -w /Library/LaunchDaemons/org.macports.Squid.plist |
| | 33 | }}} |
| | 34 | |
| | 35 | ---- |
| | 36 | |
| | 37 | == Configuration == |
| | 38 | |
| | 39 | Note: Configuration of an interception squid implies several changes of your system and requires a reboot of your system. Make sure you understand every step before executing it. |
| | 40 | |
| | 41 | === Step 1: ''Configure squid.conf'' === |
| | 42 | |
| | 43 | You should find squid's configuration files under /opt/local/etc/squid/. Edit squid.conf to tell squid to listen for intercepted connections on port 3129: |
| | 44 | |
| | 45 | {{{ |
| | 46 | http_port 3129 intercept |
| | 47 | }}} |
| | 48 | |
| | 49 | Save the file and send a signal to squid to reload its configuration: |
| | 50 | |
| | 51 | {{{ |
| | 52 | $ sudo squid -k reconfigure |
| | 53 | }}} |
| | 54 | |
| | 55 | Check squid's cache.log file: |
| | 56 | |
| | 57 | {{{ |
| | 58 | $ sudo less +F /opt/local/var/squid/logs/cache.log |
| | 59 | }}} |
| | 60 | |
| | 61 | You should find a line like "Accepting intercepted HTTP connections at 0.0.0.0:3129, FD 18." |
| | 62 | |
| | 63 | If you find it, it means your squid server is now ready to intercept HTTP connections of the computers on your LAN. |
| | 64 | |
| | 65 | |
| | 66 | === Step 2: ''Configure Mac OS X kernel' === |
| | 67 | |
| | 68 | We'll need later to use an "ipfw fwd" rule and it seems such a forward rule isn't working good with Mac OS X 1.6 (Snow Leopard). The workaround is to disable the net.inet.ip.scopedroute (thanks to Pavel Klukin http://discussions.apple.com/thread.jspa?threadID=2308812&tstart=0 ) |
| | 69 | |
| | 70 | Run the following command: |
| | 71 | {{{ |
| | 72 | $ sudo echo "net.inet.ip.scopedroute=0" >> /etc/sysctl.conf |
| | 73 | }}} |
| | 74 | |
| | 75 | And __reboot__ your system to activate the change. |
| | 76 | |
| | 77 | Any information about this obscure kernel parameter is welcome. |
| | 78 | |
| | 79 | === Step 3: ''Configure Mac OS X firewall'' === |
| | 80 | |
| | 81 | Mac OS X firewall - ipfw - needs now to be configured to redirect HTTP connections towards squid's interception port. |
| | 82 | |
| | 83 | Ideally only one rule should be needed to redirect connections to squid: |
| | 84 | {{{ |
| | 85 | $ sudo ipfw add 1013 fwd 127.0.0.1,3129 tcp from any to any 80 recv INTERFACE |
| | 86 | }}} |
| | 87 | |
| | 88 | Where INTERFACE is the network interface on which your LAN is connected to (usually en0 or en1 but it can also be a vlan0 interface). The rule number is here 1013, you may adapt it to your ipfw configuration. |
| | 89 | |
| | 90 | If you're running a web server on your Mac OS X machine, you'll need a rule to match HTTP traffic destinated to your web server prior the forward rule. Your ipfw ruleset should be like the following: |
| | 91 | |
| | 92 | {{{ |
| | 93 | $ sudo ipfw add 1012 allow tcp from any to me 80 in |
| | 94 | $ sudo ipfw add 1013 fwd 127.0.0.1,3129 tcp from any to any 80 recv INTERFACE |
| | 95 | }}} |
| | 96 | |
| | 97 | If your firewall has a "deny ip from any to any" rule at the end (which is most likely to be the case) it is safer to add 2 rules: one to match and allow packets sent from squid to the clients and a second one to match squid's own outgoing HTTP requests. So you might configure your firewall like: |
| | 98 | |
| | 99 | {{{ |
| | 100 | $ sudo ipfw add 1010 allow tcp from any to me 80 in |
| | 101 | $ sudo ipfw add 1011 allow tcp from any 80 to any out |
| | 102 | $ sudo ipfw add 1012 allow tcp from me to any dst-port 80 out |
| | 103 | $ sudo ipfw add 1013 fwd 127.0.0.1,3129 tcp from any to any 80 recv INTERFACE |
| | 104 | }}} |
| | 105 | |
| | 106 | At this stage your interception squid should work. Try to access some Internet web-sites from your client computers and check squid's access.log file for HITS/MISS. |
| | 107 | |
| | 108 | ---- |
| | 109 | |
| | 110 | == More documentation == |
| | 111 | |
| | 112 | You'll find more documentation about squid transparent/interception configuration here: |
| | 113 | |
| | 114 | * http://wiki.squid-cache.org/SquidFaq/InterceptionProxy |
| | 115 | * http://wiki.squid-cache.org/ConfigExamples/Intercept/FreeBsdIpfw |
| | 116 | * http://oreilly.com/catalog/webcaching/chapter/ch05.html#t2 |
| | 117 | * http://discussions.apple.com/thread.jspa?threadID=2308812&tstart=0 |
| | 118 | |
| | 119 | ---- |
| | 120 | |
| | 121 | |
| | 122 | [wiki:howto <- Back to the HOWTO section] |
