[wiki:howto <- Back to the HOWTO section]

= How to set up an interception HTTP proxy with squid =

* Audience: Advanced sysadmins
* Requires: MacPorts >= 1.9, squid3

----

== Introduction ==

Installing and running squid on a Mac OS X system is as easy as "sudo port install squid; sudo launchctl load -w /Library/LaunchDaemons/org.macports.Squid.plist" followed by configuring your browser to use it as a proxy on port 3128. Setting up an interception proxy with squid on Mac OS X is more tricky. This howto explains how to install and configure an interception squid running on Snow Leopard.

We'll focus on a setup where the Mac OS X system running squid is also the Internet gateway of your local network, so that all outgoing HTTP requests transit through the box. Here are the high-level steps required to get the thing to work:
* install and configure squid
* configure the Mac OS X kernel
* configure the Mac OS X firewall

----

== Installation ==

You'll need to install the squid3 port to have the ipfw_transparent feature. Install squid with the following command:

{{{
sudo port install squid3 +ipfw_transparent
}}}

The ipfw_transparent variant is required to run squid as an interception proxy. Now make squid a daemon that starts automatically at boot:

{{{
sudo launchctl load -w /Library/LaunchDaemons/org.macports.Squid.plist
}}}

----

== Configuration ==

Note: Configuring an interception squid implies several changes to your system and requires a reboot. Make sure you understand every step before executing it.

=== Step 1: ''Configure squid.conf'' ===

You should find squid's configuration files under /opt/local/etc/squid/. Edit squid.conf to tell squid to listen for intercepted connections on port 3129:

{{{
http_port 3129 intercept
}}}

Save the file and send a signal to squid to reload its configuration:

{{{
$ sudo squid -k reconfigure
}}}

Check squid's cache.log file:

{{{
$ sudo less +F /opt/local/var/squid/logs/cache.log
}}}

You should find a line like "Accepting intercepted HTTP connections at 0.0.0.0:3129, FD 18."

If you find it, it means your squid server is now ready to intercept HTTP connections from the computers on your LAN.

=== Step 2: ''Configure Mac OS X kernel'' ===

Later we'll need to use an "ipfw fwd" rule, and it seems such a forward rule doesn't work well with Mac OS X 10.6 (Snow Leopard). The workaround is to disable net.inet.ip.scopedroute (thanks to Pavel Klukin, http://discussions.apple.com/thread.jspa?threadID=2308812&tstart=0 ).

Run the following command (the append is done by tee running as root; a plain "sudo echo ... >> /etc/sysctl.conf" fails because the shell opens the file as your unprivileged user before sudo runs):
{{{
$ echo "net.inet.ip.scopedroute=0" | sudo tee -a /etc/sysctl.conf
}}}

And __reboot__ your system to activate the change.

Any information about this obscure kernel parameter is welcome.

=== Step 3: ''Configure Mac OS X firewall'' ===

The Mac OS X firewall - ipfw - now needs to be configured to redirect HTTP connections towards squid's interception port.

Ideally only one rule should be needed to redirect connections to squid:
{{{
$ sudo ipfw add 1013 fwd 127.0.0.1,3129 tcp from any to any 80 recv INTERFACE
}}}

Where INTERFACE is the network interface your LAN is connected to (usually en0 or en1, but it can also be a vlan0 interface). The rule number here is 1013; you may adapt it to your ipfw configuration.

If you're running a web server on your Mac OS X machine, you'll need a rule matching HTTP traffic destined to your web server before the forward rule. Your ipfw ruleset should look like the following:

{{{
$ sudo ipfw add 1012 allow tcp from any to me 80 in
$ sudo ipfw add 1013 fwd 127.0.0.1,3129 tcp from any to any 80 recv INTERFACE
}}}

If your firewall has a "deny ip from any to any" rule at the end (which is most likely the case) it is safer to add 2 rules: one to match and allow packets sent from squid back to the clients, and a second one to match squid's own outgoing HTTP requests. So you might configure your firewall like this:

{{{
$ sudo ipfw add 1010 allow tcp from any to me 80 in
$ sudo ipfw add 1011 allow tcp from any 80 to any out
$ sudo ipfw add 1012 allow tcp from me to any dst-port 80 out
$ sudo ipfw add 1013 fwd 127.0.0.1,3129 tcp from any to any 80 recv INTERFACE
}}}

At this stage your interception squid should work. Try to access some Internet web sites from your client computers and check squid's access.log file for HIT/MISS entries.
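Added here as an example, not part of the original howto: a small POSIX shell script that checks the two things the steps above leave you to verify by hand, the "Accepting intercepted HTTP connections" line in cache.log and the HIT/MISS entries in access.log, summarised per client so you can see which LAN hosts are actually being redirected by the ipfw rule. The log paths are the MacPorts defaults used above; the sample log lines are constructed.

```shell
#!/bin/sh
# Added example, not part of the original howto: once Step 3 is done, verify
# that squid really is accepting intercepted connections and that LAN clients'
# requests show up in access.log (native log format) with HIT/MISS counts.
# Log paths are the MacPorts defaults used in this howto; the log lines
# embedded below are constructed for demonstration.

CACHE_LOG=/opt/local/var/squid/logs/cache.log
ACCESS_LOG=/opt/local/var/squid/logs/access.log

# intercept_ready LOGFILE PORT: succeeds if cache.log shows squid listening
# for intercepted connections on PORT (3129 after Step 1).
intercept_ready() {
    grep -q "Accepting intercepted HTTP connections at .*:$2," "$1"
}

# hitmiss_summary: reads native-format access.log lines on stdin and prints
# one line per client, "client hits misses other". Field 3 is the client
# address and field 4 the "TCP_MISS/200" style result code.
hitmiss_summary() {
    awk '{
        client = $3; split($4, rc, "/")
        if (rc[1] ~ /HIT/)       hit[client]++
        else if (rc[1] ~ /MISS/) miss[client]++
        else                     other[client]++
        seen[client] = 1
    }
    END {
        for (c in seen)
            printf "%s %d %d %d\n", c, hit[c]+0, miss[c]+0, other[c]+0
    }' | sort
}

# Constructed sample of access.log once interception works: a client fetching
# the same page twice gives a MISS then a HIT; a denied request is "other".
SAMPLE_ACCESS='1273000001.123    245 192.168.1.10 TCP_MISS/200 1234 GET http://example.com/ - DIRECT/192.0.2.1 text/html
1273000002.456     12 192.168.1.10 TCP_HIT/200 1234 GET http://example.com/ - NONE/- text/html
1273000003.789    310 192.168.1.11 TCP_MISS/200 5678 GET http://example.org/index.html - DIRECT/192.0.2.2 text/html
1273000004.012      5 192.168.1.11 TCP_MEM_HIT/200 5678 GET http://example.org/index.html - NONE/- text/html
1273000005.345    200 192.168.1.12 TCP_DENIED/403 300 GET http://example.net/ - NONE/- text/html'

# Run with --live on the gateway (under sudo, like the cache.log check above)
# to inspect the real logs; without it, only the functions are defined.
if [ "${1:-}" = "--live" ]; then
    intercept_ready "$CACHE_LOG" 3129 || { echo "squid is not intercepting on port 3129"; exit 1; }
    hitmiss_summary < "$ACCESS_LOG"
fi
```

A LAN client that generates HTTP traffic but never appears in the summary is the usual sign that the fwd rule is not matching on the interface you named.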

----

== More documentation ==

You'll find more documentation about squid transparent/interception configuration here:

* http://wiki.squid-cache.org/SquidFaq/InterceptionProxy
* http://wiki.squid-cache.org/ConfigExamples/Intercept/FreeBsdIpfw
* http://oreilly.com/catalog/webcaching/chapter/ch05.html#t2
* http://discussions.apple.com/thread.jspa?threadID=2308812&tstart=0

----
