[wiki:howto <- Back to the HOWTO section]

= How to set up an interception HTTP proxy with squid =

 * Audience: Advanced sysadmins
 * Requires: MacPorts >= 1.9, squid3

----

== Introduction ==

Installing and running squid on a Mac OS X system is as easy as "sudo port install squid; sudo port load squid" and configuring your browser to use it as a proxy on port 3128. Setting up an interception proxy with squid on Mac OS X is more tricky. This howto explains how to install and configure an interception squid running on Snow Leopard. We'll focus on a setup where the Mac OS X system running squid is also the Internet gateway of your local network, so that all outgoing HTTP requests transit through the box.

Here are the high-level steps required to get the thing to work:
 * install and configure squid
 * configure the Mac OS X kernel
 * configure the Mac OS X firewall

----

== Installation ==

You'll need to install the squid3 port to get the ipfw_transparent feature. Install squid with the following command:
{{{
sudo port install squid3 +ipfw_transparent
}}}
The ipfw_transparent variant is required to run squid as an interception proxy.

Now make squid a daemon that starts automatically at boot:
{{{
sudo port load squid3
}}}

----

== Configuration ==

Note: configuring an interception squid implies several changes to your system and requires a reboot. Make sure you understand every step before executing it.

=== Step 1: ''Configure squid.conf'' ===

You should find squid's configuration files under /opt/local/etc/squid/. Edit squid.conf to tell squid to listen for intercepted connections on port 3129:
{{{
http_port 3129 intercept
}}}
Save the file and send a signal to squid to reload its configuration:
{{{
$ sudo squid -k reconfigure
}}}
Check squid's cache.log file:
{{{
$ sudo less +F /opt/local/var/squid/logs/cache.log
}}}
You should find a line like "Accepting intercepted HTTP connections at 0.0.0.0:3129, FD 18."
If you find it, your squid server is now ready to intercept HTTP connections from the computers on your LAN.

=== Step 2: ''Configure Mac OS X kernel'' ===

Later we'll need an "ipfw fwd" rule, and such a forward rule does not seem to work properly on Mac OS X 10.6 (Snow Leopard). The workaround is to disable net.inet.ip.scopedroute (thanks to Pavel Klukin, http://discussions.apple.com/thread.jspa?threadID=2308812&tstart=0 ). Run the following command:
{{{
$ sudo bash -c "echo net.inet.ip.scopedroute=0 >> /etc/sysctl.conf"
}}}
And __reboot__ your system to activate the change. Any information about this obscure kernel parameter is welcome.

=== Step 3: ''Configure Mac OS X firewall'' ===

The Mac OS X firewall, ipfw, now needs to be configured to redirect HTTP connections towards squid's interception port. Ideally only one rule should be needed to redirect connections to squid:
{{{
$ sudo ipfw add 1013 fwd 127.0.0.1,3129 tcp from any to any 80 recv INTERFACE
}}}
where INTERFACE is the network interface your LAN is connected to (usually en0 or en1, but it can also be a vlan0 interface). The rule number here is 1013; you may adapt it to your ipfw configuration.

If you're running a web server on your Mac OS X machine, you'll need a rule matching HTTP traffic destined to your web server before the forward rule. Your ipfw ruleset should look like the following:
{{{
$ sudo ipfw add 1012 allow tcp from any to me 80 in
$ sudo ipfw add 1013 fwd 127.0.0.1,3129 tcp from any to any 80 recv INTERFACE
}}}
If your firewall has a "deny ip from any to any" rule at the end (which is most likely the case), it is safer to add 2 further rules: one to match and allow packets sent from squid to the clients, and a second one to match squid's own outgoing HTTP requests.
So you might configure your firewall like this:
{{{
$ sudo ipfw add 1010 allow tcp from any to me 80 in
$ sudo ipfw add 1011 allow tcp from any 80 to any out
$ sudo ipfw add 1012 allow tcp from me to any dst-port 80 out
$ sudo ipfw add 1013 fwd 127.0.0.1,3129 tcp from any to any 80 recv INTERFACE
}}}
At this stage your interception squid should work. Try to access some Internet web sites from your client computers and check squid's access.log file for HIT/MISS entries.

----

== More documentation ==

You'll find more documentation about squid transparent/interception configuration here:
 * http://wiki.squid-cache.org/SquidFaq/InterceptionProxy
 * http://wiki.squid-cache.org/ConfigExamples/Intercept/FreeBsdIpfw
 * http://oreilly.com/catalog/webcaching/chapter/ch05.html#t2
 * http://discussions.apple.com/thread.jspa?threadID=2308812&tstart=0
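As an added example (not part of the original HOWTO or of the squid project), the following script gathers Steps 1 and 3 into one checked procedure: it generates the four-rule ipfw set from Step 3 for a given LAN interface, and only installs it once cache.log shows the intercept listener is up, so a squid that is not actually listening cannot leave the LAN's port-80 traffic forwarded into a closed port. The script name, the function names and the default rule numbers 1010-1013 are assumptions; run `sh intercept.sh en0` to apply, or call `ipfw_rules en0` alone to review the rules first.

```shell
#!/bin/sh
# Added example, not part of the original HOWTO: builds the Step 3 ipfw
# ruleset for a LAN interface and refuses to install the fwd rule until
# cache.log shows squid accepting intercepted connections.
# Assumptions: squid3 from MacPorts, paths as in the HOWTO, rules 1010-1013.

SQUID_PORT=3129                                  # must match "http_port 3129 intercept"
CACHE_LOG=/opt/local/var/squid/logs/cache.log

# Emit the four rules in the order the HOWTO requires.
# $1 = LAN interface (en0, en1, vlan0 ...), $2 = first rule number (default 1010).
ipfw_rules() {
    iface=$1
    base=${2:-1010}
    # 1) HTTP destined to this host (a local web server) must not be forwarded
    printf 'ipfw add %d allow tcp from any to me 80 in\n' "$base"
    # 2) packets sent from squid back to the LAN clients
    printf 'ipfw add %d allow tcp from any 80 to any out\n' $((base + 1))
    # 3) squid's own outgoing HTTP requests to origin servers
    printf 'ipfw add %d allow tcp from me to any dst-port 80 out\n' $((base + 2))
    # 4) everything else arriving on the LAN interface is forwarded to squid
    printf 'ipfw add %d fwd 127.0.0.1,%d tcp from any to any 80 recv %s\n' \
        $((base + 3)) "$SQUID_PORT" "$iface"
}

# Return 0 if the cache.log given as $1 shows the interception listener is up.
squid_intercept_ready() {
    grep -q "Accepting intercepted HTTP connections at .*:$SQUID_PORT[^0-9]" "$1"
}

# Install the rules: usage "sh intercept.sh INTERFACE [FIRST_RULE_NUMBER]".
main() {
    if ! squid_intercept_ready "$CACHE_LOG"; then
        echo "squid is not listening on port $SQUID_PORT in intercept mode; check squid.conf" >&2
        return 1
    fi
    ipfw_rules "$1" "$2" | while read -r rule; do
        echo "+ sudo $rule"
        sudo $rule   # word splitting is intended: each line is one ipfw command
    done
}

if [ $# -gt 0 ]; then
    main "$@"
fi
```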