[MacPorts] howto/SetupInterceptionSquid added

MacPorts noreply at macports.org
Wed Dec 29 08:53:00 PST 2010


Added page "howto/SetupInterceptionSquid" by fclaire at free.fr from 89.234.183.50*
Page URL: <https://trac.macports.org/wiki/howto/SetupInterceptionSquid>
Content:
-------8<------8<------8<------8<------8<------8<------8<------8<--------
[wiki:howto <- Back to the HOWTO section]

= How to set up an interception HTTP proxy with squid =

 * Audience: Advanced sysadmins
 * Requires: MacPorts >= 1.9, squid3

----

== Introduction ==

Installing and running squid on a Mac OS X system is as easy as "sudo port install squid; sudo launchctl load -w /Library/LaunchDaemons/org.macports.Squid.plist" and then configuring your browser to use it as a proxy on port 3128. Setting up an interception proxy with squid on Mac OS X is more tricky. This howto explains how to install and configure an interception squid running on Snow Leopard.

We'll focus on a setup where the Mac OS X system running squid is also the Internet gateway of your local network, so that all outgoing HTTP requests transit through the box. Here are the high-level steps required to get it working:
 * install and configure squid
 * configure Mac OS X kernel
 * configure Mac OS X firewall

----

== Installation ==

You'll need to install the squid3 port to have the ipfw_transparent feature. Install squid with the following command:

{{{
sudo port install squid3 +ipfw_transparent
}}}

The ipfw_transparent variant is required to run squid as interception proxy. Now make squid a daemon automatically starting at boot:

{{{
sudo launchctl load -w /Library/LaunchDaemons/org.macports.Squid.plist
}}}

----

== Configuration ==

Note: Configuring an interception squid implies several changes to your system and requires a reboot. Make sure you understand every step before executing it.

=== Step 1: ''Configure squid.conf'' ===

You should find squid's configuration files under /opt/local/etc/squid/. Edit squid.conf to tell squid to listen for intercepted connections on port 3129:

{{{
http_port 3129 intercept
}}}

Save the file and send a signal to squid to reload its configuration:

{{{
$ sudo squid -k reconfigure
}}}

Check squid's cache.log file:

{{{
$ sudo less +F /opt/local/var/squid/logs/cache.log
}}}

You should find a line like "Accepting  intercepted HTTP connections at 0.0.0.0:3129, FD 18."

If you find it, it means your squid server is now ready to intercept HTTP connections of the computers on your LAN.


=== Step 2: ''Configure Mac OS X kernel'' ===

Later we'll need an "ipfw fwd" rule, and such a forward rule does not seem to work properly on Mac OS X 10.6 (Snow Leopard). The workaround is to disable net.inet.ip.scopedroute (thanks to Pavel Klukin, http://discussions.apple.com/thread.jspa?threadID=2308812&tstart=0 ).

Run the following command:
{{{
$ echo "net.inet.ip.scopedroute=0" | sudo tee -a /etc/sysctl.conf
}}}

And __reboot__ your system to activate the change.

Any information about this obscure kernel parameter is welcome.

=== Step 3: ''Configure Mac OS X firewall'' ===

The Mac OS X firewall, ipfw, now needs to be configured to redirect HTTP connections towards squid's interception port.

Ideally only one rule should be needed to redirect connections to squid:
{{{
$ sudo ipfw add 1013 fwd 127.0.0.1,3129 tcp from any to any 80 recv INTERFACE
}}}

Where INTERFACE is the network interface your LAN is connected to (usually en0 or en1, but it can also be a vlan0 interface). The rule number here is 1013; adapt it to your ipfw configuration.

If you're running a web server on your Mac OS X machine, you'll need a rule matching HTTP traffic destined for your web server before the forward rule. Your ipfw ruleset should then look like the following:

{{{
$ sudo ipfw add 1012 allow tcp from any to me 80 in
$ sudo ipfw add 1013 fwd 127.0.0.1,3129 tcp from any to any 80 recv INTERFACE
}}}

If your firewall has a "deny ip from any to any" rule at the end (which is most likely the case), it is safer to add two more rules: one to match and allow packets sent from squid back to the clients, and a second one to match squid's own outgoing HTTP requests. So you might configure your firewall like this:

{{{
$ sudo ipfw add 1010 allow tcp from any to me 80 in
$ sudo ipfw add 1011 allow tcp from any 80 to any out
$ sudo ipfw add 1012 allow tcp from me to any dst-port 80 out
$ sudo ipfw add 1013 fwd 127.0.0.1,3129 tcp from any to any 80 recv INTERFACE
}}}

At this stage your interception squid should work. Try to access some Internet web sites from your client computers and check squid's access.log file for HIT/MISS entries.
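The three steps above, gathered into a few shell functions as an added example (this is not part of the original howto and not MacPorts' or squid's own code). It generates the ipfw ruleset from steps 3 for a given interface, appends the step 2 sysctl line only once and with the file write running under sudo, and checks a cache.log excerpt for the step 1 success line. The function names, the "webserver" flag and the sample log lines are this example's own; rule numbers 1010-1013 and port 3129 are taken from the howto.

```shell
#!/bin/sh
# Added example (not from the original howto): helpers for the interception
# squid setup. Rule numbers and the intercept port follow the howto; the
# function names and the "webserver" flag are assumptions of this example.

SQUID_INTERCEPT_PORT=3129

# Print the ipfw commands for LAN interface $1 in the order the howto uses.
# Pass "webserver" as $2 when a local HTTP server on port 80 must be matched
# before the forward rule. The rules are printed, not executed, so they can be
# reviewed first and then piped to "sudo sh".
build_ipfw_rules() {
    iface=$1
    with_web=${2:-none}
    if [ "$with_web" = "webserver" ]; then
        echo "ipfw add 1010 allow tcp from any to me 80 in"
    fi
    echo "ipfw add 1011 allow tcp from any 80 to any out"
    echo "ipfw add 1012 allow tcp from me to any dst-port 80 out"
    echo "ipfw add 1013 fwd 127.0.0.1,$SQUID_INTERCEPT_PORT tcp from any to any 80 recv $iface"
}

# Return 0 when sysctl.conf ($1) already disables scoped routing (step 2).
scopedroute_disabled() {
    grep -q '^net\.inet\.ip\.scopedroute=0' "$1"
}

# Append the step 2 line only when it is missing, so reruns do not duplicate
# it. tee runs under sudo so the file write itself has root privileges; a
# plain "sudo echo ... >> file" redirects as the calling user and fails.
# $2 overrides the sudo command (an empty string disables it for testing).
ensure_scopedroute_disabled() {
    conf=$1
    sudo_cmd=${2-sudo}
    if scopedroute_disabled "$conf"; then
        return 0
    fi
    echo "net.inet.ip.scopedroute=0" | $sudo_cmd tee -a "$conf" >/dev/null
}

# Return 0 when cache.log ($1) shows squid accepting intercepted connections
# on the expected port (the step 1 success check from the howto).
squid_intercept_ready() {
    grep -q "Accepting *intercepted HTTP connections at 0\.0\.0\.0:$SQUID_INTERCEPT_PORT" "$1"
}

# Usage: print the ruleset for review, e.g. "sh this.sh rules en0 webserver";
# pipe the output to "sudo sh" once it looks right.
case "${1:-}" in
    rules) build_ipfw_rules "${2:-en0}" "${3:-none}" ;;
esac
```

Running `build_ipfw_rules en0 | sudo sh` applies the three-rule set; the check functions take a file path, so they work equally on the live /opt/local/var/squid/logs/cache.log and on a copied excerpt.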

----

== More documentation ==

You'll find more documentation about squid transparent/interception configuration here:

 * http://wiki.squid-cache.org/SquidFaq/InterceptionProxy
 * http://wiki.squid-cache.org/ConfigExamples/Intercept/FreeBsdIpfw
 * http://oreilly.com/catalog/webcaching/chapter/ch05.html#t2
 * http://discussions.apple.com/thread.jspa?threadID=2308812&tstart=0

----


[wiki:howto <- Back to the HOWTO section]
-------8<------8<------8<------8<------8<------8<------8<------8<--------

* The IP shown here might not mean anything if the user or the server is
behind a proxy.
