Installing Squid Proxy Server on Mac OS X Snow Leopard

My goal is to set up a very basic proxy server on my Mac box on campus so that I can have full access to subscription-based academic journals through the proxy from my laptop, even when I am off campus.  Some schools provide such (library) proxies, but my school unfortunately does not.  I want the proxy to require password authentication so that it is not wide open to the public.

Getting and Installing Squid

Download a tarball for a stable version from the repository.  The version that I use here is 2.7.  I assume the file is downloaded to /usr/local/src/squid.

$ cd /usr/local/src/squid
$ gunzip -c squid-2.7.STABLE9.tar.gz | tar xvf -
$ cd squid-2.7.STABLE9
$ ./configure
$ make
$ sudo make install
$ cd helpers/basic_auth/NCSA
$ make
$ sudo make install
$ sudo chown -R nobody /usr/local/squid/var
$ sudo /usr/local/squid/sbin/squid -z

Squid will be installed at /usr/local/squid.  (The last command is necessary to run a daemon as user nobody.)

Configure Squid

First, prepare an NCSA-compliant encrypted password file for a user (here with username johndoe):

$ cd /usr/local/squid/etc
$ sudo touch squid_passwd
$ sudo chmod o+r squid_passwd
$ sudo htpasswd squid_passwd johndoe
New password:
Re-type new password:
Adding password for user johndoe

Now, edit /usr/local/squid/etc/squid.conf. The following lines need to be added:

# Add this to the auth_param section
auth_param basic program /usr/local/squid/libexec/ncsa_auth /usr/local/squid/etc/squid_passwd

# Add this to the bottom of the ACL section
acl ncsa_users proxy_auth REQUIRED

# Add this at the top of the http_access section
http_access allow ncsa_users

Finally, run the server:

$ sudo /usr/local/squid/sbin/squid -N -d 1 -D

The firewall will prompt you to decide whether to allow incoming connections to squid.  Say “allow.”

The proxy server is now available at the IP address or host name of your Mac box, on port 3128.
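
Before leaving the port reachable, it is worth checking which http_access rules let a client in without credentials. The script below is an added example, not part of the original post: it lists every allow rule in a squid.conf that references no proxy_auth ACL and prints the final rule. The sample configuration and the function names are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the original post. Squid checks http_access lines
# top to bottom and the first match decides, so an "allow" line that names
# no proxy_auth ACL lets a client through without a password.

# Constructed sample config: the post's lines plus one rule that bypasses auth.
sample_conf() {
cat <<'EOF'
acl all src all
acl localnet src 192.168.0.0/16
acl ncsa_users proxy_auth REQUIRED
http_access allow ncsa_users
http_access allow localnet
http_access deny all
EOF
}

# Print "LINE: rule" for every http_access allow line that references no
# (non-negated) proxy_auth ACL. ACLs are defined before use, so one pass works.
unauth_allows() {
    awk '
        $1 == "acl" && $3 == "proxy_auth" { auth[$2] = 1 }
        $1 == "http_access" && $2 == "allow" {
            ok = 0
            for (i = 3; i <= NF && $i !~ /^#/; i++) if ($i in auth) ok = 1
            if (!ok) print FNR ": " $0
        }' "$1"
}

# Print the action and ACLs of the last http_access line; "deny all" is the
# safe ending, because Squid's implicit default is the opposite of the last rule.
last_rule() {
    awk '$1 == "http_access" { $1 = ""; sub(/^ +/, ""); r = $0 }
         END { print r }' "$1"
}

conf=$(mktemp)
sample_conf > "$conf"
echo "allow rules that need no password:"; unauth_allows "$conf"
echo "last rule: $(last_rule "$conf")"
rm -f "$conf"
```

To audit the real file, call unauth_allows /usr/local/squid/etc/squid.conf; each reported rule should be one you deliberately want to be reachable without a password.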

Launch Squid on Startup with launchd

Under the directory /Library/LaunchDaemons, create a file named squid.plist with the following content:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
    <key>Label</key>
    <string>squid</string>
    <key>OnDemand</key>
    <false/>
    <key>ProgramArguments</key>
    <array>
      <string>/usr/local/squid/sbin/squid</string>
      <string>-N</string>
      <string>-d</string>
      <string>1</string>
      <string>-D</string>
    </array>
    <key>ServiceIPC</key>
    <false/>
  </dict>
</plist>

Then issuing

$ sudo launchctl load -w /Library/LaunchDaemons/squid.plist

will launch squid.  On reboot, the proxy should also be working automatically.




23 Responses to Installing Squid Proxy Server on Mac OS X Snow Leopard

  1. euKarpov says:

    Good choice; it perfectly substitutes for a native proxy server and solves many problems of Mac users in an unfriendly network.

  2. euKarpov says:

    Oh, sorry. Native proxy for Mac does not exist. )


  4. Tri says:

    Hello!

    I am working at an upper secondary school which has more than 300 Mac users.

    Security of the network is a big issue at the school, and the school needs to set up a proxy server.

    I decided to use Squid 2.7 stable on Mac Server OS 10.5, and I am stuck where I run the server.

    Could someone help me?

    Thank you very much

    ————————————————–

    server:~ admin$ sudo /usr/local/squid/sbin/squid -N -d 1 -D
    Password:
    2010/06/14 14:29:46| Starting Squid Cache version 2.7.STABLE9 for i686-apple-darwin9.8.0...
    2010/06/14 14:29:46| Process ID 3309
    2010/06/14 14:29:46| With 256 file descriptors available
    2010/06/14 14:29:46| Using kqueue for the IO loop
    2010/06/14 14:29:46| ipcacheAddEntryFromHosts: Bad IP address 'fe80::1%lo0'
    2010/06/14 14:29:46| DNS Socket created at 0.0.0.0, port 49441, FD 6
    2010/06/14 14:29:46| Adding domain work.local from /etc/resolv.conf
    2010/06/14 14:29:46| Adding nameserver 192.168.1.2 from /etc/resolv.conf
    2010/06/14 14:29:46| helperOpenServers: Starting 5 'ncsa_auth' processes
    2010/06/14 14:29:46| logfileOpen: opening log /usr/local/squid/var/logs/access.log
    2010/06/14 14:29:46| Unlinkd pipe opened on FD 16
    2010/06/14 14:29:46| Swap maxSize 102400 + 8192 KB, estimated 8507 objects
    2010/06/14 14:29:46| Target number of buckets: 425
    2010/06/14 14:29:46| Using 8192 Store buckets
    2010/06/14 14:29:46| Max Mem size: 8192 KB
    2010/06/14 14:29:46| Max Swap size: 102400 KB
    2010/06/14 14:29:46| logfileOpen: opening log /usr/local/squid/var/logs/store.log
    2010/06/14 14:29:46| Rebuilding storage in /usr/local/squid/var/cache (DIRTY)
    2010/06/14 14:29:46| Using Least Load store dir selection
    2010/06/14 14:29:46| Set Current Directory to /usr/local/squid/var/cache
    2010/06/14 14:29:46| Loaded Icons.
    2010/06/14 14:29:46| Accepting proxy HTTP connections at 0.0.0.0, port 3128, FD 17.
    2010/06/14 14:29:46| Accepting ICP messages at 0.0.0.0, port 3130, FD 18.
    2010/06/14 14:29:46| WCCP Disabled.
    2010/06/14 14:29:46| Ready to serve requests.
    2010/06/14 14:29:46| WARNING: basicauthenticator #1 (FD 7) exited
    2010/06/14 14:29:46| WARNING: basicauthenticator #2 (FD 8) exited
    2010/06/14 14:29:46| WARNING: basicauthenticator #3 (FD 9) exited
    2010/06/14 14:29:46| Too few basicauthenticator processes are running
    FATAL: The basicauthenticator helpers are crashing too rapidly, need help!

    ————————————————–

    Regards

    Tri Nguyen

  5. Alex says:

    Have you gotten it to work authenticating against Open Directory?

    • nomo17k says:

      I have never attempted to use Open Directory, since I’m not very interested in learning a proprietary technology…

      • Alex says:

        Ok – how about LDAP in general?

      • nomo17k says:

        No, I haven’t tried with LDAP. I’m only running the proxy on Mac as a sort of last resort, you know. I haven’t paid that much attention to security measures, etc.

      • Andrew says:

        I’m not sure what you mean by ‘proprietary’. Open Directory is comprised of three open source technologies:
        – OpenLDAP
        – Kerberos
        – Password Server

        The integration of the three is very clever.

        • nomo17k says:

          What I meant is that the technology is still only relevant for OS X (which is proprietary). I’m not a sysadmin, so anything that’s not standardized openly can become a pain in the butt to deal with when I have to switch around different OSes.

  6. Proxy List says:

    Nice article, keep up the good work.

  7. benjamin says:

    Nice blog…I am sure this has helped many a lost soul.

    I attempted to use the above with version 3.1.8 and all went well until the last step:

    $ sudo /usr/local/squid/sbin/squid -N -d 1 -D

    and I received the following error message:

    2010/10/04 14:16:56| WARNING: -D command-line option is obsolete.
    2010/10/04 14:16:56| Can’t use proxy auth because no authentication schemes are fully configured.
    FATAL: ERROR: Invalid ACL: acl ncsa_users proxy_auth REQUIRED

    Squid Cache (Version 3.1.8): Terminated abnormally.
    CPU Usage: 0.033 seconds = 0.013 user + 0.020 sys
    Maximum Resident Size: 1622016 KB
    Page faults with physical i/o: 0

    I will look through the squid docs to find the fix (I should have done this anyway before trying to install a more current version than the one noted), but if you have a quick fix, let me know.

    Thanks.

  8. benjamin says:

    Found it…

    For anyone running the 3.1.8 version, this is the new suggested minimum auth_param lines to be added to the top of the squid.conf file:

    auth_param basic program /usr/local/squid/libexec/ncsa_auth /usr/local/squid/etc/squid_passwd
    auth_param basic children 5
    auth_param basic realm Squid proxy-caching web server
    auth_param basic credentialsttl 2 hours

    Also, if you happen to be connected to the internet, drop the -D parameter when running.

  9. raymond says:

    It works :) Thank you …

  10. steve says:

    Hi

    Found this article while looking for how to get OpenLDAP going on OSX.

    Your article is very similar to mine http://www.hutsby.net/2011/01/compiling-squid-on-osx.html.

    I’ve not found how to run as nobody (yet).

    The only thing about using the NCSA auth module is that your credentials are going over the Internet in clear text.

    • Taro says:

      “The only thing about using the NCSA auth module is that your credentials are going over the Internet in clear text.”

      That sure is an important consideration depending on one’s security needs. Thanks for the comment.

  11. steve says:

    Actually I just found out that simply running under sudo, you get two processes: one started by root, and a second spawned from the first running as nobody.

  12. metronet says:

    This post helped me get squid running because the startup .plist and Squid.Wrapper from macports don’t want to work. I copied the squid.plist above, modified the sbin/squid path and added it as a startup item using launchctl load. Working great, thank you!

  13. nauval2007 says:

    I followed your instructions. My squid is running, but I have no cache. My cache folder size is always the same. Any idea? I use squid 2.7 stable 9.

    • Taro says:

      Unfortunately I have no idea at the moment. I used Squid as a proxy and not necessarily as a local cache, so it’s not surprising if this installation note doesn’t cover how to configure cache properly.
