My goal is to set up a very basic proxy server on my Mac box on campus, so that I can have full access to subscription-based academic journals via the proxy on my laptop even when I am off campus. Some schools provide such (library) proxies, but my school unfortunately does not. I want the proxy to require password authentication so that it is not wide open to the public.
Getting and Installing Squid
Download a tarball for a stable version from the repository. The version that I use here is 2.7. I assume the file is downloaded to /usr/local/src/squid.
$ cd /usr/local/src/squid
$ gunzip -c squid-2.7.STABLE9.tar.gz | tar xvf -
$ cd squid-2.7.STABLE9
$ ./configure
$ make
$ sudo make install
$ cd helpers/basic_auth/NCSA
$ make
$ sudo make install
$ sudo chown -R nobody /usr/local/squid/var
$ sudo /usr/local/squid/sbin/squid -z
Squid will be installed at /usr/local/squid. (The last command is necessary to run a daemon as user nobody.)
Configure Squid
First, prepare an NCSA-compliant encrypted password file for a user (here with username johndoe):
$ cd /usr/local/squid/etc
$ sudo touch squid_passwd
$ sudo chmod o+r squid_passwd
$ sudo htpasswd squid_passwd johndoe
New password:
Re-type new password:
Adding password for user johndoe
Now, edit /usr/local/squid/etc/squid.conf. The following lines need to be added:
# Add this to the auth_param section
auth_param basic program /usr/local/squid/libexec/ncsa_auth /usr/local/squid/etc/squid_passwd
# Add this to the bottom of the ACL section
acl ncsa_users proxy_auth REQUIRED
# Add this at the top of the http_access section
http_access allow ncsa_users
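A small check for the squid.conf edits above, added here as an example (it is not part of the original post or of Squid). It flags a proxy_auth ACL that appears before `auth_param basic program`, allow rules that do not require a login, and a missing final `deny all`. The finding names and SAMPLE_CONF are made up for illustration, and the parsing-order behaviour stated in the comments is an assumption about Squid.

```python
# Added example: lint a squid.conf for the password-protected setup above.
# Assumption: Squid reads squid.conf top to bottom, validates a proxy_auth ACL
# when it parses that line, and applies the first matching http_access rule.

# Constructed sample, not from a real server: ACL defined before auth_param,
# and a catch-all allow that lets anyone through without a password.
SAMPLE_CONF = """\
acl all src all
acl ncsa_users proxy_auth REQUIRED
auth_param basic program /usr/local/squid/libexec/ncsa_auth /usr/local/squid/etc/squid_passwd
http_access allow ncsa_users
http_access allow all
"""

def parse(conf_text):
    """Return (line_no, tokens) per directive, skipping blanks and comments."""
    rules = []
    for no, line in enumerate(conf_text.splitlines(), 1):
        tokens = line.split("#", 1)[0].split()
        if tokens:
            rules.append((no, tokens))
    return rules

def audit(conf_text):
    """Return finding codes (hypothetical names) for the auth setup."""
    rules = parse(conf_text)
    findings = []
    auth_line = next((no for no, t in rules
                      if t[:3] == ["auth_param", "basic", "program"]), None)
    # Names of ACLs of type proxy_auth, mapped to their defining line.
    auth_acls = {t[1]: no for no, t in rules
                 if t[0] == "acl" and len(t) > 2 and t[2] == "proxy_auth"}
    if auth_line is None:
        findings.append("NO_AUTH_PROGRAM")
    elif auth_acls and auth_line > min(auth_acls.values()):
        findings.append("AUTH_PARAM_AFTER_ACL")
    access = [(no, t) for no, t in rules
              if t[0] == "http_access" and len(t) > 2]
    for no, t in access:
        # "!name" never equals an ACL name, so a negated auth ACL does not count.
        if t[1] == "allow" and not any(a in auth_acls for a in t[2:]):
            findings.append("UNAUTHENTICATED_ALLOW:%d" % no)
    if not access or access[-1][1][1:] != ["deny", "all"]:
        findings.append("NO_FINAL_DENY_ALL")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF):
        print(finding)
```

An UNAUTHENTICATED_ALLOW finding is a rule to review rather than an error in itself: an allow restricted to localhost may be intended, while an unrestricted one leaves the proxy open.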
Finally, run the server:
$ sudo /usr/local/squid/sbin/squid -N -d 1 -D
The firewall will ask whether to allow incoming connections to squid. Say “allow.”
The proxy is now reachable at the IP address or host name of your Mac box on port 3128.
Launch Squid on Startup with launchd
Under the directory /Library/LaunchDaemons, create a file named squid.plist with the following content:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Label</key>
<string>squid</string>
<key>OnDemand</key>
<false/>
<key>ProgramArguments</key>
<array>
<string>/usr/local/squid/sbin/squid</string>
<string>-N</string>
<string>-d</string>
<string>1</string>
<string>-D</string>
</array>
<key>ServiceIPC</key>
<false/>
</dict>
</plist>
Then issuing
$ sudo launchctl load -w /Library/LaunchDaemons/squid.plist
will launch squid. On reboot, the proxy should also be working automatically.
Good choice, it perfectly substitutes native proxy server and solves many problems of Mac users into not friendly network.
Oh, sorry. Native proxy for Mac does not exist. )
Hello!
I am working at an upper secondary school which has more than 300 Mac users.
Security of the network is a big issue at the school, and the school needs to set up a proxy server.
I decided to use Squid 2.7 stable on Mac Server OS 10.5 and I am stuck at the point where I run the server.
Could someone help me?
Thank you very much
————————————————–
server:~ admin$ sudo /usr/local/squid/sbin/squid -N -d 1 -D
Password:
2010/06/14 14:29:46| Starting Squid Cache version 2.7.STABLE9 for i686-apple-darwin9.8.0...
2010/06/14 14:29:46| Process ID 3309
2010/06/14 14:29:46| With 256 file descriptors available
2010/06/14 14:29:46| Using kqueue for the IO loop
2010/06/14 14:29:46| ipcacheAddEntryFromHosts: Bad IP address 'fe80::1%lo0'
2010/06/14 14:29:46| DNS Socket created at 0.0.0.0, port 49441, FD 6
2010/06/14 14:29:46| Adding domain work.local from /etc/resolv.conf
2010/06/14 14:29:46| Adding nameserver 192.168.1.2 from /etc/resolv.conf
2010/06/14 14:29:46| helperOpenServers: Starting 5 'ncsa_auth' processes
2010/06/14 14:29:46| logfileOpen: opening log /usr/local/squid/var/logs/access.log
2010/06/14 14:29:46| Unlinkd pipe opened on FD 16
2010/06/14 14:29:46| Swap maxSize 102400 + 8192 KB, estimated 8507 objects
2010/06/14 14:29:46| Target number of buckets: 425
2010/06/14 14:29:46| Using 8192 Store buckets
2010/06/14 14:29:46| Max Mem size: 8192 KB
2010/06/14 14:29:46| Max Swap size: 102400 KB
2010/06/14 14:29:46| logfileOpen: opening log /usr/local/squid/var/logs/store.log
2010/06/14 14:29:46| Rebuilding storage in /usr/local/squid/var/cache (DIRTY)
2010/06/14 14:29:46| Using Least Load store dir selection
2010/06/14 14:29:46| Set Current Directory to /usr/local/squid/var/cache
2010/06/14 14:29:46| Loaded Icons.
2010/06/14 14:29:46| Accepting proxy HTTP connections at 0.0.0.0, port 3128, FD 17.
2010/06/14 14:29:46| Accepting ICP messages at 0.0.0.0, port 3130, FD 18.
2010/06/14 14:29:46| WCCP Disabled.
2010/06/14 14:29:46| Ready to serve requests.
2010/06/14 14:29:46| WARNING: basicauthenticator #1 (FD 7) exited
2010/06/14 14:29:46| WARNING: basicauthenticator #2 (FD 8) exited
2010/06/14 14:29:46| WARNING: basicauthenticator #3 (FD 9) exited
2010/06/14 14:29:46| Too few basicauthenticator processes are running
FATAL: The basicauthenticator helpers are crashing too rapidly, need help!
————————————————–
Regards
Tri Nguyen
Tri — I’m afraid I cannot provide effective help here, as I don’t have the problem and therefore cannot reproduce it. Your best bet is to search for a solution in the mailing list archive or ask Squid people directly:
http://www.squid-cache.org/Support/mailing-lists.dyn
Cheers,
Taro
Have you gotten it to work authenticating against Open Directory?
I have never attempted to use Open Directory, since I’m not very interested in learning a proprietary technology…
Ok – how about LDAP in general?
No, I haven’t tried with LDAP. I’m only running the proxy on Mac as a sort of last resort, you know. I haven’t paid that much attention to security measures, etc.
I’m not sure what you mean by ‘proprietary’. Open Directory is comprised of three open source technologies:
- OpenLDAP
- Kerberos
- Password Server
The integration of the three is very clever.
What I meant is that the technology is still only relevant for OS X (which is proprietary). I’m not a sysadmin, so anything that’s not standardized openly can become a pain in the butt to deal with when I have to switch around different OSes.
Nice article, keep up the good work.
Nice blog…I am sure this has helped many a lost soul.
I attempted to use the above with version 3.1.8 and all went well until the last step:
$ sudo /usr/local/squid/sbin/squid -N -d 1 -D
and I received the following error message:
2010/10/04 14:16:56| WARNING: -D command-line option is obsolete.
2010/10/04 14:16:56| Can't use proxy auth because no authentication schemes are fully configured.
FATAL: ERROR: Invalid ACL: acl ncsa_users proxy_auth REQUIRED
Squid Cache (Version 3.1.8): Terminated abnormally.
CPU Usage: 0.033 seconds = 0.013 user + 0.020 sys
Maximum Resident Size: 1622016 KB
Page faults with physical i/o: 0
I will look through the squid docs to find the fix (I should have done this anyway before trying to install a more current version than the one noted), but if you have a quick fix, let me know.
Thanks.
Yeah, I cannot really comment on this one since I’m still running the old version on my server.
Found it…
For anyone running the 3.1.8 version, this is the new suggested minimum auth_param lines to be added to the top of the squid.conf file:
auth_param basic program /usr/local/squid/libexec/ncsa_auth /usr/local/squid/etc/squid_passwd
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
Also, if you happen to be connected to the internet drop the -D parameter when running.
Thanks, benjamin. Will incorporate this when I update my server to a new version.
it works
thank u …
Hi
Found this article while looking for how to get OpenLDAP going on OSX.
Your article is very similar to mine http://www.hutsby.net/2011/01/compiling-squid-on-osx.html.
I’ve not found how to run as nobody (yet).
The only thing about using the NCSA auth module is that your credentials are going over the Internet in clear text.
That sure is an important consideration depending on one’s security needs. Thanks for the comment.
Actually I just found out that simply running under sudo, you get two processes: one started by root, and a second spawned from the first running as nobody.
This post helped me get squid running because the startup .plist and Squid.Wrapper from macports doesn’t want to work. I copied the squid.plist above, modified the sbin/squid path and added to startup item using launchctl load. Working great, thank you!
I followed your instructions. My squid is running, but I have no cache. My cache folder size is always the same. Any idea? I use squid 2.7 stable 9.
Unfortunately I have no idea at the moment. I used Squid as a proxy and not necessarily as a local cache, so it’s not surprising if this installation note doesn’t cover how to configure cache properly.