Submit Hint Search The Forums LinksStatsPollsHeadlinesRSS
14,000 hints and counting!

Use squid to perform upstream web proxy authentication UNIX
I don't know about the rest of you, but my company uses a web proxy that requires authentication, and a lot of web apps just don't work, or work reliably (like Software Update, QuickTime streaming, and a lot of little web apps like the weather menu extras).

If you only have a proxy for HTTP (not HTTPS), you can use Authoxy to automatically add your proxy authentication info into any HTTP requests. You set that up as your proxy, and it adds the login info and forwards the request to the real proxy. However, Authoxy doesn't support HTTPS yet, and there are problems with most of the browsers if one of your proxy servers requires authentication and one doesn't.

Enter the Squid proxy server. Squid can be configured to just forward requests for both HTTP and HTTPS, and to add your login info. However, it's not obvious how to configure it to do so.

Panther proven!

It took a lot of searching to find the right info, but here's the squid.conf you need to get this working. Replace the stuff in angle brackets with your local configuration info:
http_port <the port you want squid to listen on>
cache_peer <your current proxy server> parent <your current proxy port> 0
  no-query default proxy-only login=<user>:<pass>

acl manager proto cache_object
acl localhost src
acl all src
http_access allow all
never_direct allow all
icp_access deny all

cache_effective_user squid
cache_effective_group wheel
You can install squid with fink, but if you want to use HTTPS, it has to be specially compiled. I installed it from source, and had to use "--enable-ssl" as a parameter to the configure script. You also need to make a "squid" user. I'll leave it to other hints to tell you how to do this. After you compile it and install it, run
 % sudo chown -R squid.wheel /usr/local/squid
You then have to run it once with special parameters to create your caches:
 % sudo /usr/local/squid/sbin/squid -z
Then you can run it (either manually or with a startup item) by just using:
 % sudo /usr/local/squid/sbin/squid
In your network preferences, just set your HTTP and HTTPS proxies to localhost, and the ports to the values you entered in squid.conf.

[robg adds: I have not tested this one...]
  • Currently 3.75 / 5
  You rated: 5 / 5 (4 votes cast)

Use squid to perform upstream web proxy authentication | 13 comments | Create New Account
Click here to return to the 'Use squid to perform upstream web proxy authentication' hint
The following comments are owned by whoever posted them. This site is not responsible for what they say.
Use squid to perform upstream web proxy authentication
Authored by: Ranger Rick on Feb 28, '03 10:21:33AM

Just an FYI, you can still install squid with Fink -- the "squid-ssl" package has SSL support enabled.

[ Reply to This | # ]
Use squid to perform upstream web proxy authentication
Authored by: pmccann on Mar 01, '03 02:18:55AM

Thanks very much for taking the time to document this: my university uses an authenticating proxy server, and the apple apps have been hamstrung by their inability to communicate through that server. Authoxy is a partial answer, but this seems to fill in all the missing pieces. Takes a little setting up, but *works*.

(I installed via fink as per the first comment. In case anyone's wondering about the user creation piece of the puzzle: just duplicate the sshd user using NetinfoManager, change the user ID to something not in use, change the name to "squid" and then save your changes. Consider all the usual warnings as given. You'll now need to chase down the relevant files/directory and change the owner/group as per the hint: I changed /sw/etc/squid.conf /sw/sbin/squid /sw/var/cache/squid /sw/var/log/squid /sw/etc/daemons/squid-ssl.xml which might be more than needed.)


[ Reply to This | # ]
Use squid to perform upstream web proxy authentication
Authored by: houchin on Mar 02, '03 03:41:41PM

One more note I just discovered.

If you're not running a local firewall and want to prevent others from using your local proxy, you can change the "http_access allow all" line to "http_access allow localhost"

This works with Chimera/Camino, and probably Mozilla/Netscape, and will deny anyone trying to proxy through your system. It will NOT work with Internet Explorer, which appears to not make a loopback connection to localhost. I had to change it back to all to get IE to work (which I unfortunately must use to get reasonable Flash performance so my daughter can maintain her addiction.

[ Reply to This | # ]
Don't install Squid - use Privoxy!
Authored by: Tony Arnold on Mar 02, '03 06:59:54AM

Uhhh, you really don't want to install Squid. It's a complete web proxy server, and uses your computer's resources accordingly. This is sorta the reason Privoxy was branched from Squid. It is specifically for proxying connections on a local machine, and in my experience is a lot faster (and easier to setup) than Squid.

Before you go installing squid, go take a look at - it is Squid, without the extras that you're not going to use.

[ Reply to This | # ]
Authored by: Tony Arnold on Mar 02, '03 07:02:12AM

Sorry, Privoxy was branched from Internet Junkbuster - Authoxy is based on Privoxy...

All this inbreeding is making me dizzy :)

[ Reply to This | # ]
Authored by: LightYear on Mar 02, '03 11:40:33PM
Authoxy is based on Privoxy

It is? As Authoxy's developer I must admit I'm not in total agreement. I'd say closer to 'inspired by' than 'based on' :-)
Before I began writing Authoxy, I used Privoxy. It was workable as an authentication solution (I didn't really use any of the privacy stuff), but hardly a perfect solution. So I wrote Authoxy from scratch. There is no shared code between Authoxy and Privoxy. I think I did steal the naming idea though, sorry for the confusion!
HTTPS support is coming in Authoxy folks! I have a couple of things to work on in the mean time (support for .pac files is next), but it is on the agenda. Do check out Privoxy or Squid for now though, if you are brave enough.
As an aside, I must admit it is rewarding to have worked on Authoxy until very late last night, and then find it mentioned on the first page of MacOSXHints (which I really try to frequent), along with VersionTracker and MacUpdate, this morning.

My .sig is on .holiday

[ Reply to This | # ]

Authoxy & iCal
Authored by: zakaria on Mar 04, '03 07:20:46AM

Could Authoxy be the solution to the iCal publis&subscribe problem ? iCal always tries to use port 80 during publish&subscribe. We have a proxy without authentication but with port 81. So couldn't authoxy redirect iCals request to the correct proxy ? I gave it a shot but so far it didn't work... Anybody an idea for the iCal-problem ?

[ Reply to This | # ]
Authoxy & iCal
Authored by: LightYear on Mar 06, '03 12:48:51AM

Unfortunately, as far as I can tell, iCal makes no attempt whatsoever to use the proxy settings in System Preferences. I'm confident, that if one could point iCal at Authoxy, subscribe and publish would work, but as it stands, iCal and Authoxy have no way of knowing about each other. Quite frustrating really, considering so many of Apple's other apps do what one would imagine is the right thing, and pay attention to the user Proxy settings.

If you (or anyone else) would like to discuss this further, please email me. I'll keep an eye on the situation, but there really is not a lot I can do from my end.

My .sig is on .holiday

[ Reply to This | # ]
How do you add the authentication info to Privoxy?
Authored by: houchin on Mar 02, '03 03:37:51PM

I can't tell from your correction is you're still suggesting to use Privoxy over Squid. If you are still making this suggestion, how do you add the username and password? From the privoxy docs, it doesn't appear that this is possible.

[ Reply to This | # ]
How do you add the authentication info to Privoxy?
Authored by: LightYear on Mar 06, '03 12:59:16AM

It certainly is possible, at least for HTTP. I imagine for HTTPS also, I've just never had reason to find out. You are right though, it is not obvious from the Docs how one goes about it.

I wrote up a method for adding proxy authentication to Privoxy quite a while ago, and would be happy to try to dig it up for anyone who is interested. Just send me an email.

As far as I can remember, there was basically two steps. You first had to use the proxy forwarding (might be called tunneling, can't remember) feature to get privoxy to pass everything on to your proxy. That required editing a file, using a fairly descriptive example in the file.

The other thing to add was a +add-header or something, which would add your authentication string to each request. The tricky bit is getting that string. The easiest way I found was to use a packet sniffer like MacSniffer or Sniffles, and grab a packet going out of your browser to the proxy. The header should start with something like "GET HTTP/1.0", and then a little further on, will be soemthing like:
Authentication: BASIC YFNXpasnfoFEOEPAee=
Thats the line you copy into Privoxy's configuration file as a header to be included.

Hope that helps.

My .sig is on .holiday

[ Reply to This | # ]
Use squid to perform upstream web proxy authentication
Authored by: TvE on Mar 03, '03 04:34:51AM

Has anyone found a solution to THIS problem:
I need to authenticate http to a M$ based proxy, apparently only IE
can use the NTLM protocol (other browsers just gives me an
errormessage - "407 not authenticated" i think...), but not reliably -
meaning that I can only surf for less then 5 minutes at a time (not
very productive).

So - How do you get "out" through a M$ based proxy from a Mac?

[ Reply to This | # ]
Use squid to perform upstream web proxy authentication
Authored by: jeffosx on Mar 03, '03 05:45:00AM

i use "NTLM Authorization Proxy Server"

with a couple of applescripts to start and kill it

bit slow and IE works the best (safari struggles to match) but update works. They block all the other apps anyway...

authoxy author is trying to add this to make a nice workaround....


[ Reply to This | # ]
Use squid to perform upstream web proxy authentication
Authored by: TvE on Mar 04, '03 03:34:51AM

I'll have to try it out as soon as I am back from three weeks of

[ Reply to This | # ]