Submit Hint Search The Forums LinksStatsPollsHeadlinesRSS
14,000 hints and counting!

Make Little Snitch and GlimmerBlocker work together Network
I've used LittleSnitch for some years now and consider it a must-have. Short explanation: LittleSnitch is a network filter that watches your applications for outgoing connections (interesting how many applications establish connections to Google, by the way). Perhaps I'm a little paranoid, or maybe you like it as well.

In any event, some months ago I tried GlimmerBlocker, a software proxy between your browser and the internet with the ability to filter ads on websites, manipulate websites, and much more if you have a little background knowledge on how the web works. Something I also can't live without after using it for a while.

By accident, I discovered that LittleSnitch and GlimmerBlocker can't really coexist (at least if you are using Safari, because it uses the system-wide proxy setting as do all other applications). When you use GlimmerBlocker, all web traffic will be redirected to GlimmerBlocker, and GlimmerBlocker will be the outgoing connection LittleSnitch catches. So, it's no different if you're surfing websites with Safari, Mail is checking for emails, or eyeTV is looking for updates: LittleSnitch will pop up with "Glimmer Blocker want's to connect to...".

Before I was able to tell LittleSnitch to allow Safari all connections, but Mail to only allow connections to gmail.com (to not load any images in emails), but no longer once GlimmerBlocker is installed.

If you want to use LittleSnitch and GlimmerBlocker together, read the rest for my workaround, but be warned: Please do all of this only if you have some background knowledge of the network preferences and Apache. You may harm your network preferences and kill the internet on your machine if you don't know what you are doing here!

You need:
  • As expected: LittleSnitch and GlimmerBlocker
  • Apache webserver started with the PHP module activated
I want to create a .pac file that -- depending on the user agent -- will tell the system to take GlimmerBlocker as proxy (for Safari), or do a direct connection to the internet (for the rest of my applications). Unfortunately, there's no way, in a .pac file, to say "If request is from application A, then do this, but if the request is from application B, then do that." Instead, we'll use PHP, which knows which application is asking to do what.

Starting the Apache webserver is quite easy: Just go to the Sharing preferences and be sure Web Sharing is activated. You may need some googling to activate the PHP module that's not activated by default (I wonder why, dear Apple). Of course, activation of PHP is at your own risk.

Executive summary version: Find httpd.conf (in the directoy /etc/httpd/ (pre-10.5) or /etc/apache2/ (10.5 and 10.6)) and make a copy of it, just in case. Open it with root privileges, and remove the # at the beginning of the line that reads #LoadModule php5_modul.... (If there's no # you're fine, as PHP is already active.) If you had to change the config, you have to restart the webserver.

Now to the .pac file. Create a new plaintext file with the following content:
<?php
header("Content-type: application/x-ns-proxy-autoconfig");
header("Date: " . gmdate('D, d M Y H:i:s \G\M\T', time()));
header("Last-Modified: " . gmdate('D, d M Y H:i:s \G\M\T', time()));
header("Expires: " . gmdate('D, d M Y H:i:s \G\M\T', time()+60*30));
$proxy = (strpos($_SERVER['HTTP_USER_AGENT'], "Safari") === false) ? "DIRECT" : "PROXY 127.0.0.1:8228";
?>
function FindProxyForURL(url, host) {
	return '<?= $proxy ?>';
	}
Save this as proxy.php in the /Library/WebServer/Documents/ folder. It's some PHP code that checks if the application sending a request is Safari, or if it's something else.

If it's Safari, the PAC command PROXY 127.0.0.1:8228 is placed in a variable (assuming that GlimmerBlocker runs on your local machine on port 8228 -- so the request will be directed to GlimmerBlocker). If it's any other application, it will get a direct connection to the internet without any proxy (assuming that you don't have any proxy -- otherwise you have to include a PROXY xxx.xxx.xxx.xxx:xxxx line, too)

Now in the Network System Preferences panel, go to the Advanced options of your Ethernet or AirPort, and then to the Proxies tab. In pre-10.6, you have to choose the PAC method from a pull-down menu; in 10.6, you have to check Automatic proxy configuration and uncheck all other checkboxes.

For the URL, choose http://127.0.0.1/proxy.php (assuming you have saved the script as proxy.php in the directory /Library/WebServer/Documents), then click on OK and apply. This did it for me.

[robg adds: I haven't tested this one.]
    •    
  • Currently 2.77 / 5
  You rated: 5 / 5 (22 votes cast)
 
[20,738 views]  

Make Little Snitch and GlimmerBlocker work together | 20 comments | Create New Account
Click here to return to the 'Make Little Snitch and GlimmerBlocker work together' hint
The following comments are owned by whoever posted them. This site is not responsible for what they say.
Make Little Snitch and GlimmerBlocker work together
Authored by: ghay on Jan 04, '10 08:22:53AM

I use both, and have done for > 6 months.
I haven't experienced this problem at all.



[ Reply to This | # ]
Make Little Snitch and GlimmerBlocker work together
Authored by: emale on Jan 04, '10 09:07:46AM

I haven't experienced any problem either because everything is just working fine. But try the following: Delete the rule of one application you are using (e.g. iTunes or Mail) in LittleSnitch and use it (go to the iTMS or check for new mail). Is LittleSnitch popping up? Now delete the GlimmerBlocker rule in LittleSnitch and try again. There should pop up a LittleSnitch dialog on asking if you allow GlimmerBlocker to connect to the server.
If not, you are fine and probably haven't defined GlimmerBlocker as your global proxy in system preferences...



[ Reply to This | # ]
Make Little Snitch and GlimmerBlocker work together
Authored by: puzzlebobble on Jan 04, '10 09:11:05AM

I suspect that is because you have given Glimmerblocker permission, in Littlesnitch, to access any destination.

It took me a while to figure out why this hint was needed. The problem with just giving glimmer blocker open access is that any application, such as Mail, that uses Glimmerblocker can now access any destination that glimmerblocker allows; but the hint's author wants to restrict applications further (eg. mail can access gmail only as described in the hint).



[ Reply to This | # ]
Make Little Snitch and GlimmerBlocker work together
Authored by: emale on Jan 05, '10 03:25:12AM

Your suspect is correct. But if you don't give GlimmerBlocker the right to access any server in LittleSnitch, surfing the web is more annoying than something else because of the constant LittleSnitch popups.
If you visit the same websites for all the time...okay. If you visit different websites each day...a problem.



[ Reply to This | # ]
Make Little Snitch and GlimmerBlocker work together
Authored by: clusty on Jan 04, '10 12:22:29PM

do not really see the point fo this hint.
I used both together and they worked just fine
Maybe you are using older versions of glimmer and snith?



[ Reply to This | # ]
Make Little Snitch and GlimmerBlocker work together
Authored by: superp on Jan 04, '10 03:11:18PM

Both work fine indeed, in the sense that no network traffic is stopped. Including the traffic you blocked in Little Snitch before.

A big thank you to the original poster, this is exactly what I was looking for. As I am no PHP expert, I rewrote the whole thing in Perl and made it write all requests and replies to a log file. Now I can configure on a client-by-client basis which clients go through Glimmer's ad filters (Omniweb, Safari) and which ones go to LSnitch where they are either blocked or allowed to pass. Beautiful.

Note that most apps pick up the proxy configuration once, when they start.



[ Reply to This | # ]
Make Little Snitch and GlimmerBlocker work together
Authored by: kaz219 on Jan 05, '10 01:50:25AM

could you post your perl version? Thanks.



[ Reply to This | # ]
Make Little Snitch and GlimmerBlocker work together
Authored by: superp on Jan 05, '10 06:38:53AM
#!/usr/bin/perl

###############################################################################
#                                                                             #
# Automatic Proxy Configuration (.pac file) server                            #
#                                                                             #
# A horribly simple and simply horrible CGI script to configure               #
# some applications to use a proxy, and all others to not use a proxy,        #
# thereby solving GlimmerBlocker vs LittleSnitch conflicts.                   #
#                                                                             #
# Based on a hint by macosxhints.com user 'emale' and ensuing discussion      #
# http://www.macosxhints.com/article.php?story=20091228114759199              #
#                                                                             #
# Published as is, without any guarantees, YMMV, etc. etc.                    #
# Comments and suggestions: see macosxhints discussion above                  #
###############################################################################

use strict;

my $VERSION = 0.1;
my ($proxy, $reply, $usingproxy, $pac);

###### configurable bits ######

# response to use a proxy. 'PROXY 127.0.0.1:8228' is GlimmerBlocker's default
$proxy = 'PROXY 127.0.0.1:8228';

# default response. 'DIRECT' means no proxy
$reply = 'DIRECT';

# list of user agents which should use the proxy, separated by |
# Apps matching $usingproxy receive the $proxy reply, all others the default $reply.
$usingproxy = 'OmniWeb|Safari';

###### no configurable bits below ######

# build reply. This is the interesting part.
$reply = $proxy if $ENV{HTTP_USER_AGENT} =~ m/$usingproxy/;
$pac = "Content-type: application/x-ns-proxy-autoconfig\n\nfunction FindProxyForURL(url, host) { return '$reply'; }";

# write to log
open FH, '>>/private/tmp/pacserver.log' or warn "pacserver could not open log\n";
print FH scalar localtime() . " '$reply' for $ENV{HTTP_USER_AGENT}\n";
close FH;

# send reply
if ($ENV{PATH_INFO} eq '/status' ) {
	print "Content-type: text/html; charset=utf-8\n\n
"; # yes, I know. Bite me.
}

print $pac;


[ Reply to This | # ]
Make Little Snitch and GlimmerBlocker work together
Authored by: VMatas on Jan 05, '10 11:36:57PM

Sorry for a dumb question - can you explain, where i need to put this perl *.pac file?



[ Reply to This | # ]
Make Little Snitch and GlimmerBlocker work together
Authored by: superp on Jan 07, '10 04:23:35AM
Sorry, my bad, I was just responding to the request to donate the Perl code. The script is a CGI script, which means you need a webserver running, same as for the original hint. Put it wherever you keep CGI scripts for your webserver. On Mac OS X, that would be /Library/WebServer/CGI-Executables by default, and make it executable by changing to that folder and:
chmod 755 pacserver
Test the script by pointing your browser to http://127.0.0.1/cgi-bin/pacserver/status

That should give a response like

Content-type: application/x-ns-proxy-autoconfig

function FindProxyForURL(url, host) { return 'PROXY 127.0.0.1:8228'; }
If that works, enter http://127.0.0.1/cgi-bin/pacserver as the Proxy Configuration File in System Preferences (as per the original hint).

[ Reply to This | # ]
Make Little Snitch and GlimmerBlocker work together
Authored by: emale on Jan 05, '10 03:21:40AM

I haven't experienced any problem either because everything is just working fine. But try the following: Delete the rule of one application you are using (e.g. iTunes or Mail) in LittleSnitch and use it (go to the iTMS or check for new mail). Is LittleSnitch popping up? Now delete the GlimmerBlocker rule in LittleSnitch and try again. There should pop up a LittleSnitch dialog on asking if you allow GlimmerBlocker to connect to the server.
If not, you are fine and probably haven't defined GlimmerBlocker as your global proxy in system preferences...

It's not because of an old version of GlimmerBlocker or LittleSnitch - it's because of the way this both applications are working.



[ Reply to This | # ]
"Disable remote images" Mail preference
Authored by: PCheese on Jan 05, '10 12:11:16AM

A useful hint, but I wondered about your example use of Little Snitch to block images in HTML messages. Are you aware there is a checkbox to "Display remote images in HTML messages" in Mail Preferences under Viewing? In this particular case, Little Snitch's advantage might the ability to selectively show images from certain domains and not from others (i.e. advertisers), but that won't be specific enough to distinguish tracking images from layout images. I've found Mail's all-or-nothing option to be more than enough for me.



[ Reply to This | # ]
"Disable remote images" Mail preference
Authored by: emale on Jan 05, '10 03:20:09AM

Sorry for that dumb example. I have to admit that I'm using Entourage and not Mail and wrote it that way because Mail is even more known ;-)



[ Reply to This | # ]
Make Little Snitch and GlimmerBlocker work together
Authored by: McSvenster on Jan 15, '10 02:42:22AM

Thank You for this hint! Works perfect for me ( I chose the perl-way becaus of the clear configuration-option; thanks for sharing this!)

Sven



[ Reply to This | # ]
GlimmerBlocker 1.4.4 can be a pac server
Authored by: superp on Feb 03, '10 08:45:26AM
The latest version of GlimmerBlocker can now be used as a pac server too. In other words, if you do not want to use "Web Sharing" as Apple calls Apache, you do not have to. See release notes for GlimmerBlocker 1.4.4

[ Reply to This | # ]
GlimmerBlocker 1.4.4 can be a pac server
Authored by: Pmac on Feb 11, '10 05:50:15PM

The Pac sever solution works fine for Little Snitch as described on the GlimmerBlocker site: http://glimmerblocker.org/wiki/LittleSnitch

Just one small glitch when you restart GlimmerBlocker, the Web Proxy is re-enabled along with the Automatic Proxy, which screws up the workaround for LS.



[ Reply to This | # ]
GlimmerBlocker 1.4.4 can be a pac server
Authored by: superp on Mar 11, '10 03:45:17AM

System Preferences -> GlimmerBlocker -> Network -> Ask for confirmation of changes...

will catch that.



[ Reply to This | # ]
GlimmerBlocker 1.4.4 can be a pac server
Authored by: Pmac on Mar 22, '10 03:58:00PM

Well, that's pretty cool!

Thanks!



[ Reply to This | # ]
Make Little Snitch and GlimmerBlocker work together
Authored by: ktolis on Jul 29, '12 06:12:40AM

NetNewsWire doesn't work with this setup, at least not with 10.8
I have tried modifying the script by adding also detection for "NetNewsWire" agent.
I've tested it with curl and the script works as expected.
I've setup NetNewsWire to not refresh on startup and it can load the tabs that are already open. It will also load any tab you type in the url manually.
But as soon as you try to do a 'refresh' it will crash immediately.
Did anyone see this problem before?
Any workaround might be appreciated!



[ Reply to This | # ]
Safari OS X 10.9 Mavericks User Agent
Authored by: wheeles on Feb 02, '14 11:19:35AM

It's worth noting that in OS X 10.9 Mavericks, Safari uses com.apple.Webkit.Networking as User Agent when requesting proxy auto configuration.

Depending on the scripting language you use, you may need to employ: com\.apple\.WebKit\.Networking as the User Agent string you are trying to detect.



[ Reply to This | # ]