Make Little Snitch and GlimmerBlocker work together

Jan 04, '10 07:30:00AM

Contributed by: emale

I've used LittleSnitch for some years now and consider it a must-have. Short explanation: LittleSnitch is a network filter that watches your applications for outgoing connections (interesting how many applications establish connections to Google, by the way). Perhaps I'm a little paranoid, or maybe you like it as well.

In any event, some months ago I tried GlimmerBlocker, a software proxy between your browser and the internet with the ability to filter ads on websites, manipulate websites, and much more if you have a little background knowledge on how the web works. Something I also can't live without after using it for a while.

By accident, I discovered that LittleSnitch and GlimmerBlocker can't really coexist (at least if you are using Safari, because it uses the system-wide proxy setting as do all other applications). When you use GlimmerBlocker, all web traffic will be redirected to GlimmerBlocker, and GlimmerBlocker will be the outgoing connection LittleSnitch catches. So, it's no different if you're surfing websites with Safari, Mail is checking for emails, or eyeTV is looking for updates: LittleSnitch will pop up with "Glimmer Blocker wants to connect to...".

Before, I was able to tell LittleSnitch to allow Safari all connections but to allow Mail only connections to gmail.com (so as not to load any images in emails); that is no longer possible once GlimmerBlocker is installed.

If you want to use LittleSnitch and GlimmerBlocker together, read the rest for my workaround, but be warned: Please do all of this only if you have some background knowledge of the network preferences and Apache. You may harm your network preferences and kill the internet on your machine if you don't know what you are doing here!

You need:

I want to create a .pac file that -- depending on the user agent -- will tell the system to use GlimmerBlocker as the proxy (for Safari), or make a direct connection to the internet (for the rest of my applications). Unfortunately, there's no way, in a .pac file, to say "If request is from application A, then do this, but if the request is from application B, then do that." Instead, we'll use PHP, which knows which application is asking to do what.

Starting the Apache webserver is quite easy: Just go to the Sharing preferences and be sure Web Sharing is activated. You may need some googling to activate the PHP module that's not activated by default (I wonder why, dear Apple). Of course, activation of PHP is at your own risk.

Executive summary version: Find httpd.conf in the directory /etc/httpd/ (pre-10.5) or /etc/apache2/ (10.5 and 10.6) and make a copy of it, just in case. Open it with root privileges, and remove the # at the beginning of the line that reads #LoadModule php5_modul.... (If there's no # you're fine, as PHP is already active.) If you had to change the config, you have to restart the webserver.

Now to the .pac file. Create a new plaintext file with the following content:
<?php
// Serve this response as a proxy auto-config (PAC) file.
header("Content-type: application/x-ns-proxy-autoconfig");
// Let the client cache the answer for 30 minutes.
header("Date: " . gmdate('D, d M Y H:i:s \G\M\T', time()));
header("Last-Modified: " . gmdate('D, d M Y H:i:s \G\M\T', time()));
header("Expires: " . gmdate('D, d M Y H:i:s \G\M\T', time()+60*30));
// A User-Agent containing "Safari" is sent to GlimmerBlocker; everything else connects directly.
$proxy = (strpos($_SERVER['HTTP_USER_AGENT'], "Safari") === false) ? "DIRECT" : "PROXY 127.0.0.1:8228";
?>
function FindProxyForURL(url, host) {
	return '<?php echo $proxy; ?>';
}
Save this as proxy.php in the /Library/WebServer/Documents/ folder. It's some PHP code that checks if the application sending a request is Safari, or if it's something else.

If it's Safari, the PAC command PROXY 127.0.0.1:8228 is placed in a variable (assuming that GlimmerBlocker runs on your local machine on port 8228 -- so the request will be directed to GlimmerBlocker). If it's any other application, it will get a direct connection to the internet without any proxy (assuming that you don't have any proxy -- otherwise you have to include a PROXY xxx.xxx.xxx.xxx:xxxx line, too).

Now in the Network System Preferences panel, go to the Advanced options of your Ethernet or AirPort, and then to the Proxies tab. In pre-10.6, you have to choose the PAC method from a pull-down menu; in 10.6, you have to check Automatic proxy configuration and uncheck all other checkboxes.

For the URL, choose http://127.0.0.1/proxy.php (assuming you have saved the script as proxy.php in the directory /Library/WebServer/Documents), then click on OK and apply. This did it for me.
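To see which proxy decision a given User-Agent receives before relying on the setup, the following added example (not part of the original hint) mirrors proxy.php's substring test in JavaScript for Node, evaluates the generated PAC text, and checks that every answer is either DIRECT or the local GlimmerBlocker listener. The User-Agent strings and all function names are constructed for illustration; note that the Chrome-style sample also contains "Safari" and is therefore sent to the proxy.

```javascript
// Constructed User-Agent samples (assumptions, not captured from real traffic).
const SAMPLE_AGENTS = {
  safari: 'Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10',
  chrome: 'Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-US) AppleWebKit/532.5 (KHTML, like Gecko) Chrome/4.0.249.49 Safari/532.5',
  mail: 'Mail/1077 CFNetwork/454.5 Darwin/10.2.0',
  curl: 'curl/7.19.7',
};

// Same decision as proxy.php: a case-sensitive substring test for "Safari".
function renderPac(userAgent) {
  const proxy = userAgent.indexOf('Safari') === -1 ? 'DIRECT' : 'PROXY 127.0.0.1:8228';
  return "function FindProxyForURL(url, host) {\n\treturn '" + proxy + "';\n}";
}

// Run the PAC text and return its answer for one URL.
// new Function is not a sandbox: only feed it PAC text you generated yourself.
function evalPac(pacText, url) {
  const run = new Function('url', 'host', pacText + '\nreturn FindProxyForURL(url, host);');
  return run(url, new URL(url).hostname);
}

// Split a PAC answer such as "PROXY 127.0.0.1:8228; DIRECT" into entries.
function parsePacResult(result) {
  return result.split(';').map(s => s.trim()).filter(Boolean).map(entry => {
    const [type, target = ''] = entry.split(/\s+/);
    const [host = '', port = ''] = target.split(':');
    return { type, host, port };
  });
}

// True only if every entry is DIRECT or the local GlimmerBlocker listener.
function onlyLocalOrDirect(result) {
  const entries = parsePacResult(result);
  return entries.length > 0 && entries.every(e =>
    e.type === 'DIRECT' || (e.type === 'PROXY' && e.host === '127.0.0.1' && e.port === '8228'));
}

// PAC decision for each sample agent when asked about one URL.
function audit(url) {
  const out = {};
  for (const [name, ua] of Object.entries(SAMPLE_AGENTS)) out[name] = evalPac(renderPac(ua), url);
  return out;
}

console.log(audit('http://example.com/'));
```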

[robg adds: I haven't tested this one.]



Mac OS X Hints
http://hints.macworld.com/article.php?story=20091228114759199