: O. Yuanying

Installing Squid with MacPorts

To get around sites that block access from overseas, I installed a proxy on my home server.

$ sudo port install squid

Edit the configuration file (/opt/local/etc/squid/squid.conf).

The settings I added are as follows.

# Let hosts that are not otherwise allowed use the proxy
# if they authenticate with a username and password.
auth_param basic program /opt/local/libexec/ncsa_auth /opt/local/etc/passwd
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours

acl password proxy_auth REQUIRED

http_access allow password

# Keep destination sites from learning that the request came through a proxy
header_access X-Forwarded-For deny all
header_access Via deny all
header_access Cache-Control deny all

visible_hostname www.fraction.jp

# Hide the local IP address of the machine that is using the proxy
forwarded_for off
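As an added check, not code from the original post, here is a small Python linter for the parts of this configuration that are easy to get wrong: the helper path (the exact failure hit later in this post), whether the proxy_auth acl is actually referenced from http_access, that http_access ends in deny all, and the Cache-Control rule. It assumes Squid 2.7 directive syntax as used above; the sample config, including its localnet line, is constructed.

```python
import os

# Constructed sample: the directives this post adds to squid.conf (Squid 2.7 syntax).
SAMPLE_CONF = """
auth_param basic program /opt/local/libexec/ncsa_auth /opt/local/etc/passwd
auth_param basic credentialsttl 2 hours
acl localnet src 192.168.0.0/16   # constructed stand-in for the default LAN acl
acl password proxy_auth REQUIRED
http_access allow localnet
http_access allow password
http_access deny all
header_access X-Forwarded-For deny all
header_access Via deny all
header_access Cache-Control deny all
forwarded_for off
"""

def parse(conf):
    """Split squid.conf into token lists, dropping comments and blank lines."""
    rules = []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            rules.append(line.split())
    return rules

def lint(conf, path_exists=os.path.exists):
    """Return findings for the auth and header settings used in this post."""
    rules = parse(conf)
    findings = []
    # 1. The basic-auth helper must exist; a missing one stops Squid at startup.
    for r in rules:
        if r[:3] == ["auth_param", "basic", "program"] and len(r) > 3 and not path_exists(r[3]):
            findings.append(f"auth helper not found: {r[3]}")
    # 2. A proxy_auth acl only triggers the 407 challenge when an http_access rule uses it.
    auth_acls = {r[1] for r in rules if r[0] == "acl" and len(r) > 2 and r[2] == "proxy_auth"}
    access = [r[1:] for r in rules if r[0] == "http_access"]
    used = {tok.lstrip("!") for rule in access for tok in rule[1:]}
    for name in sorted(auth_acls - used):
        findings.append(f"proxy_auth acl '{name}' is never used in http_access")
    # 3. http_access is first-match: it must end with 'deny all', with nothing after it.
    if not access or access[-1] != ["deny", "all"]:
        findings.append("http_access does not end with 'deny all'")
    elif ["deny", "all"] in access[:-1]:
        findings.append("http_access rules after an earlier 'deny all' are unreachable")
    # 4. Cache-Control does not reveal the proxy; denying it also drops origin no-cache/no-store.
    for r in rules:
        if r[0] == "header_access" and r[1].lower() == "cache-control" and r[2:] == ["deny", "all"]:
            findings.append("header_access Cache-Control deny all changes caching behaviour")
    return findings
```

Run it against the real file with `lint(open("/opt/local/etc/squid/squid.conf").read())` before loading the launchd job; an empty list means none of the four checks fired.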

These are almost exactly the settings from "Fedoraで自宅サーバー構築" (a site on building a home server with Fedora).

Start it.

$ sudo launchctl load -w /Library/LaunchDaemons/org.macports.Squid.plist

It failed.

Reading /var/log/messages showed an error saying that /opt/local/libexec/ncsa_auth does not exist.

Following the post "400 Bad Request-Devel :: ssm: Squid の認証ライブラリ" (on Squid's authentication library), I installed /opt/local/libexec/ncsa_auth.

  • Copy the squid tarball somewhere convenient.
  • make
  • make and install ncsa_auth

Like this.

[yuanying@Kohrin] ~
$ cp /opt/local/var/macports/distfiles/squid/squid-2.7.STABLE4.tar.bz2 ~/Documents/temp/squid/
[yuanying@Kohrin] ~
$ cd ~/Documents/temp/squid/
[yuanying@Kohrin] ~/Documents/temp/squid
$ bzip2 -dc squid-2.7.STABLE4.tar.bz2 | tar xvf -
[yuanying@Kohrin] ~/Documents/temp/squid
$ cd squid-2.7.STABLE4/
[yuanying@Kohrin] ~/Documents/temp/squid/squid-2.7.STABLE4
$ ./configure --prefix=/opt/local CPPFLAGS=-I/opt/local/include
[yuanying@Kohrin] ~/Documents/temp/squid/squid-2.7.STABLE4
$ make
[yuanying@Kohrin] ~/Documents/temp/squid/squid-2.7.STABLE4
$ cd helpers/basic_auth/NCSA/
[yuanying@Kohrin] ~/Documents/temp/squid/squid-2.7.STABLE4/helpers/basic_auth/NCSA
$ make
[yuanying@Kohrin] ~/Documents/temp/squid/squid-2.7.STABLE4/helpers/basic_auth/NCSA
$ sudo make install

Restart.

$ sudo launchctl unload -w /Library/LaunchDaemons/org.macports.Squid.plist
$ sudo launchctl load -w /Library/LaunchDaemons/org.macports.Squid.plist

That's all.

Environment

  • Mac OS X 10.5.5
  • MacPorts 1.600

Reference sites

Diff of the configuration file

$ diff -u squid.conf.default squid.conf
--- squid.conf.default  2008-09-24 22:25:27.000000000 +0900
+++ squid.conf  2008-09-25 01:00:26.000000000 +0900
@@ -88,6 +88,8 @@
    #   Then, set this line to something like
    #
    #   auth_param basic program /opt/local/libexec/ncsa_auth /opt/local/etc/passwd
+# ADDED Yuanying
+auth_param basic program /opt/local/libexec/ncsa_auth /opt/local/etc/passwd
    #
    #   "children" numberofchildren
    #   The number of authenticator processes to spawn. If you start too few
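Review bot: the helper path /opt/local/libexec/ncsa_auth and the password file /opt/local/etc/passwd on the added `auth_param basic program` line are both taken on trust; the startup failure described later in this post shows the helper was not installed by the port. Before loading the service, verify both exist and that the password file is readable only by the user Squid runs as, e.g. `test -x /opt/local/libexec/ncsa_auth && test -r /opt/local/etc/passwd`.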
@@ -95,7 +97,8 @@
    #   verifications, slowing it down. When credential verifications are
    #   done via a (slow) network you are likely to need lots of
    #   authenticator processes.
-#  auth_param basic children 5
+# UNCOMMENTED Yuanying
+auth_param basic children 5
    #
    #   "concurrency" numberofconcurrentrequests
    #   The number of concurrent requests/channels the helper supports.
@@ -108,7 +111,8 @@
    #   Specifies the realm name which is to be reported to the client for
    #   the basic proxy authentication scheme (part of the text the user
    #   will see when prompted their username and password).
-#  auth_param basic realm Squid proxy-caching web server
+# UNCOMMENTED Yuanying
+auth_param basic realm Squid proxy-caching web server
    #
    #   "credentialsttl" timetolive
    #   Specifies how long squid assumes an externally validated
@@ -119,7 +123,8 @@
    #   using an one-time password system (such as SecureID). If you are using
    #   such a system, you will be vulnerable to replay attacks unless you
    #   also use the max_user_ip ACL in an http_access rule.
-#  auth_param basic credentialsttl 2 hours
+# UNCOMMENTED Yuanying
+auth_param basic credentialsttl 2 hours
    #
    #   "casesensitive" on|off
    #   Specifies if usernames are case sensitive. Most user databases are
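Review bot: with `auth_param basic credentialsttl 2 hours` uncommented, a validated username/password pair is trusted for two hours without being re-checked against the password file; the surrounding comment itself warns that this is replayable unless an `http_access` rule also uses the `max_user_ip` ACL. Consider pairing the `password` ACL with `max_user_ip`, or shortening the TTL if the password file changes often.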
@@ -621,6 +626,9 @@
    acl Safe_ports port 777     # multiling http
    acl CONNECT method CONNECT

+# ADDED Yuanying
+acl password proxy_auth REQUIRED
+
    #  TAG: http_access
    #   Allowing or Denying access based on defined access lists
    #
@@ -664,6 +672,9 @@
    # from where browsing should be allowed
    http_access allow localnet

+# ADDED Yuanying
+http_access allow password
+
    # And finally deny all other access to this proxy
    http_access deny all

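Review bot: the placement of `http_access allow password` is right (after `http_access allow localnet`, before `http_access deny all`), but note what it means: clients matching `localnet` are never challenged, and every other source is admitted solely on a Basic username/password, which Basic sends with each request in a form that is trivially decodable on the wire. Keep the password file small and treat the proxy as reachable by anyone who can guess or capture one of those pairs.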
@@ -1117,6 +1128,7 @@
    # Squid normally listens to port 3128
    http_port 3128

+
    #  TAG: https_port
    # Note: This option is only available if Squid is rebuilt with the
    #       --enable-ssl option
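Review bot: whitespace-only change here: a blank line inserted after `http_port 3128` with no directive; drop it so the diff contains only intentional edits.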
@@ -3081,6 +3093,11 @@
    #
    #Default:
    # none
+# ADDED Yuanying
+header_access X-Forwarded-For deny all
+header_access Via deny all
+header_access Cache-Control deny all
+

    #  TAG: header_replace
    #   Usage:   header_replace header_name message
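Review bot: `header_access Cache-Control deny all` does not belong with the two anonymity rules above it. X-Forwarded-For and Via identify the proxy, but Cache-Control is how origins and clients say no-cache, no-store and max-age; stripping it means Squid and the browsers behind it may cache responses they were told not to. Keep the X-Forwarded-For and Via rules and drop the Cache-Control one, and remove the extra blank line at the end of the hunk.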
@@ -3373,6 +3390,8 @@
    #
    #Default:
    # none
+# ADDED Yuanying
+visible_hostname www.fraction.jp

    #  TAG: unique_hostname
    #   If you want to have multiple machines with the same
@@ -4723,6 +4742,9 @@
    #
    #Default:
    # forwarded_for on
+# ADDED Yuanying
+forwarded_for off
+

    #  TAG: cachemgr_passwd
    #   Specify passwords for cachemgr operations.
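Review bot: `forwarded_for off` overlaps with `header_access X-Forwarded-For deny all` added earlier in this diff; that header_access rule already removes the header from forwarded requests, so this setting is belt-and-braces rather than harmful, but a comment saying so would save the next reader from wondering which one is effective. The trailing added blank line can go.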