Wednesday, 2 March 2011

Squid proxy server setup for iTunes authentication through another proxy

Yay, nice new shinny iPads. What could possibly go wrong. Doh! iTunes doesn't like the proxy server.

After speaking with the Network administrator, he showed me a mac already in use with ipod touches. The set-up on this machine uses a deamon called "Squid", which acts as a local proxy server. So this authenitcates itself with the real proxy server, and all programs on the machine communicate with squid as a localhost, so everything works just fine. It starts at startup,but I think it should start at login.

Here's the config files, squid.conf:

# ----------------------------------------------------------------------
# WARNING - do not edit this template unless you know what you are doing
# ----------------------------------------------------------------------

# the parent cache
cache_peer parent 8080 7 no-query no-digest no-netdb-exchange default login=username:password

# disk and memory cache settings

acl everything src all
cache deny everything
maximum_object_size 4096 KB

# store coredumps in the first cache dir
coredump_dir /usr/local/squid/var/logs

# the hostname squid displays in error messages
visible_hostname localhost

# log & process ID file details
cache_access_log /usr/local/squid/var/logs/squid-access.log
cache_log /usr/local/squid/var/logs/squid-cache.log
cache_store_log /usr/local/squid/var/logs/squid-store
pid_filename /tmp/

# Squid listening port
http_port 8080

# Access Control lists
acl localhost src
acl to_localhost dst
acl manager proto cache_object
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl allowed src

acl godirect dstdomain

# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager

# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# protect web apps running on the proxy host from external users
http_access deny to_localhost

# rules for client access go here
http_access allow localhost
http_access allow allowed

# after allowed hosts, deny all other access to this proxy
# don't list any other access settings below this point
http_access deny all

# specify which hosts have direct access (bypassing the parent proxy)
always_direct allow godirect
always_direct deny all

# hierarchy stop list (squid-recommended)
hierarchy_stoplist cgi-bin ?

# refresh patterns (squid-recommended)
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320

always_direct deny all
never_direct allow all

To get this running there is some things to run, there might be a GUI. But thinking about it, the machine was running 10.6, and I'm running 10.5, doh! I'll have to check out if it works on this first.

So, it doesn't come with 10.5. Downloaded latest version and found this website. Didn't work. You need a compiler which doesn't come on the mac, doh! Tried installing GCC compiler, which doesn't work either! Doh!

So I searched for a GUI for Squid and found SquidMan. Works very nicely, with no messing about with compiling, yay. Had a little trouble getting it to work. What is also good is that you can manipulate the config file it uses! So I copied and pasted from above, but errors came up about permission to write to log files. I left the log files section alone and pasted the rest but it came up with permission denied.

In the end, I just used the default settings, under General I put HTTP port to 8080, Visible hostame to localhost.

Under parent I put "Use a parent proxy server", hostname port 8080, and ticked "Parent requires authentication. But putting username and password here doesn't seem to work. Leaving them blank asks you for a username and password when the service starts and works without putting domains in. Yay!

No comments:

Post a Comment