Monday, March 10, 2008

Apple Mac OSX, Squid and Scansafe

The Scansafe service does not not formally support using squid as your traffic concentrator - they would rather you use the Connector. The Connector of course is Windows only which if you don't use Windows is bad, also the Connector sends the user information as extra encrypted header detail, which is good.

So if you don't use Windows then you can use Squid as your concentrator, but user information (because Sansafe is granular to user level so you want to have user-based and groups based policies) is sent clear.

If you can live with this, then you'll need to modify your squid.conf file.

Heres mine (NB lines may be wrapped):

cache_peer scansafe.tower.ip parent 8080 7 no-query no-digest no-netdb-exchange login=*

scansafe.tower.ip - is the tower Scansafe tell you to use
parent - you can choose parent or sibling or multicast. Only parent applies
# 8080 - is the port Scansafe use
# 7 - in theory this is not required because we're not doing the ICMP query, but for some reason you need it
# no-query - means squid will not use ICMP query to see if the next hop is available
# no-digest - again goes with not using ICMP
# no-netdb-exchange - this goes with the no-query setting
# login=* - this passes your user details through. Username only, not password!

cache_dir ufs /opt/squid/var/cache 100 16 256

# you'll notice the non-standard structure here. Its due to installing squid on OSX

auth_param basic program /opt/squid/libexec/ncsa_auth /opt/squid/etc/squid_pwd

# this is for the authentication routine. ncsa_auth only support basic clear text so you will see the passwords passing over the wire. The presumption here is that this is for a small network, like mine.

acl no_auth_required dstdomain "/opt/squid/etc/no_auth_required
http_access allow no_auth_required
acl ncsa_users proxy_auth required
http_access allow manager localhost
http_access deny manager
http_access allow ncsa_users
http_access deny !Safe_ports
acl BadSites dstdomain "/opt/squid/etc/bad-sites.squid
http_access deny BadSites
acl no_scansafe dstdomain "/opt/squid/etc/no_scansafe
always_direct allow no_scansafe
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access allow allowed
http_access deny all
always_direct deny all
never_direct allow all

# All these options allow me control of what is passed to Scansafe, and what sites require authentication. For example, I don't mind access to the Apple updates sites. Likewise if a site s not accessible under any circumstances, then I add it to BadSites.


Anonymous said...

Purewire let's you use Squid by default.

QuiteTall said...

interesting... do they have a special build to pass user credentials?

Anonymous said...

You can also install the scansafe connector onto any redhat linux distribution :)

QuiteTall said...

yes, which is nice if you run RH, but causes you work if you run only OSX...

actually I don't see the problem, the connector is only java, they could make a OSX one of they wanted...