Squid on Mac OS X With Ad Blocking
5th Jun 2005, 09:38:03
Outdated!
This article is rather outdated. View the updated article.
To quote www.squid-cache.org "Squid is a high-performance proxy caching server for web clients, supporting FTP, gopher, and HTTP data objects." I use Squid not only to save bandwidth, but also to block advertisements. There are also performance gains - watch how puzzled your freinds are when they bring round their Mac and download the 10.4.1 update in seven seconds!
You need the right tools
We're going to build Squid from source, but it's not hard to do. In order to do this, you will need Xcode, which is on the Tiger DVD. If you don't have tiger yet, you can still install Squid, but install Xcode 1.5 first (free membership or Apple ID required).
Start building
As of 4th June 2005, the latest version of Squid was 2.5.STABLE10, but there may be a later version by the time you read this. Just copy the URL of the latest version from the top of this page at www.squid-cache.org. Download and unpack the source code:
mkdir ~/source
cd ~/source
curl -O http://www.squid-cache.org/Versions/v2/2.5/squid-2.5.STABLE10.tar.bz2
tar xjf squid-2.5.STABLE10.tar.bz2
You must select any options you want when you build Squid. I chose SSL support because I want to proxy secure sites and also specified delay pools, since when properly configured, they can prevent users hogging the bandwidth.
cd squid-2.5.STABLE10
./configure --enable-ssl --enable-delay-pools
make
sudo make install
Configure Squid
Your Squid will now reside in /usr/local/squid. It's now time to tune its configuration to match your Mac, which you do by editing
/usr/local/squid/etc/squid.conf, here's my configuration file with comments you might find useful (download):
# Server details
#Squid must run as a regular user and group - ***NOT ROOT***
cache_effective_user nobody
cache_effective_group wheel
#Tell Squid to listen to port 3128, but substitute your Mac's IP address!
http_port 172.16.0.81:3128
http_port 127.0.0.1:3128
#Tell your users who to contact if there's a problem - shown on error pages
cache_mgr foo@example.com
#Tells Squid how to identify itself in error pages
visible_hostname Power-Mac.local.
# Caches
#Where do you want Squid to store it's cache? I have a 120GB drive I use, but you may not, the commented out values might make more sense for you:
#cache_dir ufs /usr/local/squid/var/cache 7000 16 256
#If you specify a cache outside /usr/local/squid, chown -R nobody:wheel it so squid has full access!
cache_dir ufs /Volumes/Squid 102835 247 256
cache_swap_low 90
cache_swap_high 95
cache_mem 32 MB
maximum_object_size 1 GB
# Cache tweaks
#These are useful tweaks to aggressively cache things that don't change often:
refresh_pattern . 0 20% 4320
refresh_pattern -i \.gz$ 4320 100% 43200 reload-into-ims
refresh_pattern -i \.bz2$ 4320 100% 43200 reload-into-ims
refresh_pattern -i \.dmg$ 4320 100% 43200 reload-into-ims
refresh_pattern -i \.bin$ 4320 100% 43200 reload-into-ims
refresh_pattern -i windowsupdate.com/.*\.(cab|exe) 4320 100% 43200 reload-into-ims
refresh_pattern -i download.microsoft.com/.*\.(cab|exe) 4320 100% 43200 reload-into-ims
refresh_pattern -i uk.download.windowsupdate.com/.*\.(cab|exe) 4320 100% 43200 reload-into-ims
#Ad filtering
#Leave this commented out for now
#redirect_program /usr/local/bin/wrapzap
# Logs
#Just to let squid know where to keep its logs.
cache_log /usr/local/squid/var/logs/cache.log
cache_access_log /usr/local/squid/var/logs/access.log
cache_store_log none
#This can help troubleshooting, but leave commented out for now, it degrades performance
#cache_store_log /usr/local/squid/var/logs/store.log
# keep 4 versions of the logs
logfile_rotate 4
# Access control
# Who is allowed to access Squid?
acl All src 0/0
acl Manager proto cache_object
# Allow proxy to access itself
acl Localhost src 127.0.0.1/32
# What ports should squid be allowed to proxy? These are sensible values
acl Safe_ports port 80 21 443 563 70 210 280 488 591 777 1025-65535
acl SSL_ports port 443 563
acl CONNECT method CONNECT
# Replace this with your lan's actual network address
acl SpruceWayNetwork src 172.16.0.0/24
http_access allow Manager Localhost
http_access deny Manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow SpruceWayNetwork
http_access allow Localhost
http_access deny All
#The cache manager lets you see some squid stats
cachemgr_passwd ******* all
Run Squid!
Firstly, chown the Squid's directory so it can write where it needs to:
sudo chown -R nobody:wheel /usr/local/squid
Now, create the cache directories (might take a while):
sudo /usr/local/squid/sbin/squid -z
The moment of truth, time to start Squid!:
sudo /usr/local/squid/sbin/squid -D
OK, we're nearly there now, we just have to open port 3128 in the firewall:
...and set your browser to use the proxy.
I hope it works. If you want Squid to start at boot, download this file, uncompress it and copy the Squid folder to
/Library/StartupItems.
Block Advertisements
Squid does not have the ability to block ads by default, you have to install adzapper to do it.
Firstly, fetch the scripts and place them in /usr/local/bin
sudo curl http://adzapper.sourceforge.net/scripts/squid_redirect -o /usr/local/bin/squid_redirect
sudo curl http://adzapper.sourceforge.net/scripts/wrapzap -o /usr/local/bin/wrapzap
Optionally, edit the wrapzap script:
By default, adzapper scrawls "This ad zapped" where ads would normally be. This is useful for troubleshooting, but probably not what you want. To make ads disappear, find this line
ZAP_MODE= # or "CLEAR"
and change it to
ZAP_MODE=CLEAR # or "CLEAR"
Any self-respecting geek has their own web server, so, fetch the replacement images, put them on your web server and edit this line to match:
ZAP_BASE=http://adzapper.sourceforge.net/zaps # a local web server will be better
The final step is to uncomment the redirector line in squid.conf, and reload squid with:
sudo /usr/local/squid/sbin/squid -k reconfigure
The squid_redirect seems to be updated often in order to refine what content gets blocked. For extra credit, insert something like this line in your
/etc/crontab:
00 1 * * 1 root curl http://adzapper.sourceforge.net/scripts/squid_redirect -o /usr/local/bin/squid_redirect
I will leave it to the reader to decide whether their conscience allows them to block ads, but here's the type of improvement you can expect:
It's worth noting that adzapper does not generally block unobtrusive ads such as Google's adwords. Perhaps (yeah, right!) this might encourage advertisers to use less flashing, spinning, several-hundred-k adverts if more people used it?