SetupSquidTransparentProxy

= Squid Transparent Proxy on Palm Pre =

Ok, someone asked for it, so I figured it out, how to do it for fun and profit:

Preparation
First, you need to have root access to your device. How to get root, is described here. It would be a good idea to know a little about linux and networking too. Be warned: this can make your networking unfunctional!

Next thing you need to do is to install the package Optware Advanced Linux Command Line Installer from Preware, which installs ipkg-opt!

Installing Squid
Login to the pre console and make your root disk writable:

Type this command to install the squid optware package

Ignore the errors for the moment, we'll get to it soon.

Create a basic proxy config
Change to the directory /opt/etc/squid and move the file squid.conf which is already there to somewhere else. Now create a new squid.conf, which should have the following contents:

Basically this is a config for a transparent proxy, thus a browser will be redirected to it without knowing that it is actually connected to a proxy. We must configure it this way because the WebOS browser cannot be configured to use a proxy.

Note that we have added a single ACL here, which denies access to some random site *g*. Any other requests will be allowed. SSL (HTTPS) will not be passed through the proxy because this requires the browser to connect to it using a proxy request.

You WILL need to modify the squid.conf variable cache_peer, it points to your upstream proxy, e.g. your companys proxy. Refer to the comments for the syntax.

Prepare the directories for squid
Squid needs a directory where to store it's files, as content it caches and logfiles. You may consider to disable caching and logging. But caching may be a good idea if your traffic is limited, so you'll save some. Logging is always usefull for debugging. If you want to turn it off, use /dev/null as target for the logfiles.

Next you need let squid to prepare the directory structure using the -z option:

You should not see any errors here!

Starting squid
The installer already added it to the startup daemons, now we will start it manually:

Look in /var/cache/squid/cache.log for any errors. Use ps to see if it really runs. You may consider to install lynx and test the proxy:

If you see a google textmode site, it works.

Turn it off if everything is ok:

Add the rules to the squid startup file
Now comes the ugly part. I'll not explain it in detail: we install some iptable Rules. We tell iptables to forward any traffic destined to tcp port 80 to localhost port 3128 (this is where squid listens for incoming connections). To avoid that the requests of the proxy itself are forwarded to localhost (which would create a loop), we add a rule telling iptables to not forward web traffic if it were generated by user nobody (the user squid runs as).

To do that, edit /opt/etc/init.d/S80squid so that it looks like this:

Configure network to startup squid if WIFI comes up
Now we need to alter the behavior of the palm network manager so that it starts squid if WIFI comes up and stops it when WIFI goes down.

Change to directory /etc/pmnetconfig/.

In the file if-up modify this part:

to

In the file if-down modify this part:

to:

See it working
So, let's see how it works. Enable WIFI and fire up the browser and see if it works. You should see your requests on the remote proxy.

If you added an ACL as mentioned earlier, a message like the following should appear if you enter the url of your favourite enemy vendor (the one we configured above):



Blocking Adverts
Now squid is set up, we can use it for ad blocking. There are two steps to this:

Obtain a block list
An excellent ad block list is maintained at http://pgl.yoyo.org/as/. We need to download it in a suitable format for squid, which can be done by running the following command:

(Technical details: the wget command downloads the URL given in single quotes, then we strip the HTML mark-up and blank lines using grep. The filename at the end is where the black list will be stored.)

Configure squid to use the block list
Now we need to tell squid to block the list of URLs in the file we've just created. Open the /opt/etc/squid/squid.conf file we created above, and scroll down to where it reads:

Replace this line with:

Finally, restart squid:

To test it's working, open a browser and try to visit ads.msn.com (one of the blocked URLs). The error given should be similar to the screenshot given above.

If in the future you need to update the ad blocking list, run the commands:

For further details of filtering URLs using squid, please refer to the excelent documentation of the squid cache project.