2 Replies Latest reply: Jul 28, 2011 5:15 AM by John Lockwood
hagerty Level 1 (0 points)

How do I set up a Forward Proxy on OS X Lion server?

iMac, Mac OS X (10.7)
  • zebity Level 1 (0 points)
    This is not really an OS X Lion function...


    You could set up a reverse proxy with "Snow Leopard Server" using the "Mobile Gateway".


    Establishing a forward proxy is typically done by changing the DHCP options to provide the clients with the required proxy information.


    As part of IP address allocation the client machines can be provided with this information, including gateways, DNS servers, proxy locations, NTP time machines, etc.


    If you are asking about running the proxy on the box, then I would not do this directly but instead create a Unix (FreeBSD or Linux) based VM to set up whatever "Open Source" proxy you might want to use. This is simpler than installing and running them natively within the "Lion Server".


    I have "Lion Server" running VMware and running a number of servers, including SIP Proxy, Caching Server and Apache & Tomcat Servers, all hosted within virtual machines.


    This is easier to manage (due to isolation) than trying to put them all directly on a single "Lion Server".
  • John Lockwood Level 5 (7,235 points)

    I have not tried it under Lion but did under Leopard Server and see no reason why you cannot do so under Lion Server.


    If you are using Lion Server as your DHCP server you can configure DHCP option code 252 to 'advertise' your Proxy server. (Actually Leopard and Snow Leopard servers can also provide this DHCP option code.)


    Snow Leopard (not Leopard) or later clients now have an option in -


    System Preferences --> Network --> Advanced --> Proxies


    to turn on Automatic Proxy Configuration which should cause the Mac clients to listen for this setting.


    For configuring your Mac OS X server DHCP server to add the DHCP option code setting you will probably need a utility I wrote to make it easier to generate the text you need to add to /etc/bootpd.plist; see http://web.me.com/jelockwood/MyUtilities/dhcp.html (get it quick before Apple kills MobileMe).


    Of course now you need a proxy server. The one I used is the free open-source Squid proxy server. I downloaded and compiled it (which means you need Xcode). I then also downloaded and compiled the LDAP PAM module so Squid could authenticate users via Open Directory; this made it possible to log activity against user names. Authentication is optional, but if you don't use it, Squid will only be able to log activity against IP addresses and will also be unable to limit access.


    The following links are old but are what I used to get started; see http://www.afp548.com/article.php?story=20041207040115940 and http://www.afp548.com/article.php?story=20040903184124948


    Having successfully achieved all the above, I then went completely over the top and set up a MySQL database to store the Squid log of activity, and then set up FileMaker Pro to link to MySQL via ODBC to make it easier to produce pretty reports and do searches.


    Note: When I set up the PAM module I found that, since it uses standard LDAP commands to talk to Open Directory, it could only authenticate with a user's shortname (aka uid) and not their full name (aka cn).


    You can extend Squid by adding DansGuardian which provides a means of blacklisting websites or categories of websites. I did not try this myself.
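    The answer above relies on DHCP option code 252 carrying the proxy auto-configuration URL to clients. The following is an added example (not code from the thread or from Apple's bootpd) that builds and parses the DHCP options field as a client would see it, so you can confirm what the server is actually advertising before suspecting the client-side "Automatic Proxy Configuration" setting; the URL and the DHCP message type value are constructed sample data.

```python
"""Encode and decode DHCP option 252 (WPAD proxy auto-config URL).

Option 252 is a de-facto convention used by Apple, Microsoft and others;
it is not an IANA-assigned code, so treat it as site-specific."""
import struct

WPAD_OPTION = 252
PAD_OPTION = 0
END_OPTION = 255
MAGIC_COOKIE = b"\x63\x82\x53\x63"   # RFC 2132 magic cookie that opens the options field


def encode_options(options):
    """Serialise a list of (code, bytes) pairs into a DHCP options field."""
    out = bytearray(MAGIC_COOKIE)
    for code, value in options:
        if not 0 < code < 255:
            raise ValueError("option code out of range")
        if len(value) > 255:
            raise ValueError("option value too long for a single TLV")
        out += struct.pack("!BB", code, len(value)) + value
    out.append(END_OPTION)
    return bytes(out)


def decode_options(blob):
    """Parse a DHCP options field into {code: bytes}; stops at END, skips PAD."""
    if not blob.startswith(MAGIC_COOKIE):
        raise ValueError("missing DHCP magic cookie")
    i, found = len(MAGIC_COOKIE), {}
    while i < len(blob):
        code = blob[i]
        if code == END_OPTION:
            break
        if code == PAD_OPTION:
            i += 1
            continue
        if i + 1 >= len(blob):
            raise ValueError("truncated option header")
        length = blob[i + 1]
        value = blob[i + 2 : i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")   # refuse partial TLVs rather than guessing
        found[code] = value
        i += 2 + length
    return found


def wpad_url(options):
    """Return the option-252 URL, or None if absent; some servers append a NUL or newline."""
    raw = options.get(WPAD_OPTION)
    return None if raw is None else raw.rstrip(b"\x00\n").decode("ascii")
```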