Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.
Probably next step would be to confirm whether or not requests made with vpn are hitting the proxy server or not, I assume you can check squid logs for this.
Sorry to reply only now, for some reason mail notifications are somewhat, well, intermittent. No idea why.

Where are those Squid logs to be found? No search for squid+log is giving any result on my machine (with old Find Any File, that usually finds everything).
 

Wowfunhappy

macrumors 68000
Original poster
Mar 12, 2019
1,607
1,981
Where are those Squid logs to be found? No search for squid+log is giving any result on my machine (with old Find Any File, that usually finds everything).

Sorry, Squid logs are actually sent to /dev/null by default. Any problems creating or writing to a log file (such as permissions issues) are fatal error in squid, so after this being the source of issues a few times, I just turned it off.

If you want to see the logs, you need to edit squid.conf and change:

Code:
cache_log /dev/null
access_log none

to

Code:
cache_log /Users/YourName/Desktop/cache.log
access_log /Users/YourName/Desktop/access.log

Afterwards, restart squid. There are much faster ways to do this, but the simplest is probably to restart your computer. Note that while this is active, squid likely won't work when you switch users (because it won't be able to write to its log file).

---

I'll be honest, I'm not currently planning to fix this problem. As far as I can tell, it's a flaw in the third-party VPN software.

Options to consider include:
  • Set up your VPN at the router level. (Or set up Squid at the router level, but putting the VPN there is likely easier, especially if you always connect to the internet via a VPN.)
  • Choose a VPN provider that supports the L2TP protocol natively supported by legacy OS X. (Or the PPTP protocol which is also supported, but apparently PPTP has legitimate security issues.)
    • I don't know for sure that this will work, however if you set up a VPN as a network interface in System Preferences, you can add an HTTPS proxy to that interface just like any other. Hard to believe OS X would ignore that. As a very occasional VPN user myself, I'm personally planning to do this in the fall, when my current subscription expires.
 
Note that while this is active, squid likely won't work when you switch users (because it won't be able to write to its log file).
If I understood @f54da correctly I would have to try and compare the Squid logs of the good and a bad server. But does your last sentence about switching users seem to imply that this wouldn't be possible? I'm a bit lost here… maybe I'm not understanding the sequence properly.
 

Wowfunhappy

macrumors 68000
Original poster
Mar 12, 2019
1,607
1,981
If I understood @f54da correctly I would have to try and compare the Squid logs of the good and a bad server. But does your last sentence about switching users seem to imply that this wouldn't be possible? I'm a bit lost here… maybe I'm not understanding the sequence properly.
You can switch servers, you can't switch OS X user accounts without also editing the log file location, or setting the location to a directory that both users have write access to.

So if you set the log file to save in /Users/JohnSmith/Desktop, everything will work fine while you're logged in as John Smith. However, if you log in as Jane Doe, Squid may refuse to start, because Jane Doe cannot write to /Users/JohnSmith/Desktop.
 

f54da

macrumors 6502
Dec 22, 2021
357
131
>it's a flaw in the third-party VPN software.

I suspect it might be a flaw with how osx treats utun interface. I'd need someone to post the output from CFNetworkCopySystemProxySettings() to confirm though. I wonder if you can set proxy settings programatically for this interface? Or whether using legacy tun/tap instead of native utun makes any difference.
 
You can switch servers, you can't switch OS X user accounts without also editing the log file location, or setting the location to a directory that both users have write access to.

So if you set the log file to save in /Users/JohnSmith/Desktop, everything will work fine while you're logged in as John Smith. However, if you log in as Jane Doe, Squid may refuse to start, because Jane Doe cannot write to /Users/JohnSmith/Desktop.
Got it. We've always had a “policy” of 1 machine = 1 user account, so everybody's their own JohnSmithes. I'm just not used to think in those terms. I'll be back if I can deduct anything from those logs.
 

Wowfunhappy

macrumors 68000
Original poster
Mar 12, 2019
1,607
1,981
@f54da

Sorry for the delay:

CFNetworkCopySystemProxySettings() without VPN:
Code:
{
    ExceptionsList =     (
        "*.local",
        "169.254/16"
    );
    FTPPassive = 1;
    HTTPEnable = 0;
    HTTPSEnable = 1;
    HTTPSPort = 3128;
    HTTPSProxy = localhost;
    "__SCOPED__" =     {
        en2 =         {
            ExceptionsList =             (
                "*.local",
                "169.254/16"
            );
            FTPPassive = 1;
            HTTPEnable = 0;
            HTTPSEnable = 1;
            HTTPSPort = 3128;
            HTTPSProxy = localhost;
        };
    };
}

CFNetworkCopySystemProxySettings() while connected to a VPN in Viscocity:
Code:
{
    "__SCOPED__" =     {
        en2 =         {
            ExceptionsList =             (
                "*.local",
                "169.254/16"
            );
            FTPPassive = 1;
            HTTPEnable = 0;
            HTTPSEnable = 1;
            HTTPSPort = 3128;
            HTTPSProxy = localhost;
        };
    };
}

The shorter output when a VPN is connected is not a mistake.

Binary used to dump the output is attached.
 

Attachments

  • dump-proxy-settings.zip
    1.5 KB · Views: 63

f54da

macrumors 6502
Dec 22, 2021
357
131
Hmmm. Well that confirms that a proxy is indeed not being used. Possibly related https://developer.apple.com/forums/thread/49749

>The difference between our configurations was that I was connected through VPN and he was not. Sure enough, if I disconnect my VPN, I now see the first interfaces proxy settings properly copied into the root of the dictionary, but when connected through VPN they are not. This appears to be a bug in SCDynamicStoreCopyProxies when running under VPN (the proxy settings for the current adapter are not copied into the root).

Some so-called "galaxy brain ideas", can we manually modify this dictionary to ensure that proxy is copied to the root? It seems `SCDynamicStoreSetValue` is what you would use for this. https://stackoverflow.com/questions/30855724/how-to-programmatically-set-proxy-settings. Or what if we just patch the result of this method to always copy the proxy settings from the active interface to the root of the dict?
 

f54da

macrumors 6502
Dec 22, 2021
357
131
I like the galaxy brain approach


>Im trying to configure proxy programmatically on OS X 10.10. scutil --proxy shows correct settings **and the system actually uses them**, but new settings don't appear on the proxy tab on Network preferences(in System Preferences).

indicating that this is indeed sufficient.


Also I really didn't know that SystemConfiguration.framework on osx existed, apparently there's an `scutil` command you can use. And SCDynamicStoreCopyProxies() does same thing as CFNetworkCopySystemProxySettings()

 

f54da

macrumors 6502
Dec 22, 2021
357
131
I checked my favorite little proxy manager app (NetShade), and it too uses `SystemConfiguration.framework`. The fact that the SO poster wasn't able to get things to reflect in system preferences is probably because he didn't use SCPreferencesCommitChanges and SCPreferencesApplyChanges to make it persistent.

In fact, in disassembling NetShade I see that it does seem to explicitly handle the case of both vpn and proxy enabled correctly, since it pops up a little message saying to expect slightly slower speeds (so I assume they tested this, and given that they modify SCPreferences directly I imagine it works).

[Btw if you want a vpn rec, I really do recommend them. I've only used their proxy, not vpn service, but their app is very cute, and I like the honesty of their articles.]
 

Wowfunhappy

macrumors 68000
Original poster
Mar 12, 2019
1,607
1,981
@RobJos It might be interesting if you could run that binary I posted, and post the output, when:

1. You're not connected to a VPN.
2. You're connected to that one VPN server that uses the proxy for some reason.
3. You're connected to a VPN that does not use the proxy.

[Btw if you want a vpn rec, I really do recommend them. I've only used their proxy, not vpn service, but their app is very cute, and I like the honesty of their articles.]
Thanks, they also support IKEv2, so should be natively supported in System Preferences and thus not have this issue.
 

f54da

macrumors 6502
Dec 22, 2021
357
131
> could run that binary I posted

`scutil --proxy` should theoretically give the same output (haven't checked though)

>IKEv2, so should be natively supported in System Preferences and thus not have this issue.

Maybe. They do also install a tun/tap driver though, so I think they also support alternative protocols. Let me see if I can figure out the right api calls to programatically set proxy settings via SCPreferences, if that works it's probably the best option.

Edit: Actually IKEv2 is only for the app store version, and that too only for 10.11+. The non-MAS version compatible down to 10.6.8 uses OpenVPN.

>NetShade AS uses an IKEv2 VPN infrastructure, built with Apple’s new NetworkExtension framework. This replaces the OpenVPN backend in the standard version of NetShade. With this approach, NetShade no longer needs to install custom software in order to make VPN connections. Instead, it uses the software that’s now built into OS X. This makes for a cleaner app with no external dependencies.
 
Last edited:

f54da

macrumors 6502
Dec 22, 2021
357
131
@Wowfunhappy One more thing, can you noodle around with the `scutil` CLI (it goes into a REPL, do `help` to see commands. You can issue `list`, `get <path>`, then `d.show` to dump dict contents. Get won't print any output, you have to issue `d.show` afterwards).

I'm fairly certain we should be able get this to work to set proxy settings programatically. Maybe one of the approaches https://github.com/chetan51/sidestep/blob/master/ProxySetter.m#L46-L150, https://github.com/google/macops/blob/master/gmacpyutil/gmacpyutil/systemconfig.py#L76-L90, or https://stackoverflow.com/questions/27229645/set-proxy-settings-programmatically-on-os-x

would work. Probably we won't be able to set it permanently, but if we can at least get it working until a network interface change we can pair that with a listener that reapplies things.
 
@RobJos It might be interesting if you could run that binary I posted, and post the output, when:

1. You're not connected to a VPN.
2. You're connected to that one VPN server that uses the proxy for some reason.
3. You're connected to a VPN that does not use the proxy.
Lucky I came across this while scrolling through you folks' posts. Can't understand why I'm not getting the notifications.

Anyway, I'm a bit (= euphemism!) overwhelmed right now, but I'll get to it in time. Just to make sure: the binary, that's the file dump-proxy-settings.zip, right? And the proxy is your Squid proxy? You see, I always use the VPN's SOCKS proxy.

I've been working on the logs, coming shortly.
 
From the access.log. I tried to select, clean up and edit IP addresses etc. (in italics) to the best of my abilities. Note that I when I changed to the bad server, I really got that line five times.

Bootup, good server
127.0.0.1 NONE/200 0 CONNECT www.tunnelblick.net:443 - HIER_NONE/- -
127.0.0.1 TCP_MISS/200 839 GET https://www.tunnelblick.net/ipinfo - HIER_DIRECT/11.22.33.44 text/plain

iTunes, update podcast

127.0.0.1 NONE/200 0 CONNECT podcast_server.net:443 - HIER_NONE/
127.0.0.1 TCP_MISS/200 21009 GET podcast_URL.xml - HIER_DIRECT/55.66.77.88 application/xml

Email image

127.0.0.1 NONE/200 0 CONNECT www.website.com:443 - HIER_NONE/- -
127.0.0.1 TCP_MISS/200 16926 GET ? - HIER_DIRECT/99.10.11.12 image/jpeg
127.0.0.1 TCP_MISS/200 4393 GET https://emailsignature.trustpilot.com/xyz.png - HIER_DIRECT/100.110.120.130 image/png

Change to bad server

127.0.0.1 NONE/200 0 CONNECT www.tunnelblick.net:443 - HIER_NONE/- -
127.0.0.1 NONE/200 0 CONNECT www.tunnelblick.net:443 - HIER_NONE/- -
127.0.0.1 NONE/200 0 CONNECT www.tunnelblick.net:443 - HIER_NONE/- -
127.0.0.1 NONE/200 0 CONNECT www.tunnelblick.net:443 - HIER_NONE/- -
127.0.0.1 NONE/200 0 CONNECT www.tunnelblick.net:443 - HIER_NONE/- -

iTunes, update podcast

127.0.0.1 NONE/200 0 CONNECT podcast_server.net:443 - HIER_NONE/- -
127.0.0.1 TCP_MISS/503 388 GET podcast_URL.xml - HIER_NONE/- text/html

Email image
127.0.0.1 NONE/200 0 CONNECT www.website.com:443 - HIER_NONE/- -
127.0.0.1 TCP_MISS/503 388 GET GET ? - HIER_NONE/- text/html
127.0.0.1 TCP_MISS_ABORTED/000 0 GET https://emailsignature.trustpilot.com/xyz.png - HIER_NONE/- -

Question is then, why those 503's instead of 200's?

From the cache.log.
Maybe less useful, but who am I to judge...

Bootup, good server
5 times: [date / time] kid1| WARNING: no_suid: setuid(0): (1) Operation not permitted

Then about 80 lines similar to:
[date / time] kid1| WARNING: failed to find or read error text file ERR_DIR_LISTING
[date / time] kid1| ERROR: loading file '/Library/Squid/errors/templates/ERR_SHUTTING_DOWN': (2) No such file or directory
[date / time] kid1| WARNING: failed to find or read error text file ERR_SHUTTING_DOWN
[date / time] kid1| ERROR: loading file '/Library/Squid/errors/templates/ERR_PROTOCOL_UNKNOWN': (2) No such file or directory
[date / time] kid1| WARNING: failed to find or read error text file ERR_PROTOCOL_UNKNOWN

Following email access:
[date / time] kid1| Error parsing SSL Server Hello Message on FD 35

Bad server

Following new email access, came right after to the line above.

[date / time] kid1| ERROR: loading file '/Library/Squid/errors/en-us/ERR_DNS_FAIL': (2) No such file or directory
[date / time] kid1| WARNING: Error Pages Missing Language: en-us
[date / time] kid1| ERROR: loading file '/Library/Squid/errors/en-us/ERR_DNS_FAIL': (2) No such file or directory
[date / time] kid1| WARNING: Error Pages Missing Language: en-us

If something's not clear, just ask, I'm keeping the complete logs at their different stages.
 
A possible different approach, suggested by a family member who's been watching my travails. Would it make sense to have applications, in my case the only two applications I need Squid for, bypass the VPN while still using Squid? As discussed in this Stack Exchange thread. Some of it not relevant (VirtualBox VM, for separate reasons), impossible to implement (the IP addresses of a few podcasts can be entered manually, but zillions of calls to email images!?), and much of it is beyond my understanding. Which is why I'm bringing it to your attention.

Possibly complementing it, this other thread.
 

f54da

macrumors 6502
Dec 22, 2021
357
131
> I always use the VPN's SOCKS proxy
I don't understand what you mean by this, since a vpn is different from a socks proxy. Some vpn providers may also offer proxies, but we need to be very precise about the exact the network setup you're using.

It seems that regardless of the server you're using, the first hop is going through squid. So I don't think this is the issue wowfunhappy & I were discussing where proxies are bypassed entirely when using a vpn on osx.

The fact that you're seeing 503 is a bit puzzling. Maybe try https://stackoverflow.com/questions/54480971/503-service-unavailable-with-squid? Could be an ipv6 related issue. That might also explain why one server works but not the other, I guess reachability could be different.
 
  • Like
Reactions: Wowfunhappy
> I always use the VPN's SOCKS proxy
I don't understand what you mean by this, since a vpn is different from a socks proxy. Some vpn providers may also offer proxies, but we need to be very precise about the exact the network setup you're using.
OK, in all the applications that allow for it (browsers, Fetch, VirtualBox and others) I use, have always used, the SOCKS5 proxy offered by my VPN services. But — as far as I know — such an option does not exist in iTunes 10 nor in Entourage (the Microsoft mail application). I can enter it in the Network CP/Advanced/Proxies/SOCKS Proxy setting, but it doesn't seem to make a difference. I hope this clears the misunderstanding.
The fact that you're seeing 503 is a bit puzzling. Maybe try https://stackoverflow.com/questions/54480971/503-service-unavailable-with-squid? Could be an ipv6 related issue. That might also explain why one server works but not the other, I guess reachability could be different.
Most of that StackOverflow post I'm not able to follow, and anyway I wouldn't dare to modify Squid files or enter stuff in the terminal without somebody holding my hand. But, with regard to IPv6 (which is not something I've ever needed to pay attention to — not that I don't agree that your suspicion is relevant), that same Network CP/Advanced/TCP+IP tab has a Configure IPv6 pop-down: Automatically, Manually, or Off. As far as I know it's always been set to Automatically, but the three fields below are empty, regardless of good server, bad server or no VPN.

IPv6 Off apparently makes no difference, and I wouldn't know what to fill in Manually.

However, while proceding to those tests I discovered that quitting Tunnelblick, i.e. not connecting through the VPN (with, I assume, Squid remaining active), leads to the same negative results as the bad servers. Or: it seems that the good server “adds” something that allows Squid to achieve its purpose. Can this be right?

I'll be back as soon as I get a moment to deal with the binary posted by ‪Wowfunhappy.
 
DISCOVERY OF THE DAY (totally by chance). Premise: the VPN software allows for automatically connecting to a specific server at bootup. Later, one can change servers according to one's needs.

Well, as it so happens — that bootup connection server is the “good” server, regardless of IP or location. And: any other server you connect to instead, at a later point during the same session, is a “bad” server.

Moreover: if I select another server as the bootup server, quit and relaunch Tunnelblick, it will automatically connect to the new selection — but it will remain stuck as a bad server, and the good server will still be the server that was connected to at bootup time. Only by rebooting will the newly selected server become the new session's good server.

I'll let you all ponder over this intensely bizarre behaviour (to me, at any rate).

@RobJos It might be interesting if you could run that binary I posted, and post the output, when:

1. You're not connected to a VPN.
2. You're connected to that one VPN server that uses the proxy for some reason.
3. You're connected to a VPN that does not use the proxy.
dump-proxy-settings — in all three cases I get the same output:
Code:
MacHD:~ robjos$ /Users/robjos/Desktop/dump-proxy-settings ; exit;
Illegal instruction
logout

[Process completed]
 

f54da

macrumors 6502
Dec 22, 2021
357
131
> I use, have always used, the SOCKS5 proxy offered by my VPN services
Then you're not using a vpn though, you're using a proxy, and none of the discussion regarding osx ignored proxy settings for a vpn interface matters, meaning the issue is likely not at the os-level in your case (i.e. it's some application specific quirk).
 
> I use, have always used, the SOCKS5 proxy offered by my VPN services
Then you're not using a vpn though, you're using a proxy, and none of the discussion regarding osx ignored proxy settings for a vpn interface matters, meaning the issue is likely not at the os-level in your case (i.e. it's some application specific quirk).
Sorry, I don't quite understand your comment. To the only part I do follow I can only reply that in the Network/Configure how [browser] connects to the Internet preferences of most browsers I know of (and of many applications like those I've listed earlier, as well as in the System Preferences' Network CP), you have something similar to this:

SOCKS5 Proxy.png

where SOCKS Host and Port are data specific to and provided by the VPN services. This is what I've always used, and I've never noticed any interference with what Squid is intended to achieve.

Anyway, as I've posted yesterday, this isn't related (but I may easily be wrong) to the issue being discussed. I've been wondering if something could be done by modifying the software's settings shown in this post, 2nd and 3rd screenshot. But what?
 
Last edited:
[Just found out now that there was something wrong about the links at the end of the previous post - corrected]

Well, thinking at this point that the single servers can be excluded as the cause of this issue, there still is the possibility that there is something inappropriate (wrong/missing/in excess) in the provider's default config files (by the fact that this problem didn't exist with the previous provider — quite different config files). Not knowing how to work on such code, I spent a few hours trying a whole bunch of different combinations in TunnelBlick's settings. No luck whatsoever, though.
 
I have found out that at boot-up, a few seconds after the connection with the server has been established, a new file by the name of “squid.pid” gets created inside the Library/Squid folder, and also that it gets deleted when shutting down. The contents are always the same: a text made of only three digits. In the majority of cases these are in the range 490-499 (a couple of 48x and 5xx as well). While these digits seem to be server-related, the file and its contents remain unchanged throughout the session, regardless of any changes of server connection. I also found that contrary to the permissions of all the other files inside the Squid folder (only System has Read & Write access), in this squid.pid's case it's only the User (Me) that has Read & Write access.

I don't know who/what creates this file, nor what's its use, but I was thinking that the issue of Squid no longer doing what it is supposed to when changing servers in the course of a session might be related to it. I did try to change its permissions to match those of the other Squid files, but (of course?) as it gets regenerated after each restart, that didn't help. And by the way, I couldn't find anything in Tunnelblick or in the config files that had any relation to a .pid extension. Any ideas?
 

Wowfunhappy

macrumors 68000
Original poster
Mar 12, 2019
1,607
1,981
I have found out that at boot-up, a few seconds after the connection with the server has been established, a new file by the name of “squid.pid” gets created inside the Library/Squid folder, and also that it gets deleted when shutting down.
This is expected behavior and has always happened. The file is created by Squid and prevents multiple instances of Squid from running at once.
 
  • Like
Reactions: RobJos
OK, found a fix of sorts. Here's the sequence:

1. Change server
2. Issue shows up
3. Activity Monitor --> Squid (2 processes)
4. Quit both processes. Simultaneously, squid.pid gets deleted in the Library/Squid folder.
5. After ≈15'', both Squid processes relaunch on their own, and a new squid.pid is created.
6. Issue gone. Until the next change of server, that is.

I said “fix of sorts”, because while it's faster than disconnecting the current server and reconnecting to the original boot-up one (not to mention rebooting the computer), it's rather clumsy. Is there a way to streamline this operation, a one-click kind of solution? Me, I don't know anything about Applescripting…
 
Last edited:
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.