Wireless Hacks. 1917 IndustrialStrength Tips and Tools [Electronic resources] نسخه متنی

Hack 97 Location Support for Tunnels in OS X

Easily choose between encrypted and unencrypted
communications using the Network Location feature in Mac OS
X.

It is
possible [Hack #91] to
encrypt your web traffic by passing it over an SSH tunnel to an HTTP
proxy. While you might think that you would always want to keep your
web traffic encrypted, there are cases where it just
isn't practical to do so. For example, if you are
using a wireless network that makes use of a captive portal (such as
NoCatAuth) that redirects the user to a web page before granting
network access, then your tunnel will fail to connect. Of course,
after you have authenticated, your tunnel will work as it normally
would. But you need to connect to the authentication service
"in the clear" in order to present
your credentials.

Another common reason to disable the tunnel is to download large
volumes of public data from a local network resource. Rather than
force all of the data to be encrypted, routed all the way down to
your tunnel server, and ultimately sent back again and decrypted, it
is probably much more efficient to connect directly and download it
in the clear. Ask yourself the question, "does it
really matter if people on the local wireless know that
I'm downloading a Debian ISO from a local
mirror?"

While in most operating systems you would have to change the
preferences of your browser in order to choose not to use the proxy,
OS X has a much more elegant solution. There is a very flexible
network configuration system built into the OS that allows for
independent settings of every network interface, and storing as many
of these settings as you like. It is called the Network Location
feature, and is accessible at all times from the Apple menu (Figure 7-13).

OS X ships with a default location called
"Automatic". I find it useful to
remove this location, and create a couple of specific new locations:
"Open" and
"Tunnel".

Open Network
Preferences,
either from the Apple menu or in
System Preferences. On the
Location drop-down box, select New
Location... and create a location called
Open. This is the location you would use when
you don't need to use the encrypted tunnel. When you
are happy with these settings, create another location called
Tunnel (as in Figure 7-14).
Select the AirPort interface, and click the
Proxies tab. Check the Web
Proxy (HTTP) box, and add 127.0.0.1 as the hostname and
3128 as the port number.

I also find it useful to add a proxy bypass for the
.local domain, so that the proxy
isn't used when accessing local Rendezvous sites
(although why Apple doesn't do this by default,
I'll never know).

Click Apply Now, and you're all
done. You can now choose whether to use the encrypted proxy by simply
selecting your Location from the Apple menu. It takes a moment or two
for the changes to take, as the interfaces are actually brought down
and back up (and so they need to request a new DHCP lease, register
the changes with any running programs, etc.). Don't
forget to start your SSH tunnel [Hack #91] before trying to use
the Tunnel location.

One word of caution about the bypass settings, and network proxy
settings in general: The bypass box seems only to allow for one
top-level domain, but does allow any number of subdomains or
hostnames. Unfortunately, they are completely ignored by some
applications (notably Mozilla and iTunes). At least at the time of
this writing (OS X 10.2.6), you need to specify separate settings for
your proxies in Mozilla, and disable proxy settings altogether when
using iTunes with remote streams if they get in the way.