Hack 97 Location Support for Tunnels in OS X


Easily choose between encrypted and unencrypted communications using the Network Location feature in Mac OS X.

It is possible [Hack #91] to encrypt your web traffic by passing it over an SSH tunnel to an HTTP proxy. While you might think that you would always want to keep your web traffic encrypted, there are cases where it just isn't practical to do so. For example, if you are using a wireless network that makes use of a captive portal (such as NoCatAuth) that redirects the user to a web page before granting network access, then your tunnel will fail to connect. Of course, after you have authenticated, your tunnel will work as it normally would. But you need to connect to the authentication service "in the clear" in order to present your credentials.

Another common reason to disable the tunnel is to download large volumes of public data from a local network resource. Rather than force all of the data to be encrypted, routed all the way down to your tunnel server, and ultimately sent back again and decrypted, it is probably much more efficient to connect directly and download it in the clear. Ask yourself the question, "does it really matter if people on the local wireless know that I'm downloading a Debian ISO from a local mirror?"

While in most operating systems you would have to change the preferences of your browser in order to choose not to use the proxy, OS X has a much more elegant solution. There is a very flexible network configuration system built into the OS that allows independent settings for every network interface, and lets you store as many sets of these settings as you like. It is called the Network Location feature, and is accessible at all times from the Apple menu (Figure 7-13).

Figure 7-13. Easily jump from one network configuration to another.

OS X ships with a default location called "Automatic". I find it useful to remove this location, and create a couple of specific new locations: "Open" and "Tunnel".

Open Network Preferences, either from the Apple menu or in System Preferences. On the Location drop-down box, select New Location... and create a location called Open. This is the location you would use when you don't need to use the encrypted tunnel. When you are happy with these settings, create another location called Tunnel (as in Figure 7-14). Select the AirPort interface, and click the Proxies tab. Check the Web Proxy (HTTP) box, and add 127.0.0.1 as the hostname and 3128 as the port number.

Figure 7-14. Create an encrypted location called Tunnel.

I also find it useful to add a proxy bypass for the .local domain, so that the proxy isn't used when accessing local Rendezvous sites (although why Apple doesn't do this by default, I'll never know).

Click Apply Now, and you're all done. You can now choose whether to use the encrypted proxy by simply selecting your Location from the Apple menu. It takes a moment or two for the changes to take effect, as the interfaces are actually brought down and back up (and so they need to request a new DHCP lease, register the changes with any running programs, etc.). Don't forget to start your SSH tunnel [Hack #91] before trying to use the Tunnel location.
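The same setup can be driven from the shell. This is an added example, not from the book: it assumes a modern macOS that ships the `networksetup` tool (the 10.2-era system this hack describes did not) and a network service named "Wi-Fi" rather than "AirPort". The `Tunnel` switch refuses to proceed unless something is already listening on 127.0.0.1:3128, so that forgetting Hack #91 fails loudly instead of leaving the browser hanging.

```shell
#!/bin/sh
# Script the Open/Tunnel locations from this hack with networksetup (macOS).
# NETWORKSETUP can be overridden (e.g. NETWORKSETUP=echo) for a dry run.
# Service name "Wi-Fi" and the proxy port 3128 are assumptions from the text.

proxy_listening() {
    # Is the local end of the SSH tunnel (Hack #91) accepting connections?
    port=${PROXY_PORT:-3128}
    if command -v nc >/dev/null 2>&1; then
        nc -z -w 1 127.0.0.1 "$port" >/dev/null 2>&1
    elif [ -n "$BASH_VERSION" ]; then
        (exec 3<>"/dev/tcp/127.0.0.1/$port") 2>/dev/null
    else
        return 1   # no way to probe; treat the tunnel as not running
    fi
}

setup_locations() {
    # Create "Open" (no proxy) and "Tunnel" (HTTP proxy via the SSH tunnel).
    svc=${1:-Wi-Fi}
    cmd=${NETWORKSETUP:-networksetup}
    $cmd -createlocation Open populate
    $cmd -createlocation Tunnel populate
    $cmd -switchtolocation Tunnel
    $cmd -setwebproxy "$svc" 127.0.0.1 3128
    $cmd -setwebproxystate "$svc" on
    # Bypass the proxy for local Rendezvous/Bonjour hosts, as the text suggests.
    $cmd -setproxybypassdomains "$svc" "*.local"
    $cmd -switchtolocation Open
}

use_location() {
    # Switch locations, but never to Tunnel while the tunnel is down.
    loc=${1:-Open}
    cmd=${NETWORKSETUP:-networksetup}
    if [ "$loc" = Tunnel ] && ! proxy_listening; then
        echo "nothing listening on 127.0.0.1:${PROXY_PORT:-3128}; start the SSH tunnel first" >&2
        return 1
    fi
    $cmd -switchtolocation "$loc"
}

case "${1:-}" in
    setup) setup_locations "${2:-Wi-Fi}" ;;   # ./locations.sh setup Wi-Fi
    use)   use_location "${2:-Open}" ;;       # ./locations.sh use Tunnel
    *)     : ;;                               # no args: just define functions
esac
```

Run `setup` once, then `use Tunnel` after starting the tunnel and `use Open` when you need to go through a captive portal or pull a big download in the clear.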

One word of caution about the bypass settings, and network proxy settings in general: The bypass box seems only to allow for one top-level domain, but does allow any number of subdomains or hostnames. Unfortunately, these system-wide proxy settings are completely ignored by some applications (notably Mozilla and iTunes). At least at the time of this writing (OS X 10.2.6), you need to specify separate settings for your proxies in Mozilla, and disable proxy settings altogether when using iTunes with remote streams if they get in the way.



Wireless Hacks. 100 Industrial-Strength Tips and Techniques
Year: 2003
Pages: 158
