If your firewall has enough RAM/CPU, I'd put the proxy on there. It's a lot easier to configure and manage (just redirect port 80 traffic to localhost:8080).
Otherwise, you can put it on a separate machine. Only 1 NIC is required. You have two options for configuring it:
- set the defaultrouter for all the clients on the LAN to the IP of the proxy server; add firewall rules that redirect port 80 traffic to localhost:8080
- use PF redirect rules on the main firewall to redirect outgoing port 80 traffic to the proxy on port 8080 (the dg port)