On 18/11/2013 15:09 CET, Gianfranco Gallizia wrote:
Hello everyone, I have a question regarding relayd(8) in OpenBSD 5.3

I was playing a little with relayd as a transparent proxy with URL
filtering using this relayd.conf:


     http protocol httpfilter {
         # Return HTML error pages
         return error

         header change "Connection" to "close"

         # Block requests to unwanted hosts
         request url filter file "/etc/blacklist.txt"
     }

     relay httpproxy {
         listen on 127.0.0.1 port 8080
         protocol "httpfilter"
         forward to destination
     }

then I've added this line to my pf.conf:

pass quick inet proto tcp to port http divert-to 127.0.0.1 port 8080

So far everything is working fine: pf redirects all the HTTP traffic on
the standard TCP port and relayd takes care of the rest filtering out
anything I place in /etc/blacklist.txt

Is it possible to do so for HTTPS connections too? I've found a lot of
tutorials/documentation aiming at SSL acceleration but none about a
transparent SSL proxy. As far as I know "forward to destination" doesn't
have an ssl option like "forward with ssl to $address".

I fear I am looking at the problem from the wrong side, so I've
decided to ask for advice before messing with the conf files and/or
looking at the source code of relayd.

Thanks for your time,

Gianfranco Gallizia


I did some more research and it seems that I was right about "looking at
the problem from the wrong side". While relayd(8) can work as a
filtering proxy, its purpose is to perform well as a load balancer/SSL
accelerator.

I'm back to square one: either I install something like
squid+squidGuard, generate a certificate, pay someone to sign it and
then set up a MITM HTTPS transparent proxy, or I keep the gateway as it
is and work on the clients' configuration.

Since I don't have to work with hundreds or thousands of clients I
decided to keep the gateway as it is now.

I have found that there's a patch[1] to let relayd handle HTTPS as a
transparent proxy but I don't see any good reason to apply that patch
since I'll have to maintain it myself and probably I'll break something
in the process.

[1] http://www.reykfloeter.com/post/41814177050/relayd-ssl-interception
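The following is an added example written for this page; it is not code from the post, from relayd, or from the patch linked above. It models the two sides of the question in the thread: a blacklist of the shape the post uses for /etc/blacklist.txt is applied to a plaintext HTTP request (Host plus full path, as the relayd "request url filter" sees it after the pf divert-to), and then to an HTTPS connection that is not decrypted, where the only name the gateway can read is the server_name (SNI) in the TLS ClientHello. The blacklist entry format and the matching rule (entry host matches itself or any subdomain, optional path prefix) are hypothetical simplifications and not relayd's actual semantics; the ClientHello layout follows the TLS record format, and the sample blacklist and the ClientHello bytes are constructed in the script. The point it makes is that host-only filtering of HTTPS works without a MITM, while any path-level entry needs the plaintext, which for HTTPS means terminating TLS on the gateway with a certificate the clients have been configured to trust.

```python
# Added example (not code from the post or from relayd): a model of a
# blacklist-driven transparent filter, to show what the gateway can see for
# HTTP versus HTTPS. Assumptions: the entry format and the matching rule
# below are hypothetical simplifications, not relayd's actual semantics.
import struct
from typing import List, Optional, Tuple

# Constructed sample blacklist, in the shape the post uses for /etc/blacklist.txt
# (one "host" or "host/path-prefix" per line; '#' starts a comment).
BLACKLIST_TXT = """\
# constructed sample, not a real blacklist
ads.example.com
www.example.net/tracking
"""


def load_blacklist(text: str) -> List[Tuple[str, str]]:
    """Parse entries into (host, path_prefix); path_prefix is '' for host-only entries."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        host, sep, path = line.partition("/")
        entries.append((host.lower(), sep + path if sep else ""))
    return entries


def is_blocked(host: str, path: str, blacklist: List[Tuple[str, str]]) -> bool:
    """Assumed rule: entry host matches itself or any subdomain; path prefix must match too."""
    host = host.lower()
    for bl_host, bl_path in blacklist:
        host_hit = host == bl_host or host.endswith("." + bl_host)
        if host_hit and path.startswith(bl_path):
            return True
    return False


def parse_sni(data: bytes) -> Optional[str]:
    """Extract server_name from a TLS ClientHello record; None if absent or not TLS."""
    if len(data) < 5 or data[0] != 0x16:          # 0x16 = handshake record type
        return None
    rec_len = struct.unpack("!H", data[3:5])[0]
    hs = data[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:              # 0x01 = ClientHello
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                  # client_version + random
    try:
        pos += 1 + body[pos]                                      # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]      # cipher_suites
        pos += 1 + body[pos]                                      # compression_methods
        ext_end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= min(ext_end, len(body)):
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            edata = body[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            if etype != 0:                        # 0 = server_name extension
                continue
            q = 2                                 # skip ServerNameList length
            while q + 3 <= len(edata):
                ntype = edata[q]
                nlen = struct.unpack("!H", edata[q + 1:q + 3])[0]
                name = edata[q + 3:q + 3 + nlen]
                q += 3 + nlen
                if ntype == 0:                    # name_type host_name
                    return name.decode("ascii", "replace")
    except (IndexError, struct.error):            # truncated or malformed hello
        return None
    return None


def build_client_hello(host: str) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello carrying an SNI extension (test input)."""
    name = host.encode("ascii")
    server_name = b"\x00" + struct.pack("!H", len(name)) + name
    sni_list = struct.pack("!H", len(server_name)) + server_name
    ext = struct.pack("!HH", 0, len(sni_list)) + sni_list
    body = (b"\x03\x03" + bytes(32) + b"\x00"          # version, random, empty session id
            + struct.pack("!H", 2) + b"\xc0\x2f"        # one cipher suite
            + b"\x01\x00"                               # null compression only
            + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def classify_http(host: str, path: str, blacklist) -> bool:
    """Plaintext HTTP: the proxy sees the Host header and the full request path."""
    return is_blocked(host, path, blacklist)


def classify_tls(client_hello: bytes, blacklist) -> Tuple[Optional[str], bool]:
    """HTTPS without decryption: only the SNI host is visible, never the path."""
    host = parse_sni(client_hello)
    if host is None:
        return None, False
    # The path is unknown, so only host-only entries (empty prefix) can match.
    return host, is_blocked(host, "", [e for e in blacklist if e[1] == ""])


if __name__ == "__main__":
    bl = load_blacklist(BLACKLIST_TXT)
    print(classify_http("www.example.net", "/tracking/pixel.gif", bl))  # True
    print(classify_tls(build_client_hello("ads.example.com"), bl))      # ('ads.example.com', True)
    print(classify_tls(build_client_hello("www.example.net"), bl))      # ('www.example.net', False)
```

The last call is the interesting one: the "www.example.net/tracking" entry is hit by the HTTP request, but the HTTPS connection to the same host passes, because without terminating TLS the gateway never sees "/tracking". A host-only entry such as "ads.example.com" is enforceable from the SNI alone, and a client that omits SNI entirely yields no hostname at all, which is why such a filter is usually paired with a default deny for hello messages without it.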
