I think I found something working; I'll leave it here for others. Any advice is still welcome.
By the way, I'm confused about the "transparent forward" directive in relayd.conf. It doesn't seem to work at all, and setting up a transparent proxy does not use this keyword.

/etc/relayd.conf :

    http protocol "http" {
        tcp { nodelay, sack, socket buffer 65536, backlog 100 }
        include "/etc/relayd.proxy.conf"
        pass
    }

    http protocol "https" {
        tcp { nodelay, sack, socket buffer 65536, backlog 100 }
        include "/etc/relayd.proxy.conf"
        tls { \
            cipher-server-preference,\
            no tlsv1.0\
        }
        pass
    }

    relay "www" {
        listen on 127.0.0.1 port 8080
        protocol "http"
        forward to destination
    }

    relay "wwwtls" {
        listen on 127.0.0.1 port 8443 tls
        protocol "https"

For tls, you need /etc/ssl/127.0.0.1.crt and /etc/ssl/private/127.0.0.1.key files. Use ln -s to link with your certificate if necessary.

In /etc/httpd.conf, leave this :

    listen on * port 80
    listen on * tls port 443
    hsts preload
    tls {
        certificate ...
        key ...
    }

And finally, in /etc/pf.conf :

    pass in on egress proto tcp to port www divert-to 127.0.0.1 port 8080 \
        flags S/SA modulate state
    pass in on egress proto tcp to port https divert-to 127.0.0.1 port 8443 \
        flags S/SA modulate state
    pass out on egress proto tcp all modulate state divert-reply

This way, relayd is a transparent proxy, you can change headers and keep the original source IP (useful for logs).

Regards.
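
The post includes /etc/relayd.proxy.conf in both protocol blocks but does not show it. The fragment below is an added example, not the poster's file: a sketch of the header changes such an include could carry, where the choice of headers and values is an assumption.

```conf
# /etc/relayd.proxy.conf -- hypothetical contents, not from the original post.
# The file is included inside both the "http" and "https" protocol blocks,
# so every rule here applies to plain and TLS traffic alike.

# Record the requested Host in relayd's log for each request.
match request header log "Host"

# Strip the Proxy request header before it reaches the backend, so CGI-style
# handlers cannot pick it up as HTTP_PROXY.
match request header remove "Proxy"

# Do not advertise the backend software to clients.
match response header remove "Server"

# Response headers added at the relay (assumed values; adjust to the site).
match response header set "X-Content-Type-Options" value "nosniff"
match response header set "X-Frame-Options" value "SAMEORIGIN"
```

Because the relays are fed by divert-to and the source address is preserved, no X-Forwarded-For rule is needed here. Running relayd -n checks the configuration, including this file, before the daemon is reloaded.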