I think I found something working, I leave it here for others.
Any advice is still welcome.

By the way, I'm confused about the "transparent forward" directive in
relayd.conf. It doesn't seem to work at all, and setting up a transparent proxy
does not use this keyword.

/etc/relayd.conf : 

        http protocol "http" {
                tcp { nodelay, sack, socket buffer 65536, backlog 100 }
                include "/etc/relayd.proxy.conf"
                pass
        }

        http protocol "https" {
                tcp { nodelay, sack, socket buffer 65536, backlog 100 }
                include "/etc/relayd.proxy.conf"
                tls { \
                        cipher-server-preference,\
                        no tlsv1.0\
                }
                pass

        }
        relay "www" {
                listen on 127.0.0.1 port 8080
                protocol "http"
                forward to destination
        }

        relay "wwwtls" {
                listen on 127.0.0.1 port 8443 tls
                protocol "https"
                # the post is cut off after the protocol line; the forward
                # directive and closing brace are restored to match "www" above
                forward to destination
        }

For tls, you need /etc/ssl/127.0.0.1.crt and /etc/ssl/private/127.0.0.1.key
files. Use ln -s to link with your certificate if necessary.

In /etc/httpd.conf, leave this : 

        listen on * port 80
        listen on * tls port 443
        hsts preload
        tls {
                certificate ...
                key ...
        }

And finally, in /etc/pf.conf : 

        pass in on egress proto tcp to port www divert-to 127.0.0.1 port 8080 \
                flags S/SA modulate state
        pass in on egress proto tcp to port https divert-to 127.0.0.1 port 8443 \
                flags S/SA modulate state

        pass out on egress proto tcp all modulate state divert-reply


This way, relayd is a transparent proxy: you can change headers and keep the
original source IP (useful for logs).


regards.
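As an added example (not part of the post above), a small POSIX sh checker for the pieces this setup depends on: the 127.0.0.1 certificate and key that relayd needs for the tls relay (including the `ln -s` case), the key's permissions, and a dry-run parse of the three config files. The ROOT argument is /etc on a real host; it is a parameter only so the functions can be exercised against a scratch directory.

```shell
#!/bin/sh
# check_tls_files ROOT NAME: relayd's 'listen on NAME ... tls' expects
# ROOT/ssl/NAME.crt and ROOT/ssl/private/NAME.key to exist.
check_tls_files() {
    root=$1
    name=$2
    crt="$root/ssl/$name.crt"
    key="$root/ssl/private/$name.key"
    # -e follows symlinks, so a dangling 'ln -s' is reported as missing
    [ -e "$crt" ] || { echo "missing certificate: $crt" >&2; return 1; }
    [ -e "$key" ] || { echo "missing key: $key" >&2; return 1; }
    # the private key must not be readable by 'others' (chars 8-10 of ls -l;
    # -L dereferences a symlinked key so the target's mode is checked)
    case $(ls -lL "$key" | cut -c8-10) in
        ---) ;;
        *) echo "key $key is readable by others" >&2; return 1 ;;
    esac
    return 0
}

# check_configs ROOT: syntax-check relayd.conf, httpd.conf and pf.conf
# without applying them (-n). A tool that is not installed is skipped, so
# the function also runs on a machine that is not the OpenBSD host.
check_configs() {
    root=$1
    rc=0
    command -v relayd >/dev/null && { relayd -n -f "$root/relayd.conf" || rc=1; }
    command -v httpd  >/dev/null && { httpd -n -f "$root/httpd.conf"  || rc=1; }
    command -v pfctl  >/dev/null && { pfctl -nf "$root/pf.conf"       || rc=1; }
    return $rc
}
```

Source the file and run `check_tls_files /etc 127.0.0.1 && check_configs /etc` before `rcctl restart relayd`; a non-zero exit names the missing file or the config that failed to parse.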
