On 5/08/2016 2:13 p.m., JR Dalrymple wrote:
>
> For posterity's sake, here are the relevant parts of my working
> configuration:
>
> /etc/pf.conf:
> pass in proto tcp to any port 80 divert-to 127.0.0.1 port 3128
> pass in proto tcp to any port 443 divert-to 127.0.0.1 port 3129
>
> squid.conf:
> http_port 127.0.0.1:3128 intercept
> https_port 127.0.0.1:3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/usr/local/squid/etc/ssl/CA.pem
>

FYI: Since OpenBSD 4.4+ the PF divert-to rule performs their implementation of TPROXY. So technically it is more correct to configure the "tproxy" option on the listening ports. But the "intercept" will also work - it just makes Squid behave like a NAT instead of fully transparent.

Also, both styles can handle IPv6 as well as IPv4. That is currently limited only by your explicit use of 127.0.0.1 in the rules and port declarations.

Amos
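
As an added example (not part of the original thread and not Squid or PF tooling), this Python check cross-references the pf.conf divert-to targets with the squid.conf listening ports quoted above and reports the two points raised in the reply: `intercept` used behind divert-to, and the IPv4-only 127.0.0.1 binding. The function names and finding labels are hypothetical; the sample input is the configuration from the thread.

```python
import re

# Sample input: the configuration quoted in the thread.
PF_CONF = """\
pass in proto tcp to any port 80 divert-to 127.0.0.1 port 3128
pass in proto tcp to any port 443 divert-to 127.0.0.1 port 3129
"""
SQUID_CONF = """\
http_port 127.0.0.1:3128 intercept
https_port 127.0.0.1:3129 intercept ssl-bump generate-host-certificates=on \
dynamic_cert_mem_cache_size=4MB cert=/usr/local/squid/etc/ssl/CA.pem
"""

DIVERT = re.compile(r"divert-to\s+(\S+)\s+port\s+(\d+)")

def parse_diverts(pf_conf):
    """Return [(address, port)] for every divert-to target in pf.conf."""
    lines = (l.split("#")[0] for l in pf_conf.splitlines())
    return [(m[1], int(m[2])) for l in lines for m in DIVERT.finditer(l)]

def parse_listeners(squid_conf):
    """Return {port: (address or None, set of options)} for http(s)_port lines."""
    out = {}
    for line in squid_conf.splitlines():
        tok = line.split("#")[0].split()
        if len(tok) >= 2 and tok[0] in ("http_port", "https_port"):
            addr, _, port = tok[1].rpartition(":")
            if port.isdigit():
                out[int(port)] = (addr or None, set(tok[2:]))
    return out

def check(pf_conf, squid_conf):
    """Return [(port, label)] findings for each divert-to target (labels are hypothetical)."""
    listeners, findings = parse_listeners(squid_conf), []
    for addr, port in parse_diverts(pf_conf):
        if port not in listeners:
            findings.append((port, "no-listener"))  # traffic diverted to nothing
            continue
        laddr, opts = listeners[port]
        if not opts & {"intercept", "tproxy"}:
            findings.append((port, "not-interception-port"))
        elif "intercept" in opts:
            # Works, but Squid behaves like a NAT; "tproxy" matches divert-to.
            findings.append((port, "intercept-on-divert-to"))
        if "127.0.0.1" in (addr, laddr):
            findings.append((port, "ipv4-only"))  # explicit IPv4 loopback
    return findings

if __name__ == "__main__":
    for port, label in check(PF_CONF, SQUID_CONF):
        print(port, label)
```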