I think I found something that works; I leave it here for others.
Any advice is still welcome.
By the way, I'm confused about the "transparent forward" directive in
relayd.conf. It doesn't seem to work at all, and setting up a transparent proxy
does not use this keyword.
/etc/relayd.conf:
http protocol "http" {
    tcp { nodelay, sack, socket buffer 65536, backlog 100 }
    include "/etc/relayd.proxy.conf"
    pass
}
http protocol "https" {
    tcp { nodelay, sack, socket buffer 65536, backlog 100 }
    include "/etc/relayd.proxy.conf"
    tls { \
        cipher-server-preference, \
        no tlsv1.0 \
    }
    pass
}
relay "www" {
    listen on 127.0.0.1 port 8080
    protocol "http"
    forward to destination
}
relay "wwwtls" {
    listen on 127.0.0.1 port 8443 tls
    protocol "https"
    # same as the "www" relay: hand the diverted connection to its original destination
    forward to destination
}
For tls, you need the /etc/ssl/127.0.0.1.crt and /etc/ssl/private/127.0.0.1.key
files. Use ln -s to link to your certificate if necessary.
In /etc/httpd.conf, leave this:
listen on * port 80
listen on * tls port 443
hsts preload
tls {
    certificate ...
    key ...
}
And finally, in /etc/pf.conf:
pass in on egress proto tcp to port www divert-to 127.0.0.1 port 8080 \
    flags S/SA modulate state
pass in on egress proto tcp to port https divert-to 127.0.0.1 port 8443 \
    flags S/SA modulate state
pass out on egress proto tcp all modulate state divert-reply
This way, relayd is a transparent proxy: you can change headers and keep the
original source IP (useful for logs).
Regards.
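As an added example (not part of the post above), a small Python check that the pf divert-to rules and the relayd listeners agree: every diverted port has a relayd listener bound to loopback, and the https rule lands on the listener that has the tls flag. The two configs are constructed inline from the snippets quoted in the post; the regexes only cover the listen/divert-to forms used there.

```python
import re

# Constructed samples: the relayd.conf relays and pf.conf rules from the post.
RELAYD_CONF = """
relay "www" {
    listen on 127.0.0.1 port 8080
    protocol "http"
    forward to destination
}
relay "wwwtls" {
    listen on 127.0.0.1 port 8443 tls
    protocol "https"
    forward to destination
}
"""
PF_CONF = r"""
pass in on egress proto tcp to port www divert-to 127.0.0.1 port 8080 \
    flags S/SA modulate state
pass in on egress proto tcp to port https divert-to 127.0.0.1 port 8443 \
    flags S/SA modulate state
pass out on egress proto tcp all modulate state divert-reply
"""

LISTEN_RE = re.compile(r'^\s*listen on (\S+) port (\d+)( tls)?', re.M)
DIVERT_RE = re.compile(r'to port (\w+) divert-to (\S+) port (\d+)')
# Service names from the pf rules that must be diverted to a tls listener.
TLS_SERVICES = {"https"}

def relayd_listeners(conf):
    """Map (addr, port) -> True if that relay listener terminates TLS."""
    return {(m[1], int(m[2])): m[3] is not None for m in LISTEN_RE.finditer(conf)}

def pf_divert_rules(conf):
    """List (service, addr, port) for each divert-to rule, joining '\\' continuations."""
    joined = re.sub(r'\\\s*\n', ' ', conf)
    return [(m[1], m[2], int(m[3])) for m in DIVERT_RE.finditer(joined)]

def check_divert(relayd_conf, pf_conf):
    """Return a list of findings; an empty list means the two configs agree."""
    findings = []
    listeners = relayd_listeners(relayd_conf)
    for service, addr, port in pf_divert_rules(pf_conf):
        if (addr, port) not in listeners:
            findings.append(f"{service}: divert-to {addr}:{port} has no relayd listener")
        elif listeners[(addr, port)] != (service in TLS_SERVICES):
            findings.append(f"{service}: tls flag on listener {addr}:{port} does not match")
    for addr, port in listeners:
        # A divert listener bound to anything but loopback is reachable directly,
        # bypassing the pf rule and the source-IP preservation the post relies on.
        if addr != "127.0.0.1":
            findings.append(f"listener {addr}:{port} is not bound to loopback")
    return findings

if __name__ == "__main__":
    print(check_divert(RELAYD_CONF, PF_CONF) or "ok")
```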