ssl forward proxy with relayd

ssl forward proxy with relayd

Bogdan Andu
Hi,

I need to set-up a forward proxy using relayd with ssl.

My /etc/relayd.conf:

prefork 1

http protocol httpfilter {
        return error

        pass
        match label "Prohibited!"
        block url "social.network.example.com/"

        # New configuration directives for SSL Interception
        ssl ca key "/etc/ssl/private/ca.key" password "zdapi321"
        ssl ca cert "/etc/ssl/ca.crt"
}

relay sslinspect {
        listen on 127.0.0.1 port 3128 ssl
        protocol httpfilter
        forward with ssl to destination
}

The password is correct (btw, wouldn't a password-less option be useful?).

And in my /etc/pf.conf I have:
# Divert incoming HTTPS traffic to relayd
pass in on $ext_if inet proto tcp to port 443 divert-to localhost port 3128


Certificate and key were generated using the command (with the above password):
$ sudo openssl req -x509 -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/ca.key -out /etc/ssl/ca.crt

However, when executing:
$  sudo /usr/sbin/relayd  -vv -d -f /etc/relayd.conf
startup
socket_rlimit: max open files 1024
relay_load_certfiles: using ca certificate /etc/ssl/ca.crt
socket_rlimit: max open files 1024
relay_load_certfiles: using ca key /etc/ssl/private/ca.key
/etc/relayd.conf:39: cannot load certificates for relay sslinspect
no actions, nothing to do
hce exiting, pid 26488
ca exiting, pid 30372
pfe exiting, pid 11774
relay exiting, pid 12430

System: 5.6/amd64

Why can't the certificate be loaded?

Thanks,

/Bogdan
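As an added example (not from the original post), a small sh script that applies the rule from relayd.conf(5): a relay whose listener is `listen on ADDR ... ssl` loads its own certificate from /etc/ssl/ADDR.crt and its key from /etc/ssl/private/ADDR.key, independently of the `ssl ca key`/`ssl ca cert` pair that the protocol uses for interception. It parses a config for ssl listeners and reports which of those files are missing; the optional CA check assumes openssl is installed and reads the key password from the RELAYD_CA_PASS environment variable (so it never appears in the process list).

```sh
#!/bin/sh
# Derive the listener certificate paths relayd expects for every
# "listen on ADDR port N ssl" line, then check that they exist.
# relayd.conf(5): an ssl listener loads /etc/ssl/ADDR.crt and
# /etc/ssl/private/ADDR.key; the "ssl ca key"/"ssl ca cert" protocol
# options only supply the CA used to mint interception certificates.

# Print "ADDR CRT KEY" for each ssl listener in the config file(s)
# given as arguments (or on stdin when no argument is given).
relayd_listener_certs() {
    awk '
        /^[ \t]*listen[ \t]+on[ \t]+/ && /[ \t]ssl([ \t]|$)/ {
            addr = $3
            printf "%s /etc/ssl/%s.crt /etc/ssl/private/%s.key\n", addr, addr, addr
        }
    ' "$@"
}

# Return 0 when every listener certificate and key is readable,
# 1 otherwise; each missing path is reported on stderr.
check_relayd_listener_certs() {
    missing=0
    for f in $(relayd_listener_certs "$@" | awk '{ print $2; print $3 }'); do
        if [ ! -r "$f" ]; then
            echo "missing listener file: $f" >&2
            missing=1
        fi
    done
    return $missing
}

# Optional: confirm the interception CA key decrypts with the password
# in RELAYD_CA_PASS and belongs to the CA certificate (public keys match).
# Usage: RELAYD_CA_PASS=... check_relayd_ca_pair KEY CRT
check_relayd_ca_pair() {
    k=$(openssl pkey -in "$1" -passin env:RELAYD_CA_PASS -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 1
    [ "$k" = "$c" ]
}

# Constructed sample: the relay block from the post above.
SAMPLE_CONF='relay sslinspect {
        listen on 127.0.0.1 port 3128 ssl
        protocol httpfilter
        forward with ssl to destination
}'

# Stand-alone run: show what relayd will look for, then check the files.
printf '%s\n' "$SAMPLE_CONF" | relayd_listener_certs
printf '%s\n' "$SAMPLE_CONF" | check_relayd_listener_certs || echo "listener certificate/key not found"
```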