
Commit 1e335cc

blink-so[bot] and f0ssel committed
Fix macOS PF rules to route traffic to HTTP proxy with TLS termination
- Change PF rules to redirect all TCP traffic to port 8080 (HTTP proxy with TLS termination)
- Previously was incorrectly routing to port 8443 (HTTPS proxy)
- HTTP proxy with TLS termination can handle both HTTP and HTTPS traffic
- Fixes 'client sent HTTP request to HTTPS server' error on macOS
- Update comments and logging to reflect correct proxy usage

Co-authored-by: f0ssel <[email protected]>
1 parent 3511a46 commit 1e335cc

1 file changed

+5
-5
lines changed

namespace/macos.go

Lines changed: 5 additions & 5 deletions
@@ -222,28 +222,28 @@ func (m *MacOSNetJail) createPFRules() (string, error) {
222222
# COMPREHENSIVE APPROACH: Intercept ALL TCP traffic from the jailed group
223223
# This ensures NO TCP traffic can bypass the proxy by using alternative ports
224224
225-
# First, redirect ALL TCP traffic arriving on lo0 to our HTTPS proxy port
226-
# The HTTPS proxy can handle both HTTP and HTTPS traffic
225+
# First, redirect ALL TCP traffic arriving on lo0 to our HTTP proxy with TLS termination
226+
# The HTTP proxy with TLS termination can handle both HTTP and HTTPS traffic
227227
rdr pass on lo0 inet proto tcp from any to any -> 127.0.0.1 port %d
228228
229229
# Route ALL TCP traffic from boundary group to lo0 where it will be redirected
230230
pass out route-to (lo0 127.0.0.1) inet proto tcp from any to any group %d keep state
231231
232232
# Also handle ALL TCP traffic on the specific interface from the group
233-
pass out on %s route-to (lo0 127.0.0.1) inet proto tcp from any to any group %d keep state
233+
pass out route-to (lo0 127.0.0.1) on %s inet proto tcp from any to any group %d keep state
234234
235235
# Allow all loopback traffic
236236
pass on lo0 all
237237
`,
238238
m.restrictedGid,
239239
iface,
240-
m.httpsProxyPort, // Use HTTPS proxy port for all TCP traffic
240+
m.httpProxyPort, // Use HTTP proxy with TLS termination for all TCP traffic
241241
m.restrictedGid,
242242
iface,
243243
m.restrictedGid,
244244
)
245245

246-
m.logger.Debug("Comprehensive TCP jailing enabled for macOS", "group_id", m.restrictedGid, "proxy_port", m.httpsProxyPort)
246+
m.logger.Debug("Comprehensive TCP jailing enabled for macOS", "group_id", m.restrictedGid, "proxy_port", m.httpProxyPort)
247247
return rules, nil
248248
}
249249

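Review bot: the change at line 233 reorders the rule from `pass out on %s route-to (lo0 127.0.0.1) inet proto tcp ...` to `pass out route-to (lo0 127.0.0.1) on %s inet proto tcp ...`, and nothing in the commit message explains it. The pf.conf(5) rule grammar places the `on ifspec` clause before the `route-to` option, so the original order is the documented one and the new order risks a parse failure that would load the ruleset without this interface rule; please either revert that line or show the result of `pfctl -nf` on the generated rules and state why the reorder is needed. Separately, the comment at line 223 says no TCP traffic can bypass the proxy, and the `rdr` rule at line 227 does send every TCP connection on lo0, not only HTTP and HTTPS, to `m.httpProxyPort`; the message should say how the proxy with TLS termination handles a connection that is neither plaintext HTTP nor a TLS ClientHello (reject and log, or attempt to parse), since that decides whether the 'client sent HTTP request to HTTPS server' error is replaced by a clear failure for non-HTTP clients rather than a different confusing one.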