Thanks all, for the several helpful responses in this thread. Here's what I currently have, in /etc/pf.conf. Appears to work. Although, I am rethinking my approach and may terminate TLS at httpd in the future. Still it is nice for me to learn what is possible.

match in on egress proto tcp from any to (self) port 80 rdr-to 127.0.0.1 port 8080
match in on egress proto tcp from any to (self) port 443 rdr-to 127.0.0.1 port 8443

To Salvatore Cuzzilla, note I was trying to use relayd for L3 redirect, which is why no CA or key configured.

To Kevin, I'm not trying to simply replace httpd with caddy. Longer term I will be customizing the server, which I prefer to do in Go.

-Dave

On Sun, Mar 12, 2017, at 02:12 AM, Sebastien Marie wrote:
[snip]
>
> pass in on egress proto tcp from any to (self) port 80 rdr-to 127.0.0.1 port 8080
> pass in on egress proto tcp from any to (self) port 443 rdr-to 127.0.0.1 port 8443
>
> see pf.conf(5) and https://www.openbsd.org/faq/pf/rdr.html
>
> --
> Sebastien Marie