jerry7991/transproxy

transproxy (macOS pf + Privoxy)

License: MIT Python 3.7+ macOS

Transparent TCP proxy that captures pfctl-redirected HTTP/HTTPS traffic and forwards it through Privoxy without TLS interception.

🚀 Key Innovation: Dual-Proxy Architecture

This project solves a unique challenge: how to transparently proxy iOS apps that ignore global proxy settings while not interfering with apps that honor them.

The Problem

  • 📱 Proxy-Aware Apps (Safari, Chrome): Use configured proxy settings → Connect directly to Privoxy
  • 🚫 Proxy-Unaware Apps (Netflix, Games): Ignore proxy settings → Try direct connections to servers

The Solution

Strategic pfctl rules that create two paths:

# Path 1: EXEMPT proxy-aware traffic (to Mac/Privoxy)
no rdr on bridge100 inet proto tcp from 192.168.2.4 to 194.165.185.154

# Path 2: INTERCEPT proxy-unaware traffic (to external servers)
rdr pass on bridge100 inet proto tcp from 192.168.2.4 to any -> 127.0.0.1 port 8001

Result: Both app types work seamlessly while all traffic gets filtered through Privoxy! 🎉

📖 Complete Technical Guide - Deep dive into network layers, TLS handshakes, and transparent proxying internals

Structure

  • src/transparent_tcp_proxy.py — main proxy
  • config/pf/pf-transproxy.conf.example — pf rules sample
  • config/pac/proxy.pac — sample PAC
  • config/mobileconfig/GlobalHTTPProxy.mobileconfig — PAC-based profile
  • config/mobileconfig/ManualProxy.mobileconfig — manual proxy profile

Features

  • HTTP: rewrites to absolute-form and forwards to Privoxy
  • HTTPS: CONNECT via Privoxy using SNI, tunnels bytes (no MITM)
  • Skips PAC requests; basic logging; CLI/env config

Setup

  1. Install and start Privoxy (or any HTTP proxy) locally and note its host:port (default here: 127.0.0.1:48082)

  2. Run the transparent proxy:

python3 src/transparent_tcp_proxy.py \
  --listen-ip 0.0.0.0 --listen-port 8001 \
  --privoxy-ip 127.0.0.1 --privoxy-port 48082
  3. Add a pf redirect for HTTP/HTTPS to the proxy. Edit the interface/subnet in the example and load it:
sudo cp config/pf/pf-transproxy.conf.example /etc/pf-transproxy.conf
sudo pfctl -f /etc/pf-transproxy.conf
sudo pfctl -E

Restore defaults later:

sudo pfctl -f /etc/pf.conf
sudo pfctl -d
  4. iOS configuration profiles
  • PAC (GlobalHTTPProxy.mobileconfig): points to your Mac-hosted PAC file
  • ManualProxy.mobileconfig: direct HTTP(S) proxy settings

Use Apple Configurator or AirDrop to install. Edit server IPs/ports before use.

Development

python3 -m py_compile src/transparent_tcp_proxy.py

Notes

  • Non-HTTP/TLS traffic can’t be proxied without original destination info on macOS.
  • For testing PAC, host config/pac/proxy.pac via a simple HTTP server.
