The same thing hit me when upgrading to 25.07.1 this morning. I moved libc++.so.1 to /root and squid started normally. When I was experiencing the issue it looked like this in my system log: /rc.filter_configure_sync: [squid] Installed but not started. Not installing 'nat' rules. /rc.filter_configure_sync: [squid] Installed but not started. Not installing 'pfearly' rules. /rc.filter_configure_sync: [squid] Installed but not started. Not installing 'filter' rules. sshd[12272]: error: connect_to [interface_to_listen_on] port 3128: failed. Squid_Alarm[34120]: Squid has exited. Reconfiguring filter. Squid_Alarm[35230]: Attempting restart... The sshd error is from my ssh connection where I tunnel my websurfing to my home router. Since squid wasn't listening on the specified port sshd could not make the connection. All well now.

You can run via SSH or Diagnostics -> Command prompt squid -k parse and paste output here.

@firefox I don’t think so, to be honest with you I am on an older version also. Just make sure you do the patch package and install all the system patches.

@qupfer What did I bang my head over this strange 502 issue. Your solution did it! Thank you so much, even 2.5 years later!

Request for Continued Support of Squid Package Dear Netgate Team, Could we please continue to support the Squid package? The upstream project has already resolved the known security issues, and it appears the main task remaining is updating the package to accommodate the recent PHP changes affecting the status page and address the decode issue. I’m unsure how to address this on my end and would greatly appreciate any guidance. Has anyone else looked into this, or is there a fix currently in progress? Thank you for your time and support. Jonathan Lee

@andrew_cb said in haproxy 0.63_2 weird behavior, edits not working: @iSagen @TheCyborgWeasel The issue is likely the same as in https://forum.netgate.com/topic/178348/haproxy-backend-port-changes-are-not-applied/ Try adding load-server-state-from-file none to the Advanced Settings > Backend pass thru section of each backend. Great! I will do this.

@nick23369 You don't have to wait for the official fix. Adding the directive load-server-state-from-file none to each backend will override the default behavior and makes HAProxy backend changes take effect immediately. This is the easiest - do it one time and it's done. You can also stop HAProxy, delete run rm /tmp/haproxy_server_state from Diagnostic > Command Prompt, and then start HAProxy. There is no problem with HAProxy, it just takes some extra work to make negate the hardcoded config settings and make backend changes apply immediately without having to reboot pfSense.

Hi Andrew, thanks for the tip. I forgot reply here. In our case, the problem was the hardware. Since 2013 I use the same hardware an Athlon LE-1620(1 Core) with 2GB. Some months ago, we created an app with many HAProxy rules and the access is growing. We bought one fanless with Intel J6426 and 8GB and now it´s work fine.

@andrew_cb Thank you for the answer In the end it was a problem that any new backend i added just did not register, i confirm it by taking an existing one and overriding it and it worked so i want the nuclear option and just installed the entire pfsense because installing the haproxy did not help.

@viragomann Thank you, I had that a bit flipped in my mind!

@BelluX The Shared-Frontends message is because you have two different frontends configured that are listening on the same IP address and port. To resolve this error, you must choose the option Shared Frontend on the second frontend. However, if you do this, HAProxy will give an error that all shared frontends must be of the same type (you cannot mix http/https (offloading) with ssl/https (TCP mode). This is how I set up HAProxy to support mixed offloading and passthrough: Create a Backend called tcp_to_https which goes to server 127.0.0.1:4443 and Encrypt(SSL) is set to No. Create a Frontend called SSL_Termination that listens on port 4443. Enable SSL Offloading. Add all your ACLs and Actions like normal. Create a Frontend called SSL_Passthrough that listens on port 443 but do not enable SSL Offloading. Set it to ssl / https (TCP mode). Add ACLs using Server Name Indication TLS extension ends with for the hostnames that you want to pass through directly to the backends. Set the Default Backend to tcp_to_https. The way this works is HAProxy receives the request, it checks if the SNI matches the ACLs, and passes it through directly to the backends without performing SSL offloading. Otherwise, it passes the request to the default backend tcp_to_https, which connects to the frontend SSL_Termination, where the connections are processed a second time, this time performing SSL offloading.

@mojtaba-key For anyone reading this, the issue is likely the same as in https://forum.netgate.com/topic/178348/haproxy-backend-port-changes-are-not-applied/ The solution is to add load-server-state-from-file none to the Advanced Settings > Backend pass thru section of each backend.

@NickyDoes The issue is likely the same as in https://forum.netgate.com/topic/178348/haproxy-backend-port-changes-are-not-applied/ Try adding load-server-state-from-file none to the Advanced Settings > Backend pass thru section of each backend.

Retested on 24.11-RELEASE (amd64) all seems to work. So it seems right to file a bug for this issue.

@JonathanLee said in UNOFFICIAL GUIDE: Have Package Logs Record to a secondary SSD drive Snort Syslog Squid and or Squid cache system: ln -s -F /nvme/LOGS_Optane/snort /var/log/snort Also you can do this with suricata. /var/log/suricata remove this mkdir /nvme/LOGS_Optane/suricata ln -s -F /nvme/LOGS_Optane/suricata /var/log/suricata

This is a better WPAD file server.modules = ( "mod_access", "mod_staticfile", "mod_expire", "mod_setenv" ) server.document-root = "/var/www/html" server.errorlog = "/var/log/lighttpd/error.log" server.pid-file = "/run/lighttpd.pid" server.username = "www-data" server.groupname = "www-data" server.port = 80 server.bind = "192.168.1.6" server.tag = "" server.range-requests = "disable" server.max-connections = 10 connect-timeout = 2 server.max-keep-alive-idle = 2 server.max-keep-alive-requests = 1 server.max-read-idle = 2 server.max-write-idle = 2 dir-listing = "disable" $HTTP["request-method"] =~ "^(TRACE|TRACK)$" { url.access-deny = ( "" ) } # Cache WPAD and proxy PAC files for 1 day (good practice) expire.url = ( "/wpad.dat" => "access plus 1 day", "/proxy.pac" => "access plus 1 day" ) # Disable access logs to reduce SD card wear (optional) accesslog = "" $HTTP["url"] =~ "^/(wpad\.dat|proxy\.pac)$" { setenv.add-response-header = ( "X-Content-Type-Options" => "nosniff", "X-Frame-Options" => "DENY", "Content-Security-Policy" => "default-src 'none';", "Cache-Control" => "public, max-age=86400", "Referrer-Policy" => "no-referrer", "X-Download-Options" => "noopen", "X-Permitted-Cross-Domain-Policies" => "none" ) # Allow only GET and HEAD methods $HTTP["request-method"] !~ "^(GET|HEAD)$" { url.access-deny = ( "" ) } # Restrict access by IP subnets $HTTP["remoteip"] == "192.168.1.0/27" { } else $HTTP["remoteip"] == "2001:470:8052:a::/64" { } else { url.access-deny = ( "" ) } } # Deny all other URL requests $HTTP["url"] !~ "^/(wpad\.dat|proxy\.pac)$" { url.access-deny = ( "" ) } # Strict URL parsing for security and consistency server.http-parseopts = ( "header-strict" => "enable", "host-strict" => "enable", "host-normalize" => "enable", "url-normalize-unreserved"=> "enable", "url-normalize-required" => "enable", "url-ctrls-reject" => "enable", "url-path-2f-decode" => "disable", "url-path-2f-reject" => "enable", "url-path-dotseg-remove" => "disable", "url-path-dotseg-reject" => "enable", ) url.access-deny = ( "~", ".inc" ) static-file.exclude-extensions = ( ".php", ".pl", ".fcgi" ) # Add WPAD MIME type for correct browser handling mimetype.assign = ( ".dat" => "application/x-ns-proxy-autoconfig", ".pac" => "application/x-ns-proxy-autoconfig" )

@brcuewayne DiagnosticsCommand Prompt Shell Output - ls -l /usr/local/sbin/dhcpleases6 ls: /usr/local/sbin/dhcpleases6: No such file or directory Execute Shell Command