@marcelloc said in pfSense keeps blocking google.com, I lost all hope:
If you run a tcpdump on your LAN while trying to google something with chrome, you will see it going on UDP port 443 instead of default TCP port.
That's the QUIC protocol right? You can block it with a firewall rule blocking udp80/443
https://wiki.squid-cache.org/KnowledgeBase/Block QUIC protocol
or disable it using a Chrome flag:
chrome://flags > QUIC protocol > Disable
I'm sure there was a good thread about it here on this forum but now for the life of me I can't find it.
good day,
I enabled the e2guardian antivirus, selected clamdscan and icapscan from General Tab and checked extension, mime, site, url from the ACL Antivirus Tab but this causes e2guardian to stop.
does anybody knows how to solve this ?
you must configure the authentication in both now so that it works, you need to create an acl of groups with AD in the squidguard by changing the parameters of the example:
ldapusersearch ldap://192.168.0.100/DC=domain,DC=com?sAMAccountName?sub?(&(sAMAccountName=%s)(memberOf=CN=it%2cCN=Users%2cDC=domain%2cDC=com))
@_neok said in Squid + Squidguard + active directory + SSO:
This video is a bit old but the general outlines helped me make it work.
Yes this works, i have modified this package according to my requirement and works like a charm.
That is the solution that gives me a lot of troubles... When I point https://mydomin.com/media/ => https://media.local:2020/media/ I have to configure media.local to have a service running on a different path, and that brings a lot of problems. The easyest solution would be to mask the url and rewrite https://mydomin.com/media/ to https://media.local:2020 that way I don't need to mess with the destinations servers.
That change didn't make the quarterly ports branch (missed it by a few days), so there isn't a guarantee that it will make it in the next release. Unless it requires little to no configuration modifications, it may have to wait until after the release.
i know this pfsense chat but you seem very smart in this other stuff too i had another question if i have a unraid and it rsyncs to a freenas if data on teh unraid bit rots wont it bit rot the freenas or should i be scrapping unraid all together. i just like it its easier to use then freenas but i do like some things freenas has so there is no happy medium or best solution windows i guess lol
@brlamnr said in HAProxy TCP/use client ip and carp cluster problem:
@piba said in HAProxy TCP/use client ip and carp cluster problem:
@brlamnr
Can you check result of command 'ipfw show' ?
Following after activating client-ip:
00010 0 0 fwd ::1 tcp from 10.3.128.10 443 to any in recv cxl0.79
00011 108 20412 fwd ::1 tcp from 10.3.128.11 443 to any in recv cxl0.79
65535 48732381 4651172490 allow ip from any to any
It didn't work. Same behavior. Thanks.
If the destination ip/port is the pfSense ip with proxy port, then it's a direct connect.
If the destination ip/por is an valip ip address with port 80 or 443 then it's a transparent connection if transparent mode is configured.
The basic usage for tcpdump is:
tcpdump -ni YOUR_LAN_OR_WAN_INTERFACE host YOUR_CLIENT_IP
@cloudfw said in Squid as transparent HTTP/HTTPS whitelist only proxy:
@marcelloc But why is it working with HTTP then? same thing DNS lookup, then direct http to IP traffic. Have you had this HTTPS setup working?
Because http traffic is not encrypted, squid can see the packet content. With ssl in splice all mode, squid does not intercept the connection, it just tries to check the server certificate. before establishing a tunnel between the client and the server.
@valnurat said in How do I know if it is working?:
Okay, but what metadata is cached?
I'm not using Squid, but I tend to say : all classic http (non-https) web access. Forget about SSL caching (check Google, he will tell you why).
Squid main goal isn't being a "cache", it's more a proxy thing.
That is not an official package for pfSense. If you want to ask about that, I suggest you start a new thread and put the name of the package in the title. Otherwise the chances are slim that anyone that touches that package will see this thread.
@billiam said in Socks5 Proxy:
Thanks for the pointers, with a few tweaks I've got it running as needed. Some were just because the commands shown in your config displayed warnings as deprecated when run. I also added a user to the system for the service to run as "socks" instead of root
You're welcome. I found that config somewhere when looking for examples, don't remember where I found it but might have been an old one. Didn't see any warnings though, although once it worked I didn't check the logs.
Finally I've added the line:
<shellcmd>/usr/local/etc/rc.d/sockd onerestart</shellcmd>
to the pfSense config.xml just before the </system> line which auto starts the service when the box is rebooted.
Thanks for the tip!
well not sure if he did the part on the windows server to go to regedit and delete the WPAD string on the DNS parameters without doing that it wont work if your running your DNS and DHCP on windows Server
Why not use subdomains? app1.mydomain app2.mydomain and use haproxy to send those to the correct webserver? Sounds like a way simpler approach?
As for rewriting the 'body' of a request or response, thats something that haproxy does not support (yet). Though with lua scripting there are some options to try and implement such a thing yourself, probably wont be easy though..
