Cache/Proxy

• P

  PfSense, HAProxy and Fail2ban
  • ProxyMoron  

  8
  0
  Votes
  8
  Posts
  3323
  Views

  L

  @JeGr hi! I dont have trouble with ssh service because we are prohibited access to ssh on wan on all out system frontends... including webadmin(for example i cant connect from home to pfsense webadmin or terminal services, thats is part of our security policy) for example we are worried with imap, postfix and webmail there are the only services to internet space with authentication, maybe this is not a pfsense topic... thanks for u tips, i will go to read somes manual and man pages and look for somes examples and look on fail2ban mail-list to ask how i can make my own action ban and make it to block ip on somes pfsesen box using easyrule or pfssh.php script.. thanks! sorry my englis please. regards
• R

  HAProxy logging issues
  • rajbps  

  2
  0
  Votes
  2
  Posts
  17
  Views

  P

  @rajbps Try these settings?: Remote syslog host: /var/run/log Syslog facility: local0 Syslog level: Informational Log hostname: <leave this field empty> And your looking under the menu "Status/Package Logs/haproxy" ? Even a simple restart of haproxy should show up that the frontends are getting started.
• 

  Unofficial E2guardian package for pfSense
  • marcelloc  

  1135
  2
  Votes
  1135
  Posts
  153883
  Views

  P

  @arch113 Follow these steps to enable unofficial repos and get E2Guardian to show up: Install "patch" package from package manager. System > Patches > click "Add New Patch" button. Description: e2guardian patch URL/Commit ID: Leave empty Patch Contents: Copy/Paste all codes from here Path Strip Count: 1 Base Directory: / Ignore Whitespace: Clicked Auto Apply: Clicked Save and then click "Apply" button. That's all for now. Now go to shell and add repo of e2guardian by following command. fetch -q -o /usr/local/etc/pkg/repos/Unofficial.conf https://raw.githubusercontent.com/marcelloc/Unofficial-pfSense-packages/master/Unofficial.24.conf Go to Package Manager and try to search e2guardian. If you don't see any package reboot system.
• 

  HaProxy and Client Certeficate To ACL
  • Soloam  

  6
  0
  Votes
  6
  Posts
  36
  Views

  P

  @Soloam You can simply uninstall the old and then install the new and the config will remain in place. Also if for some reason you want to go back that is the way. Though some 'extra' settings would then be 'lost'. Anyway always good to have a config backup :).
• I

  How to block secure websites (like Social, sports ,music etc).
  • itsupport_debut  

  6
  0
  Votes
  6
  Posts
  61
  Views

  

  Its also possible since your post has only been 1 day. And is in the wrong section... Your asking about how to filter https with squidguard.. Not Firewall.. Blocking only specific https sites with a firewall that are hosted off CDNs yeah going to be very difficult.. But blocking via proxy is not that difficult, you don't need to do mitm if your using explicit proxy (ie client directed to the proxy). But if doing it via transparent - then yes it becomes more difficult I have moved your thread to correct area so you might get an answer on how to do it with squidguard... But then again they prob just going tell you to RTFM ;) For example check out the hangout by jimp - he goes over all the different way to filter https traffic From the hangout https://youtu.be/xm_wEezrWf4 Moving to proxy section.
• P

  Help setting up Haproxy with google domain
  • pintu1228  

  3
  0
  Votes
  3
  Posts
  27
  Views

  P

  @InterLoper thanks for that, I found a guide online for HAProxy and it mentions that I need to create a ddns (so I created home.domain.com), then it suggests to create cname for each subdomain(so for plex, I have plex (for the name field), cname (for the type), 1H (for TTL), home.domain.com (for data field)). Will this way work too? or should I follow what you suggested, to create a DDNS entry for each subdomain (plex, nextcloud, sonarr, radarr, sabnzbd, etc)? Which method do you recommend? Thanks for your help
• 

  Transparent without NAT
  • skilledinept  

  1
  0
  Votes
  1
  Posts
  17
  Views

  No one has replied

• M

  Reverse Inbound Proxy Web Auth
  • mcamino  

  1
  0
  Votes
  1
  Posts
  16
  Views

  No one has replied

• M

  Onedrive cannot connect to server behind Pfsense Proxy
  pfsense 2.4.4 pfsense forum pfsense setup • • Mr.Trieu  

  2
  0
  Votes
  2
  Posts
  25
  Views

  M

  Does anyone have a way to resole it? Please help.
• K

  HA Proxy with VIP IP?
  • killmasta93  

  1
  0
  Votes
  1
  Posts
  81
  Views

  No one has replied

• K

  issue on NAT forwarding?
  • killmasta93  

  5
  0
  Votes
  5
  Posts
  51
  Views

  K

  Thanks for the reply i think i had something on the states i rebooted and started working just have on quick question it might not be about this topic it has to do with HA proxy but on the same setup (first had to test out the NAT before proceding to HA) I have VIP 181.xx.xx.236 and my wan is 181.xx.xx238 but cant seem to get HA proxy working on the VIP i got working with the WAN see pictures Thank you
• 

  https filter with https://http:/*
  • bfu  

  11
  0
  Votes
  11
  Posts
  144
  Views

  S

  @bfu said in https filter with https://http:/*: Looking into that now actually. FWIW this is in a tightly controlled RDS environment so I'm able to specify proxy settings via Group Policy without having to worry about WPAD "fun" yet. I'll report back if I find anything. Thanks for the insight Have you tried using e2guardian? much more stable as intercept other option works fine when ssl mitm is set
• M

  Proxy, i can ping any sites hostname but can't browse
  • m-c-ila  

  9
  0
  Votes
  9
  Posts
  48
  Views

  M

  @bmeeks Thank you for your reply. I did the inter-vlan on cisco switch L3 and created static routes on pfsense ... From pfsense LAN i can ping the switch and other hosts. I am using a computer from a vlan and i still can ping google.com and i can access Pfsense webgui and get internet without proxy. That means vlans config is correct right ? I am having errors with https, and http pages it tells me it's not allowed to access these pages. Is there a rule to force traffic to pass through Proxy ? Ps: when i connect my laptop directly to pfsense everything works even proxy .
• 

  HAproxy + Acme package = 503 Error servers not available locally
  dns haproxy • • InterLoper  

  4
  0
  Votes
  4
  Posts
  203
  Views

  P

  @interloper Do you have a guide on how you setup your google domain settings for your subdomains? I am trying to figure it out but having a hard time. Here is my open topic on this forum (https://forum.netgate.com/post/830593). Thanks
• W

  Squidguard Filter: Allow only certain IPs without disabling "Do not allow IP-Addresses in URL"
  • Warudo  

  4
  0
  Votes
  4
  Posts
  179
  Views

  N

  @johnpoz said in Squidguard Filter: Allow only certain IPs without disabling "Do not allow IP-Addresses in URL": x My exact problem is I want to block all web traffic without using domain names. But there's some chat apps in China use port 80 and ip address for communication. So, if I disallow "IP addresses in URL", that chat app fails to connect to servers.
• B

  WPAD doesn't work
  • Big80  

  11
  0
  Votes
  11
  Posts
  224
  Views

  B

  @kom OK the problem comes from the DHCP. I didn't put the localdomain. Now it works. It was never mentioned in the guides I followed. Thanks for your help!!!
• P

  Sarg Could not find report index file
  • Poenskop  

  9
  0
  Votes
  9
  Posts
  2575
  Views

  A

  @poenskop Para solucionar el error Could not find report index file. Check and save sarg settings and try to force sarg schedule. Lo que hice fue cambiar el directorio de salida del reporte de sarg en el archivo sarg.conf para que quedara de la siguiente manera: Output dir (-o) = /usr/local/www/html/ después de esto en la consola crear un enlace simbólico hacia ese directorio ln -s /usr/local/www/html /usr/local/sarg-reports con esto se soluciono el problema ya pude ver el reporte y desapareció el mensaje Error: Could not find report index file. Check and save sarg settings and try to force sarg schedule.
• A

  How to use tcp_outgoing_address on different network?
  • akong77  

  1
  0
  Votes
  1
  Posts
  54
  Views

  No one has replied

• M

  HAProxy devel Multithreading
  • michaelschefczyk  

  2
  0
  Votes
  2
  Posts
  53
  Views

  P

  @michaelschefczyk Recently (26-1-2019) haproxy itself removed the warning from their docs, the package on pfSense should get a little update to remove that warning as well.. "It was mentioned when releasing 1.8 but early bugs have long been addressed" http://git.haproxy.org/?p=haproxy.git;a=commit;h=1f672a8162eda18c404c6784dd749b6e061e2e4d Afaik there are no issues anymore.. (Which in the early days used to included haproxy crashes and hangs spinning at 100% cpu usage of a core..)
• W

  ssl-min-ver directive in Haproxy shared frontends
  • wickeren  

  1
  0
  Votes
  1
  Posts
  56
  Views

  No one has replied

• V

  HAProxy, Letsencrypt and synology
  haproxy letsencrypt • • vacquah  

  1
  0
  Votes
  1
  Posts
  63
  Views

  No one has replied

• F

  Outgoing traffic: add URL parameter via squid reverse proxy?
  • fips  

  1
  0
  Votes
  1
  Posts
  53
  Views

  No one has replied

• S

  HAProxy - Offload HTTPS (from internet) into HTTP (WORKING + config EXAMPLE)
  • sokolum  

  4
  0
  Votes
  4
  Posts
  1041
  Views

  I

  Hello Sokolum, The pictures you posted are gone, care to reup? I really want to follow what you put here!
• T

  Squid HTTPS Interception not working?
  • tomstephens89  

  6
  0
  Votes
  6
  Posts
  198
  Views

  T

  @gertjan said in Squid HTTPS Interception not working?: For https port 3129 could be used I guess - example : https://www.microlinux.fr/squid-https-centos-7/ (Squid version 3.5). True, the official doc is hard to read. Well, in order to get this working, I have the SSL interception running on port 3129 and the main proxy on 3128. Pointing clients at 3129 for HTTPS results in no connectivity. However upon just telling clients to use 3128 for HTTP and HTTPS, I can see HTTPS Man in the middle working and the certificates are being issued by my CA as expected. This suggests that PfSense+Squid is doing some sort of redirection internally to 3129 for HTTPS, or the seperate port setting for HTTPS does nothing, and it just listens on 3128 full stop.
• J

  HAProxy + Intel QAT
  • justme2  

  4
  0
  Votes
  4
  Posts
  181
  Views

  J

  Excellent news! Anxious to see it in operation.
• J

  allow haproxy to listen to wan port 80 (and stop redirecting to pfsense admin page)
  • jason0  

  4
  0
  Votes
  4
  Posts
  86
  Views

  P

  @jason0 The HSTS cache can be a bit extra tricky to get rid of also.. Instructions for most browsers can be found though.
• S

  [HOWTO] Squid/Lightsquid Logs with MAC addresses - pfSense 2.3.2
  • Shelter  

  4
  0
  Votes
  4
  Posts
  1779
  Views

  G

  The idea is right but the syntax is wrong. On 2.4.4-RELEASE-p2: Proxy Server -> General settings -> "Enable Access Logging" disabled (this prevents the default syntax to be loaded) Advanced features ("Show Advanced Options") -> Custom Options (Before Auth) -> logfile_rotate 30 debug_options rotate=30 logformat squid %{%d/%m/%Y_%H:%M:%S}tl %>eui %6tr %>a %Ss/%03>Hs %<st %rm %ru %un %Sh/%<A %mt access_log /var/squid/logs/access_custom.log Save and reload Squid. You'll find the log in /var/squid/logs as defined in the general options page. Obviously You can customize the options according to your needs (timestamp, logrotate days, etc...)
• L

  Windows 10 updates blocked by proxy (squid)?
  • lindsay  

  7
  0
  Votes
  7
  Posts
  282
  Views

  J

  I think problem isn't with squid, rather with Windows 10 - system proxy settings doesn't enought, I don't know why. But with winhtt set proxy it works. Respect for your work, KOM and best regards.
• P

  Haproxy and HTTP basic auth via gui
  • paulsnoop  

  9
  0
  Votes
  9
  Posts
  2983
  Views

  P

  @itbrain Added the screenshots back..
• S

  Squid + Transparent + Bridge = Broken or Fixed?
  • swmspam  

  1
  0
  Votes
  1
  Posts
  77
  Views

  No one has replied

• 

  Squid 4.x
  • Bismarck  

  7
  0
  Votes
  7
  Posts
  1422
  Views

  R

  Ok, thanks for your statement!
• W

  Squid not caching web data
  • WhiteboardMarker  

  3
  0
  Votes
  3
  Posts
  129
  Views

  W

  Thanks KOM. Verified cache is working by going to https://www.google-analytics.com/analytics.js. Seeing TCP_MEM_HIT/200 when I go the javascript file hosted by Google.
• S

  HAproxy: ACL with weaker SSL-ciphers for one IP possible?
  • sgw  

  1
  0
  Votes
  1
  Posts
  79
  Views

  No one has replied

• K

  Issue with slow authentication on squid?
  • killmasta93  

  3
  0
  Votes
  3
  Posts
  105
  Views

  K

  thanks for the reply, i was checking the logs and your right something odd with the active directory but i ended up using the local authentication created all the users
• 

  Squid/Clamav: Wrong redirect URL
  • Pippin  

  7
  0
  Votes
  7
  Posts
  3477
  Views

  K

  @rggolbraich said in Squid/Clamav: Wrong redirect URL: I know its an old post but here is my solution to the same problem. Solution: when I installed pfSense with all packages I use, I gave it a domain name. After some while, i changed the domain name to my DC, somehow SquidClamAV keeps the old data so I get pointed to unavailable address. To fix this issue I edited 2 files: (Diagnostics - Edit File) /usr/local/etc/c-icap/squidclamav.conf /usr/local/etc/c-icap/squidclamav.conf.pfsense Why them both? because every time I edited the .conf file my settings get back to what it was. after changing them both pfSense kept the configuration and problem were fixed. Thanks for this. Two years later and still a bug.
• K

  Proxy Issue wpad?
  • killmasta93  

  11
  0
  Votes
  11
  Posts
  309
  Views

  

  Glad its working for you now.
• X

  2.3 - Squid reinstallation fails
  • xoxys  

  14
  0
  Votes
  14
  Posts
  5252
  Views

  M

  @powerrc This worked for me. Thank you very much.
• K

  Quick Question about LDAP proxy
  • killmasta93  

  1
  0
  Votes
  1
  Posts
  81
  Views

  No one has replied

• R

  pfsense squid not connecting through an upstream proxy
  • rllanes2004  

  1
  0
  Votes
  1
  Posts
  81
  Views

  No one has replied

• L

  help setting the Public Key Pinning in HAProxy
  • luisenrique  

  13
  0
  Votes
  13
  Posts
  269
  Views

  

  We both learned a bit ;) Thanks for the questions, it got me playing with HA proxy and ACME.. I had not had a reason to use them until you brought up the question(s) After that I had no excuse not to use them and fired up a shared port for my openvpn that listens on 443 and then hands off to ha proxy so I can use https with my ombi plex request system via https ;) Win Win all around I would say!