• What is the most suitable tool to replace Squid?

    0 Votes
    11 Posts
    340 Views
    JonathanLeeJ
    Squid can be configured externally, I would love a how to guide on how to do this correctly.
  • Please help to configure HAProxy to serve certifficate on internal LAN too

    1 Votes
    30 Posts
    507 Views
    tinfoilmattT
    @johnpoz said in Please help to configure HAProxy to serve certifficate on internal LAN too:

    > Yeah - what part do you not understand if you always resolve nextcloud.domain.tld so that it hits your haproxy on your pfsense wan IP are you not getting?
    >
    > You have 2 options - use a different domain internally and always go to nextcloud.publicdomain.tld, or use the same domain internally as external and run into the problem of what IP it resolves to..
    >
    > Change your local domain to say home.arpa or .internal or at least something different than the public domain you're using to point to pfsense wan IP on the public internet.
    >
    > You are shooting yourself in the foot trying to use the same domain externally as internally. There are ways around it, but they complicate the setup. For example you might be able to use views in unbound as one way to work around the problem. You could use only host entries for all your resources. But then again you run into a problem of using the fqdn for this service, now always pointing to your wan IP.. And that is great when you want to access the service haproxy is doing - but if you want to access that resource on some other service that haproxy doesn't handle - like say simple file sharing.. You are going to have problems.
    >
    > Since you clearly do not understand how any of this works - the simple solution is change the local domain you are using so it is not the same as the public domain you want to use to get to your nextcloud.

    This tone is outrageous directed at somebody who acknowledged right off the rip that English is not their first language. How many languages do you speak, John? And safely assuming it's only one—English of course—take it from a fellow English native that you'd do well to say more with fewer words. You otherwise were directing OP in the right direction in my opinion.
  • Haproxy backend configuration

    0 Votes
    6 Posts
    1k Views
    M
    @xttenza said in Haproxy backend configuration:
    backend pass thru
        http-request set-header Host onesite.com
        option httpchk GET /
        http-check send hdr Host onesite.com
    The above worked for me as well. This is the solution.
  • HAProxy ssl offloading not working

    0 Votes
    1 Posts
    88 Views
    No one has replied
  • Solved: HAProxy 503 Proxy Error Caused by Duplicate Backend IDs

    0 Votes
    1 Posts
    52 Views
    No one has replied
  • HAProxy issue: Frontend works on 51443, not on 443

    0 Votes
    4 Posts
    241 Views
    S
    mysteriously works again after a gitlab-upgrade. strange ...
  • Adding a Path in Backend Config

    0 Votes
    4 Posts
    174 Views
    U
    @wifi75 your table shows port 80, not 443 for https
  • Web Proxy Squid Can Leak Credentials

    0 Votes
    2 Posts
    206 Views
    GertjanG
    @BerndHu See : "Squid make sure to set “email_err_data off”".
  • Squid make sure to set “email_err_data off”

    squid cve workaround
    0 Votes
    2 Posts
    853 Views
    JonathanLeeJ
    Set this inside of custom options like Example: [image: 1760709794107-screenshot-2025-10-17-at-07.01.42.png] (ignore ssl_engine)
    Afterwards, run squid -k parse and you should see this within the tests if you have no errors and it moves to the next time you have the work around.
        2025/10/17 07:02:07| Processing: ssl_engine devcrypto
        2025/10/17 07:02:07| Processing: email_err_data off
  • Squid Status Page

    0 Votes
    9 Posts
    4k Views
    JonathanLeeJ
    https://redmine.pfsense.org/issues/15410
    Squid also released …
    “The Squid HTTP Proxy team is very pleased to announce the availability of the Squid-7.2 release!
    This release is, we believe, stable enough for general production use. We encourage all users of any previous version of Squid to upgrade to it.
    It can be downloaded from GitHub, at https://github.com/squid-cache/squid/releases/tag/SQUID_7_2
    Since version 7.1, squid offers many security fixes and improvements; details can be found in the release notes and in the changelog.
    Please remember to run "squid -k parse" when testing the upgrade to a new version of Squid. It will audit your configuration files and report any identifiable issues the new release will have in your installation before you "press go".
    If you encounter any issues with this release please file a bug report at https://bugs.squid-cache.org/
    -- Francesco Chemolli”
  • Squid Reverse Proxy - Redirect to https does not work

    0 Votes
    1 Posts
    115 Views
    No one has replied
  • 0 Votes
    21 Posts
    7k Views
    D
    I "manually" fixed this issue easily, without moving any library anywhere, because that could break other executables that depend on libc++.so.
    Simply: scp the squid binary to your FreeBSD/Linux Desktop. If you do:
        patchelf --print-rpath squid
    You will see:
        /usr/local/lib:/usr/lib:/usr/local/lib
    This is the default RPATH of the executable. We can change this by doing:
        patchelf --set-rpath /lib:/usr/local/lib:/usr/lib:/usr/local/lib squid
    This will force squid to look into the /lib folder first. There lives a version of libc++.so.1 that is compatible with squid.
    After this, just copy back the squid executable to /usr/local/sbin/ .
    Problem solved.
  • HAProxy CVE-2025-11230

    0 Votes
    1 Posts
    131 Views
    No one has replied
  • HAproxy with tcp - problems on 2.8.1

    0 Votes
    4 Posts
    6k Views
    T
    After many days of intense swearing (HAproxy is now referred to as piece of shit in my internal lingo), this is where we are.
    pfSense generates the config.xml with proper <ssl>yes</ssl>
    pfSense generates the haproxy.cfg with proper server "id 102 ssl verify none"
    But even after restarts, haproxy still does not bridge
        printf 'show servers state\n' | socat - UNIX-CONNECT:/tmp/haproxy.socket
        101 TEST-ldap.mintsecurity.fi_ipvANY 102 login-02.ipa.mintsecurity.fi 10.98.0.25 2 0 1 1 1340 9 3 4 0 0 1 1 - 8443 - 0 0 - - 0
    But the culprit is /tmp/haproxy_server_state. Delete that, restart, and then:
        101 TEST-ldap.mintsecurity.fi_ipvANY 102 login-02.ipa.mintsecurity.fi 10.98.0.25 2 0 1 1 449 1 0 2 0 0 1 1 - 8443 - 1 0 - - 0
    You see, the very important 0 that turned into a 1.
    I have NO IDEA if this issue now is persistent, if every modification will require the deletion of the state file.
  • HAProxy backend port changes are not applied

    3 Votes
    18 Posts
    7k Views
    J
    @andrew_cb ChatGPT had the right idea but gave me 100 different places to put "load-server-state-from-file none". Your post was worth more than ChatGPT could ever offer!
  • 0 Votes
    2 Posts
    4k Views
    E
    I even tried deleting and creating a new certificate. Any suggestions?
  • squid explicit proxy bypass private ip

    0 Votes
    3 Posts
    4k Views
    JonathanLeeJ
    You can also do ACL modes where subnets can be told to bypass the proxy if needed
  • Unable to run squid proxy server after upgrading from 2.7.2 to 2.8.0

    0 Votes
    5 Posts
    4k Views
    Y
    You can run via SSH or Diagnostics -> Command prompt squid -k parse and paste output here.
  • Squidguard problem after upgrading from version 2.7.2 to version 2.8.0

    Moved
    0 Votes
    33 Posts
    5k Views
    JonathanLeeJ
    @firefox I don’t think so, to be honest with you I am on an older version also. Just make sure you do the patch package and install all the system patches.
  • HAProxy for User Control Panel (UCP) on freepbx

    haproxy freepbx
    0 Votes
    5 Posts
    2k Views
    J
    @qupfer What did I bang my head over this strange 502 issue. Your solution did it! Thank you so much, even 2.5 years later!
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.