I have tested this with a simple unencrpted echoserver (ncat) and using telnet. HAProxy simply DOES NOT work with tcp. Where should I be loking? I have tcpdumped the hell ouf of everything, but when there is no life, there is nothing to dump.

@andrew_cb ChatGPT had the right idea but gave me 100 different places to put "load-server-state-from-file none". Your post was worth more than ChatGPT could ever offer!

I even tried deleting and creating a new certificate. Any suggestions?

You can also do ACL modes where subnets can be told to bypass the proxy if needed

The same thing hit me when upgrading to 25.07.1 this morning. I moved libc++.so.1 to /root and squid started normally. When I was experiencing the issue it looked like this in my system log: /rc.filter_configure_sync: [squid] Installed but not started. Not installing 'nat' rules. /rc.filter_configure_sync: [squid] Installed but not started. Not installing 'pfearly' rules. /rc.filter_configure_sync: [squid] Installed but not started. Not installing 'filter' rules. sshd[12272]: error: connect_to [interface_to_listen_on] port 3128: failed. Squid_Alarm[34120]: Squid has exited. Reconfiguring filter. Squid_Alarm[35230]: Attempting restart... The sshd error is from my ssh connection where I tunnel my websurfing to my home router. Since squid wasn't listening on the specified port sshd could not make the connection. All well now.

You can run via SSH or Diagnostics -> Command prompt squid -k parse and paste output here.

@firefox I don’t think so, to be honest with you I am on an older version also. Just make sure you do the patch package and install all the system patches.

@qupfer What did I bang my head over this strange 502 issue. Your solution did it! Thank you so much, even 2.5 years later!

Request for Continued Support of Squid Package Dear Netgate Team, Could we please continue to support the Squid package? The upstream project has already resolved the known security issues, and it appears the main task remaining is updating the package to accommodate the recent PHP changes affecting the status page and address the decode issue. I’m unsure how to address this on my end and would greatly appreciate any guidance. Has anyone else looked into this, or is there a fix currently in progress? Thank you for your time and support. Jonathan Lee

@andrew_cb said in haproxy 0.63_2 weird behavior, edits not working: @iSagen @TheCyborgWeasel The issue is likely the same as in https://forum.netgate.com/topic/178348/haproxy-backend-port-changes-are-not-applied/ Try adding load-server-state-from-file none to the Advanced Settings > Backend pass thru section of each backend. Great! I will do this.

Hi Andrew, thanks for the tip. I forgot reply here. In our case, the problem was the hardware. Since 2013 I use the same hardware an Athlon LE-1620(1 Core) with 2GB. Some months ago, we created an app with many HAProxy rules and the access is growing. We bought one fanless with Intel J6426 and 8GB and now it´s work fine.

@andrew_cb Thank you for the answer In the end it was a problem that any new backend i added just did not register, i confirm it by taking an existing one and overriding it and it worked so i want the nuclear option and just installed the entire pfsense because installing the haproxy did not help.

@viragomann Thank you, I had that a bit flipped in my mind!

@BelluX The Shared-Frontends message is because you have two different frontends configured that are listening on the same IP address and port. To resolve this error, you must choose the option Shared Frontend on the second frontend. However, if you do this, HAProxy will give an error that all shared frontends must be of the same type (you cannot mix http/https (offloading) with ssl/https (TCP mode). This is how I set up HAProxy to support mixed offloading and passthrough: Create a Backend called tcp_to_https which goes to server 127.0.0.1:4443 and Encrypt(SSL) is set to No. Create a Frontend called SSL_Termination that listens on port 4443. Enable SSL Offloading. Add all your ACLs and Actions like normal. Create a Frontend called SSL_Passthrough that listens on port 443 but do not enable SSL Offloading. Set it to ssl / https (TCP mode). Add ACLs using Server Name Indication TLS extension ends with for the hostnames that you want to pass through directly to the backends. Set the Default Backend to tcp_to_https. The way this works is HAProxy receives the request, it checks if the SNI matches the ACLs, and passes it through directly to the backends without performing SSL offloading. Otherwise, it passes the request to the default backend tcp_to_https, which connects to the frontend SSL_Termination, where the connections are processed a second time, this time performing SSL offloading.

@mojtaba-key For anyone reading this, the issue is likely the same as in https://forum.netgate.com/topic/178348/haproxy-backend-port-changes-are-not-applied/ The solution is to add load-server-state-from-file none to the Advanced Settings > Backend pass thru section of each backend.

@NickyDoes The issue is likely the same as in https://forum.netgate.com/topic/178348/haproxy-backend-port-changes-are-not-applied/ Try adding load-server-state-from-file none to the Advanced Settings > Backend pass thru section of each backend.

Retested on 24.11-RELEASE (amd64) all seems to work. So it seems right to file a bug for this issue.