@steve-williams said in ICAP protocol error:

Not sure if this is in the right section but since updating to 2.6 I am now getting random ICAP protocol errors and Clam service stops working. The random website working can be one works and one won't a few hours later they might flip. After a quick Google Pfsense was the top result with a glitch with Squid just wondering if anyone else has been getting issues

I am also encounter the same isssue. Even when I access my website cubes 2048, it announces that it can't be reached. I wonder whether this issue can be solved.

@hugoeyng

I know in Java It would be something like this photo. Again it needs the C programming version of it so you can read the specific error. This photo I have a array that is out of bounds when it prints that element, notice the error is caught. You can do more than print the error you can redirect it to other code also, so if something was missing in that config it could flag it if needed would need more code.

Screenshot 2023-03-24 at 1.45.11 PM.png

Screenshot 2023-03-24 at 1.49.18 PM.png

@viragomann so what utility does he use for this?

And that was the case both with and without Squid enabled?

Hmm, unclear what could cause that then. We might need to see your config directly to know more.

You should add your variation to the open bug for this:
https://redmine.pfsense.org/issues/13984

Steve

Hi @Baker0052 keen to share your haproxy conf. I have the same problem and cannot figure it out.

@jimp Is this issue resolved?

@ryan0413 Did you try re-installing the package?

That would likely need to be a feature request.

@bavcon22
There is no access from the internet to your router possible if it's behind CG-NAT. So no idea how HAproxy should help here.

@aniodon I don't use HA. So, no, it's not enabled.

@jonathanlee The redmine hasnt been actioned. The Git pull request hasnt been approved from what i can tell.
TBH, considering staff is extremely limited i doubt this will ever get resolved. I would instead see if you could pin this thread at the top.

@nopanic Hello all
I have to come back cause the traffic goes only from LAN to OPT. From WAN site I dont get a connection.
Courious: When I do tcp tranparent entries and wnat back to nat-forwarding I have to reboot the machine, so forwarding work again. I have to delete the entries and reboot. Disabling is not enough.

Can someone help?
Tia
Stefan

@jonathanlee said in Squidguard Websitegeometry dash lite:

Hello fellow Netgate community can you please help?
I just noticed that Squidguard.org website seems to be not working,
has anyone else noticed this?

You can check if the website is down for everyone or just for you by using a website monitoring tool like Down For Everyone Or Just Me (https://www.isitdownrightnow.com/). Alternatively, you can try accessing the website from a different device or network to see if the issue is specific to your connection.

@gamehoundsdev NVM im a idiot, I forgot to disable a 443 mapping on nat ..

@j-koopmann You don't need to, it's already there:
Screen_Shot_2023-03-03_at_13_45_05_PM-2.png

You do need to add the FreeBSD repos though, and you're likely going to lose the GUI and there's no saying what going to happen during config changes if you don't remove pfSense's version of HAProxy first because it gets it's config from /cf/conf/config.xml which is updated every time you make a change, the reverse is true as well, if you edit that file the changes are reflected immediately on pfSense, it's pretty cool to test live…if you have snapshots or an editor with undo capabilities.

In /usr/local/etc/pkg/repos/, edit FreeBSD.confand pfSense.conf, change no to yes and that's it. You'll know what I'm talking about when you open the files.

If you decide to do it:
edit /usr/local/etc/pkg/repos/FreeBSD.conf, press ⎋⏎⏎ when you're done. Repeat with the other file.

or:
vi /usr/local/etc/pkg/repos/FreeBSD.conf, press i to switch to insert mode don't try deleting forward or beyond the end/beginning of the line, it's very easy to switch out of insert mode (which should be shown the whole time in the bottom of the window/screen) at which moment the keys on the keyboard can do the most random/destructive things. Press ⎋ to get back into viewing mode and ZZ to save and quit. Repeat with the other file.

Really long sidenote - Do you really want to support QUIC though? Right now you can't control it effectively because it's encrypted and it can be used as a conduit for DoH which is a very effective way of bypassing pfBlockerNG, Unbound and your ruleset protections. Support is not there yet on major forward proxies, it requires more resources on both servers and clients, being based on UDP, it has the same issues UDP has, the advantages I don't even remember what they were but they are minimal compared to http/2 over its predecessor. It sets a pathway for a dark future where you'll just have to MITM everything, manufacturers already refuse to let users/admin install custom certs and I'm sure they'll show even more onerous warnings and make it really difficult if they're forced, making people angry which in turn will blame IT. In the case of home users, "IT" is the guys/girl that knows stuff and gets berated over a Roku not being able to connect over all the ports and protocols it arbitrarily wants.

@ahole4sure no, it is not required if you're using SSL Offloading option on Haproxy frontend. In this case it is better to use http for backend (or issue some internal ssl cert on pfsense for your synology)

@forgekeeper Dang it was worth a try. Sorry it did not fix your issue

@jonathan-young
You can do something like this to insert the /test directory:

In the backend add an ACL:
name: notest
path starts with
"Not" checked
value: /test/

action:
http-request set-path
fmt: /test/%[path]
acl: notest

I stumbled on this old thread looking for similar information, so I'll provide my simple solution for future searchers.

I have similar setup to OP and configured my frontends in the PFSense GUI by referencing the code in the Nextcloud Docs.

Frontend ACL:
ACL.png

Frontend Actions:
Actions.png

@safe Good luck!

I have solved my problem. The issue was that the backend server was only capable of HTTP/1.0. I must have missed this when checking the output. The curl outputs above is against the the HAproxy, and not the backend, and will return the protocol set in frontend, no matter what the backend use. So if anyone else has the same issue, make sure that your backend is using HTTP/1.1 or later.

Anyway I don't know why HAproxy is not able to gzip the output from an HTTP/1.0 backend. Nginx has no problems with this. The solution is to have the Nginx proxy in between the application and HAproxy.

Thanks.

@lavenetz Only one MiaB, so, Standard, I think.

@ben-ihelputech I created a topic a week ago and anyone could say something that help. I am still waiting.

@annwenn installed 23.01 version software.

@jonathanlee

As of 2-24-23 this has been resolved with . . .

"Empty script bytecode-334.cdiff, need to download entire database"

Clamd successfully notified about the update.
bytecode.cvd updated (version: 334, sigs: 91, f-level: 90, builder: anvilleg)
Database test passed.
Testing database: '/var/db/clamav//tmp.a3a9145360/clamav-e149ec24c4c3dccbcffc8540df3d4b2a.tmp-bytecode.cvd' ...
Empty script bytecode-334.cdiff, need to download entire database
bytecode database available for update (local version: 333, remote version: 334)
main.cvd database is up-to-date (version: 62, sigs: 6647427, f-level: 90, builder: sigmgr)
daily.cld database is up-to-date (version: 26821, sigs: 2021707, f-level: 90, builder: raynman)
ClamAV update process started at Thu Feb 23 16:57:00 2023

Screenshot 2023-02-24 at 5.54.34 AM.png

@dochy Nice Config,

Screenshot 2023-02-22 at 10.13.55 PM.png

This is mine, I set specific devices to splice as source,

I have a regex list saved in /usr/local/pkg/url.nobump

after I peak at step1
splice the source addresses like the game system and tablets
after I splice the URLs I have marked as trusted like banks,

and I bump everything else.

Screenshot 2023-02-22 at 10.16.42 PM.png
This is my custom file I have items that won't work correctly with bump like antivirus, some updates, itunes etc.

The main sites I want bumped are sites I do not normally go to, random sites this way it still stops viruses with HTTPS being checked.

Screenshot 2023-02-22 at 10.18.19 PM.png

I hope that helps as it seems like you have some 409 errors look up the server errors "The HTTP 409 status code (Conflict) indicates that the request could not be processed because of conflict in the request"
These sites I would look into splicing if you need them, teams is one I splice its so slow without it.

@bluegrass-168 use https://github.com/mmd123/squid-cache-dynamic_refresh-list for refresh_pattern (note you can always submit pull requests to improve the list).

"Actually, I want to cache every thing as I can."
In order to cache https you need to use SSL Man In the Middle Filtering

However you do not want to mitm everything as it breaks way too many things. So use
Custom Options (SSL/MITM)

than add something like this

acl step1 at_step SslBump1 acl monitoredSites ssl::server_name "/home/bumpsites.txt" ssl_bump bump monitoredSites ssl_bump peek step1 ssl_bump splice all

and at the file location /home/bumpsites.tx add your list of sites you want to decrypt to cache.
Here is a list that i made (NOTE: i have not tested all domains, so if some have issues remove them, eg things like ubisoft.com)
bumpsites.txt

What i did was i went to winget https://github.com/microsoft/winget-pkgs and got a list of the download domains.

This should also cache steam and epic games.

Good luck

Awesome! Thank you!

@jlee_eye

d05bcb5c-2383-47af-a0b5-534b06632500-image.png

Have you tried to play around with the custom options and get one that works well yet? This was the one that consumes less memory and works better for me.