Netgate Discussion Forum
pfSense Packages / Cache/Proxy
• How to make squid transparent proxy to proxy non-80,443 traffic?
  Posted by T3st • 0 votes • 1 post • 7 views
  No one has replied

• Instant Website Redaction Technology Not working
  Posted by JonathanLee • 0 votes • 1 post • 11 views
  No one has replied

• ICAP protocol error
  Posted by Steve Williams • 0 votes • 8 posts • 362 views
  Latest reply:
    @steve-williams said in ICAP protocol error:

      Not sure if this is in the right section, but since updating to 2.6 I am now getting random ICAP protocol errors and the Clam service stops working. The random website behaviour can be: one works and one won't, and a few hours later they might flip. After a quick Google, pfSense was the top result with a glitch with Squid; just wondering if anyone else has been getting issues.

    I am also encountering the same issue. Even when I access my website cubes 2048, it announces that it can't be reached. I wonder whether this issue can be solved.

• connection is not private when using Chrome
  Tags: squid, squid-proxy
  Posted by karimhaydar31 • 0 votes • 1 post • 35 views
  No one has replied

• HAProxy with different Frontend and Backend URLs
  Tags: haproxy
  Posted by mr-elamin2 • 0 votes • 1 post • 43 views
  No one has replied

• The firewall encountered an error after upgrading to 23.01
  Posted by hugoeyng • 1 vote • 44 posts • 1554 views
  Latest reply by JonathanLee:
    @hugoeyng

    I know in Java it would be something like this photo. Again, it needs the C programming version of it so you can read the specific error. In this photo I have an array that is out of bounds when it prints that element; notice the error is caught. You can do more than print the error, you can redirect it to other code also, so if something was missing in that config it could flag it if needed; it would need more code.

    [Screenshot 2023-03-24 at 1.45.11 PM.png]

    [Screenshot 2023-03-24 at 1.49.18 PM.png]

• pfSense NAT, how to find out through what the "NAT + PROXY" function does
  Posted by msibyte • 0 votes • 3 posts • 58 views
  Latest reply:
    @viragomann so what utility does he use for this?

• VPN client on pfSense and squid proxy.
  Posted by Antibiotic • 0 votes • 1 post • 36 views
  No one has replied

• Rewrite host address of backend server
  Posted by jonathan.young • 0 votes • 1 post • 68 views
  No one has replied

• 23.01 Squid issue
  Posted by JonathanLee • 0 votes • 30 posts • 1047 views
  Latest reply by stephenw10:
    And that was the case both with and without Squid enabled?

    Hmm, unclear what could cause that then. We might need to see your config directly to know more.

    You should add your variation to the open bug for this:
    https://redmine.pfsense.org/issues/13984

    Steve

• Matrix Synapse behind HAProxy on pfSense
  Tags: haproxy, matrix, synapse, firewall rules
  Posted by frostys • 0 votes • 3 posts • 848 views
  Latest reply:
    Hi @Baker0052, keen to share your haproxy conf? I have the same problem and cannot figure it out.

• Not understanding the HA Proxy flow for one backend server
  Posted by michmoor • 0 votes • 1 post • 90 views
  No one has replied

• CVE-2023-0056 & CVE-2023-25725 (critical) - haproxy upgrade to 2.2.29 ?
  Posted by Myster_fr • 0 votes • 11 posts • 862 views
  Latest reply:
    @jimp Is this issue resolved?

• Problem with HAproxy after upgrade to 23.01
  Posted by ryan0413 • 0 votes • 2 posts • 245 views
  Latest reply by NollipfSense:
    @ryan0413 Did you try re-installing the package?

• HAProxy: adding map file via GUI?
  Tags: haproxy
  Posted by divemaster90 • 0 votes • 3 posts • 275 views
  Latest reply:
    That would likely need to be a feature request.

• Squid Antivirus Status listing main.cvd version 2021??
  Tags: clamav, squidproxy, antivirus, sg-2100
  Posted by JonathanLee • 0 votes • 1 post • 124 views
  No one has replied

• Squid Advanced Filtering and consumer Google accounts/Google Accounts Domains??
  Tags: google, squid-proxy, access control, cloud
  Posted by JonathanLee • 0 votes • 1 post • 117 views
  No one has replied

• Reverse proxy to bypass CG-NAT to gain access to OpenVPN
  Posted by bavcon22 • 0 votes • 2 posts • 159 views
  Latest reply:
    @bavcon22
    No access from the internet to your router is possible if it's behind CG-NAT. So no idea how HAproxy should help here.

• 23.01 - SquidGuard
  Posted by yaw • 2 votes • 9 posts • 645 views
  Latest reply:
    @aniodon I don't use HA. So, no, it's not enabled.

• Youtube content getting filtered on Squid
  Posted by themaharshpatel • 1 vote • 22 posts • 920 views
  Latest reply:
    @jonathanlee The redmine hasn't been actioned. The Git pull request hasn't been approved from what I can tell.
    TBH, considering staff is extremely limited, I doubt this will ever get resolved. I would instead see if you could pin this thread at the top.

• ha proxy ssh add backend IP stops ssh connect
  Posted by nopanic • 0 votes • 14 posts • 736 views
  Latest reply:
    @nopanic Hello all,
    I have to come back because the traffic goes only from LAN to OPT. From the WAN side I don't get a connection.
    Curious: when I do TCP transparent entries and want to go back to NAT forwarding, I have to reboot the machine so forwarding works again. I have to delete the entries and reboot. Disabling is not enough.

    Can someone help?
    TIA
    Stefan

• Squidguard Website
  Posted by JonathanLee • 0 votes • 10 posts • 608 views
  Latest reply:
    @jonathanlee said in Squidguard Website:

      Hello fellow Netgate community, can you please help?
      I just noticed that the Squidguard.org website seems to be not working;
      has anyone else noticed this?

    You can check if the website is down for everyone or just for you by using a website monitoring tool like Down For Everyone Or Just Me (https://www.isitdownrightnow.com/). Alternatively, you can try accessing the website from a different device or network to see if the issue is specific to your connection.

• HaProxy Internal server error main site
  Tags: haproxy, reverse proxy, pfsense+, domain, ssl
  Posted by GameHoundsDev • 0 votes • 2 posts • 234 views
  Latest reply:
    @gamehoundsdev NVM, I'm an idiot, I forgot to disable a 443 mapping on NAT.

• HAProxy QUIC support
  Posted by j.koopmann • 0 votes • 2 posts • 381 views
  Latest reply by senseivita:
    @j-koopmann You don't need to, it's already there:
    [Screen_Shot_2023-03-03_at_13_45_05_PM-2.png]

    You do need to add the FreeBSD repos though, and you're likely going to lose the GUI, and there's no saying what's going to happen during config changes if you don't remove pfSense's version of HAProxy first, because it gets its config from /cf/conf/config.xml, which is updated every time you make a change. The reverse is true as well: if you edit that file, the changes are reflected immediately on pfSense. It's pretty cool to test live… if you have snapshots or an editor with undo capabilities.

    In /usr/local/etc/pkg/repos/, edit FreeBSD.conf and pfSense.conf, change no to yes and that's it. You'll know what I'm talking about when you open the files.

    If you decide to do it:
    edit /usr/local/etc/pkg/repos/FreeBSD.conf, press ⎋⏎⏎ when you're done. Repeat with the other file.

    or:
    vi /usr/local/etc/pkg/repos/FreeBSD.conf, press i to switch to insert mode. Don't try deleting forward or beyond the end/beginning of the line; it's very easy to switch out of insert mode (which should be shown the whole time at the bottom of the window/screen), at which moment the keys on the keyboard can do the most random/destructive things. Press ⎋ to get back into viewing mode and ZZ to save and quit. Repeat with the other file.

    Really long sidenote - Do you really want to support QUIC though? Right now you can't control it effectively because it's encrypted, and it can be used as a conduit for DoH, which is a very effective way of bypassing pfBlockerNG, Unbound and your ruleset protections. Support is not there yet on major forward proxies, it requires more resources on both servers and clients, and being based on UDP it has the same issues UDP has; the advantages, I don't even remember what they were, but they are minimal compared to http/2 over its predecessor. It sets a pathway for a dark future where you'll just have to MITM everything; manufacturers already refuse to let users/admins install custom certs, and I'm sure they'll show even more onerous warnings and make it really difficult if they're forced, making people angry, who in turn will blame IT. In the case of home users, "IT" is the guy/girl that knows stuff and gets berated over a Roku not being able to connect over all the ports and protocols it arbitrarily wants.

• Using SSL offloading to access Services
  Tags: ssl, haproxy, nas
  Posted by ahole4sure • 0 votes • 2 posts • 409 views
  Latest reply:
    @ahole4sure no, it is not required if you're using the SSL Offloading option on the HAProxy frontend. In this case it is better to use HTTP for the backend (or issue some internal SSL cert on pfSense for your Synology).

• Squidguard Menu MISSING after 23.01 update
  Posted by forgekeeper • 0 votes • 7 posts • 352 views
  Latest reply by JonathanLee:
    @forgekeeper Dang, it was worth a try. Sorry it did not fix your issue.

• How to make HAProxy path use backend (including links/scripts)?
  Tags: haproxy
  Posted by jonathan.young • 0 votes • 4 posts • 293 views
  Latest reply:
    @jonathan-young
    You can do something like this to insert the /test directory:

    In the backend add an ACL:
      name: notest
      path starts with
      "Not" checked
      value: /test/

    action:
      http-request set-path
      fmt: /test/%[path]
      acl: notest

• HAProxy Nextcloud WebDAV URL Discovery
  Posted by bradi • 0 votes • 5 posts • 675 views
  Latest reply:
    I stumbled on this old thread looking for similar information, so I'll provide my simple solution for future searchers.

    I have a similar setup to OP and configured my frontends in the pfSense GUI by referencing the code in the Nextcloud Docs.

    Frontend ACL:
    [ACL.png]

    Frontend Actions:
    [Actions.png]

• ClamAV CVE-2023-20032 and CVE-2023-20052 - Update for Squid?
  Posted by APGBurns • 0 votes • 1 post • 219 views
  No one has replied

• HAProxy warning after 23.01 upgrade: ca-file: 0 CA were loaded from '@system-ca'
  Posted by safe • 0 votes • 17 posts • 496 views
  Latest reply by NightlyShark:
    @safe Good luck!

• HAProxy backend port changes are not applied
  Posted by safe • 0 votes • 1 post • 199 views
  No one has replied

• gzip compression in HAProxy
  Posted by sommer_75 • 0 votes • 3 posts • 789 views
  Latest reply:
    I have solved my problem. The issue was that the backend server was only capable of HTTP/1.0. I must have missed this when checking the output. The curl outputs above are against HAproxy, and not the backend, and will return the protocol set in the frontend, no matter what the backend uses. So if anyone else has the same issue, make sure that your backend is using HTTP/1.1 or later.

    Anyway, I don't know why HAproxy is not able to gzip the output from an HTTP/1.0 backend. Nginx has no problems with this. The solution is to have the Nginx proxy in between the application and HAproxy.

    Thanks.

• HAProxy on pfSense anomaly
  Posted by LAVenetz • 0 votes • 15 posts • 741 views
  Latest reply by NightlyShark:
    @lavenetz Only one MiaB, so, Standard, I think.

• Squid Guard PHP error after upgrade to 23.01
  Posted by ben-ihelputech • 1 vote • 2 posts • 388 views
  Latest reply by hugoeyng:
    @ben-ihelputech I created a topic a week ago and no one could say something that helps. I am still waiting.

• 23.01 and very noticeable proxy speed increase
  Posted by JonathanLee • 1 vote • 3 posts • 362 views
  Latest reply by JonathanLee:
    @annwenn installed 23.01 version software.

• Squid ClamAV showing bytecode errors for version 334
  Posted by JonathanLee • 0 votes • 2 posts • 490 views
  Latest reply by JonathanLee:
    @jonathanlee

    As of 2-24-23 this has been resolved with . . .

    "Empty script bytecode-334.cdiff, need to download entire database"

      Clamd successfully notified about the update.
      bytecode.cvd updated (version: 334, sigs: 91, f-level: 90, builder: anvilleg)
      Database test passed.
      Testing database: '/var/db/clamav//tmp.a3a9145360/clamav-e149ec24c4c3dccbcffc8540df3d4b2a.tmp-bytecode.cvd' ...
      Empty script bytecode-334.cdiff, need to download entire database
      bytecode database available for update (local version: 333, remote version: 334)
      main.cvd database is up-to-date (version: 62, sigs: 6647427, f-level: 90, builder: sigmgr)
      daily.cld database is up-to-date (version: 26821, sigs: 2021707, f-level: 90, builder: raynman)
      ClamAV update process started at Thu Feb 23 16:57:00 2023

    [Screenshot 2023-02-24 at 5.54.34 AM.png]

• Squid MITM Problem
  Posted by dochy • 0 votes • 2 posts • 433 views
  Latest reply by JonathanLee:
    @dochy Nice Config,

    [Screenshot 2023-02-22 at 10.13.55 PM.png]

    This is mine. I set specific devices to splice as source.

    I have a regex list saved in /usr/local/pkg/url.nobump

    After I peek at step1,
    I splice the source addresses like the game system and tablets,
    then I splice the URLs I have marked as trusted like banks,

    and I bump everything else.

    [Screenshot 2023-02-22 at 10.16.42 PM.png]
    This is my custom file. I have items that won't work correctly with bump, like antivirus, some updates, iTunes etc.

    The main sites I want bumped are sites I do not normally go to, random sites; this way it still stops viruses, with HTTPS being checked.

    [Screenshot 2023-02-22 at 10.18.19 PM.png]

    I hope that helps. As it seems like you have some 409 errors, look up the server errors: "The HTTP 409 status code (Conflict) indicates that the request could not be processed because of conflict in the request."
    These sites I would look into splicing if you need them; Teams is one I splice, it's so slow without it.

• The local Disk cache only uses 10M, is that normal and is my cache working well?
  Posted by bluegrass-168 • 0 votes • 4 posts • 486 views
  Latest reply:
    @bluegrass-168 use https://github.com/mmd123/squid-cache-dynamic_refresh-list for refresh_pattern (note you can always submit pull requests to improve the list).

    "Actually, I want to cache everything I can."
    In order to cache https you need to use SSL Man In the Middle Filtering.

    However, you do not want to MITM everything as it breaks way too many things. So use
    Custom Options (SSL/MITM)

    then add something like this:

      acl step1 at_step SslBump1
      acl monitoredSites ssl::server_name "/home/bumpsites.txt"
      ssl_bump bump monitoredSites
      ssl_bump peek step1
      ssl_bump splice all

    and at the file location /home/bumpsites.txt add your list of sites you want to decrypt to cache.
    Here is a list that I made (NOTE: I have not tested all domains, so if some have issues remove them, e.g. things like ubisoft.com)
    [bumpsites.txt]

    What I did was I went to winget https://github.com/microsoft/winget-pkgs and got a list of the download domains.

    This should also cache Steam and Epic Games.

    Good luck

• I'd like to combine different ACLs and order them in HAProxy
  Posted by wgold • 0 votes • 3 posts • 371 views
  Latest reply:
    Awesome! Thank you!

• Our clamd service stops working
  Tags: clamd
  Posted by jlee_eye • 0 votes • 5 posts • 565 views
  Latest reply by JonathanLee:
    @jlee_eye

    [d05bcb5c-2383-47af-a0b5-534b06632500-image.png]

    Have you tried to play around with the custom options and get one that works well yet? This was the one that consumes less memory and works better for me.