• Pfsense 2.4.2 ssl filtering using spliceall problem

    1
    0 Votes
    1 Posts
    646 Views
    No one has replied
  • Squidguard HTTPS

    6
    0 Votes
    6 Posts
    997 Views
    KOMK

    https://doc.pfsense.org/index.php/WPAD_Autoconfigure_for_Squid

  • [Solved] Router Transparent Forward Proxy Squid EXTREMELY slow

    11
    0 Votes
    11 Posts
    3k Views
    J

    Thanks. Today the issue returned and, being suspicious, I checked on another computer bypassing my whole pfSense setup (directly on corporate LAN) and the same issue exists. I'm confident it is an issue with the upstream proxy.

    I'm going to mark this thread as solved, but I'm sure I'll be back in a day or 2 with a new issue as I try and bring this thing up. Thanks for the help, seems like a strong community.  :)

  • Squid Cache Throttling QOS

    6
    0 Votes
    6 Posts
    1k Views
    KOMK

    Your LAN has a lot more bandwidth than your WAN usually.  I'm not a QoS expert but I think shaping on LAN is only useful if you have multiple LANs and you're trying to control the traffic between them.

  • Save all squid logs

    2
    0 Votes
    2 Posts
    445 Views
    KOMK

    Services - Squid - General - Logging Settings - Log Store Directory

    Just copy them out and back.

  • Group ACL not working

    2
    0 Votes
    2 Posts
    683 Views
    perikoP

    You are speaking about squid + SG?

    How are you doing the auth?

  • HAProxy actions order

    5
    0 Votes
    5 Posts
    3k Views
    D

    Thank you for the link…
    Interesting behavior, I might be able to test this by editing config manually and see for myself :)

    Still, not telling UI user that his order of actions won't work is bad :(

  • HAProxy - SSL OffLoading Fine, Adding SSH to the Mix and Stuck

    9
    0 Votes
    9 Posts
    4k Views
    P

    Using SNI does not need decryption of the traffic, so it should be possible to not configure any certificate on the 1443 frontend, and keep the is_ssh payload check and have it working like that.

    Or perhaps this helps?: https://marc.info/?l=haproxy&m=132375969032305&w=2

  • Has anyone used this guide to set up squid for https ssl caching

    4
    0 Votes
    4 Posts
    2k Views
    M

    v1

    ######cache Pfsense
    refresh_pattern -i .(gif|png|ico|jpg|jpeg|jp2|webp)$ 100000 90% 200000 override-expire reload-into-ims ignore-no-store ignore-private refresh-ims
    refresh_pattern -i .(jpx|j2k|j2c|fpx|bmp|tif|tiff|bif)$ 100000 90% 20000 override-expire reload-into-ims ignore-no-store ignore-private refresh-ims
    refresh_pattern -i .(pcd|pict|rif|exif|hdr|bpg|img|jif|jfif)$ 100000 90% 200000 override-expire reload-into-ims ignore-no-store ignore-private refresh-ims
    refresh_pattern -i .(woff|woff2|eps|ttf|otf|svg|svgi|svgz|ps|ps1|acsm|eot)$ 100000 90% 200000 override-expire reload-into-ims ignore-no-store ignore-private refresh-ims
    #cache content
    refresh_pattern -i .(swf|js|ejs)$ 100000 90% 200000 override-expire reload-into-ims ignore-no-store ignore-private refresh-ims
    refresh_pattern -i .(wav|css|class|dat|zsci|ver|advcs)$ 100000 90% 200000 override-expire reload-into-ims ignore-no-store ignore-private refresh-ims
    #cache videos
    refresh_pattern -i .(mpa|m2a|mpe|avi|mov|mpg|mpeg|mpg3|mpg4|mpg5)$ 100000 90% 200000 override-expire reload-into-ims ignore-no-store ignore-private refresh-ims
    refresh_pattern -i .(m1s|mp2v|m2v|m2s|m2ts|mp2t|wmx|rm|rmvb|3pg|3gpp|omg|ogm|asf|war)$ 100000 90% 200000 override-expire reload-into-ims ignore-no-store ignore-private refresh-ims
    refresh_pattern -i .(asx|mp2|mp3|mp4|mp5|wmv|flv|mts|f4v|f4|pls|midi|mid)$ 100000 90% 200000 override-expire reload-into-ims ignore-no-store ignore-private refresh-ims
    refresh_pattern -i .(htm|html)$ 9440 90% 200000 reload-into-ims ignore-no-store ignore-private refresh-ims
    refresh_pattern -i .(xml|flow|asp|aspx)$ 0 90% 200000 refresh-ims
    refresh_pattern -i .(json)$ 0 90% 200000 refresh-ims
    refresh_pattern -i (/cgi-bin/|\?) 0 90% 200000
    #cache binaries
    refresh_pattern -i .(app|bin|deb|rpm|drpm|exe|zip|zipx|tar|tgz|tbz2|tlz|iso|arj|cfs|dar|jar)$ 100000 90% 200000 override-expire reload-into-ims ignore-no-store ignore-private refresh-ims
    refresh_pattern -i .(bz|bz2|ipa|ram|rar|uxx|gz|msi|dll|lz|lzma|7z|s7z|Z|z|zz|sz)$ 100000 90% 200000 override-expire reload-into-ims ignore-no-store ignore-private refresh-ims
    refresh_pattern -i .(exe|msi)$ 0 90% 200000 refresh-ims
    refresh_pattern -i .(cab|psf|vidt|apk|wtex|hz|ova|ovf)$ 100000 90% 200000 override-expire reload-into-ims ignore-no-store ignore-private refresh-ims
    #cache microsoft and adobe and other documents
    refresh_pattern -i .(ppt|pptx|doc|docx|docm|docb|dot|pdf|pub|ps)$ 100000 90% 200000 override-expire reload-into-ims ignore-no-store ignore-private refresh-ims
    refresh_pattern -i .(xls|xlsx|xlt|xlm|xlsm|xltm|xlw|csv|txt)$ 100000 90% 200000 override-expire reload-into-ims ignore-no-store ignore-private refresh-ims

    #cache antivirus sites
    refresh_pattern -i ^http://liveupdate.symantecliveupdate.com.(zip)$ 0 0% 0
    refresh_pattern -i ^http://avast.com.(vpu|vpaa)$ 0 0% 0
    refresh_pattern -i ^http://premium.avira-update.com.(gz)$ 0 0% 0
    refresh_pattern -i ^http://guru.avg.com.(bin)$ 0 0% 0
    refresh_pattern -i ^http://avira.com.(idx|gz)$ 0 0% 0
    refresh_pattern -i ^http://kaspersky.com.(avc)$ 0 0% 0

    #cache OS update
    refresh_pattern -i microsoft.com/..(cab|exe|msi|msu|msf|asf|wma|dat|zip)$ 4320 80% 43200 reload-into-ims refresh-ims
    refresh_pattern -i windowsupdate.com/..(cab|exe|msi|msu|msf|asf|wma|wmv|dat|zip)$ 4320 80% 43200 reload-into-ims refresh-ims
    refresh_pattern -i windows.com/..(cab|exe|msi|msu|msf|asf|wmv|wma|dat|zip)$ 4320 80% 43200 reload-into-ims refresh-ims
    refresh_pattern -i apple.com/..(cab|exe|msi|msu|msf|asf|wmv|wma|dat|zip|dist)$ 0 80% 43200 reload-into-ims refresh-ims

    #Youtube Video

    refresh_pattern -i (get_video?|videoplayback?|videodownload?|.mp4|.webm|.flv|((audio|video)/(webm|mp4))) 241920 100% 241920 override-expire ignore-reload ignore-private ignore-no-store ignore-must-revalidate reload-into-ims ignore-auth store-stale
    refresh_pattern -i ^https?://..googlevideo.com/videoplayback.    10080 99% 43200 override-lastmod override-expire ignore-reload reload-into-ims ignore-private reload-into-ims ignore-auth store-stale
    refresh_pattern -i ^https?://..googlevideo.com/videoplayback.$    241920 100% 241920 override-expire ignore-reload ignore-private ignore-no-store ignore-must-revalidate reload-into-ims ignore-auth store-stale

    #Image Youtube

    refresh_pattern -i (yimg|twimg).com.*        1440 100% 129600 override-expire ignore-reload reload-into-ims
    refresh_pattern -i (ytimg|ggpht).com.*        1440 80% 129600 override-expire override-lastmod ignore-auth ignore-reload reload-into-ims

    #images facebook
    refresh_pattern -i fbcdn.net/..((jp(e?g|e|2)|gif|pn[pg]|bm?|tiff?|ico|swf|css|js)|(jp(e?g|e|2)|gif|pn[pg]|bm?|tiff?|ico|swf|css|js)(?|.$)) 241920 99% 241920 ignore-no-store ignore-private override-expire override-lastmod reload-into-ims ignore-auth
    refresh_pattern -i pixel.facebook.com..(jpg|png|gif|ico|css|js) 241920 80% 241920 override-expire ignore-reload reload-into-ims ignore-auth
    refresh_pattern -i .akamaihd.net..(jpg|png|gif|ico|css|js) 241920 80% 241920 override-expire ignore-reload reload-into-ims ignore-auth
    refresh_pattern -i ((facebook.com)|(85.131.151.39)).(jpg|png|gif) 241920 99% 241920 ignore-reload override-expire ignore-no-store store-stale
    refresh_pattern -i fbcdn.net/..((jp(e?g|e|2)|gif|pn[pg]|bm?|tiff?|ico|swf|css|js)|(jp(e?g|e|2)|gif|pn[pg]|bm?|tiff?|ico|swf|css|js)(?|.$)) 241920 99% 241920 ignore-no-store ignore-private override-expire override-lastmod reload-into-ims ignore-auth
    refresh_pattern static.(xx|ak).fbcdn.net.(jpg|gif|png) 241920 99% 241920 ignore-reload override-expire ignore-no-store
    refresh_pattern ^https?://profile.ak.fbcdn.net*.(jpg|gif|png) 241920 99% 241920 ignore-reload override-expire ignore-no-store

    #Video Facebook

    refresh_pattern -i .video.ak.fbcdn.net.*.(mp4|flv|mp3|amf)                    10080 80% 43200 override-expire ignore-reload reload-into-ims ignore-private ignore-no-store ignore-must-revalidate
    refresh_pattern (audio|video)/(webm|mp4) 129600 99% 129600 ignore-reload override-expire override-lastmod ignore-must-revalidate  ignore-private ignore-no-store ignore-auth store-stale
    refresh_pattern -i ^http://.squid.internal.  241920 100% 241920 override-lastmod override-expire ignore-reload ignore-must-revalidate ignore-private ignore-no-store ignore-auth store-stale

    v2 currently using it with some editing for my preference from https://forum.pfsense.org/index.php?topic=111518.0

    #new refresh patterns 3
    acl Windows_Update dstdomain windowsupdate.microsoft.com
    acl Windows_Update dstdomain .update.microsoft.com
    acl Windows_Update dstdomain download.windowsupdate.com
    acl Windows_Update dstdomain www.download.windowsupdate.com
    acl Windows_Update dstdomain au.download.windowsupdate.com
    acl Windows_Update dstdomain bg.v4.pr.dl.ws.microsoft.com

    #new refresh patterns 2
    refresh_pattern -i (.|-)(ini|def|sig|upt|mid|midi|mpg|mpeg|ram|cav|acc|alz|apk|at3|bke|arc|ass|ba|big|bik|bkf|bld|c4|cals|clipflair|cpt|daa|dmg|ddz|dpe|egg|egt|ecab|ess|esd|gho|ghs|gz|ipg|jar|lbr|lqr|lha|lz|lzo|lzma|lzx|mbw|mc.meta|mpq|nth|osz|pak|par|par2|paf|pyk|pk3|pk4|rag|sen|sitx|skb|tb|tib|uha|uue|viv|vsa|z|zoo|nrg|adf|adz|dms|dsk|d64|sdi|mds|mdx|cdi|cue|cif|c2d|daa|b6t)(?.*)?$ 43200 100% 432000 override-expire override-lastmod reload-into-ims ignore-reload ignore-no-cache ignore-no-store ignore-private ignore-auth
    #end new refresh patterns 2

    #new refresh patterns
    refresh_pattern -i (.|-)(mp3|m4a|aa?c3?|wm?av?|og(x|v|a|g)|ape|mka|au|aiff|zip|flac|m4(b|r)|m1v|m2(v|p)|mo(d|v)|arj|appx|lha|lzh|on2)(?.)?$ 43200 100% 432000 override-expire override-lastmod reload-into-ims ignore-reload ignore-no-cache ignore-no-store ignore-private ignore-auth
    refresh_pattern -i (.|-)(exe|bin|(n|t)ar|acv|(r|j)ar|t?gz|(g|b)z(ip)?2?|7?z(ip)?|wm[v|a]|patch|diff|mar|vpu|inc|r(a|p)m|kom|iso|sys|[ap]sf|ms[i|u|f]|dat|msi|cab|psf|dvr-ms|ace|asx|qt|xt|esd)(?.)?$ 43200 100% 432000 override-expire override-lastmod reload-into-ims ignore-reload ignore-no-cache ignore-no-store ignore-private ignore-auth
    refresh_pattern -i (.|-)(ico(.)?|pn[pg]|css|(g|t)iff?|jpe?g(2|3|4)?|psd|c(d|b)r|cad|bmp|img)(?.)?$ 43200 100% 432000 override-expire override-lastmod reload-into-ims ignore-reload ignore-no-cache ignore-no-store ignore-private ignore-auth
    refresh_pattern -i (.|-)(webm|(x-)?swf|mp(eg)?(3|4)|mpe?g(av)?|(x-)?f(l|4)v|divx?|rmvb?|mov|trp|ts|avi|m38u|wmv|wmp|m4v|mkv|asf|dv|vob|3gp?2?)(?.)?$ 43200 100% 432000 override-expire override-lastmod reload-into-ims ignore-reload ignore-no-cache ignore-no-store ignore-private ignore-auth
    refresh_pattern -i (.|-)(docx?|xlsx?|pptx?|rtf|xml|pdf|tiff?|txt)(?.)?$ 43200 100% 432000 override-expire override-lastmod reload-into-ims ignore-reload ignore-no-cache ignore-no-store ignore-private ignore-auth
    #Website
    refresh_pattern -i (.|-)(xml|js|jsp|txt|css)(?.*)?$ 360 40% 1440 override-expire override-lastmod reload-into-ims ignore-reload ignore-no-cache ignore-no-store ignore-private ignore-auth
    refresh_pattern -i .index.(html|htm)$ 0 40% 1440
    refresh_pattern . 30 25% 1440
    #end new refresh patterns

    refresh_pattern -i .(3gp|7z|ace|asx|avi|bin|cab|dat|deb|rpm|divx|dvr-ms)      129600 100% 129600 ignore-no-cache ignore-no-store ignore-private override-expire override-lastmod reload-into-ims ignore-reload
    refresh_pattern -i .(rar|jar|gz|tgz|tar|bz2|iso|m1v|m2(v|p)|mo(d|v)|(x-|)flv) 129600 100% 129600 ignore-no-cache ignore-no-store ignore-private override-expire override-lastmod reload-into-ims ignore-reload
    refresh_pattern -i .(jp(e?g|e|2)|gif|pn[pg]|bm?|tiff?|ico|swf|css|js)        129600 100% 129600 ignore-no-cache ignore-no-store ignore-private override-expire override-lastmod reload-into-ims ignore-reload
    refresh_pattern -i .(mp(e?g|a|e|1|2|3|4)|mk(a|v)|ms(i|u|p))                  129600 100% 129600 ignore-no-cache ignore-no-store ignore-private override-expire override-lastmod reload-into-ims ignore-reload
    refresh_pattern -i .(og(x|v|a|g)|rar|rm|r(a|p)m|snd|vob|wav)                  129600 100% 129600 ignore-no-cache ignore-no-store ignore-private override-expire override-lastmod reload-into-ims ignore-reload
    refresh_pattern -i .(pp(s|t)|wax|wm(a|v)|wmx|wpl|zip|cb(r|z|t))              129600 100% 129600 ignore-no-cache ignore-no-store ignore-private override-expire override-lastmod reload-into-ims ignore-reload

    refresh_pattern ^gopher:  1440  0%  1440
    refresh_pattern ^ftp:    10080 95% 43200 override-lastmod reload-into-ims

    refresh_pattern -i .(doc|pdf)$          100080 90% 43200 override-expire ignore-no-cache ignore-no-store ignore-private reload-into-ims
    refresh_pattern -i .(html|htm)$          1440  40% 40320 ignore-no-cache ignore-no-store ignore-private override-expire reload-into-ims
    refresh_pattern (Release|Packages(.gz)*)$    0  20%  2880
    refresh_pattern .                          180  95% 43200 override-lastmod reload-into-ims

    #1 year = 525600 mins, 1 month = 43800 mins

    refresh_pattern -i (/cgi-bin/|\?)        0      0%      0
    refresh_pattern .(ico|video-stats)$ 129600 100% 129600 override-expire ignore-reload ignore-no-cache ignore-no-store ignore-private ignore-auth override-lastmod ignore-must-revalidate

    refresh_pattern imeem..flv$                          0    0%        0 override-lastmod override-expire
    refresh_pattern .rapidshare./[0-9]/./[^/]* 161280    90%    161280 ignore-reload

    refresh_pattern (get_video?|videoplayback?|videodownload?|.flv?) 129600 100% 129600 ignore-no-cache ignore-no-store ignore-private override-expire override-lastmod reload-into-ims
    refresh_pattern (get_video?|videoplayback?id|videoplayback.id|videodownload?|.flv?) 129600 100% 129600 ignore-no-cache ignore-no-store ignore-private override-expire override-lastmod reload-into-ims
    refresh_pattern ^.(utm.gif|ads?|rmxads.com|ad.z5x.net|bh.contextweb.com|bstats.adbrite.com|a1.interclick.com|ad.trafficmp.com|ads.cubics.com|ad.xtendmedia.com|.googlesyndication.com|advertising.com|yieldmanager|game-advertising.com|pixel.quantserve.com|adperium.com|doubleclick.net|adserving.cpxinteractive.com|syndication.com|media.fastclick.net).* 129600 20% 129600 ignore-no-cache ignore-no-store ignore-private override-expire ignore-reload ignore-auth ignore-must-revalidate

    refresh_pattern ^.safebrowsing.google                                  129600 100% 129600 override-expire ignore-reload ignore-no-cache ignore-private ignore-auth ignore-must-revalidate
    refresh_pattern ^http://((cbk|mt|khm|mlt)[0-9]?).google.co(m|.uk)    129600 100% 129600 override-expire ignore-reload ignore-private
    refresh_pattern ytimg.com..jpg                                        129600 100% 129600 override-expire ignore-reload
    refresh_pattern images.friendster.com..(png|gif)                    129600 100% 129600 override-expire ignore-reload
    refresh_pattern garena.com                                              129600 100% 129600 override-expire reload-into-ims
    refresh_pattern photobucket..(jp(e?g|e|2)|tiff?|bmp|gif|png)          129600 100% 129600 override-expire ignore-reload
    refresh_pattern vid.akm.dailymotion.com..on2?                      129600 100% 129600 ignore-no-cache override-expire override-lastmod
    refresh_pattern mediafire.com/images..(jp(e?g|e|2)|tiff?|bmp|gif|png) 129600 100% 129600 reload-into-ims override-expire ignore-private
    refresh_pattern ^http://images|pics|thumbs[0-9].                      129600 100% 129600 reload-into-ims ignore-no-cache ignore-no-store ignore-reload override-expire
    refresh_pattern ^http://www.onemanga.com./                          129600 100% 129600 reload-into-ims ignore-no-cache ignore-no-store ignore-reload override-expire

    #ANTI VIRUS

    refresh_pattern guru.avg.com/..(bin)                              43200 100% 43200  ignore-no-cache ignore-no-store ignore-reload reload-into-ims
    refresh_pattern (avgate|avira).(idx|gz)$                          43200 100% 43200  ignore-no-cache ignore-no-store ignore-reload reload-into-ims
    refresh_pattern kaspersky..avc$                                  43200 100% 43200  ignore-no-cache ignore-no-store ignore-reload reload-into-ims
    refresh_pattern kaspersky                                          43200 100% 43200  ignore-no-cache ignore-no-store ignore-reload reload-into-ims
    refresh_pattern update.nai.com/..(gem|zip|mcs)                    43200 100% 43200  ignore-no-cache ignore-no-store ignore-reload reload-into-ims
    refresh_pattern ^http://liveupdate.symantecliveupdate.com.(zip) 43200 100% 43200  ignore-no-cache ignore-no-store ignore-reload reload-into-ims
    refresh_pattern -i symantecliveupdate.com/..(zip|exe)            43200 100% 43200 reload-into-ims
    refresh_pattern -i avast.com/..(vpu|vpaa) 4320 100% 43200 reload-into-ims
    refresh_pattern -i avira-update.com/..* 720 100% 10800 reload-into-ims

    #windows update NEW UPDATE 0.04
    refresh_pattern windowsupdate.com/..(cab|exe|dll|msi|psf) 10080 100% 43200 reload-into-ims
    refresh_pattern update.microsoft.com/..(cab|exe)                  43200 100% 129600 ignore-no-cache ignore-no-store ignore-reload reload-into-ims
    refresh_pattern download.microsoft.com/..(cab|exe|dll|msi|psf) 10080 100% 43200 reload-into-ims
    refresh_pattern -i microsoft.com/..(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip) 4320 80% 43200 reload-into-ims
    refresh_pattern -i windowsupdate.com/..(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip) 4320 80% 43200 reload-into-ims
    refresh_pattern -i windows.com/..(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip) 4320 80% 43200 reload-into-ims
    refresh_pattern ([^.]+.)?(download|(windows)?update).(microsoft.)?com/..(cab|exe|msi|msp|psf) 4320 100% 43200 reload-into-ims
    refresh_pattern update.microsoft.com/..(cab|exe|dll|msi|psf) 10080 100% 43200 reload-into-ims
    refresh_pattern windowsupdate.com/..(cab|exe|dll|msi|psf) 10080 100% 43200 reload-into-ims
    refresh_pattern download.microsoft.com/..(cab|exe|dll|msi|psf) 10080 100% 43200 reload-into-ims
    refresh_pattern www.microsoft.com/.*.(cab|exe|dll|msi|psf) 10080 100% 43200 reload-into-ims

    refresh_pattern au.download.windowsupdate.com/..(cab|exe|dll|msi|psf) 4320 100% 43200 reload-into-ims
    refresh_pattern bg.v4.pr.dl.ws.microsoft.com/..(cab|exe|dll|msi|psf) 4320 100% 43200 reload-into-ims
    refresh_pattern -i .windowsupdate.com/..(cab|exe)                    259200 100% 259200 ignore-no-store ignore-reload reload-into-ims
    refresh_pattern -i .update.microsoft.com/..(cab|exe|dll|msi|psf)                  259200 100% 259200 ignore-no-store ignore-reload reload-into-ims
    refresh_pattern au.download.windowsupdate.com/..(cab|exe|dll|msi|psf) 4320 100% 43200 reload-into-ims
    refresh_pattern bg.v4.pr.dl.ws.microsoft.com/..(cab|exe|dll|msi|psf) 4320 100% 43200 reload-into-ims

    #apple update
    refresh_pattern -i (download|adcdownload).apple.com/.*.(pkg|dmg) 4320 100% 43200 reload-into-ims
    refresh_pattern -i appldnld.apple.com 129600 100% 129600 ignore-reload ignore-no-store override-expire override-lastmod ignore-must-revalidate
    refresh_pattern -i phobos.apple.com 129600 100% 129600 ignore-reload ignore-no-store override-expire override-lastmod ignore-must-revalidate
    refresh_pattern -i iosapps.itunes.apple.com 129600 100% 129600 ignore-reload ignore-no-store override-expire override-lastmod ignore-must-revalidate

    #images facebook
    refresh_pattern ((facebook.com)|(85.131.151.39))..(jpg|png|gif) 129600 100% 129600 ignore-reload override-expire ignore-no-cache ignore-no-store
    refresh_pattern -i .fbcdn.net..(jpg|gif|png|swf|mp3)          129600 100% 129600 ignore-reload override-expire ignore-no-cache ignore-no-store
    refresh_pattern static.ak.fbcdn.net*.(jpg|gif|png)            129600 100% 129600 ignore-reload override-expire ignore-no-cache ignore-no-store
    refresh_pattern ^http://profile.ak.fbcdn.net*.(jpg|gif|png)  129600 100% 129600 ignore-reload override-expire ignore-no-cache ignore-no-store

    #banner IIX
    refresh_pattern ^http://openx..(jp(e?g|e|2)|gif|pn[pg]|swf|ico|css|tiff?) 129600 100% 129600 reload-into-ims ignore-reload override-expire ignore-no-cache ignore-no-store
    refresh_pattern ^http://ads(1|2|3).kompas.com./                          43200  100% 129600 reload-into-ims ignore-reload override-expire ignore-no-cache ignore-no-store
    refresh_pattern ^http://img.ads.kompas.com./                              43200  100% 129600 reload-into-ims ignore-reload override-expire ignore-no-cache ignore-no-store
    refresh_pattern .kompasimages.com..(jpg|gif|png|swf)                        43200  100% 129600 reload-into-ims ignore-reload override-expire ignore-no-cache ignore-no-store
    refresh_pattern ^http://openx.kompas.com./                                43200  100% 129600 reload-into-ims ignore-reload override-expire ignore-no-cache ignore-no-store
    refresh_pattern kaskus.\us..(jp(e?g|e|2)|gif|png|swf)                      43200  100% 129600 reload-into-ims ignore-reload override-expire ignore-no-cache ignore-no-store
    refresh_pattern ^http://img.kaskus.us.*.(jpg|gif|png|swf)                  43200  100% 129600 reload-into-ims ignore-reload override-expire ignore-no-cache ignore-no-store

    #IIX DOWNLOAD
    refresh_pattern ^http://.www[0-9][0-9].indowebster.com/(.*)(mp3|rar|zip|flv|wmv|3gp|mp(4|3)|exe|msi|zip) 43200 100% 129600 reload-into-ims  ignore-reload override-expire ignore-no-cache ignore-no-store  ignore-auth

    refresh_pattern -i ^http://(khm?)([^/]*?).google.(de|com)    129600 100% 129600 ignore-no-cache ignore-no-store ignore-private override-expire override-lastmod reload-into-ims ignore-reload

    refresh_pattern -i ^http://ecn.t\d.tiles.virtualearth.net/tiles/\w*.jpeg    129600 100% 129600 ignore-no-cache ignore-no-store ignore-private override-expire override-lastmod reload-into-ims ignore-reload

  • HAProxy url Rewrite

    2
    0 Votes
    2 Posts
    1k Views
    SoloamS

    Forget about it… I solved it on the server side with VHost.

    Thank You

  • Squid SSL serverkey.pem problem

    15
    0 Votes
    15 Posts
    4k Views
    M

    Hi,

    I know this is an old topic but there was no answer and that is a very frustrating bug that I've also faced… I have 17 PFSENSE firewalls on the field (mostly same version 2.3.2-RELEASE (amd64) ) and this bug appears randomly on some of them.

    Saving the "Squid" config will break the certificate file "serverkey.pem" by adding "^M" at the end of each line and squid will refuse to launch...

    Recreating the certificate in "certificate manager" does not fix the issue. (Tried copying certdata from notepad++ and other means...)

    Here is how I temporarily fixed my issue:
    1-I modify the "serverkey.pem" file with vi to remove all "^M" and validate that SQUID can start
    2-I run the following command to make the file immutable (cannot be changed) (in SHELL):
    chflags schg serverkey.pem
    3-When I click "SAVE" in "SQUID CONFIGS", now PFSENSE can't modify the file anymore and can't break SQUID and prevent it from starting...

    This is OK for me as my certificate will only expire in 10 years... Also, I've also documented where I had to put that workaround... However, a definitive fix would be awesome... Maybe there is something I am missing...

    Kind regards,

  • 0 Votes
    1 Posts
    722 Views
    No one has replied
  • How to completely disable Squid caching

    7
    0 Votes
    7 Posts
    5k Views
    M

    @doktornotor:

    Eh, 0 is not a valid value. Use https://github.com/pfsense/FreeBSD-ports/pull/438 if you really cannot live with superdangerous 1MB cache in RAM.  ::)

    Looking at the commits, does it mean we will be able to use "all" inside the "Do Not Cache" textarea in "Local Cache" tab?

  • Speedtest.net (HTML5 version) doesn't work via squid.

    4
    0 Votes
    4 Posts
    4k Views
    I

    @JamesVA:

    I do, but it's not enabled.

    The DNSBL portion also?

    I run squid also with MITM Non-Transparent and Certificates with proxy configured in Edge browser and if I disable pfBlocker and
    the DNSBL portion I can run the HTML5 speed tests.

    On the Certs tab in Squid I run Intermediate instead of Modern and also Do not verify remote Certificates due
    to a problem with my wife's work-site.

  • HaProxy RDP - sessions

    3
    0 Votes
    3 Posts
    2k Views
    B

    @yahav02:

    And how did you solve the session?
    Do users from different devices log into different servers?
    Is there a different policy?

  • Lightsquid Web Server will not start manually or on boot.

    2
    0 Votes
    2 Posts
    996 Views
    brezlordB

    I still have the same issue with Lightsquid on a fresh install of 2.4.2-RELEASE (amd64). Lightsquid will not run and I can't find any info in the logs. Can anyone help me solve this issue?

  • Check these Squid ClamAV log entries please

    6
    0 Votes
    6 Posts
    4k Views
    I

    @yahav02:

    SB can help???

    Date-Time Message
    10.12.2017 20:31:34 127.0.0.1 127.0.0.1 REQMOD squid_clamav 204
    10.12.2017 20:31:34 127.0.0.1 127.0.0.1 RESPMOD squid_clamav 204
    10.12.2017 20:31:33 127.0.0.1 127.0.0.1 REQMOD squid_clamav 204
    10.12.2017 20:31:33 127.0.0.1 127.0.0.1 RESPMOD squid_clamav 204
    10.12.2017 20:31:33 127.0.0.1 127.0.0.1 REQMOD squid_clamav 204
    10.12.2017 20:31:32 127.0.0.1 127.0.0.1 RESPMOD squid_clamav 204
    10.12.2017 20:31:32 127.0.0.1 127.0.0.1 REQMOD squid_clamav 204
    10.12.2017 20:31:31 127.0.0.1 127.0.0.1 RESPMOD squid_clamav 204
    10.12.2017 20:31:31 127.0.0.1 127.0.0.1 REQMOD squid_clamav 204

    Those are normal.
    If I remember correctly that is the Requests from the client being sent to the C-ICAP and ClamAV.

    The Response is after it has been scanned by ClamAV and if a virus is found you will see a generated
    response page in the C-ICAP Server Table.

  • Squid ovpns1 int

    5
    0 Votes
    5 Posts
    749 Views
    P

    might try to restart the openvpn service.?. other than that it 'should work' at least for the regular traffic.. (i never tried together with squid for the vpn..)

    Edit:
    ah it works.? great :)

  • Multiple Reverse Proxy rules

    8
    0 Votes
    8 Posts
    1k Views
    P

    Hi Ronald,
    Nah, keeping it in the topic is fine. PMs take more work; if someone else has the same question they might find the answer here, or participate in the discussion :). PMs can't have that effect.. and there is no sensitive information discussed currently..

    Regarding squid ciphers there is a "Compatibility mode" option for modern/intermediate .. or maybe this still works, I dunno: https://forum.pfsense.org/index.php?topic=63262.msg524828#msg524828

    As for caching, I've got no real experience with it.. my gut feeling is that squid is primarily meant as a forward-proxy, and should probably stick to that.. and varnish is mentioned several times on haproxy's site "Basically, HAProxy and Varnish completes very well" https://www.haproxy.com/blog/haproxy-and-varnish-comparison/
    Perhaps indeed nginx might work, or apache.. both seem more purposed at the task of handling incoming client requests for 1 website..

    As for acl abilities, haproxy can do some acl's / stickiness / ssl offloading and or sni.. and does those very well imho.

    Regards,
    PiBa-NL

  • Transparent proxy with bump uses IP instead hostnames

    2
    0 Votes
    2 Posts
    391 Views
    I

    @sirtow:

    Hi all, I'm on 2.4.2-RELEASE trying to set up a transparent ssl proxy.  With all default squid configuration, I noticed that ssl certificates generated have an ip instead of hostname for cn.  Is there a way to fix this?

    Thank you

    Sounds like you didn't create the certificate right.

    In the pfSense Cert. Manager make sure you select the Create an internal Certificate Authority dropdown box.
