@justme2 Gotcha, well this is a good start at least. I'm considering the same platform for a proper 10 gigabit system (WAN side with NAT) as my Netgate 6100 isn't keeping up with my new WAN provider. QAT is fairly important for me though as well.

@zari90 [image: 1711553627967-9f4edffa-17ca-46b5-a78c-d09c12e60e91-image.png] got it working thanks guys appreciate the replies and the help switch from http to basic and it went green, switched it back to http and it went red then switched to ssl because it has a cert attached with my domain and it worked again

@michaelschefczyk No issues here. However, I don't use haproxy-devel.

Can you please share a screenshot?

@KOM thanks for the reply, I love this program, again not many people play around with storeID so I think I have replied to some older posts on it. The caching part of squid is amazing. It’s the $5 or static parts of the text files for the program that lack information on what they do. There is really no explanation on why the database files use that.

it would be REALLY SLICK if someone were to develop a web gui for it, kinda like ntopng where you install clamav and then navigate to a web address:port-number and have a dedicated page for all things clamav.. I doubt there's even a way to request that, along with the considerable resources it would take to develop it.

@JonathanLee said in StoreID and Squid "helper program": Does anyone work with Store ID? Unfortunately no, I didn't.. splice all with cache disabled for me. Squid/Squidguard was just to filter SNI header..

@braunerroei said in Haproxy Reverse proxy to old machine with old cipher: multitech fax finder FF130 You can just connect a modern computer with your VoIP account from the ISP via App, get a cheap call center (grandstream or something), or even put a pcie pstn modem on a PC, they will all handle fax...Even fax and imaging of Windows can handle that. That thing will never again play with other devices. I read the manual. It's pre-WindowsXP...

@jaoms2024 said in URL Blacklist squidGuard: http://dsi.ut-capitole.fr/blacklists/download/blacklists_for_pfsense.tar.gz I just updated and it works still Begin blacklist update Start download. Download archive http://dsi.ut-capitole.fr/blacklists/download/blacklists_for_pfsense.tar.gz Download complete Unpack archive Scan blacklist categories. Found 64 items. Start rebuild DB. Copy DB to workdir. Reconfigure Squid proxy. Blacklist update complete.

@JonathanLee ow, good to hear that

@hhbarnes Is it better to use HAPROXY with DMZ ?

by the way when i change the setting to port 80 i get "502 Bad Gateway The server returned an invalid or incomplete response." and the site does work on port 80 without the HaProxy.

after some resetting i've created the following config that works: # Automaticaly generated, dont edit manually. # Generated on: 2024-03-11 21:50 global maxconn 1000 stats socket /tmp/haproxy.socket level admin expose-fd listeners uid 80 gid 80 nbthread 1 hard-stop-after 15m chroot /tmp/haproxy_chroot daemon tune.ssl.default-dh-param 2048 server-state-file /tmp/haproxy_server_state listen HAProxyLocalStats bind 127.0.0.1:2200 name localstats mode http stats enable stats refresh 3 stats admin if TRUE stats show-legends stats uri /haproxy/haproxy_stats.php?haproxystats=1 timeout client 5000 timeout connect 5000 timeout server 5000 frontend shared-https-merged bind WAN_IP:443 name WAN_IP:443 ssl crt-list /var/etc/haproxy/shared-https.crt_list mode http log global option socket-stats option http-keep-alive timeout client 30000 acl <subdomain-2> var(txn.txnhost) -m str -i <subdomain-2>.<domain-name>.<com> acl aclcrt_shared-https var(txn.txnhost) -m reg -i ^([^\.]*)\.<domain-name>\.<com>(:([0-9]){1,5})?$ acl aclcrt_shared-https var(txn.txnhost) -m reg -i ^<domain-name>\.<com>(:([0-9]){1,5})?$ acl <subdomain> var(txn.txnhost) -m str -i <subdomain>.<domain-name>.<com> acl <subdomain-3> var(txn.txnhost) -m str -i <subdomain-3>.<domain-name>.<com> acl <subdomain-4> var(txn.txnhost) -m str -i <subdomain-4>.<domain-name>.<com> http-request set-var(txn.txnhost) hdr(host) use_backend <subdomain-2>-<domain-name>_ipvANY if <subdomain-2> use_backend <subdomain>-<domain-name>_ipvANY if <subdomain> use_backend <subdomain-3>-<domain-name>_ipvANY if <subdomain-3> use_backend <subdomain-4>-<domain-name>_ipvANY if <subdomain-4> frontend http-redirect bind WAN_IP:80 name WAN_IP:80 mode http log global option http-keep-alive timeout client 30000 http-request redirect scheme https backend <subdomain-2>-<domain-name>_ipvANY mode http id 100 log global timeout connect 30000 timeout server 30000 retries 3 load-server-state-from-file global server <subdomain-2> 192.168.1.11:444 id 101 backend <subdomain>-<domain-name>_ipvANY mode http id 102 log global timeout connect 30000 timeout server 30000 retries 3 load-server-state-from-file global server <subdomain> 192.168.1.1:10443 id 101 ssl verify none backend <subdomain-3>-<domain-name>_ipvANY mode http id 103 log global timeout connect 30000 timeout server 30000 retries 3 load-server-state-from-file global server <subdomain-3> 192.168.1.7:443 id 101 ssl verify none backend <subdomain-4>-<domain-name>_ipvANY mode http id 104 log global timeout connect 30000 timeout server 30000 retries 3 load-server-state-from-file global server <subdomain-4> 192.168.1.5:443 id 101 Letting this one here in case someone needs it. As a sidenote to whole experience i find pfsense much more instable than it was few years ago when i used it first time . If i'd knew this ... And netgate presence is kinda zero, documentation is also in a very poor state. Anyway its working now ...

can be closed

@keval-shah This is from another thread: Haproxy just makes a plain tcp connection to port 25 and sends a few commands.. to push out a receiver subject and body.. the mailserver must be configured to not require authentication from haproxy's ip for this to work.

@Gertjan said in HAProxy: Servers with existing SSL certificates: what is logic Security. If someone were to take down a server with a DoS vulnerability, for example, they could spoof a service in that server's place and the wildcard cert would accommodate that. The SAN cert guarantees that I'm talking to who I want to be talking to. Another scenario would be if a server was compromised and the wildcard key was extracted, that would allow all the traffic across the network to be decrypted. However, I suppose if you use HA as the only TLS end point and don't re-use that wildcard certs on the servers themselves, that scenario doesn't really exist (though I imagine that some people probably do that). Then, the traffic from HAProxy to the server is unencrypted. I want end-to-end encryption.