Hi everyone

I've similiar problems when activating transparent proxy setting in squid3 on pfsense 2.3.2 amd64. The forwarding of port 80 to the squid interface wont work. If i manually add them in the Browsersetting its working. So squid is running.
I've tried adding a Portforwarding Rule but with the same result. Connection got terminated.

The only difference is I don't even use a bridge  :o

@doktornotor, thank you so much, looks like issue resolved after changing to immediate mode.

You can use wpad or https ssl for the solution

https://doc.pfsense.org/index.php/WPAD_Autoconfigure_for_Squid

https://forum.pfsense.org/index.php?topic=123874.0

@doktornotor:

Try with 2.3.3 snapshots perhaps..

thank you for the recommendation. Unfortunately, i am still pulling my hair out on this.

It seems like another issue is at work here, since i am experiencing delays, to a lesser degree, on a clear connect as well (no bumping). With no HTTPS, the browser shows "Waiting for proxy tunnel". This only seems to happen on my test pfsense (which is chained to my main PFSENSE/firewall).

I will look at testing this in another way and report back if a solution is found

And how should I use it?  (within pfsense)

Yeah, so use LDAP -> problem solved. If you invent your own authentication methods non-existent in the pfSense package, you'll need to pick up the pieces yourself.

Ah that explains it indeed, i should probably check and prevent that combination. Or try and 'fix' the ipfw rule by resolving the backserver ips.. Still tricky if it changes though which haproxy itself could do with the dnsresolvers setting.

If you want the logs elsewhere, do it the other way round – like, SCP/SFTP the logs from pfSense to your NAS via cron.

yes what's ur opinion in this issue

In general, yes, you would be a whole lot better off dropping the nanobsd altogether.  And no, I don't think it's a mirror down.

suggests the ramdisk is full or whatever other fluke related to nanobsd is happening.

Yeah, obvious hint here would be getting rid of the redundant router behind pfSense that's producing double NAT, requires static routes configured on pfSense and generally is a royal PITA.

Thanks

I seen alot of the same thing and wondered even if my proxy was working.  so in pfsense 2.0 I think I started looking for something to tell me how many hits and misses.. I found something and made it work in pfsense 2.0 and up to the latest version as of today. I am trying to make a package for it.

Here is what i did so far for it.

https://forum.pfsense.org/index.php?topic=87982.0

As noted above, noone touched LDAP for ages in the pfSense package. If someone screwed things upstream, it needs to be fixed upstream.

http://bugs.squid-cache.org/index.cgi

Also, there shouldn't be any need to use a GC unless you cannot specify the search domain/OU.

What you can do is host the certificate somewhere within your network, either on the pfsense web server or any other internal web server you have. Then you can edit the captive portal page to have a download button for the certificate, and ask users to install it.

However, I don't know how much I recommend using Squid for HTTPS filtering. I'm not having very good luck with it myself, it seems to give all sorts of random problems such as slow browsing, or causing HTTPS websites to not work, certificate errors and all sorts. It seems to really be bodged together, on top of that… It doesn't really have SSL inspection. You're kinda limited to categorical blocking via domains.

@ledj:

How do I install latest changes https://github.com/pfsense/FreeBSD-ports/commits/devel/net/pfSense-pkg-haproxy in pfsense 2.3.2 ?

You don't. Use 2.3.3 snapshots.

@ledj:

And will haproxy (not dev) soon be based on upstream 1.7 stable branch ?

Uhm, no? That'd be 1.8 when it's stable. And -dev would become whatever is the development branch upstream at that point.