• Squid 6.5 !! Nov 6th

    squid update bug fixes upstream fix
    82
    3
    1 Votes
    82 Posts
    30k Views
    https://forum.netgate.com/topic/186331/new-squid-6-7-and-clamav-1-3-0
  • haproxy returns 200 instead of 101 for websockets - from 2.7 forward

    2
    0 Votes
    2 Posts
    478 Views
    @planetinse 23.09.1: I have taken away all other logic and am just trying to offload TLS (no fiddling with sni_fc_ssl or likewise), and instead of the expected 101 and Upgrade response header, I get 200. The tunnel is created and it works, but the browser reuses the earlier tunnel if I switch to a URL that should use another backend (it gets confused by the 200 response, is my theory). 2.4: doing the same thing with the in 2.4 I get the expected 101 and Upgrade response header. Direct: if I access the backend directly it gives me the expected 101 and Connection upgrade.
  • TrueNas 23.10.0.1 WebUI appears continuously with rendering errors

    9
    0 Votes
    9 Posts
    1k Views
    @mbl_s_1 genuinely confused........ so just to confirm, there never was a problem with pfsense or HA proxy? If that's the case then yeah..I guess...close..the forum post?
  • SQUID + SQUIDGUARD does not go up in PFSense 2.7.2

    Moved
    1
    0 Votes
    1 Posts
    679 Views
    No one has replied
  • 0 Votes
    2 Posts
    233 Views
    @planetinse confirmed the later add tcp-request inspect-delay in TCP mode only.
  • using haproxy with map-files and pfsense?

    2
    0 Votes
    2 Posts
    215 Views
    anyone?
  • 0 Votes
    4 Posts
    2k Views
    @danwize @viragomann I've got it working now. I changed to just use one front end and added my acl for cloud back. I removed my attempts to set the header and changed my cloud back end to point to 10.10.0.2:443 after I had changed it to 10.10.0.2:10223 for testing. After I did that, and after saving and applying the changes several times, cloud.mydomain.com was still resolving to 10223. I even tested in incognito windows and restarted the ha proxy service from the pfsense ui and it kept resolving to 10223. I finally got it routing to 443 after editing the front end settings for cloud to use a different backend, saved those changes, and then changed it back to my cloud.mydomain.com backend and saved again. Possibly my problem from the beginning was the fact that the settings didn't take initially.
  • HAProxy can't start - library issue?

    4
    0 Votes
    4 Posts
    1k Views
    https://forum.netgate.com/topic/183088/error-libssl-so-30-not-found-when-installing-package/3
  • [SOLVED] haproxy-auth-request luasocket support?

    3
    0 Votes
    3 Posts
    1k Views
    CyberCloud_Consulting
    @benjamesfleming said in [SOLVED] haproxy-auth-request luasocket support?: https://pkg.freebsd.org/freebsd:11:x86:64/latest/All/lua53-luasocket-3.0.r1_5,1.txz Reply Hello, I am having the same issue on PFSense Plus 23.09.1-RELEASE and HAProxy-devel 2.9.d2. This package no longer seems to be available for download and I cannot seem to find an equivalent for FreeBSD 14. I tried browsing to the FreeBSD package URLs and get an NGINX forbidden when I attempt to browse to find what the latest package URLs are. Any guidance on how to download the latest version of lua53-luasocket? Thanks
  • BUG: (?) sipproxd.pid in root folder (/) instead of in /var/run/ ?

    1
    0 Votes
    1 Posts
    165 Views
    No one has replied
  • HAProxy Vaultwarden Reverse proxy Help

    4
    0 Votes
    4 Posts
    4k Views
    @viragomann Thanks for your reply. The firewall is just open for testing right now; later it will be limited to the ports that the Vaultwarden Docker container uses (3012 for Websocket, 7010 for internal 443 and 7011 for internal 80). The domain frontend only has actions for http requests to allow or deny. I basically followed the Dani Garcia setup linked above since it's my first time with HAProxy. The Dani Garcia setup seems to be working for others so I'm wondering where I did wrong, maybe I misunderstood the ports to be used or put the wrong IP in the wrong place...or else, I just can't figure it out...most likely because I don't know HAProxy at all. The Vaultwarden frontend ACL1 and 3 are almost identical except the "Not option" which is yes in ACL1 and no in ACL3. The goal is to have my locally hosted Vaultwarden accessible at vault.mydomain.nz from WAN. (browser plugins, phone apps etc.)
  • 0 Votes
    12 Posts
    2k Views
    JonathanLee
    @garyd I did eventually get Snort's Open App ID with full text rules running. My text rules I call the sorcerers code file, anyway it was able to show the applications that were running without any use over the network and pinpoint it to my Android smartphone. I got a new phone it stopped. Again, I knew it was there my goal was to find a way to stop it globally something I could report. Yes Snort's appID was the closest as you can detect the app use. Again, it does not list containers used. I was researching this over summer break and found you can use pf to detect the OS in use in the tcp stack if you want to check this out. All for the goal of a more secure system. But it requires an OS container database much like a blacklist for this to function again this is similar to AppID with the text files. So any containers can be detected this way. What I want to do is set up a signature of what I use and start to block the bad ones. Least privilege approval. I am sure some are real and needed but some are unknown also. I had a big one in my NAS that was found the other day also. Got that issue fixed.
  • Configure HAProxy backend to a url with a subdirectory?

    2
    0 Votes
    2 Posts
    2k Views
    @dutsnekcirf Basically there is no need to run a website within a subdirectory behind a reverse proxy. This makes things more complicated. However, HAproxy is able to insert a string at the beginning of the path. You can use "http-request set-path" to do this. You can set it in the frontend or backend. The preferred method depends on your setup. Add an action, select "http-request set-path" and enter "/web/%[path]" below. This assumes that the website has further subdirectories. However, with this, the additional path is inserted into all requests. If your website sends URLs to call to the client, which already include the "/web/", you have to bind this action to an ACL to ensure it is not applied in this case.
  • problem with update behind proxy

    5
    0 Votes
    5 Posts
    686 Views
    @gilbe92 said in problem with update behind proxy: @viragomann I don't use proxy service inside pfsense like squid. The proxy I use is ccproxy.exe on other host Yes, I was talking about this kind of proxy of course.
  • HAProxy For HTTP Only?

    2
    0 Votes
    2 Posts
    433 Views
    @kn4thx So I assume, you have a single public IP and multiple domain names, which you want to redirect to different backends. This requires that HAproxy can distinguish the requested domain name. There are two options to do this. Either read out the host header or via SNI. HAproxy supports two modes: http and tcp. The host header is only included in http requests. SNI is only included in TLS/SSL protocol and has to be supported by the client. So if your protocol is not http, SNI is the only option, hence TLS is required and you also have to ensure that your client supports it.
  • HAProxy: Add Folder Path To Backend IP Address?

    6
    2
    0 Votes
    6 Posts
    1k Views
    @uplink So as you can see, there are some subfolders in the path. So you need to insert "/photo" just at the beginning of the path. You can do this by appending the path variable. Just replace the value with "/photo/%[path]".
  • antivirus HAproxy and ClamAV

    3
    0 Votes
    3 Posts
    936 Views
    @jimp do you have any suggestion for antivirus?
  • explicit proxy & root cert question

    4
    0 Votes
    4 Posts
    741 Views
    JonathanLee
    @jc1976 for your question ... It works exactly like the proxy in a Palo Alto Firewall, same way certificates and all that is all I can say. Nothing out of the ordinary. Standard stuff.
  • pfsense squid status error

    4
    1
    0 Votes
    4 Posts
    997 Views
    JonathanLee
    That’s amazing I wish my 2100 had 8GB that’s all it needs for clamav
  • Squid not sending traffic out selected outgoing interface.

    3
    0 Votes
    3 Posts
    808 Views
    @digitalmg The problem is solved. I had defined an Outgoing NAT Rule for This Firewall (Self) with AON; I limited this rule to my specific usage and Squid now switches between outgoing interfaces like a charm!
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.