@mcury I also had to disable some ethernet rules that all the sudden showed a lot of activity [image: 1702745498391-screenshot-2023-12-16-at-8.38.44-am-resized.png]

Iam willing to pay someone for helping out with this....

@VioletDragon I hope it´s bigger and you can read it pfsense_2

@keeely miss 200 is ok. It means that that has not been cached yet and now is. It's a miss. It's working as expected. I love Squid I have used it for years. Not many users attempt to configure it as it's a bit more advanced. Great Job. Not everything will show hit. Try a news website a couple times eventually it will show some hits for images scripts etc. Because I like this package so much I will no longer update PfSense because they state squid will be removed soon. You have to also make access control lists for port 3128.

@planetinse Funny thing is even when they are "gone" - the ACL's using these - briefly show up when loading the frontend, so this must be a bug one way or the other.

@frostys said in How to add 500 SSL certs to HAProxy Additional certificates?: Google didnt come up with any results so far Google is a machine, so it needs to be friendly, and has no means to introduce humor. AFAIK, nothing what you're looking for exists in the official documentation. So the good news is the bad news: The world is divided in two. Those who do things manually. Those who write a script Because were all equal and everything is balanced : doing it manually or writing (and testing, debugging etc), it will take the same time. If you need to do this often: go learn a 'language'. IMHO : it can be done.

Trying to find a solution to this as well. It doesn't seem OpenVPN has an option to forward headers which basically makes it impossible to use openvpn as the primary on port 443 if you need to see client IP addresses on haproxy.. As an alternative, I wondered if it might make sense to set haproxy listening on 443 and OpenVPN as a backend on a different port. Has anyone tried this yet? Does this cause double encryption (slow down the connection too much)? Here is an example of one guy who claims to have got it working: https://discourse.haproxy.org/t/haproxy-with-openvpn-over-tcp-443-on-pfsense/4731/2 EDIT It looks like he create a TCP frontend on 443 with a default backend going to OpenVPN:TCP:1194 and an acl that checks for SSL and sends SSL traffic to an HTTPS Backend set to localhost:9443. Then he configured localhost:9443 as a Frontend that handles the forwarded Web Traffic. That looks like it should work, but It's a bit too complicated for me to test on my live server right now and I don't have a lab setup. Happy to help anyone else who might have a lab environment setup for testing.

Have you all attempted to use the following custom patches Redmine#13984 This fixed a lot for me with Squid and Squidguard

Have you all attempted to use the following custom patches Redmine#13984 This fixed a lot for me with Squid and Squidguard

Maybe Squid and Snort can stay as holiday packages

My ticket was finally rejected because Squid will be removed in the next major version: https://www.netgate.com/blog/deprecation-of-squid-add-on-package-for-pfsense-software

Thank you very much. Works fine.

I use PfSense Plus so I can't test it

Ensure that the upstream Squid proxies (xxx.xxx.243.53 and xxx.xxx.243.54) are reachable and responsive. You can test this using tools like telnet or nc from the Netgate firewall. Double-check your Squid configuration settings to make sure there are no typos or misconfigurations. Pay close attention to the upstream proxy settings. Ensure that the version of Squid you are using (5.4.1) is compatible with your current environment and the other proxies. And remember, you can buy proxies quickly, but it's important to find a company you trust. Check the release notes for any known issues or updates related to your configuration. If the issue started after upgrading Squid, you might consider downgrading to a previous version that was stable in your environment. You can check the Squid release history and choose a version that was working well for you. Verify that there are no firewall rules blocking the Squid proxy from establishing connections to the upstream proxies. This includes both the Netgate firewall rules and any external firewalls.

@CZvacko @michmoor : Thank you for your answers. I have just seen the deprecation notice: https://www.netgate.com/blog/deprecation-of-squid-add-on-package-for-pfsense-software. (And this is sad because out-of-the-box Squid support was 50% of the reason why I bought the Netgate 6100).

@viragomann Thank you! I've got it working. I had 2 problems: From what I have read, duckdns shares the txt file for let's encrypt on all your subdomains, that is the reason why the second SSL certificate Issue never completed. I have created another subdomain (in one custom domain), created the certificate and selecting it in Additional Certificates everything worked. Thanks again

@vlurk I tried to do this but the result was the same and I started to have more problems on my network with other devices, so I decided to leave squid in transparent mode for http and uninstall squidguard, and in squid I did not activate ssl; For https filtering I do it with pfblockerNG which updates with thousands of blacklists and the update is done with the period of time I want. Therefore, if you are not going to perform an exhaustive analysis of the certificate, I recommend this scenario.