Just for reference, I have identified the issue and submitted a pull request with the correction.  The Squid port was configured to correctly break out the real IP config onto two lines.  However, the section that handled reverse proxy IPs did not.  This became an issue with a single line would exceed the Squid limit of 1024 characters.

I failed to remove the settings in squid.conf, so the were set to cache to /var/squid/cache.  The reinstall picked up the old squid.conf settings and is now working well.

My install was corrupted somehow, just not sure how.

@irontec:

acl LAN1 src 192.168.100.1/24 acl LAN2 src 192.168.200.1/24 tcp_outgoing_address 192.168.0.246 LAN1 tcp_outgoing_address 10.10.0.246 LAN2

After doing that, all the traffic from LAN1 and LAN2 goes through squid+squidGuard (where we can filter all we want) and after that, squid send the traffic through the WAN watching its ACLs.

Altough this configuration works  (i don't know how to achieve this via firewall rules, as policy based routing is not working with squid), the question is: in case of fail of one of the two gateways (in your case 192.168.0.246 or 0.10.0.246) squid will use the faulty link; how to solve this?
I thought at a script that removes the "tcp_outgoing_address" directive when the gateway goes down, but i would avoid to use it in production enviroment…

Edoardo

cleaned up OP

Using the DNS resolver (not fowarder)

please now refer to https://forum.pfsense.org/index.php?topic=112335.0

[2.3.1-RELEASE][root@pfSense.localdomain]/root: squid -v
Squid Cache: Version 3.5.19
Service Name: squid
configure options:  '–with-default-user=squid' '--bindir=/usr/local/sbin' '--sbindir=/usr/local/sbin' '--datadir=/usr/local/etc/squid' '--libexecdir=/usr/local/libexec/squid' '--localstatedir=/var' '--sysconfdir=/usr/local/etc/squid' '--with-logdir=/var/log/squid' '--with-pidfile=/var/run/squid/squid.pid' '--with-swapdir=/var/squid/cache' '--without-gnutls' '--enable-auth' '--enable-build-info' '--enable-loadable-modules' '--enable-removal-policies=lru heap' '--disable-epoll' '--disable-linux-netfilter' '--disable-linux-tproxy' '--disable-translation' '--disable-arch-native' '--enable-eui' '--enable-cache-digests' '--enable-delay-pools' '--disable-ecap' '--disable-esi' '--enable-follow-x-forwarded-for' '--enable-htcp' '--enable-icap-client' '--enable-icmp' '--enable-ident-lookups' '--enable-ipv6' '--enable-kqueue' '--with-large-files' '--enable-http-violations' '--without-nettle' '--enable-snmp' '--enable-ssl' '--with-openssl=/usr' 'LIBOPENSSL_CFLAGS=-I/usr/include' 'LIBOPENSSL_LIBS=-lcrypto -lssl' '--enable-ssl-crtd' '--disable-stacktraces' '--disable-ipf-transparent' '--disable-ipfw-transparent' '--enable-pf-transparent' '--with-nat-devpf' '--disable-forw-via-db' '--enable-wccp' '--enable-wccpv2' '--with-mit-krb5=/usr/local' 'CFLAGS=-I/usr/local/include -O2 -pipe  -I/usr/local/include -I/usr/local/include -fstack-protector -DLDAP_DEPRECATED -fno-strict-aliasing' 'LDFLAGS=-L/usr/local/lib  -pthread -L/usr/local/lib -L/usr/local/lib  -Wl,-rpath,/usr/local/lib:/usr/lib -fstack-protector' 'LIBS=-lkrb5 -lgssapi_krb5 ' 'KRB5CONFIG=/usr/local/bin/krb5-config' '--enable-auth-basic=LDAP SASL DB SMB_LM MSNT-multi-domain NCSA PAM POP3 RADIUS fake getpwnam NIS' '--enable-auth-digest=file' '--enable-external-acl-helpers=LDAP_group file_userip time_quota unix_group kerberos_ldap_group' '--enable-auth-negotiate=kerberos wrapper' '--enable-auth-ntlm=fake smb_lm' '--enable-storeio=aufs diskd ufs' '--enable-disk-io=DiskThreads DiskDaemon AIO Blocking IpcIo Mmapped' '--enable-log-daemon-helpers=file' '--enable-url-rewrite-helpers=fake' '--enable-storeid-rewrite-helpers=file' '--prefix=/usr/local' '--mandir=/usr/local/man' '--infodir=/usr/local/info/' '--build=amd64-portbld-freebsd10.3' 'build_alias=amd64-portbld-freebsd10.3' 'CC=cc' 'CPPFLAGS=-I/usr/local/include' 'CXX=c++' 'CXXFLAGS=-O2 -pipe -I/usr/local/include -I/usr/local/include -fstack-protector -DLDAP_DEPRECATED -fno-strict-aliasing ' 'CPP=cpp' --enable-ltdl-convenience

I've exactly the same problem. Unrestricted IP and whitelist don't work at all.
Try everything and restart. Nothing.

Useless at this stade…

Hi and thanks for your reply.
I managed  to see the lightsquid page.
I do not see nothing logged for the user web activity.
In tail -f /var/squid/logs/access.log  i get theese kind of messages
1463470841.514      0 127.0.0.1 TCP_MISS/200 759 GET cache_object://localhost/active_requests - HIER_NONE/- text/plain

With the older release i could see the user web activity logs.

Thanks…

Found it: see topic https://forum.pfsense.org/index.php?topic=111859.new;topicseen#new

I'll put my reply on that topic.

The issues I've had only relate to multiple WAN IPs.  Everything has worked without major issue on the reverse proxy.  If you are still having issues, please post your config and I'll see if anything jumps out as troublesome.

Just realized that the Service was not started. When I try to start it I got the following

May 15 10:12:07 squid ERROR: Invalid ACL: acl password proxy_auth REQUIRED May 15 10:12:07 Squid_Alarm 56347 Attempting restart... May 15 10:12:07 Squid_Alarm 55879 Squid has exited. Reconfiguring filter. May 15 10:12:04 xinetd 21386 Reconfigured: new=0 old=1 dropped=0 (services) May 15 10:12:04 xinetd 21386 readjusting service 6969-udp May 15 10:12:04 xinetd 21386 Swapping defaults May 15 10:12:04 xinetd 21386 Starting reconfiguration May 15 10:12:03 check_reload_status Reloading filter May 15 10:12:02 php-fpm 55695 /pkg_edit.php: [squid] Starting a proxy monitor script May 15 10:11:52 php-fpm 55695 /pkg_edit.php: The command '/usr/local/sbin/squid -f /usr/local/etc/squid/squid.conf' returned exit code '1', the output was '2016/05/15 10:11:52| Can't use proxy auth because no authentication schemes are fully configured. FATAL: ERROR: Invalid ACL: acl password proxy_auth REQUIRED Squid Cache (Version 3.5.16): Terminated abnormally. CPU Usage: 0.019 seconds = 0.013 user + 0.006 sys Maximum Resident Size: 48096 KB Page faults with physical i/o: 0' May 15 10:11:52 squid ERROR: Invalid ACL: acl password proxy_auth REQUIRED May 15 10:11:51 php-fpm 55695 /pkg_edit.php: [squid] Starting service...

Edit:
Seems to be a bug ?

I did fix this by setting the Authentication to Local and then back to none

One last question, is the default Gateway the only way to configure which Gateway the proxy uses ? No Gateway Groups or so ?

More clearance: it was the 'play´  button on the website (hardcore-radio.png) that was blocked by clamav and showed as blocked by squidguard!?

Hi Michael,

Yes those are listening on my 'webserver' / testbox.. When writing the guide i was using only 2 machines (1 pfSense & 1 webserver), where i indeed had the webserver listening on multiple ports with a different index.html served on each one just to check if the haproxy side of things was working properly. When using different webservers you could use port 80 or 443 on all of them and make the difference by their ip's. Or you could actually host multiple webapplications on different ports from 1 machine, while serving all of them on the 'outside' on the standard 80 / 443 ports. But a webserver could likely also accomplish that with configuring some virtualhosts..

Anyway i hope this helps understand the screenshots a little better.. Sorry for the confusion.

Latest 'doc' is currently available here (im still using those non standard ports there though ;) ): https://github.com/PiBa-NL/pfsense-haproxy-package-doc/wiki

Regards,
PiBa-NL

My cache file system is null and any memory cache should have been flushed when I rebooted right? This is a nanobsd-installation (running from a CF card).

I did however command a "flush" just to make sure.

I agree totally with you… But the issue only happens when the squid is enable... Probably it is misconfigurating... How can I start tracing the problem?

Screenshot_20160513-053306.png
Screenshot_20160513-053306.png_thumb
Screenshot_20160513-053630.png
Screenshot_20160513-053630.png_thumb
Screenshot_20160513-053333.png
Screenshot_20160513-053333.png_thumb