• How to add 500 SSL certs to HAProxy Additional certificates?

    2
    0 Votes
    2 Posts
    392 Views
    GertjanG
    @frostys said in How to add 500 SSL certs to HAProxy Additional certificates?: Google didn't come up with any results so far Google is a machine, so it needs to be friendly, and has no means to introduce humor. AFAIK, nothing what you're looking for exists in the official documentation. So the good news is the bad news: The world is divided in two. Those who do things manually. Those who write a script. Because we're all equal and everything is balanced: doing it manually or writing (and testing, debugging etc), it will take the same time. If you need to do this often: go learn a 'language'. IMHO: it can be done.
  • 0 Votes
    5 Posts
    3k Views
    SimpleTechGuyS
    Trying to find a solution to this as well. It doesn't seem OpenVPN has an option to forward headers, which basically makes it impossible to use OpenVPN as the primary on port 443 if you need to see client IP addresses on haproxy. As an alternative, I wondered if it might make sense to set haproxy listening on 443 and OpenVPN as a backend on a different port. Has anyone tried this yet? Does this cause double encryption (slow down the connection too much)? Here is an example of one guy who claims to have got it working: https://discourse.haproxy.org/t/haproxy-with-openvpn-over-tcp-443-on-pfsense/4731/2 EDIT It looks like he created a TCP frontend on 443 with a default backend going to OpenVPN:TCP:1194 and an acl that checks for SSL and sends SSL traffic to an HTTPS Backend set to localhost:9443. Then he configured localhost:9443 as a Frontend that handles the forwarded Web Traffic. That looks like it should work, but it's a bit too complicated for me to test on my live server right now and I don't have a lab setup. Happy to help anyone else who might have a lab environment setup for testing.
  • Squid + Squidguard with WPAD. Filter doesn't work.

    32
    0 Votes
    32 Posts
    4k Views
    JonathanLeeJ
    Have you all attempted to use the following custom patches Redmine#13984 This fixed a lot for me with Squid and Squidguard
  • Teams chat not working with Squid enabled?

    16
    0 Votes
    16 Posts
    3k Views
    JonathanLeeJ
    Have you all attempted to use the following custom patches Redmine#13984 This fixed a lot for me with Squid and Squidguard
  • Squid Bug 4940 opened in 2019 patched

    big bug fix squid update
    2
    0 Votes
    2 Posts
    501 Views
    JonathanLeeJ
    Maybe Squid and Snort can stay as holiday packages
  • 1 Votes
    4 Posts
    701 Views
    M
    My ticket was finally rejected because Squid will be removed in the next major version: https://www.netgate.com/blog/deprecation-of-squid-add-on-package-for-pfsense-software
  • 4 Votes
    4 Posts
    2k Views
    H
    Thank you very much. Works fine.
  • Squid/LightSquid/SquidGuard alternatives

    18
    0 Votes
    18 Posts
    10k Views
    JonathanLeeJ
    I use PfSense Plus so I can't test it
  • Connection problems to upstream proxies after squid package upgrade

    4
    0 Votes
    4 Posts
    2k Views
    B
    Ensure that the upstream Squid proxies (xxx.xxx.243.53 and xxx.xxx.243.54) are reachable and responsive. You can test this using tools like telnet or nc from the Netgate firewall. Double-check your Squid configuration settings to make sure there are no typos or misconfigurations. Pay close attention to the upstream proxy settings. Ensure that the version of Squid you are using (5.4.1) is compatible with your current environment and the other proxies. And remember, you can buy proxies quickly, but it's important to find a company you trust. Check the release notes for any known issues or updates related to your configuration. If the issue started after upgrading Squid, you might consider downgrading to a previous version that was stable in your environment. You can check the Squid release history and choose a version that was working well for you. Verify that there are no firewall rules blocking the Squid proxy from establishing connections to the upstream proxies. This includes both the Netgate firewall rules and any external firewalls.
  • Domain whitelist/blacklist per-VLANs

    4
    0 Votes
    4 Posts
    636 Views
    T
    @CZvacko @michmoor : Thank you for your answers. I have just seen the deprecation notice: https://www.netgate.com/blog/deprecation-of-squid-add-on-package-for-pfsense-software. (And this is sad because out-of-the-box Squid support was 50% of the reason why I bought the Netgate 6100).
  • Squid transparent on one interface and non-transparent on second

    1
    0 Votes
    1 Posts
    179 Views
    No one has replied
  • HAProxy multiple subdomains

    9
    0 Votes
    9 Posts
    2k Views
    I
    @viragomann Thank you! I've got it working. I had 2 problems: From what I have read, duckdns shares the txt file for let's encrypt on all your subdomains, that is the reason why the second SSL certificate Issue never completed. I have created another subdomain (in one custom domain), created the certificate and selecting it in Additional Certificates everything worked. Thanks again
  • problem with whatsapp and squid proxy server

    13
    0 Votes
    13 Posts
    4k Views
    N
    @vlurk I tried to do this but the result was the same and I started to have more problems on my network with other devices, so I decided to leave squid in transparent mode for http and uninstall squidguard, and in squid I did not activate ssl; For https filtering I do it with pfblockerNG which updates with thousands of blacklists and the update is done with the period of time I want. Therefore, if you are not going to perform an exhaustive analysis of the certificate, I recommend this scenario.
  • pf2ad updated to 2.7.1 compatibility

    1
    1 Votes
    1 Posts
    440 Views
    No one has replied
  • Squid TRANSPARENT PROXY - HTTPS - CERTIFICATE ERROR

    2
    1
    0 Votes
    2 Posts
    433 Views
    G
    @hyanviana SSL/MITM Mode use Splice All
  • squid + squidguard + captive portal issue

    11
    0 Votes
    11 Posts
    2k Views
    H
    @Gertjan yes i just saw that.. Well i'll look for an alternative then
  • 0 Votes
    7 Posts
    1k Views
    JonathanLeeJ
    @johnpoz side note I finally found my invasive container it's on my 2019 Motorola g-power the thing is registering all sorts of Snort open AppID items I am not using, everything else on my network is matched to app use. It even saw Opera browser I don't even use that, alongside Snapchat, LinkedIn on and on even a bunch of Stripe payment service, and endless Skype. It was the smartphone.
  • Squid future questions

    16
    1 Votes
    16 Posts
    1k Views
    JonathanLeeJ
    Looks like Squid's website just released version 6.5 on Nov 4th 2023. That was 10 days ago... I am confused as it was said it was not updated in 2 years... Was updated again Nov 6 2023. Also many security issues have been resolved per the GitHub. I am thinking of installing it on a Raspberry Pi 5 8GB and NAT to it from the firewall
  • issue with backend on HAPROXY

    4
    0 Votes
    4 Posts
    1k Views
    M
    This seems to be working now/resolved. I bounced the whole firewall and my (pihole) dns servers and came back to it 30 minutes later and now it is working. I don't understand what bouncing the pihole servers, or the full firewall ( given I previously bounced the dns resolver / haproxy services) might have done but with the haproxy backend happy, everything is now working. hopefully this helps the next guy :)
  • Client certificate check fails

    1
    0 Votes
    1 Posts
    316 Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.