It seems, per HAProxy documention, that the user needs to exist and it must be able to login without password. This is against all our policies so I changed the mysql-check back to a basic ping check. This fixes the Health check, but not the biggest problem: No connection is possible trough HAProxy.

@mcury Thanks for the information

@PF4PFS Enter a path to a log (/var/run/log) file at "Remote syslog host" in the HAproxy general settings. As mentioned above, I would remove all actions and only state a default backend for investigation, to see if the site works basicall through HAproxy.

@j-sejo1 This used to work: acl LAN1 src 10.0.4.0/24 acl LAN2 src 192.168.0.0/21 tcp_outgoing_address (IP WAN1) LAN1 tcp_outgoing_address (IP WAN2) LAN2 http://www.squid-cache.org/Doc/config/tcp_outgoing_address/

@sub2010 I use the same config. domain.tld and matrix.domain.tld. I'm not sure about your srv record, I dont use one. For my certificate I use 1 certificate. In acme you can specify multiple domains for one certificate. Mine includes. *.domain.tld and domain.tld Get a cert like that, put it on your haproxy frontend and also put it on your matrix host and point your homeserver.yaml to it and restart matrix. The error is still saying your cert is expired, so I am assuming the cert you have on your matrix host that your homeserver.yaml is pointing to is expired.

It goes on and on for every client. Does Squid proxy require an ACL from the firewall IP and squids port to all the clients using the proxy?

@vlurk Thank you for this guide. I have the same issue but with Viber. How can I use your settings for viber desktop App

@periko Yes, now it's working correct. Thank you once more.

@dkzsys try this client_persistent_connections on client_persistent_connections off "Squid uses persistent connections (when allowed). You can use this option to disable persistent connections with clients." http://www.squid-cache.org/Doc/config/client_persistent_connections/

@colinstu Edit: Huh, after also checking on "Add ACL for certificate Subject Alternative Names." for the alt cert, it now works!

@johnpoz Yeah I did the 'offloading only' approach for quite a while and it works great - actually it's how I do it for most other services I host publicly. But in this case the backend server is Vaultwarden, an open source implementation of Bitwarden (password manager). I am currently in the progress of strengthen my security posture and I came to the conclusion to treat every network that has a live connection to the internet under 'assume breach' and evaluate the risk based on that. Under this assumption it is really really important that no one ever sees decrypted traffic to that server (e.g. master vault password of a user etc.) under any circumstance (except of course if vaultwarden itself is compromised). So for this specific scenario Internet > HAProxy > Vaultwarden the potential higher backend load is more than acceptable when compared to the security gain.

@planetinse removed package - then install package - did the trick

@jimp You think a resource can be assigned to review the redmine? This will be a quality of life improvement with the use of the application. https://redmine.pfsense.org/issues/14390