@johnpoz Yeah I did the 'offloading only' approach for quite a while and it works great - actually it's how I do it for most other services I host publicly.
But in this case the backend server is Vaultwarden, an open source implementation of Bitwarden (password manager).
I am currently in the process of strengthening my security posture, and I have come to the conclusion that I should treat every network that has a live connection to the internet under 'assume breach' and evaluate the risk based on that. Under this assumption it is really, really important that no one ever sees decrypted traffic to that server (e.g. the master vault password of a user, etc.) under any circumstances (except, of course, if Vaultwarden itself is compromised).
So for this specific scenario (Internet > HAProxy > Vaultwarden), the potentially higher backend load is more than acceptable compared to the security gain.
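The two backend variants this post contrasts, as an added haproxy.cfg example (not the poster's configuration and not from the HAProxy or Vaultwarden projects): an offload-only backend that forwards plaintext to the internal segment, and a re-encrypting backend that opens a new TLS session to Vaultwarden and verifies its certificate against a pinned internal CA. Hostnames, addresses, certificate paths and the `/alive` health-check path are assumptions.

```haproxy
# Added example, not from the thread. All names, IPs and paths are assumed.
global
    log stdout format raw local0
    ssl-default-bind-options ssl-min-ver TLSv1.2

defaults
    mode http
    log global
    option httplog
    timeout connect 5s
    timeout client  60s
    timeout server  60s

# Client TLS terminates here with the public certificate for vault.example.com.
frontend fe_https
    bind :443 ssl crt /etc/haproxy/certs/vault.example.com.pem alpn h2,http/1.1
    http-request set-header X-Forwarded-Proto https
    default_backend be_vaultwarden

# Offload-only variant: HAProxy talks plain HTTP to the backend. Under an
# 'assume breach' model anything on the internal segment (or a spoofed
# backend) can read the decrypted vault traffic.
backend be_vaultwarden_offload_only
    server vw1 10.0.10.20:80 check

# Re-encrypting variant: a new TLS session to Vaultwarden, with the backend
# certificate verified against an internal CA and the expected hostname.
# A passive tap on the internal network now sees only ciphertext, and a
# host impersonating the backend fails verification.
backend be_vaultwarden
    option httpchk GET /alive
    http-check expect status 200
    server vw1 10.0.10.20:443 ssl verify required ca-file /etc/haproxy/certs/internal-ca.pem verifyhost vault.internal sni str(vault.internal) check
```

The part that does the work is `verify required` together with `ca-file`; `ssl` alone would encrypt the hop but accept any certificate, which is exactly the gap an internal attacker would use.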
@jimp
Do you think a resource can be assigned to review the Redmine ticket? This would be a quality-of-life improvement for the use of the application.
https://redmine.pfsense.org/issues/14390
I seem to be having an issue even after configuring the firewall alias. I have created a post and would very much appreciate some input from you. https://forum.netgate.com/topic/182891/squid-proxy-bypass-proxy-for-these-destination-ips-not-working-transparent-http-proxy-mode-https-ssl-interception
Well, honestly I'm not sure where the "Green/Red" would be, but the backend status looks the same as for all other services that are working. (Screenshot of OnlyOffice and "password", which is Bitwarden.)
You've disabled the health check, so there is no information on the backend status.
instead of selecting "any" (IPv4) in the frontend,
What exactly are you trying to proxy? Why would you pick the LAN address? I have two things I run through HAProxy. One frontend listens directly on my WAN IP. The other listens on my loopback, since I share port 443 with OpenVPN: when it's not OpenVPN traffic, OpenVPN, using the share-port option, sends it to the loopback on port 9443 and HAProxy sends that on to the backend.
If I want to access either of these from my LAN, I access my WAN IP on the ports being used, 443 or 44301, and the proxy sends me to the backend.
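The two-frontend layout described in this post, as an added haproxy.cfg example (not the poster's configuration): one frontend bound directly to the WAN address on 44301, and one bound only to loopback port 9443 to receive the non-OpenVPN connections that OpenVPN's `port-share` hands off from tcp/443. The WAN address, backend addresses, certificate paths and backend names are assumptions.

```haproxy
# Added example, not from the thread. Addresses, ports and names are assumed.
#
# OpenVPN side (server config / custom options), assumed to be:
#     proto tcp
#     port 443
#     port-share 127.0.0.1 9443
# port-share only works when OpenVPN itself runs in TCP mode; a UDP OpenVPN
# instance cannot hand off anything.

defaults
    mode http
    option httplog
    timeout connect 5s
    timeout client  60s
    timeout server  60s

# Frontend 1: listens directly on the WAN address, nothing in between.
frontend fe_wan_44301
    bind 203.0.113.10:44301 ssl crt /etc/haproxy/certs/site.pem
    default_backend be_app1

# Frontend 2: receives what OpenVPN on tcp/443 decides is not OpenVPN.
# Bound to loopback only, so 9443 is never reachable from the network
# and the only path to it is through the port-share handoff.
frontend fe_portshare_9443
    bind 127.0.0.1:9443 ssl crt /etc/haproxy/certs/site.pem
    # Caveat: the TCP peer here is OpenVPN on 127.0.0.1, so the real client
    # address is not visible to HAProxy's ACLs or logs on this frontend.
    default_backend be_app2

backend be_app1
    server app1 10.0.10.30:8080 check

backend be_app2
    server app2 10.0.10.31:8080 check
```

Reaching either service from the LAN by hitting the WAN IP on 443 or 44301, as the post describes, goes through these same frontends; nothing here needs to listen on the LAN address.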