• haproxy delivers only one certificate for websites

    4
    0 Votes
    4 Posts
    623 Views
    N
    Solved it. The cause was the primary frontend was disabled. All is working now! Thanks! Stefan
  • Squid HA support

    3
    1 Votes
    3 Posts
    780 Views
    R
    @viktor_g Hi Viktor, I have been using HA for quite some time, but have been puzzled how to configure Squid because I am also using pfBlocker. pfBlocker does not display HA addresses. After reading your post I am assuming that the LAN of pfBlocker will find its way to the right HA interface. There is always something new to learn, one of my employees said today, and I seem always to be a newbie in some area. However, exposing my ignorance has taught me a great deal. From your post, could you please explain: "In case of IPv4, it's easier to use port forward to 127.0.0.1:3128: Bind Squid to Loopback (127.0.0.1) interface. Create a port forward from <CARP IP>:3128 to 127.0.0.1:3128. Have your users hit <CARP IP>:3128." I would like to know the why and the how. I think I know what is going on here and even how to do it, but I have not spent much time doing Squid for a while and want to be sure. Why is it a good idea to do this? Where do I bind Squid to Loopback? Maybe obvious, but guessing gets me into trouble. I have several HA LANs. There is only one mapping here. Can I map multiple addresses to 127.0.0.1? Having my users "hit" the CARP address happens automatically, I think. Thanks for your patience and help. Roy
  • HAProxy never autostarts for me

    5
    0 Votes
    5 Posts
    1k Views
    Y
    I'm resurrecting this old thread because I am experiencing the same issue (HAProxy will not automatically start on reboot) and, like the OP, I can't seem to find any diagnostics and/or logs that might explain why. I'm running CE 2.7 and HAProxy 0.61_11. After reboot, I can start and stop HAProxy normally. If anyone has a suggestion on where to look and/or how to gather some problem determination info, I'd appreciate it.
  • authelia + path

    1
    0 Votes
    1 Posts
    327 Views
    No one has replied
  • client VPN, squid, detected IP ?

    5
    0 Votes
    5 Posts
    698 Views
    buggzB
    I thought it would save bandwidth via caching common repeated items? I use pfBlockerNG for ads and such, and not squidguard.
  • Ha proxy and home assistant

    1
    0 Votes
    1 Posts
    396 Views
    No one has replied
  • Haproxy backend configuration

    5
    0 Votes
    5 Posts
    1k Views
    X
    Okay, there were two issues: one was tcp mode, and the second one was that under SSL offloading this was checked: Add ACL for certificate CommonName. (host header matches the "CN" of the certificate)
    So for somebody who wants to have the same:
    Create frontend with SSL Offloading checked
    type http/https offloading selected
    default backend selected
    Use "forwardfor" option checked and all other settings unchecked
    backend part
    server with encrypt ssl checked
    health check method none
    and in advanced settings backend pass thru
        http-request set-header Host onesite.com
        option httpchk GET /
        http-check send hdr Host onesite.com
  • 1 Votes
    1 Posts
    312 Views
    No one has replied
  • Available packages keeps coming up empty

    3
    0 Votes
    3 Posts
    461 Views
    O
    OK, I found a post that said to switch from latest to previous stable version 23.01, and now it installed. Now I just need to search for a guide on configuring squid...
  • Configuring Home Assistant Web socket behind Pfsense's HAProxy

    7
    0 Votes
    7 Posts
    4k Views
    T
    I also have a problem with Home Assistant behind HAProxy. If I set a direct NAT rule to port 8123 all works well, but if I try to use the ha link I receive a 503 error page. This is my ha config, any idea? P.S. All other backends are working correctly.

        # Automaticaly generated, dont edit manually.
        # Generated on: 2023-07-31 19:46
        global
          maxconn 1000
          stats socket /tmp/haproxy.socket level admin expose-fd listeners
          uid 80
          gid 80
          nbproc 1
          nbthread 1
          hard-stop-after 15m
          chroot /tmp/haproxy_chroot
          daemon
          tune.ssl.default-dh-param 2048
          server-state-file /tmp/haproxy_server_state

        frontend http
          bind 192.168.1.220:80 name 192.168.1.220:80
          mode http
          log global
          option http-keep-alive
          option forwardfor
          acl https ssl_fc
          http-request set-header X-Forwarded-Proto http if !https
          http-request set-header X-Forwarded-Proto https if https
          timeout client 30000
          http-request redirect scheme https

        frontend https_443
          bind 192.168.1.220:443 name 192.168.1.220:443 ssl crt-list /var/etc/haproxy/https_443.crt_list
          mode http
          log global
          option http-keep-alive
          option forwardfor
          acl https ssl_fc
          http-request set-header X-Forwarded-Proto http if !https
          http-request set-header X-Forwarded-Proto https if https
          timeout client 30000
          acl ha var(txn.txnhost) -m beg -i ha.mysite.org
          acl NAS var(txn.txnhost) -m beg -I nas.mysite.org
          acl www var(txn.txnhost) -m beg -I www.mysite.org
          acl proxmox var(txn.txnhost) -m beg -I proxmox.mysite.org
          acl firewall var(txn.txnhost) -m beg -I firewall.mysite.org
          http-request set-var(txn.txnhost) hdr(host)
          use_backend ha_ipvANY if ha
          use_backend NAS_ipvANY if NAS
          use_backend serverweb_ipvANY if www
          use_backend proxmox_ipvANY if proxmox
          use_backend firewall_ipvANY if firewall

        backend ha_ipvANY
          mode http
          id 102
          log global
          timeout connect 30000
          timeout server 30000
          retries 3
          timeout tunnel 60000s
          server ha 192.168.1.138:8123 id 103 ssl verify none

        backend NAS_ipvANY
          mode http
          id 100
          log global
          timeout connect 30000
          timeout server 30000
          retries 3
          server nas8 192.168.1.112:8080 id 101

        backend serverweb_ipvANY
          mode http
          id 104
          log global
          timeout connect 30000
          timeout server 30000
          retries 3
          server www 192.168.1.239:80 id 105

        backend proxmox_ipvANY
          mode http
          id 106
          log global
          timeout connect 30000
          timeout server 30000
          retries 3
          server proxmox 192.168.1.236:8006 id 107 ssl verify none

        backend firewall_ipvANY
          mode http
          id 108
          log global
          timeout connect 30000
          timeout server 30000
          retries 3
          server firewall 192.168.1.1:80 id 105

    Thanks
  • Logging HTTPS Web Sites

    Moved
    5
    0 Votes
    5 Posts
    563 Views
    GertjanG
    @inghaj said in Logging HTTPS Web Sites: "Is there still a way to do this, or are browsers too security conscious now?" When you instruct your browser to talk to "microsoft.com" it has ways to detect if there is a MITM, aka your squid. Your browser and "microsoft.com" agreed that they don't want a MITM, to protect the end user. And because it defies the usage of TLS (https). This time it's you, next time it's the neighbor, or the government, or any 3 letter agency, and so on. Meet HTTP Strict Transport Security. Btw: If you find a way around this, you'll be very famous. I'm not sure if you become 'rich' but one thing is sure: your 'quality of life' will strongly degrade, as there will be many coming after you as you are the one that broke the world's economy (the Internet can't be used anymore for trusted transactions). @planedrop said in Logging HTTPS Web Sites: "I will say that Chrome semi-recently started using its own certificate store instead of the local one" It probably has a built-in list with sites 'not to mess with' == known HSTS sites.
  • Guide - How to cache web content using pfSense 2.7.0

    1
    2 Votes
    1 Posts
    2k Views
    No one has replied
  • HAProxy backend only resolves IPv6 only

    1
    0 Votes
    1 Posts
    373 Views
    No one has replied
  • FTP Client Proxy Package on pfSense+ 23.05.1

    1
    0 Votes
    1 Posts
    250 Views
    No one has replied
  • HAproxy keeps crashing

    1
    0 Votes
    1 Posts
    334 Views
    No one has replied
  • Squidguard ACL help [Solved]

    1
    0 Votes
    1 Posts
    309 Views
    No one has replied
  • Squid/SquidGuard NONE/409 and DNS issue

    69
    0 Votes
    69 Posts
    25k Views
    M
    @proggggger After disabling roundrobin the amount of /409 errors did decrease significantly. I will monitor for a bit more and if it's resolved then I'm going to submit a redmine for a documentation update. This is a long standing problem.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.