Netgate Discussion Forum
pfSense Packages / Cache/Proxy
    • W

      I'd like to combine different ACLs and order them in HAProxy
      • wgold

      3
      0
      Votes
      3
      Posts
      389
      Views

      W

      Awesome! Thank you!

    • J

      Our clamd service stops working
      clamd • jlee_eye

      5
      0
      Votes
      5
      Posts
      583
      Views

      JonathanLee

      @jlee_eye

      (image attached)

      Have you tried to play around with the custom options and get one that works well yet? This was the one that consumes less memory and works better for me.

    • K

      Squid Proxy Error
      • kenj05

      2
      0
      Votes
      2
      Posts
      449
      Views

      bluegrass-168

      @kenj05

      What browser are you using?

      I followed this video for my 2.6.0 pfSense and it works.

      https://www.youtube.com/watch?v=DTD5lYPjLns&list=LL&index=1

      So is the SSL inspection function.

    • B

      How do I disable HAProxy from the shell?
      • Boatsman

      2
      0
      Votes
      2
      Posts
      586
      Views

      V

      @boatsman
      No idea. But why don't you simply restore a config backup?
      It's 15 in the console menu.

    • T

      Transparent Squid via Splice = Intermittent SSL Connectivity Failures
      • The_Boss

      3
      0
      Votes
      3
      Posts
      504
      Views

      T

      @michmoor said in Transparent Squid via Splice = Intermittent SSL Connectivity Failures:

      @the_boss you will need to whitelist the domain. It’s possible there is certificate pinning going on.

      I see, thanks. It is my understanding that Peek/Splice has no issue with pinning, and only Bump does, no?

      The quantity of things getting blocked randomly would make any whitelisting insurmountable. Others seem to report no challenges with Splice.

    • S

      Remove HAProxy and Configuration
      • S3v3nD34dly51ns

      2
      0
      Votes
      2
      Posts
      521
      Views

      V

      @s3v3nd34dly51ns
      When you forward the traffic, it cannot reach HAproxy anymore, no matter if it is installed and running or not.
      Port forwarding happens at the first level on the incoming packets.
      So HAproxy or even its settings might not be responsible for your issue at all.

      If you're in doubt, you can sniff the traffic on the inside interface.
      So there will be another reason for that. Best to investigate with a packet capture to see what's going on.

    • D

      AFTER PFSENSE UPDATE TO 22.05 SQUID WILL NOT RESTART
      • dgall

      7
      0
      Votes
      7
      Posts
      844
      Views

      A

      @myster_fr thank you, just ran into this issue and I confirm, it works.

    • JonathanLee

      Testing some good Regex expressions for use with Squid Proxy and custom spliced URL lists.
      • JonathanLee

      5
      1
      Votes
      5
      Posts
      498
      Views

      JonathanLee

      @jonathanlee

      (image attached)

      I adapted this for testing and set it to stare all because of this statement on their website, "The following configuration obtains SNI by parsing TLS Client Hello (due to a matching peek rule at step1) and then either splices bank connections OR stares at the TLS Server Hello (due to a matching stare rule) and bumps non-bank connections (due to the default bump-after-stare rule)."

      It has a default bump after stare rule, so bump step 3 is not needed
      I am thinking. This also seemed to speed up everything.

      Ref:
      https://wiki.squid-cache.org/Features/SslPeekAndSplice

    • P

      Connection problems to upstream proxies after squid package upgrade
      • patrick75

      3
      0
      Votes
      3
      Posts
      532
      Views

      P

      @patrick75 said in Connection problems to upstream proxies after squid package upgrade:

      I am running a Netgate 1541, which is configured as transparent firewall and transparent firewall

      Should have been:
      I am running a Netgate 1541, which is configured as transparent firewall and transparent proxy

    • P

      Outdated options in squid.conf
      • patrick75

      1
      0
      Votes
      1
      Posts
      237
      Views

      No one has replied

    • B

      HAProxy not rendering SSL traffic properly
      • bretua

      8
      0
      Votes
      8
      Posts
      481
      Views

      B

      @viragomann I tried looking into absolute path but then why did it work when it was published with TMG? Nothing changed in the backend.

    • JonathanLee

      Squid Proxy seeing Urbanairship.com??
      • JonathanLee

      1
      0
      Votes
      1
      Posts
      229
      Views

      No one has replied

    • J

      Our clamd service stops working
      clamd • jlee_eye

      1
      0
      Votes
      1
      Posts
      204
      Views

      No one has replied

    • A

      Synology Surveillance Station cannot be accessed when behind HAProxy
      • adelaide_guy

      4
      0
      Votes
      4
      Posts
      724
      Views

      A

      @cyrus104

      I was able to make this work by adding following custom ACL:

      (image attached)

    • Y

      Unable to access Outlook behind Squid Proxy
      • yakoub_23

      3
      0
      Votes
      3
      Posts
      395
      Views

      Y

      @michmoor Thank you for your reply

      The Squid logs don't show any activity concerning the Outlook application, only web traffic through the browser. When I try to reach our webmail it fails with tcp:denied. I added 993, 465 and 2096 (webmail port) to the list of safe ports. Now the webmail works but not Outlook.

      As I have stated, the end users need to be routed through the 172.26.2.1 router because of our provider, but the network doesn't have an internet connection. The sole purpose of installing pfSense was to implement the proxy so the end users can use the internet (with exceptions added to the proxy); it's not really acting as a router.

    • S

      Automatic updates for squidguard blacklist
      • SourceFinder

      6
      1
      Votes
      6
      Posts
      3351
      Views

      JonathanLee

      @dbmandrake
      (images attached)

      Thanks for the info, it's working great. 9:29 AM test ran automatically.

    • C

      Work laptop disabling local network
      • cybersamurai

      7
      0
      Votes
      7
      Posts
      394
      Views

      chpalmer

      It could be likely that your work laptop creates a VPN to your business network and thus would be invisible to other devices on your home network. That is true of mine.

      That could be why other devices cannot ping it.

    • D

      Squidguard category filtering silently fails with large blacklist - a workaround
      • DBMandrake

      23
      3
      Votes
      23
      Posts
      701
      Views

      JonathanLee

      @dbmandrake thanks for the information on the auto update.

    • M

      Squid Proxy - Whitelist domains - Any lists out there?
      • michmoor

      21
      1
      Votes
      21
      Posts
      931
      Views

      JonathanLee

      @dbmandrake It did not work for me unless I included the ip address of the firewall and the loopbacks in an alias, the other way it would just fail for me.

    • J

      Squid And Squidguard port allow
      • Jdwind

      1
      0
      Votes
      1
      Posts
      168
      Views

      No one has replied

    • A

      How to block http inbound connection by http header
      • alexferro32

      3
      1
      Votes
      3
      Posts
      274
      Views

      johnpoz

      @michmoor exactly... To be honest, that is DO - in what scenario would they ever need to be inbound to you?

      Block all of their ASNs

      NetRange: 165.22.0.0 - 165.22.255.255 CIDR: 165.22.0.0/16 NetName: DIGITALOCEAN-165-22-0-0

      pfBlocker makes it easy to look up ASNs and put them into an alias and then block that completely from your services you don't want them to be able to talk to. DO, while a big cloud provider - why would you have need of inbound traffic from them? They are not known for being too particular on how they allow their services to be used.

    • R

      Squid access.log not incrementing each day
      • RobinWright

      1
      0
      Votes
      1
      Posts
      147
      Views

      No one has replied

    • JonathanLee

      Netgate 2100-MAX and the recommended Hard Disk Cache System settings?
      • JonathanLee

      1
      0
      Votes
      1
      Posts
      174
      Views

      No one has replied

    • J

      HAProxy Source IP Alias Problem [Solved]
      • jafath

      12
      0
      Votes
      12
      Posts
      3271
      Views

      C

      I was beating my head against this the past few days, finally figured out using an alias with FQDNs was not actually working. The script above was a good starting point, but I have a new version that is more robust. Hopefully helpful to someone else! One more improvement I will make eventually is to support multiple aliases. I wanted to use the socket wrapper script, but it generated additional cruft on the first output line so I just used the socket directly. I also did not know why the original used /31 as a mask so I removed that.

      #! /bin/sh
      # Edit this value to match the pfSense alias name
      ALIASNAME="Foreman_Clients"
      SOCKET=/tmp/haproxy.socket

      # Pull the current ACL from haproxy (normalize and sort by IP)
      echo "show acl /var/etc/haproxy/ipalias_${ALIASNAME}.lst" | nc -U "$SOCKET" | sed '/^$/d' | awk '{print $2}' | sort -V > "/tmp/${ALIASNAME}-cur"

      # Dump the alias values to a temp file (normalize and sort by IP)
      pfctl -t "${ALIASNAME}" -T show | sort -V > "/tmp/${ALIASNAME}-new"

      # Check the new alias values against the current ones (ignore whitespace); nothing to do if identical
      diff -w "/tmp/${ALIASNAME}-new" "/tmp/${ALIASNAME}-cur" >/dev/null 2>&1 && exit 0

      # Clear the current ACL
      echo "clear acl /var/etc/haproxy/ipalias_${ALIASNAME}.lst" | nc -U "$SOCKET"

      # Populate the haproxy ACL with the alias values, one entry per socket command
      while read -r line; do
          echo "add acl /var/etc/haproxy/ipalias_${ALIASNAME}.lst ${line}" | nc -U "$SOCKET"
      done < "/tmp/${ALIASNAME}-new"

      # Remember the current alias contents for the next run
      mv "/tmp/${ALIASNAME}-new" "/tmp/${ALIASNAME}-cur"
      exit 0

    • P

      Websockets configuration in HAProxy
      • Peque

      12
      0
      Votes
      12
      Posts
      5054
      Views

      M

      Thank you for this! Got my application to work. Much appreciated.

    • Cool_Corona

      Squid works but after a while half of the webpages are gone??
      • Cool_Corona

      1
      0
      Votes
      1
      Posts
      157
      Views

      No one has replied

    • D

      Reloading SquidGuard increases number of processes with no limit ?
      • DBMandrake

      1
      0
      Votes
      1
      Posts
      131
      Views

      No one has replied

    • Cloudless Smart Home

      HAProxy Acme
      • Cloudless Smart Home

      1
      0
      Votes
      1
      Posts
      135
      Views

      No one has replied

    • Help Group

      PROXY conflict
      • Help Group

      1
      0
      Votes
      1
      Posts
      122
      Views

      No one has replied

    • JonathanLee

      Roblox URL List
      • JonathanLee

      1
      0
      Votes
      1
      Posts
      174
      Views

      No one has replied

    • JonathanLee

      FATAL: check failed: !request->pinnedConnection() PKG UPDATE??
      • JonathanLee

      1
      0
      Votes
      1
      Posts
      139
      Views

      No one has replied

    • M

      HAProxy for User Control Panel (UCP) on freepbx
      haproxy freepbx • MattiaIppilito

      4
      0
      Votes
      4
      Posts
      424
      Views

      M

      I added just that one line into the “Global Advanced pass thru” field in the HAproxy Settings tab…applied the configuration changes and it worked immediately. Thanks. How did you do? Many thanks. How can I mark your reply as “solved the problem”!

    • C

      HAProxy: Use UNLESS condition instead of default IF
      • cwegh

      3
      0
      Votes
      3
      Posts
      234
      Views

      C

      @viragomann That was it, thanks! Searched a lot but couldn't find any documentation on this.

    • R

      Squid + Squidguard DEBUG showing
      • Renobr

      2
      0
      Votes
      2
      Posts
      243
      Views

      R

      Ok, I figured it out. Can someone please close this topic?

    • D

      squid error tcp miss 502
      • dalla

      1
      0
      Votes
      1
      Posts
      152
      Views

      No one has replied

    • A

      problems with squid
      • Andres Cabeza

      11
      0
      Votes
      11
      Posts
      457
      Views

      D

      Hello Andres,

      I have pfSense 2.6 configured with Squid and SquidGuard. I have the same problem accessing the CNE website: http://www.cne.gob.ve/web/index.php

      I applied several configurations in Squid:
      X-Forwarded Header Mode: I tried the truncate and delete options.

      I disabled this parameter: Disable VIA Header
      If not set, Squid will include a Via header in requests and replies as required by RFC2616.

      I verified DNS resolution.

      I added the full URL in SquidGuard,
      I added the URL to the Squid whitelist,

      and the failure still persists.

      I wanted to know if you had found a solution.

      Thanks

    • K

      can't access websites using ip address instead of url
      • karimhaydar31

      4
      0
      Votes
      4
      Posts
      253
      Views

      Derelict

      @karimhaydar31 You can't access TLS resources by IP address if the IP address is not in the certificate they present. This is TLS doing what TLS is supposed to do. Not sure what you are trying to accomplish and why.

    • JonathanLee

      Squidguard blacklist shalla
      • JonathanLee

      5
      0
      Votes
      5
      Posts
      270
      Views

      JonathanLee

      @ageekhere Thanks for the reply, I wanted to also show that if really needed you could access and load shalla's old blacklist in an emergency if you needed one.

    • G

      WARNING: Consider increasing the number of redirector processes in your config file.
      • gtrovato

      8
      0
      Votes
      8
      Posts
      1848
      Views

      JonathanLee

      @gtrovato I just noticed the correct location to adjust them is different. If you are using SquidGuard, it is under Package / Proxy filter SquidGuard: General settings / General settings, under service options.
      (Image: Rewrite Process Children)

      If you try to set this with just Squid advanced options it gets rewritten each time Squidguard is reconfigured or with every reboot. Just configure this advanced setting inside of squidguard and the advanced settings in Squid Proxy will reflect the change better this way.

      After the new configuration holds:
      (image attached)

    • A

      Database redundancy in HAproxy with pfsense
      • asheeshc2

      3
      0
      Votes
      3
      Posts
      234
      Views

      A

      Resolved, there was an issue with the connection limit.