Hi Andrew, thanks for the tip. I forgot reply here. In our case, the problem was the hardware. Since 2013 I use the same hardware an Athlon LE-1620(1 Core) with 2GB. Some months ago, we created an app with many HAProxy rules and the access is growing. We bought one fanless with Intel J6426 and 8GB and now it´s work fine.

@andrew_cb Thank you for the answer In the end it was a problem that any new backend i added just did not register, i confirm it by taking an existing one and overriding it and it worked so i want the nuclear option and just installed the entire pfsense because installing the haproxy did not help.

@viragomann Thank you, I had that a bit flipped in my mind!

@BelluX The Shared-Frontends message is because you have two different frontends configured that are listening on the same IP address and port. To resolve this error, you must choose the option Shared Frontend on the second frontend. However, if you do this, HAProxy will give an error that all shared frontends must be of the same type (you cannot mix http/https (offloading) with ssl/https (TCP mode). This is how I set up HAProxy to support mixed offloading and passthrough: Create a Backend called tcp_to_https which goes to server 127.0.0.1:4443 and Encrypt(SSL) is set to No. Create a Frontend called SSL_Termination that listens on port 4443. Enable SSL Offloading. Add all your ACLs and Actions like normal. Create a Frontend called SSL_Passthrough that listens on port 443 but do not enable SSL Offloading. Set it to ssl / https (TCP mode). Add ACLs using Server Name Indication TLS extension ends with for the hostnames that you want to pass through directly to the backends. Set the Default Backend to tcp_to_https. The way this works is HAProxy receives the request, it checks if the SNI matches the ACLs, and passes it through directly to the backends without performing SSL offloading. Otherwise, it passes the request to the default backend tcp_to_https, which connects to the frontend SSL_Termination, where the connections are processed a second time, this time performing SSL offloading.

@mojtaba-key For anyone reading this, the issue is likely the same as in https://forum.netgate.com/topic/178348/haproxy-backend-port-changes-are-not-applied/ The solution is to add load-server-state-from-file none to the Advanced Settings > Backend pass thru section of each backend.

@NickyDoes The issue is likely the same as in https://forum.netgate.com/topic/178348/haproxy-backend-port-changes-are-not-applied/ Try adding load-server-state-from-file none to the Advanced Settings > Backend pass thru section of each backend.

Retested on 24.11-RELEASE (amd64) all seems to work. So it seems right to file a bug for this issue.

@JonathanLee said in UNOFFICIAL GUIDE: Have Package Logs Record to a secondary SSD drive Snort Syslog Squid and or Squid cache system: ln -s -F /nvme/LOGS_Optane/snort /var/log/snort Also you can do this with suricata. /var/log/suricata remove this mkdir /nvme/LOGS_Optane/suricata ln -s -F /nvme/LOGS_Optane/suricata /var/log/suricata

This is a better WPAD file server.modules = ( "mod_access", "mod_staticfile", "mod_expire", "mod_setenv" ) server.document-root = "/var/www/html" server.errorlog = "/var/log/lighttpd/error.log" server.pid-file = "/run/lighttpd.pid" server.username = "www-data" server.groupname = "www-data" server.port = 80 server.bind = "192.168.1.6" server.tag = "" server.range-requests = "disable" server.max-connections = 10 connect-timeout = 2 server.max-keep-alive-idle = 2 server.max-keep-alive-requests = 1 server.max-read-idle = 2 server.max-write-idle = 2 dir-listing = "disable" $HTTP["request-method"] =~ "^(TRACE|TRACK)$" { url.access-deny = ( "" ) } # Cache WPAD and proxy PAC files for 1 day (good practice) expire.url = ( "/wpad.dat" => "access plus 1 day", "/proxy.pac" => "access plus 1 day" ) # Disable access logs to reduce SD card wear (optional) accesslog = "" $HTTP["url"] =~ "^/(wpad\.dat|proxy\.pac)$" { setenv.add-response-header = ( "X-Content-Type-Options" => "nosniff", "X-Frame-Options" => "DENY", "Content-Security-Policy" => "default-src 'none';", "Cache-Control" => "public, max-age=86400", "Referrer-Policy" => "no-referrer", "X-Download-Options" => "noopen", "X-Permitted-Cross-Domain-Policies" => "none" ) # Allow only GET and HEAD methods $HTTP["request-method"] !~ "^(GET|HEAD)$" { url.access-deny = ( "" ) } # Restrict access by IP subnets $HTTP["remoteip"] == "192.168.1.0/27" { } else $HTTP["remoteip"] == "2001:470:8052:a::/64" { } else { url.access-deny = ( "" ) } } # Deny all other URL requests $HTTP["url"] !~ "^/(wpad\.dat|proxy\.pac)$" { url.access-deny = ( "" ) } # Strict URL parsing for security and consistency server.http-parseopts = ( "header-strict" => "enable", "host-strict" => "enable", "host-normalize" => "enable", "url-normalize-unreserved"=> "enable", "url-normalize-required" => "enable", "url-ctrls-reject" => "enable", "url-path-2f-decode" => "disable", "url-path-2f-reject" => "enable", "url-path-dotseg-remove" => "disable", "url-path-dotseg-reject" => "enable", ) url.access-deny = ( "~", ".inc" ) static-file.exclude-extensions = ( ".php", ".pl", ".fcgi" ) # Add WPAD MIME type for correct browser handling mimetype.assign = ( ".dat" => "application/x-ns-proxy-autoconfig", ".pac" => "application/x-ns-proxy-autoconfig" )

@brcuewayne DiagnosticsCommand Prompt Shell Output - ls -l /usr/local/sbin/dhcpleases6 ls: /usr/local/sbin/dhcpleases6: No such file or directory Execute Shell Command

@viragomann Damn i completely forgot that i could use the current LAN CARP i have..!! Yeah that works for me !! Thank you very much !!!

@pradeep-sl Check if the backend is shown up as online on the FS stats page.

@aGeekhere said in Unofficial Squid Custom Refresh Patterns: https://github.com/mmd123/squid-cache-dynamic_refresh-list I added them thanks.