Cache/Proxy

• C

  HaProxy SSL offloading with multiple certificates
  • cjbujold  

  2
  0
  Votes
  2
  Posts
  29
  Views

  

  @cjbujold said in HaProxy SSL offloading with multiple certificates: have HaProxy setup for SSL Offloading and with one SSl certificate it works great. The problem is I have multiple domains each with it's own certificate. You need use shared frontend if you have one public IP for multiply SSL certificates. This will require from client support of SNI but this not an issue in 2020. Your default frontend can be without backend and all shared backends use host ACLs rules (or other ACLs) to forward your requests to correct backends. That is all.
• A

  Improve Custom refresh pattern
  • aGeekhere  

  75
  0
  Votes
  75
  Posts
  20711
  Views

  

  I had posted a thread, talking about having made a community github collaborative effort, and asked for help contributing to it, only to have @aGeekhere reply to me linking this, so, I guess that's now a thing by my own sheer coincidental effort haha. if anyone wants to offer to help with this github collaborative effort, COMPLETELY UNOFFICIAL TO SQUID, please let me know so I can add you as a contributor, because by sheer coincidence, my goal was the same as what this thread sought to achieve, I AM NOT AT ALL related/whatever to squid, I just want the same goal that everyone else in this thread is after....ironic, but I'm loving the amusement this is giving me haha. https://github.com/mmd123/squid-cache-dynamic_refresh-list
• 

  dynamic_refresh pattern collaborative effort request
  • High_Voltage  

  5
  0
  Votes
  5
  Posts
  49
  Views

  

  @aGeekhere I'll look into this right now actually, took me a bit longer than I'd like it to have, for me to get to this. I'll add them in and see how it goes, thank you! EDIT: oh my lord that's funny, that article you'd linked is one of the sources I actually did use when compiling that list that I posted in the github that I'd had in my original post haha. changes committed to the github, thank you again.
• A

  Squid disable multiple sessions
  • atn78  

  4
  0
  Votes
  4
  Posts
  67
  Views

  A

  thanks @viktor_g
• 

  Squid HA support
  • viktor_g  

  2
  1
  Votes
  2
  Posts
  42
  Views

  

  Reverse proxy too:
• A

  how to let https traffic through http proxy ?
  • aincvy  

  3
  0
  Votes
  3
  Posts
  39
  Views

  A

  @srlek Hi, srlek Thank you for your reply. dunno why you need clash Because I am in China, the gov blocks a lot of websites. but for proxying https you need squid-guard on pfsense I have installed squid-guard package, and I set target rules=all, and it doesn't work. Maybe I need more knowledge about routing.
• B

  Squid 0.4.44_26 cannot select external CA's
  • badincite  

  6
  0
  Votes
  6
  Posts
  106
  Views

  B

  @viktor_g Thanks will do!
• M

  How to get Telegram and Squid Proxy to work.
  • madapter  

  4
  0
  Votes
  4
  Posts
  90
  Views

  M

  Thanks, it looks like it was working just the account got locked out, had to reset it.
• H

  Bypass squid proxy for gitlab.com on container
  • hisrarul  

  1
  0
  Votes
  1
  Posts
  151
  Views

  No one has replied

• K

  Site work in browser , but telnet, traceroute not
  • koko_adams  

  1
  0
  Votes
  1
  Posts
  18
  Views

  No one has replied

• H

  Squid and SquidGuard on Pfsense for Large deployment
  • herbi  

  6
  0
  Votes
  6
  Posts
  183
  Views

  C

  @viktor_g Thanks, installed, function seems to be ok (but upgrading process was problematic this time).
• R

  squidGuard reinstall stuck on config restore
  • revengineer  

  2
  1
  Votes
  2
  Posts
  83
  Views

  S

  happen also to me during update to 2.4.5-RELEASE-p1, squidguard stuck at reboot on deinstall
• 

  What are the reqs to SNI Microsoft's web servers with HAProxy?
  • skilledinept  

  9
  0
  Votes
  9
  Posts
  114
  Views

  P

  @skilledinept What does the haproxy status page LastChk column say when you enable "SSL checks" on the server, and configure healthcheck method to 'http' ? Wrong method? Try GET perhaps? Or wrong host, try adding a Host header? Or forbidden? Try allowing the 401 status as valid.
• A

  Problem accessing the site (SSL Certificate expired on: May 30 10:48:38 2020 GMT)
  • auto2015  

  8
  0
  Votes
  8
  Posts
  133
  Views

  A

  @aGeekhere said in Problem accessing the site (SSL Certificate expired on: May 30 10:48:38 2020 GMT): SPLICE ALL Thank you, The option "SPLICE ALL" solve the problem
• W

  ACL groups with AD groups do not work?
  • will92  

  3
  0
  Votes
  3
  Posts
  38
  Views

  W

  I set up squid authentication with LDAP, and I'm trying to create a group ACL, I'm passing the settings just as pfsense says ldapusersearch ldap://192.168.0.100/DC=domain,DC=com?sAMAccountName?sub?(&(sAMAccountName=%s)(memberOf=CN=it%2cCN=Users%2cDC=domain%2cDC=com)) but this group acl does not block the blacklist sites, when I create a group acl and place a single user it works which is a beauty
• Y

  HAProxy support for server-template backends (Consul, etc)
  • yammering  

  3
  0
  Votes
  3
  Posts
  69
  Views

  Y

  That worked great. I didn't realize you could put the resolvers under global and still have it work.
• 

  haproxy and wildcard lets encrypt only for internal servers
  • noplan  

  13
  0
  Votes
  13
  Posts
  127
  Views

  C

  @noplan Thanks for the reply. Naw... I've tried that. It doesn't work for my setup. Pfsense returns two IPs for that hostname...but the 1st IP is the real server IP...the 2nd IP is the 'override' ... besides I can't ssh into the server if the override IP is the only one that resolves for that hostname... Just starting to accept the fact that this solution won't work for my setup.
• X

  HAProxy SSL Offloading is not encrypting
  • xuti  

  5
  0
  Votes
  5
  Posts
  39
  Views

  X

  I've noticed that all images are pointing to http, so I got a mixed content error. Changing it fixed the error. Thanks
• S

  Pfsense Squid proxy NONE/409
  • sviasnetworkmanager  

  10
  0
  Votes
  10
  Posts
  131
  Views

  S

  @aGeekhere thank you. I will check that.
• T

  Squidguard empty Target Rules (Enable BL Checked)
  • ThiagoTw  

  6
  0
  Votes
  6
  Posts
  1618
  Views

  K

  @papartsharingan Thanks man u save me with this info..
• S

  Squid not listening on port 80
  • stanthewizard  

  33
  0
  Votes
  33
  Posts
  24977
  Views

  O

  Still having the same issue on 2.4.5-RELEASE (amd64) :( I checked config for illegal characters and it all looks good! However, as soon as I add another "Web Server" half of all requests from all domains are being forwarded to that new web server.
• P

  Squid Update to 0.4.44_24
  • pgleed  

  6
  0
  Votes
  6
  Posts
  318
  Views

  S

  @pgleed ok thank you very much i will try to restart squid and check if it works. I also don't want to do the pending update of squid
• B

  Squid Reverse Proxy and ACME certificates
  • border  

  1
  0
  Votes
  1
  Posts
  47
  Views

  No one has replied

• E

  Unifi Controller "400 Bad Request" behind HAProxy
  • ecramond  

  1
  0
  Votes
  1
  Posts
  50
  Views

  No one has replied

• S

  SG-1100 Squid ICAP Error.
  • sudburymatt  

  1
  0
  Votes
  1
  Posts
  27
  Views

  No one has replied

• 

  HAproxy 2.0 Prometheus Monitoring How-to
  • dragoangel  

  2
  1
  Votes
  2
  Posts
  95
  Views

  

  For those people who has HAproxy not on pfSense: frontend http-promex bind <%IP%>:9001 name <%IP%>:9001 ssl crt-list /var/etc/haproxy/http-promex.crt_list process 1 mode http log global option dontlog-normal option http-keep-alive maxconn 10 timeout client 30000 option http-use-htx http-request use-service prometheus-exporter if { path /metrics } stats enable stats uri /stats stats refresh 10s acl aclcrt_http-promex var(txn.txnhost) -m reg -i ^pfsensen01\.concosto\.com(:([0-9]){1,5})?$ http-request set-var(txn.txnhost) hdr(host) frontend https-f01 bind <%IP%>:443 name <%IP%>:443 ssl crt-list /var/etc/haproxy/https-f01.crt_list alpn h2,http/1.1 no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384 mode http log global option httplog option http-server-close option forwardfor acl https ssl_fc http-request set-header X-Forwarded-Proto http if !https http-request set-header X-Forwarded-Proto https if https timeout client 30000 acl grafana.concosto.com var(txn.txnhost) -m str -i grafana.concosto.com http-request set-var(txn.txnpath) path http-request set-var(txn.txnhost) hdr(host) capture request header X-Forwarded-For len 128 capture request header Host len 32 capture request header User-Agent len 128 use_backend grafana.concosto.com if grafana.concosto.com backend grafana.concosto.com mode http id 160 log global timeout connect 5000 timeout server 30000 retries 3 http-request set-header Host grafana.concosto.com server grafana.concosto.com <%IP%>:3000 id <%ID%> ssl check inter 1000 ca-file /var/etc/haproxy/internal-ca.pem verifyhost grafana.concosto.com resolvers globalresolvers sni str(grafana.concosto.com) check-sni grafana.concosto.com Note: find change <%IP%> and grafana.concosto.com in config to your one
• R

  LightSquid
  • rob1  

  2
  0
  Votes
  2
  Posts
  74
  Views

  R

  It is fixed now. The solution was to change the setting under the report template from text to base and save it.
• K

  SQUID NOT WORK
  • klausneil  

  1
  0
  Votes
  1
  Posts
  98
  Views

  No one has replied

• M

  This topic is deleted!
  • monukumar1234  

  1
  0
  Votes
  1
  Posts
  13
  Views

  No one has replied

• 

  Unofficial E2guardian package for pfSense
  • marcelloc  

  1190
  3
  Votes
  1190
  Posts
  170913
  Views

  P

  @yogeesh said in Unofficial E2guardian package for pfSense: @marcelloc Hi, I am getting below error when I am opening the social media websites in my network. Once I switch to my home network I can easily access social media website PFA of an error message . If you have MITM enabled, you need to install the CA certificate on the client machine. As E2 Guardian essentially breaks the HTTPS encryption.
• D

  [Work in progress] Squid failover AND load balancing for pfSense
  • deajan  

  14
  0
  Votes
  14
  Posts
  4538
  Views

  

  Feature request: https://redmine.pfsense.org/issues/10541
• E

  Using HAproxy for reverse proxy with / in the backend
  • Evertvh  

  6
  0
  Votes
  6
  Posts
  164
  Views

  P

  @Evertvh said in Using HAproxy for reverse proxy with / in the backend: if i do go and say https://mail.remote-entry.tld/roundcube I get a Server does not exist return. because technically it the correct path for round cube is https://remote-entry.tld/roundcube 'Who' is saying the server doesn't exist.? I presume you have got the proper DNS records in place to point to haproxy? Your first post you wrote "but when i try to reach mail.mydomain.com/roundcube it just takes me to the 192.168.0.20" sounds like you actually did get a response.? (no idea if that was with http or https though.. as you seem to forget to actually specify these details which might actually matter..) @Evertvh said in Using HAproxy for reverse proxy with / in the backend: if i did get https://mail.remote-entry.tld/roundcube working it would defeat the purpose of what i am trying to achieve. What are you trying to achieve? what is the desired url to visit in a browser? what have you configured? (show the current config?) what is the current effect what have you checked and what do you expect might need to change? is a request from the browser send to the 'correct' webserver currently already? but its virtual-servers configuration just doesn't recognize the proper website to reply for? if so perhaps a simple set-header command with the actual domain would suffice? Anyhow i'm struggling parsing your reply and thoughts mixed together with a seemingly large lack of understanding..
• N

  Reverse proxy step by step request
  • nonyhaha  

  2
  1
  Votes
  2
  Posts
  1996
  Views

  

  @nonyhaha have you got how to resolve your problem? I am trying to publish some sites too! I found this tutorial https://www.danielcolomb.com/2019/09/15/using-squid-reverse-proxy-to-manage-multiple-domain-names-on-pfsense/ but I have not to figure out how to make it works.
• S

  Problem with dante socks server doing DNS lookups
  • sparkman123  

  1
  0
  Votes
  1
  Posts
  41
  Views

  No one has replied

• 

  How to backup squid+squidguard settings?
  • periko  

  1
  0
  Votes
  1
  Posts
  41
  Views

  No one has replied

• B

  Haproxy custom add configs
  • bihzs  

  2
  0
  Votes
  2
  Posts
  334
  Views

  P

  @bihzs Configure your frontend type for SSL, and configure a acl that checks the ServerNameIndication
• B

  HAproxy Add OpenVPN Server to Existing Setup
  • Brailyn  

  6
  0
  Votes
  6
  Posts
  160
  Views

  P

  @Brailyn The frontend3-offloading uses type HTTP, this cannot pass openvpn traffic which doesn't use http.. You can still have a 'offloading' frontend of-course. But the backend that sends traffic there would not be the default backend for the frontend2-SNI. There would be a acl check for on or more SNI-name's like myFirstOffloadedSite.domain.tld mySecondOffloadedSite.domain.tld and then a action use-backend:frontend3-offloading when that acl matches. Then that frontend3 can handle the certificates and further splitting of host headers so first site and second site get actually handled by first- backend and second-backend. As for how the backend is named and what it does, that indeed is probably a little strange, but you can change the names of-course.. I was just telling with minimal changes how to achieve the initial goal while seeing that you where not actually using the that default backend at the time.
• D

  NordVpn /Squid and safeguarding
  • DrSuki  

  10
  0
  Votes
  10
  Posts
  911
  Views

  

  I'm glad, if you found my help helpful send me like this:
• C

  Reverse Proxy using server certificates (NOT PFSense certs)
  squid ssl reverse proxy man-in-the-midd • • coatmaker618  

  2
  0
  Votes
  2
  Posts
  59
  Views

  C

  Solved in https://forum.netgate.com/topic/153028/haproxy-deleting-acl-on-modify-bug-or-am-i-missing-something/14
• S

  ClamAV antivirus dont work?!
  • starnix  

  4
  0
  Votes
  4
  Posts
  152
  Views

  

  How you have it setup that is correct. With SSL filtering disabled Squid will only proxy http traffic. Steve