Awesome! Thank you!

@jlee_eye

d05bcb5c-2383-47af-a0b5-534b06632500-image.png

Have you tried to play around with the custom options and get one that works well yet? This was the one that consumes less memory and works better for me.

@kenj05

What browser are you using?

I follow this Video for my 2.6.0 pfsense and it works.

https://www.youtube.com/watch?v=DTD5lYPjLns&list=LL&index=1

So is the SSL inspection function.

@boatsman
No idea. But why don't you simply restore a config backup?
It's 15 in the console menu.

@michmoor said in Transparent Squid via Splice = Intermittent SSL Connectivity Failures:

@the_boss you will need to whitelist the domain. It’s possible there is certificate pinning going on.

I see, thanks. It is my understanding that Peek/Splice has no issue with pinning, and only Bump does, no?

The quantity of things getting blocked randomly would make any whitelisting insurmountable. Others seem to report no challenges with Splice.

@s3v3nd34dly51ns
When you forward the traffic, it cannot reach HAproxy anymore, no matter if it is installed and running or not.
Port forwarding happens at the first level on the incoming packets.
So HAproxy or even its settings might not be responsible for your issue at all.

If you're in doubt, you can sniff the traffic on the inside interface.
So there will be another reason for that. Best to investigate with packet capture to see, what's going on.

@myster_fr thank you, just ran into this issue and i confirm, it works.

@jonathanlee

Screenshot 2023-02-10 at 6.32.55 PM.png

I adapted this for testing and set it to stare all because of this statement on their website, "The following configuration obtains SNI by parsing TLS Client Hello (due to a matching peek rule at step1) and then either splices bank connections OR stares at the TLS Server Hello (due to a matching stare rule) and bumps non-bank connections (due to the default bump-after-stare rule)."

It has a default bump after stare rule, so bump step 3 is not needed
I am thinking. This also seemed to speed up everything.

Ref:
https://wiki.squid-cache.org/Features/SslPeekAndSplice

@patrick75 said in Connection problems to upstream proxies after squid package upgrade:

I am running a Netgate 1541, which is configured as transparent firewall and transparent firewall

Should have been:
I am running a Netgate 1541, which is configured as transparent firewall and transparent proxy

@viragomann I tried looking into absolute path but then why did it work when it was published with TMG? Nothing changed in the backeend.

@cyrus104

I was able to make this work by adding following custom ACL:

2M3tjblqot.png

@michmoor Thank you for your reply

The Squid logs doesn't show any activity concerning the Outlook application only web traffic through the browser. when i try to reach our webmail it fails with tcp:denied. i added 993 465 and 2096 (webmail port) to the list of safe ports. Now the webmail works but not Outlook.

As i have stated the end users needs to be routed through the 172.26.2.1 router because of our provider but the network doesn't have internet connection. The sole purpose of installing pfSense was to implement the proxy so the end users can use the internet(with exceptions added to the proxy), it's not really acting as a router.

@dbmandrake
799ecc95-da12-4329-8986-86e3b8bbb51d-image.png

61216ded-5a50-4492-b951-3825dfab0c9d-image.png

Thanks for the info, it's working great. 9:29 AM test ran automatically.

It could be likely that your work laptop creates a VPN to your business network and thus would be invisible to other devices on your home network.. That is true of mine.

That could be why other devices cannot ping it..

@dbmandrake thanks for the information on the auto update.

@dbmandrake It did not work for me unless I included the ip address of the firewall and the loopbacks in an alias, the other way it would just fail for me.

@michmoor exactly... To be honest, that is DO - in what scenario would they ever need to be inbound to you?

Block all of their ASNs

NetRange: 165.22.0.0 - 165.22.255.255 CIDR: 165.22.0.0/16 NetName: DIGITALOCEAN-165-22-0-0

pfblocker makes it easy to look up ASNs and put them into a alias and then block that completely from your services you don't want them to be able to talk to.. DO while is a big cloud provider - why would you have need of inbound traffic from them? They are not known for being to particular on how they allow their services to be used.

I was beating my head against this the past few days, finally figured out using an alias with FQDNs was not actually working. The script above was a good starting point, but I have a new version that is more robust. Hopefully helpful to someone else! One more improvement I will make eventually is to support multiple aliases. I wanted to use the socket wrapper script, but it generated additional cruft on the first output line so I just used the socket directly. I also did not know why the original used /31 as a mask so I removed that.

#! /bin/sh #Edit this value to match pfSense alias name ALIASNAME="Foreman_Clients" SOCKET=/tmp/haproxy.socket #Pull current ACL from haproxy (normalize and sort by IP) echo "show acl /var/etc/haproxy/ipalias_${ALIASNAME}.lst" | nc -U $SOCKET | sed '/^$/d' | awk '{print $2}' | sort -V > "/tmp/${ALIASNAME}-cur" #Dump alias values to a temp file (normalize and sort by IP) pfctl -t ${ALIASNAME} -T show | sort -V > "/tmp/${ALIASNAME}-new" #Check new alias values against current (ignore whitespace) diff -w "/tmp/${ALIASNAME}-new" "/tmp/${ALIASNAME}-cur" >/dev/null 2>&1 && exit 0 #Clear current acl echo "clear acl /var/etc/haproxy/ipalias_${ALIASNAME}.lst" | nc -U $SOCKET #Populate haproxy ACL with alias values while read -r line; do echo "add acl /var/etc/haproxy/ipalias_${ALIASNAME}.lst ${line}" | nc -U $SOCKET done < "/tmp/${ALIASNAME}-new" #Remember current alias contents for next run mv "/tmp/${ALIASNAME}-new" "/tmp/${ALIASNAME}-cur" exit 0

Thank you for this! Got my application to work. Much appreciated.

I added just that one line into the “Global Advanced pass thru” field in the HAproxy Settings tab…applied the configuration changes and it worked immediately. Thanks. How did you do? Many thanks. How can I mark your reply as “solved the problem”!

@viragomann That was it, thanks! Searched a lot put could find any documentation on this.

Ok, I figure it out. someone can please, close this topic?

Hola andres,

Tengo configurado pfsense 2.6 con squid y squidguard. presento el mismo problema para acceder a la pagina web del cne: http://www.cne.gob.ve/web/index.php

Aplique varias configuraciones en el squid :
X-Forwarded Header Mode : probe la opcion de truncate, borrar.

Deshabliite este parametro: Disable VIA Header
If not set, Squid will include a Via header in requests and replies as required by RFC2616.

Verifique la resolución de los dns

Agregue la url completa en el squidguard,
Agregue la url dentro del whitelist del squid

y aun persiste la falla.

Queria saber si habias encontrado una solución.

Gracias

@karimhaydar31 You can't access TLS resources by IP address if the IP address is not in the certificate they present. This is TLS doing what TLS is supposed to do. Not sure what you are trying to accomplish and why.

@ageekhere Thanks for the reply, I wanted to also show that if really needed you could access and load shalla's old blacklist in an emergency if you needed one.

@gtrovato I just noticed the correct location to adjust them is different. If you are using squidguard is Package/Proxy filter SquidGuard: General settings/General settings under service options.
Screenshot 2023-01-11 at 9.58.52 PM.png
(Image: Rewrite Process Children)

If you try to set this with just Squid advanced options it gets rewritten each time Squidguard is reconfigured or with every reboot. Just configure this advanced setting inside of squidguard and the advanced settings in Squid Proxy will reflect the change better this way.

After the new configurations holds
Screenshot 2023-01-11 at 10.04.49 PM.png

Resolved, there was an issue in connection limit