@johnpoz said in website name resolution:

@viragomann that is not going to add the host header info to what gets asked of the client.

Aha, I assumed that this HAproxy would implement it as host header. Didn't ever use a host name in the backend.

@Cabrinisamuele can you provide a screen shot of how you added them into Squidguard, and Squid ACL area?

Are you are attempting to block or approve domains/urls in Squid? Are you using SSL intercept or transparent mode? Do you have cache enabled? Browser in timeout means the URL is blocked. Did you mean the problem is when you attempt approved traffic it times out? Finally, why are you using both? Example: I use Squidguard to manage my blocks sites that I want no access to for Squid behalf. What is your end goal? Is it to block those URLs? Squidguard itself changes the Squid conf file and add the blocks or approve lists, so with Squidguard already running those domains are already included in Squids config in the background.

@Dobby_ So
openssl-1.1.1q,1 TLSv1.3 capable SSL and crypto library
ldd /usr/local/sbin/squid| grep ssl
libssl.so.111 => /usr/lib/libssl.so.111 (0x800b6c000)

It seems that squid used openssl 1.1.1 ,the openssl will use QAT, then the squid can use QAT ?

@ciscoqid thank you very much, your script solved my problem...

@SkippyTheMagnificent
First of all the backend state has to be online to get it work. If this isn't the case, the health checks might fail.

You have enabled HTTP health check + SSL checks + "/" as URL to check.
This means, HAproxy might try to access "https://10.0.1.160:443/" for checking the backends state. So the backend has to provide a valid SSL certificate for the CN "10.0.1.160". I'm in doubt...

I'd switch the health check method to basic instead.

@michmoor so that option allows the possiblity for a client to provide their own header that might include an IP address that isn't the real source IP. This allows for the possiblity for a backend to be connected by a client that is pretending to be a different IP then it really is.

The line I added above tells the proxy to strip any IP address provided by the client and forwards only the real IP.

@michmoor I use this blacklist:

http://dsi.ut-capitole.fr/blacklists/download/blacklists_for_pfsense_reducted.tar.gz

I have a 2100-MAX so I use this list t's not as big as the main version. Works great if you go to their website you can also report items for their lists.

My apologies I gave bad advice.

Documentation is opposite what I suggested. https://docs.netgate.com/pfsense/en/latest/install/upgrade-guide-prepare.html#packages

Yes I am using haproxy-devel v0.62_13

@johnpoz said in import certificate on android deivces:

I am missing the advanced search feature..

oh man...its been killing me lately not having this. There are at least 4 threads i wished i bookmarked

@JonathanLee Thanks Jonathan!

That is a message from the FreeBSD ports system about the state of that dependency port in the FreeBSD ports system. It isn't relevant to how the package operates on pfSense for the time being.

Yes, if Squidguard broke because some dependency was no longer viable we would look to correct that.