@viragomann I must have not made what I wrote Crystal clear. Pfsense + haproxy is working, haproxy has my true wan ip but when it tries to send it to CF it gets the proxied ip back. Or the error is Connection time out, 522. When trying to reach a service.

Have I found a bug in the Web GUI maybe? I have 6 certificate's only 5 appear under Frontend SSL Offloading, Additional certificates.

@maverick_slo that’s a good sign !

@viragomann Thats correct.

@periko Hi Periko, the pfsense version is 2.6.0. In addition to the internal DNS (to resolve internal sites) located in System->General Setup I also use alternative DNS for the Proxy Server in Proxy Server->General Settings To solve the problem in Proxy Server->General Settings I use the pair of public dns 8.8.8.8;8.8.4.4 and in case of error I use 1.1.1.1;1.0.0.1 After making this change, the clients using the proxy start working smoothly and the problem is solved. Greetings Michele

@jonathanlee dns_v4_first the maintainer has to update the GUI and remove that option, nothing to worry. The 2nd line is telling u that squid is already running. If u don't handle the console, reboot pfsense, if yes, them kill all the squid process and restart the services. Regards!!!

thanks for your infos heper, swithcing on/off proxy to use the vpn is so easy ;) switching ip is more "hardcore" ... i don't want to end up in my limited guest vlan2 ;) Anyways, i just give up for the moment and set the defaut routing to the vpn and exclude to it all outbound traffic of LAN, squid use the "auto" interface in this case ... i just put a failover to wan if the vpn fail ... i have spend days to try to understand what's going on !!!! The only difference between theses 2 setup is the default gateway of the pfsense .... i just don't get it ! i have check everything ... nat outbound to vpn / routing table , switching on/off netgates auto rules etc ... for me it's clearly a problem of routing ... but why squid start to retrieve the begining of the webpage and just hang ? it's not cache related i have disable it for testing .... if the webpage is small it success to download it ! but if it's longer it hang at the middle !!! i want to know why ! WHY !!! WHYYYYYYYYYYY !!!!!!!!!! it's more a problem of understanding ;) have nice days ;)

@michmoor yeah i am just playing around with trying to cache https content and filter https site content using e2guardian. This is not a production environment and more of a learning exercise. I am finding that MITM bump breaks a lot of things.

@slu Thank you for responding, You were right I had a capital letter that was messing me up. So I fixed it. Everything is good thank you very much for pointing it out.

@deeztek Sorry for the delay, it took a little longer to get time to sit and screen shot these. I didn't snap an image, but the SSL_Offload_FrontEnd and piWeb-80 backends have the "Use Client-IP to connect to backend servers." option selected in the advanced section. Let me know if you need any other sections or anything else. Hope this helps! I also set up the OpenVPN to port share with my SSH server, so I have my WAN router doing the SSL offloading, passing decrypted traffic to my web server, the OpenVPN sharing the same 443 port, and SSH getting passed from the router to the OpenVPN server and then off to the SSH server also on port 443. Works great and haven't had any issues serving the multiple domains from my web server. Front Ends: [image: 1671679571815-frontends.jpg] Back Ends: [image: 1671679583394-backends.jpg] OpenVPN-TCP Back End: [image: 1671679617587-backend1.jpg] SSL_Offload_FrontEnd Back End: [image: 1671679635001-backend2.jpg] piWeb-80 Back End: [image: 1671679672388-backend3.jpg]