So I deleted all the HAProxy settings, uninstalled the package, rebootet my pfsense box, installed the HAProxy 1.8.30 package (haproxy package 0.61_3) and reconfigured all backends and frontends again ... now none of the backends were working.

I repeated the process with the very same result. For a backend to work I had to enable the health check which shouldn't be necessary I guess.

So I repeated the whole process a third time and for some reason it works now as expected. All backends work without any issues so far. I hope this is still the case when I add further backends in the future 🤔

@nfld_republic haproxy-package uses version 1.8 and is not affected. Only version 2.0 and above.
haproxy-devel-package is using 2.2.14 and thus affected. Fixed version is 2.2.17.

@alexander90 no

Hello,

I already make a inverse proxy with SQUID without any issues, the post is quite old, if need help please reply to this message and I will put the solution here.

Regards,
Aluisco

EDIT:
This part "(./..(rar|mp3|exe|vpu))" doesn't work, rest of settings, i.e. radio|teamviewer works fine, sites are blocked.

For anyone interested in the WAF tester I used the following docker container.

docker run -v ${PWD}/reports:/go/src/gotestwaf/reports --network="host" wallarm/gotestwaf --url={url of application under test} --verbose --skipWAFBlockCheck

we decided to go with:

xyz-web -- for all internal web interfaces

e outra coisa eu tenho duas interface lan 192.168.1.1 e wifi 172.168.0.1 na lá esta ok mais como devo fazer pra usar na wifi tbem pq são faixas de ip diferente

hello
today I ran into this problem, and in the last version available today (I think it was 1.16.18_20)
when checking the system log I could see that the error is due to the file being treated as a ".tar" file without compression.
When I downloaded the file on another host, unzipped it, and used the url with the .tar file, it managed to extract and process the list of categories correctly.

Here is the log that showed what the package was trying to do:

Sep 10 14:01:33 firewall php[10138]: squidGuard_blacklist_update.sh: The command '/usr/bin/tar zxvf /tmp/squidguard_blacklist.tar -C /tmp/squidGuard/unpack' returned exit code '1', the output was 'tar: Failed to set default locale tar: Error opening archive: Unrecognized archive format'

Sep 10 14:01:43 firewall php[10138]: squidGuard_blacklist_update.sh: The command '/bin/cp -f -p /tmp/squidGuard/arcdb/blacklist.files /usr/local/etc/squidGuard' returned exit code '1', the output was 'cp: /tmp/squidGuard/arcdb/blacklist.files: No such file or directory'

greetings

5491a6f4-4c82-4788-b155-a39e2d260f55-bild.png

So this is what I need to get a away from since there is obviosly a max number of rows pfSense accepts. I have reached that maximum.....

Right so if Squidguard is blocking that traffic it will try to display an error page but that is hosted in the firewall behind that self signed cert over https.

As a test only try setting the firewall webgui to http.

If that works you need to change the Squidguard settings to either not display an error page or redirect to an externally host page over http.

Steve

@rupesh issue resolved.Found this great post @ (https://github.com/PiBa-NL/pfsense-haproxy-package-doc/wiki/pfsense_2_3_haproxy_sni_plus_offloading_backends

Note

**My Squid is not on Transparent mode because I need to authenticate users.

@derelict thanks a lot for providing insights on your setup! I'd be interested in setting up something similar and have a couple of question I was hoping you could help answer.

I made an RFC1918 VIP on localhost.

Unfortunately it's this very first point I already don't understand 😁 If my understanding of the documentation is correct then an IP Alias (VIP) is simply an additional IP address one can assign to an interface, right? If so, what is the purpose of assigning it to localhost? So that it is reachable from each of the local interfaces/networks?

HAproxy binds to that.

Why not binding it to the WAN interface/address?

I port forward WAN to that.

I guess that's necessary because the HAProxy is bound to the VIP and not the WAN address?

I have split DNS inside pointing to the inside VIP address.

What does this mean exactly? Do you have a domain override for your domain(s)? If so, what's the purpose of that? To avoid NAT reflection that you mentioned in your post above?

Outside DNS, of course, points to WAN through various Dynamic DNS trickery. I CNAME all the domains to one record that is updated via Dynamic DNS (on hurricane).

I use a wildcard certificate and have only a * CNAME and an A DNS record pointing to my WAN address (dynv6.com as dynamic DNS provider). I have the DNS-01 challenge running and the certificate is currently retrieved via a dedicted certbot instance and used on a dedicated nginx instance. However, I'd like to switch to the pfsense HAProxy/ACME setup.

It all works great. The nextcloud app on my phone does not care if it is inside or outside. It just works.

The ACME package handles all the certs. inside or outside get the same ones. Connections to the backends are unencrypted. And, like you, I grew weary of maintaining certificates on all the backends and haven't thought about it for months.

If I'm not mistaken, I could keep the traffic encrypted even in the backend with my dedicated nginx reverse proxy, right? So HAProxy would do the SSL/TLS offloading and communicate via https with my dedicated nginx reverse proxy (which in turn is proxying to the various docker containers/services I have). The HAProxy would be used also for other various hosts on the network (via host overrides), including the pfsense host itself, in order to get rid of the self-signed certificate warnings. As all the other hosts have https enabled by default, the complete traffic should be encrypted and a valid certificate should be proviced by the HAProxy. Or am I missing something here? 🤔

The only thing that might need further consideration is limiting access to the internal hosts, i.e. they should not be reachable from outside. I guess that's what the HAProxy access lists are for?

@kasalencar

below this line

$sge_prefix=(preg_match("/\?/",$cl['u'])?"&":"?");

@kom I'm totally open to rethinking it 😊. I was reading about what Squid does with caching and figured it would be really useful. But hey if it's not then it's not. One less thing for me to worry about. I'll look into webcrawlers and site downloaders. My connection speed is rarely an issue, but you know our connection to a site is only as fast as the site is. Even then, maybe I will just dump the entire idea. Thx for the reply!

@Michele-trotta I'm not using transparent mode, but to make WhatsApp work, I had to whitelist whatsapp.net and whatsapp.com.

@periko I do this:

Add ACL to the squidguard.conf (Diagnostics / Edit File / /usr/local/etc/squidGuard/squidGuard.conf)

src admins {
ip 192.168.2.0-192.168.2.255
ip 172.16.12.0/255.255.255.0
ip 10.5.3.1/28
}

From squid GUI I definied this IP ranges in Unrestricted IPs.

This work for me. Thanks !!!

Can confirm this is a DNS issue. Fixed by enabling "DNS Query Forwarding" under Services > DNS Resolver.

@kom
I've configured squid as transparent/ssl proxy server with one bypass for windows updates.
SSL/MITM mode: Splice Whitelist, Bump Otherwise. (see attacment)

Squid-Config_210816.jpg

It was working ok when first installed, then for no apparent reason that I can trace, it just stopped filtering,
Should I proceed to clear squid proxy server cache?
Do you require any other config/specifics to help diagnose?

Well you could give it a shot, and see if you have any issues reported by clients..

Yeah I went through the whole security thing awhile back, there is a thread around here about it somewhere - wanted to get A+, and discovered that if you only allow for tls 1.3, that ssllabs will only give you a A vs A+ ;)

edit: here is that thread
https://forum.netgate.com/topic/162125/get-a-on-ssl-labs-test

@viktor_g

Thank you for the promp reply,
Presently I'm just running Squid - Proxy Service.
Unfortuneately, I've removed Squidguard temporarily to avoid issues with Net Users.
I normally do diagnostics/net management on Fridays, so I will reinstall/try again and send log at that time, or sooner if possible.