@llinty If your forwarding on your hypervisor - that is where you would have to put in the nat reflection its that simple..

Not sure how you expect the haproxy to proxy traffic it is never seeing.. Put in a host override in pfsense so you client resolves the fqdn to whatever pfsense actual wan IP is where the haproxy is listening.

Hi gertjan,

now the site is reachable with pfsense without errors and most likely the administrator has changed the certificates correctly.

Thanks for the explanation!

Michele

@jimp Perfect, thanks for the explaination :)

@braunerroei Then your frontend config looks like this?

196c1e01-1e74-49f5-87c8-4d22eb7bf590-image.png

That's the SSL Offloading I was talking about. If you don't check that box, then pfSense won't negotiate SSL. I was worried that you might be processing unencrypted.

In any event, I resolved my 503 problems. I'm not using the default port 443 for this new connection. Therefore, the value of the "Host Matches" ACL entry needed to be my.host.com:6407. I had used my.host.com with no port.

I had assumed that HAProxy would tack the port number on to the value because the port number is specified in the external address table. I see now it can't do that. The External Address table may contain multiple entries. It follows that the ACL match routine has no way to know your intentions unless you specify the port number in the ACL.

Thanks for the help. Your answers got me questioning my own configuration which turned out to be in error.

@idarlund

The websocket was only configured for Synology and no websocket configuration for home assistant

Here's what worked for me. I did have to add the lua script to files, however, see my screen shot for the CORS settings. Once I read the lua documentation I was able to add what I needed to get my CORS data to work properly.

Screenshot 2022-11-01 at 23-13-27 TheWall.jrfam.net - Services HAProxy Frontend Edit.png
Not that I did remove my domain for privacy. It's .mydomain.com. I used the . to include all subdomains.

@creationguy
Any further ideas?

Answering my own question...

I had forgotten that the URL was originally configured in Squid Guard -> General Settings -> Blacklist options at the bottom of the page. Saving the new value here makes it permanent.

I'm not really sure why there is the option to enter a different URL in the Blacklist update page - that seems like a confusing UI design decision.

My problem with this is the need of a whitelist. I curruntly don't know how to have something like "whitelist all except blacklist and pages scaned with a virus" I don't use squidguard but PFBLockerng-devel witch is in my opinion better.
It should be a regex like ^.* minus blacklist but I don't see anything on how to do this properly.

I have a thread about this: https://forum.netgate.com/topic/175557/squid-clamav-mitm-custom-setting?_=1667128733894

I think you may need to use the development version. MQTT support appears to have been added in HAProxy 2.4.

Steve

@creationguy said in HAProxy & ACME - Site not loading:

HAProxy / Frontend
Screenshot 2022-10-27 at 00-14-45 TheWall.jrfam.lan - Services HAProxy Frontend Edit.png
I selected Proxmox address as the site is on a VM in Proxmox server (10.20.20.3) on the VLAN, that server (10.20.20.4) is Ubuntu Server with Portainer running a docker for an intranet dashboard. 9455 is the port that the docker container uses for the intranet. This particular docker container does not ship with HTTPS.

An Update:
The front end configuration was the problem, the port needs to be 443. Also, just to note, on the backend, if the site does NOT have SSL, then you need to uncheck Encrypt(SSL) on the BACKEND.

HAProxy / Backend
intranet.mydomain.com
Screenshot 2022-10-27 at 00-13-35 TheWall.jrfam.lan - Services HAProxy Backend Edit.png

Everything is now working. Unfortunately, if I go to https://crt.sh/ and check my domain, I have a BUNCH of SSL certs. Oh well.

Question:
How does this tool auto-update my public IP with Cloudflare so that my @ record is always up to date?

Dear Periko

Yes I enabled DNS Resolver option as Services tab - DNS-resolver-General options. In Network interfaces - LAN Selected while in outgoing Network Interfaces, I selected WAN interface.
version of pfsense is 2.6.0-release (amd64).

No ideas or suggestions?

@sensewolf

anybody got this working?

@gertjan thanks i will do that

@mrit
Okay, figured it out myself (and with the help of the WayBackMachine). Turns out, subdomains are only included for a domain if the domain is the only entry in the domain list.

So makes it very hard for me, to also add subdomains (as wildcard) to my allowlist. Maybe it works using regular expressions...

Source: https://web.archive.org/web/20210727190453/http://www.squidguard.org/Doc/aboutblocking.html

@periko Good morning, My whitelist I put https://secweb.procergs.com.br
https://assinador.ac.rs.gov.br
https://www.ac.rs.gov.br
http://crl.globalsign.net
https://www.alphassl.com
http://ocsp.globalsign.com

These were the addresses I put.

Thanks for the reply viragomann, I have removed the ACLs from the backend and added to the frontend. No change in error from Nextcloud. I have tried having them configured in both the frontend and backend and received an error "Your web server is not yet properly set up to allow file synchronisation, because the WebDAV interface seems to be broken."

As this seems a trivial use of HAProxy I am surprised it seems so hard to resolve (searching for this problem does not seem to provide a solution other than "thanks that fixed it"), I suspect this may also have something to do with using HA Proxy on pfSense as using nginx Proxy Manager I have no problems.

I would prefer not to have to spin up another container just to be a reverse proxy as this is baked into pfSense and it appears to me that it should work with the correct ACLs.... I just don't understand why it is not. Hence this post of the pfSense forum.

If anyone has this working (nudge nudge Netgate) a helping hand would be appreciated for this plus user.

@jonathanlee not sure

@swinster there is a bug which is already reported, we are still waiting the fix.

Hey guys, on OPNsense there another one:
http://pgl.yoyo.org/adservers/serverlist.php?hostformat=nohtml
I don't know if the format can be used as is or if it needs to be converted. It also parses categories so I assume it has all the fields needed to work and should be n't be too hard toeverything in there to work and shouldn't be that hard in a Bash script, or from what I hear trivial in Python. I don't know Python myself so…yeah.

I already checked, it looks like the categories are nothing but lists in folders:
Remote Desktop Picture October 8, 2022 at 1.05.46 PM GMT-6.png

Knowing that you can easily use one of the many lists there are, e.g;
Screen Shot 2022-10-08 at 1.24.57 PM.png
Many with their own classifications, for example; Steven Black's. grep or awk or whatever is the easiest to remove the bad IP address-per-entry these come with put 'em in category folders, tar it, rsync it into a local web server, point pfSense to it. Maybe even add to the script to trigger the Squidguard update, there are some examples in the ACME package if I remember correctly. :) They should serve at least as hints to places in the filesystem.

Another option that comes to mind, is transforming the already-in-pfSense lists from pfBlockerNG but, I've never found it easy dealing with any native package-related thing on pfSense. They have some sort of obfuscation or inexplicably obvious oversight, I can't tell exactly what, but will make you miserable. 🔪

The file from l'Université Toulouse 1 appears to have additional files for heuristics or something (somebody will correct me, I hope), but the domain lists are on every category/folder whereas the others aren't, so I think it's a safe bet you'll be fine without them. Good luck!

Topic is quite old, just wanted to add this in case somebody else runs into this issue.
I fixed it by

SSH into the pfSense box Run : cd /usr/local/etc/squid cp mime.conf.sample mime.conf

and I could then start squid from the GUI.

@kom My use case was to restrict internet access to internal servers, allowing only permitted URL/IP combos, distro repos, etc. So no need for WPAD (+ I have no idea how it works)
And yes good of you to mention it because I forgot, also blocked all internet access in pfsense rules.

@jycai with free cf choose flexible mode.
Check your pfsense firewall.
Sometimes problem at frontend and backend. I remove and recreate. It’s work

how to bypasss pfBlockerNG from squid.

@dmalick Hit means its already stored, miss means its stored as of now because it was never stored yet, refresh means dynamic based refresh that is out of date or expired timer. Do a quick search on the specifics, you will never have 100 percent hits.

@mit the path is /usr/local/pkg/squid_antivirus.inc not squid.inc for latest pfsense 2.6 squid 0.4.45_9

@breezytm Thank for the reply. I finally was able to get it working after I found one site that provided some reference configurations. Here is my post on the netgate forum if you are still looking for a solution.

https://forum.netgate.com/topic/174705/haproxy-ssl-offloading-openvpn-ssh

@dmalick

This seems to fix a lot of the issues for me. Stop using squid with the loopback of the firewall only the LAN side.

I feel it speeds up the firewall traffic also. The loopback must access the squid cache for example, or the dns must access the loopback.

Again I feel it is a bit less safe to do this.

headers.PNG

@gertjan cheers mate thanks for the the clarification. I will try to get in deep on this will share here if get any outcome. Thanks again.