@jonathanlee have you ever worked with bind or reverse shells sometimes they say the port is already in use. Similar to this how can I set up squid to do a port load balance for http traffic. All https works.

@ageekhere Ya, I have the iPad manually set to use the proxy. Same as the iPhone. Looking at them both side by side right now, they are the same settings. I don't have my squidguard set up to auto set a proxy as I don't want it to apply to everything, just specific devices that I opt in to. I really only use it on those 2 devices, sometimes my PC but I've found I don't really have a need on the PC as the only ads I see are in my browser and adblock plus + privacy badger do the job fine enough. They're both using the same IP (192.168.1.1) and port (3128), the defaults of squidguard. I guess I could try adding an explicit youtube allow whitelist and see if that changes anything.... Edit: I don't know why I didn't think to try whitelisting youtube in the first place. I did that and it solved the problem. Not sure why I get different behavior with just that one site on two different devices but whatever, problem solved.

Well I posted into redmine.. https://redmine.pfsense.org/issues/9700 Over 2 years ago.. Didn't expect it in the next dev build but yeah..Over 2 years..

@krsengr Answering my own question to possibly save others some sanity. The system doesn't use a separate port (3129) for the SSL traffic. I saw "SSL Proxy Port" and "Default: 3129" and assumed that's what I should configure on the client...silly me. I removed the seperate entry for https on my browser and used 3128 for both and everything started working.

@bole5 may be it

I found the solution. Maybe it will help someone: HAProxy is intended only for reverse proxy behaviors, so don't bother with that. Their website even explicitly says so, and recommends using Squid if you need a regular proxy server. So, install the Squid package in pfSense, click Save on the Local Cache tab, adjust the settings on the General tab and click Save. In my case, I needed to set the listening port on the General tab to some random sacrificial port number that I'll never use, because the real ports will be handled by my code below. Now, scroll to the bottom of the General tab, expand the Advanced area, and put exactly this text in your box labelled "Custom Options (Before Auth)", except replace the IP addresses and port numbers with your own: ##### START MY CODE ##### # these are the IP addresses and ports that Squid should listen on. # Remember, ignore the listening port you put in the pfSense GUI. # I did not actually need these loopback IPs in my code but I included them here in case it helps the copy/pasters. http_port 10.200.1.1:8001 http_port 127.0.0.1:8001 http_port 10.200.1.1:8002 http_port 127.0.0.1:8002 http_port 10.200.1.1:8003 http_port 127.0.0.1:8003 # Give each port a name acl portA localport 8001 acl portB localport 8002 acl portC localport 8003 # Map each port name to the IP address you want the traffic to use as it leaves Squid. These IPs must match the WAN IPs assigned to your pfSense interfaces and/or Virtual IPs. Squid will automatically put the packets onto whichever interface these IPs are assigned to. tcp_outgoing_address 111.111.111.001 portA tcp_outgoing_address 111.111.111.002 portB tcp_outgoing_address 222.222.222.001 portC ##### END MY CODE #####

@johnpoz So, strike my previous comment. It looks like the nginx message is actually created by PfSense (i get the same message if i try to connect PfSense with a forced HTTPS that originates as an HTTP connection What I dont understand is why? SM i missing something in my settings (frontend/backend) that is causing PfSense to think im trying to connect with an insecure connection?

@jonathanlee [image: 1641862668684-screen-shot-2022-01-10-at-4.57.34-pm-resized.png] Kaspersky also works

Hi @do1984 ! Thanks for putting the list together. Works great for me! if you might need a whatsapp list: # whatsapp .whatsapp.com .whatsapp.net web.whatsapp.com whatsapp.com c.whatsapp.net whatsapp Regards

@jonathanlee [image: 1641526219060-443-not-working.jpg] (Image: Virus Protection working only with HTTP) If I download the file with HTTPS it does not catch it. However notice I am running SSL intercept with the logs seen above. [image: 1641526297475-clamavcaught.jpg] (Caught: Only working currently for me with HTTP) HTTPS will bypass this even with the certificates installed and proxy running. Amazing to see it run half way there !!!

@jonathanlee FIXED!!!! The only fix for me was a true reinstall from factory reset mode on the Netgate 2100 max. However when restoring the config it blocked the package install so you have to kill the stuck locked PID in shell with logging in console mode for squidguard. After that just delete the missing half installed packages reboot for file check and reinstall all of them. Once this is done you have control over the logs. The only setting missing was the blacklist URL and common acl for squid guard. [image: 1641516837265-report.jpg]

@jonathanlee I would suggest you go through the hangout by jimp https://www.youtube.com/watch?v=xm_wEezrWf4 While its a bit dated now with 2.5 and 2.6 around the corner.. I am not aware of any sort of major changes.. And for sure this hangout goes over the different options of doing https proxy.