@rle,  I'll definitely look more into RADIUS. I guess I forgot to mention the fact that I have HAproxy up and running, but it's currently only working for HTTP and HTTPS on ports 80 and 443, respectively. I'm also already running Snort with the paid rules set. I understand Suricata is somewhat better with Layer 7 app detection. Specifically, it can identify HTTP and SSH traffic on non-standard ports, which would likely be more beneficial in this use case now that you mention it. Trust me, I'm the same way! I'm learning as I go here! :-)

@piba see also https://github.com/pfsense/FreeBSD-ports/pull/1066

@memphis2k Anybody? Is this not possible? Just looking for some thoughts

@mcury Thanks for the reply, so got it working, i used the pf2ad script but on ldap for squidguard how to add a group with a space the group is called domain users ldapusersearch ldap://apolo.casa.local:3268/DC=casa,DC=local?sAMAccountName?sub?(&(sAMAccountName=%s)(memberOf=CN=domain users%2cCN=Users%2cDC=casa%2cDC=local))

@johnpoz I am using the non-devel haproxy 0.61_1, so that is probably the difference. I'd imagine these changes in devel will eventually make it to the non-devel version? It seems like I could tweak this further without upgrading the haproxy package to devel so I'm going to keep it on the stable release for now, but it is good to know it might be easier in the future. I looked all over today and kept getting back to this post.

In the "Actions" table, look for the "Condition acl names" column. You can enter one or more ACL names for any action, separated by spaces. If you enter more than one ACL name for an action, ALL ACLs must match for the action to occur (ANDed conditions).

@viragomann said in HAproxy exposing only pfSense’ ip address at hosts log: @gschmidt You can run HAproxy in transparent reverse mode. It can be enabled in the backend advanced settings. Thanx, I will have a look at it! Update: sadly not an option, I also want to access the domotica web app inside my network (I have only one subnet)... I will ask first at the Domoticz forum if it is possible to retrieve the ip address from the header with a script...thanx

I already figured it out. Changed 2 options in my Cloudflare account [image: 1620770735398-b530eb2a-a2e9-4ec9-87eb-620378256273-image.png] Under SSL/TLS menu: Overview Default setting was Flexible, but needs to be Full(Strict) Edge Certificates I had checked "Always use HTTPS" to ON....but needs to be OFF Thats it...I think it was the HTPPS trick...because in HAproxy I use SSL Offloading and HTTP to access the Host

@joulester The short version is it just worked. Especially if you don't need the certificate part, it just works. To give me an idea how to be more helpful than just saying it works, is there a step you have a question about?

@valepe69 Fixed. Having a Multi-WAN configuration all was screwed up by the bug of the 2.5.1 release. Reloaded the 2.5.0 and the same configuration works great.

@piba I have a question about the 503 error page. If somebody is accessing my WAN IP adress (e.g. https://67.46.29.83:443) instead of my domain name, HAproxy shows a 503 error page, Is this normal behaviour of HAproxy? If so, this is nice because I want to block access to WAN ip, but is it also possible to modify the header and content of the 503 page?