@kom My use case was to restrict internet access to internal servers, allowing only permitted URL/IP combos, distro repos, etc. So no need for WPAD (+ I have no idea how it works)
And yes good of you to mention it because I forgot, also blocked all internet access in pfsense rules.

@jycai with free cf choose flexible mode.
Check your pfsense firewall.
Sometimes problem at frontend and backend. I remove and recreate. It’s work

how to bypasss pfBlockerNG from squid.

@dmalick Hit means its already stored, miss means its stored as of now because it was never stored yet, refresh means dynamic based refresh that is out of date or expired timer. Do a quick search on the specifics, you will never have 100 percent hits.

@mit the path is /usr/local/pkg/squid_antivirus.inc not squid.inc for latest pfsense 2.6 squid 0.4.45_9

@breezytm Thank for the reply. I finally was able to get it working after I found one site that provided some reference configurations. Here is my post on the netgate forum if you are still looking for a solution.

https://forum.netgate.com/topic/174705/haproxy-ssl-offloading-openvpn-ssh

@dmalick

This seems to fix a lot of the issues for me. Stop using squid with the loopback of the firewall only the LAN side.

I feel it speeds up the firewall traffic also. The loopback must access the squid cache for example, or the dns must access the loopback.

Again I feel it is a bit less safe to do this.

headers.PNG

@gertjan cheers mate thanks for the the clarification. I will try to get in deep on this will share here if get any outcome. Thanks again.

@kevin-ruffus
hello @kevin-ruffus
i have same problem (https://forum.netgate.com/topic/174699/not-update-new-config-port-in-server-list-backend-haproxy-pfsense?_=1663094167349)

@ageekhere Unfortunately that did not solve my problem :-(

I tried both variants, but none seems to solve my problem. I ended up checking the "do not verify remote certificate" option anyway.

5f5023a0-1620-49c9-95fd-875a35eddb8a-image.png

But I am still surprised, that Squid receives a request for port 5222.

Regards
Marcel

@basem already showed that error in your pic.. So since you clearly say auth works in browser, and your sure your putting in the correct username and password.. How is it pfsense issue?

I would suggest you open a ticket with them.. With this exact info - you can auth via browser, but anydesk isn't working and giving you that error.

I'll move this topic to there.

Check the logs to see what is being blocked and why.

You probably need to enable the finance categories. Though you might need to whitelist some domains yourself if the list you're using isn't current or simply doesn't include whatever sites you're seeing blocked.

Steve

I would also be interested if this is possible or not? I think its not possible...

@ageekhere

Done

Opened

Screen Shot 2022-08-22 at 4.29.24 PM.png

@jonathanlee

096e4435-3b0c-4f3e-a6c5-80fbc347097a-image.png
(IMAGE: After certificate is approved you can use your smartphone and it works again with Firefox as a browser)

@ghostshell Amazons Prime changed yesterday for me it was the same for 3 years now it has .am in the domain. I can see them resolve in logs under DNS resolver it will show them pull and resolve every 5 mins.

resolver.PNG

@ageekhere you would need a list of approved bypass urls. Apple, some android, Windows updates. . . Etc

If(list.contains) something like that? You as an administrator must have granular control. As well as approve trusted sources. A GUI would work better with just a button that says Apple, Android, Windows, to help create lists for bypass traffic.

Ok, so after checking the CRL with openssl, and finding it was set to new in 1950 I found this thread: https://forum.netgate.com/topic/172870/crl-has-expired

So I guess that patch would fix this?

Anyway, I just created a new CRL with only 7000 days and it is working again.

@jonathanlee I have few hits this morning that show HIT but not many

@jonathanlee Hello again Netgate community,

Why is items flagged as viruses coming from Google? I also checked some at Virus total and they have been flagged by other users of that site. Keylogger, and other items are marked found in links. It's amazing what the Netgate can find, and its also eye opening that they are coming from the cloud and not a random website.

@bluboy Thank you I used the ACL for a XBOX to splice only so I could still SSL check other devices with certificates

Screen Shot 2022-08-17 at 9.49.10 AM.png

This way I can cache and check for viruses on my laptop and my son can watch xbox and play games.

This workaround works, have to use it before this bugs gets fixed I guess.

https://dannyda.com/2022/08/17/how-to-fix-squidguard-on-pfsense-only-the-first-rewrite-rule-work-bug-workaround/

@blindmotphil Am seeing the same problem on my unit. Did you manage to fix this since you last posted?