• Offloading SSL in HAProxy to access NAS backend

    3
    0 Votes
    3 Posts
    214 Views
    triksT

    @noplan thanks for the reply, that's exactly what I did. Let me check over my settings again; at least I know it's possible.

  • HAProxy only Default backend is working

    4
    1 Votes
    4 Posts
    372 Views
    V

    @oldgeezy said in HAProxy only Default backend is working:

    I'm pretty sure I can set my firewall rules so that the incoming WAN traffic lands on the LAN listener and get the same result.

    Since you're talking about a VPN, where the traffic is forwarded to you by the provider, I don't expect that anything is coming in on the WAN, rather on the VPN interface.

    Leads me to believe it's something to do with how my VPN service provider is forwarding the traffic, or my NAT / firewall rule

    If your main domain and subdomain resolve to the same IP, both should hit your interface or both should not.
    The VPN server cannot intercept the HTTPS and split the traffic anyhow.

    I'm not sure how to troubleshoot traffic getting passed,

    Go to Diagnostic > Packet Capture and sniff the traffic on the involved interfaces.

    but getting stripped of http headers along the way.

    Only a proxy working on the application layer can strip a host header. And I don't expect that you configured HAproxy to do this.

    Believe I am talking about HTTP, haha to the extent of my knowledge.

    So which application are you trying to reach, and how? If you access it by a URL starting with http(s) it obviously uses HTTP.

  • Squid Proxy does not see external CA for SSL Interception

    2
    0 Votes
    2 Posts
    228 Views
    JonathanLeeJ

    Is it a certificate authority ?

  • Squid V6.10

    32
    1 Votes
    32 Posts
    4k Views
    B

    @michmoor
    Yes, it works for them, unfortunately only there :(

  • squid sites sometimes don't load completely help pls

    17
    0 Votes
    17 Posts
    1k Views
    M

    @JonathanLee I put my mod in custom mode and re-wrote the certificate. I'll try it a bit and I'll let you know again depending on the situation.

    2024/11/17 12:44:10| Processing Configuration File: /usr/local/etc/squid/squid.conf (depth 0)
    2024/11/17 12:44:10| Processing: http_port 192.168.2.1:3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=10MB cert=/usr/local/etc/squid/serverkey.pem cafile=/usr/local/share/certs/ca-root-nss.crt capath=/usr/local/share/certs/ cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!SHA1:!MD5:!EXP:!PSK:!SRP:!DSS tls-dh=prime256v1:/etc/dh-parameters.2048 options=NO_SSLv3,NO_TLSv1,SINGLE_DH_USE,SINGLE_ECDH_USE
    2024/11/17 12:44:10| WARNING: UPGRADE: 'cafile=/usr/local/share/certs/ca-root-nss.crt' is deprecated in http_port. Use 'tls-cafile=' instead.
    2024/11/17 12:44:10| WARNING: Failed to decode EC parameters '/etc/dh-parameters.2048'
    OpenSSL-saved error #1: 0x1e08010c
    2024/11/17 12:44:10| ERROR: Unsupported TLS option SINGLE_DH_USE
    2024/11/17 12:44:10| ERROR: Unsupported TLS option SINGLE_ECDH_USE
    2024/11/17 12:44:10| Processing: http_port 127.0.0.1:3128 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=10MB cert=/usr/local/etc/squid/serverkey.pem cafile=/usr/local/share/certs/ca-root-nss.crt capath=/usr/local/share/certs/ cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!SHA1:!MD5:!EXP:!PSK:!SRP:!DSS tls-dh=prime256v1:/etc/dh-parameters.2048 options=NO_SSLv3,NO_TLSv1,SINGLE_DH_USE,SINGLE_ECDH_USE
    2024/11/17 12:44:10| Starting Authentication on port 127.0.0.1:3128
    2024/11/17 12:44:10| Disabling Authentication on port 127.0.0.1:3128 (interception enabled)
    2024/11/17 12:44:10| WARNING: UPGRADE: 'cafile=/usr/local/share/certs/ca-root-nss.crt' is deprecated in http_port. Use 'tls-cafile=' instead.
    2024/11/17 12:44:10| WARNING: Failed to decode EC parameters '/etc/dh-parameters.2048'
    OpenSSL-saved error #1: 0x1e08010c
    2024/11/17 12:44:10| ERROR: Unsupported TLS option SINGLE_DH_USE
    2024/11/17 12:44:10| ERROR: Unsupported TLS option SINGLE_ECDH_USE
    2024/11/17 12:44:10| Processing: https_port 127.0.0.1:3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=10MB cert=/usr/local/etc/squid/serverkey.pem cafile=/usr/local/share/certs/ca-root-nss.crt capath=/usr/local/share/certs/ cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!SHA1:!MD5:!EXP:!PSK:!SRP:!DSS tls-dh=prime256v1:/etc/dh-parameters.2048 options=NO_SSLv3,NO_TLSv1,SINGLE_DH_USE,SINGLE_ECDH_USE
    2024/11/17 12:44:10| Starting Authentication on port 127.0.0.1:3129
    2024/11/17 12:44:10| Disabling Authentication on port 127.0.0.1:3129 (interception enabled)
    2024/11/17 12:44:10| WARNING: UPGRADE: 'cafile=/usr/local/share/certs/ca-root-nss.crt' is deprecated in https_port. Use 'tls-cafile=' instead.
    2024/11/17 12:44:10| WARNING: Failed to decode EC parameters '/etc/dh-parameters.2048'
    OpenSSL-saved error #1: 0x1e08010c
    2024/11/17 12:44:10| ERROR: Unsupported TLS option SINGLE_DH_USE
    2024/11/17 12:44:10| ERROR: Unsupported TLS option SINGLE_ECDH_USE
    2024/11/17 12:44:10| Processing: icp_port 0
    2024/11/17 12:44:10| Processing: digest_generation off
    2024/11/17 12:44:10| Processing: dns_v4_first on
    2024/11/17 12:44:10| ERROR: Directive 'dns_v4_first' is obsolete.
    2024/11/17 12:44:10| dns_v4_first : Remove this line. Squid no longer supports preferential treatment of DNS A records.
    2024/11/17 12:44:10| Processing: pid_filename /var/run/squid/squid.pid
    2024/11/17 12:44:10| Processing: cache_effective_user squid
    2024/11/17 12:44:10| Processing: cache_effective_group proxy
    2024/11/17 12:44:10| Processing: error_default_language en
    2024/11/17 12:44:10| Processing: icon_directory /usr/local/etc/squid/icons
    2024/11/17 12:44:10| Processing: visible_hostname localhost
    2024/11/17 12:44:10| Processing: cache_mgr admin@localhost
    2024/11/17 12:44:10| Processing: access_log /var/squid/logs/access.log
    2024/11/17 12:44:10| Processing: cache_log /var/squid/logs/cache.log
    2024/11/17 12:44:10| Processing: cache_store_log none
    2024/11/17 12:44:10| Processing: netdb_filename /var/squid/logs/netdb.state
    2024/11/17 12:44:10| Processing: pinger_enable on
    2024/11/17 12:44:10| Processing: pinger_program /usr/local/libexec/squid/pinger
    2024/11/17 12:44:10| Processing: sslcrtd_program /usr/local/libexec/squid/security_file_certgen -s /var/squid/lib/ssl_db -M 4MB -b 2048
    2024/11/17 12:44:10| Processing: tls_outgoing_options cafile=/usr/local/share/certs/ca-root-nss.crt
    2024/11/17 12:44:10| Processing: tls_outgoing_options capath=/usr/local/share/certs/
    2024/11/17 12:44:10| Processing: tls_outgoing_options options=NO_SSLv3,NO_TLSv1,SINGLE_DH_USE,SINGLE_ECDH_USE
    2024/11/17 12:44:10| ERROR: Unsupported TLS option SINGLE_DH_USE
    2024/11/17 12:44:10| ERROR: Unsupported TLS option SINGLE_ECDH_USE
    2024/11/17 12:44:10| Processing: tls_outgoing_options cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!SHA1:!MD5:!EXP:!PSK:!SRP:!DSS
    2024/11/17 12:44:10| Processing: sslcrtd_children 5
    2024/11/17 12:44:10| Processing: logfile_rotate 5
    2024/11/17 12:44:10| Processing: debug_options rotate=5
    2024/11/17 12:44:10| Processing: shutdown_lifetime 3 seconds
    2024/11/17 12:44:10| Processing: acl localnet src 192.168.2.0/24
    2024/11/17 12:44:10| Processing: forwarded_for on
    2024/11/17 12:44:10| Processing: uri_whitespace strip
    2024/11/17 12:44:10| Processing: refresh_pattern -i windowsupdate.com/..(cab|exe|ms[i|u|f|p]|[ap]sf|wm[v|a]|dat|zip|psf) 43200 80% 129600 reload-into-ims
    2024/11/17 12:44:10| Processing: refresh_pattern -i microsoft.com/..(cab|exe|ms[i|u|f|p]|[ap]sf|wm[v|a]|dat|zip|psf) 43200 80% 129600 reload-into-ims
    2024/11/17 12:44:10| Processing: refresh_pattern -i windows.com/..(cab|exe|ms[i|u|f|p]|[ap]sf|wm[v|a]|dat|zip|psf) 43200 80% 129600 reload-into-ims
    2024/11/17 12:44:10| Processing: refresh_pattern -i microsoft.com.akadns.net/..(cab|exe|ms[i|u|f|p]|[ap]sf|wm[v|a]|dat|zip|psf) 43200 80% 129600 reload-into-ims
    2024/11/17 12:44:10| Processing: refresh_pattern -i deploy.akamaitechnologies.com/.*.(cab|exe|ms[i|u|f|p]|[ap]sf|wm[v|a]|dat|zip|psf) 43200 80% 129600 reload-into-ims
    2024/11/17 12:44:10| Processing: cache_mem 512 MB
    2024/11/17 12:44:10| Processing: maximum_object_size_in_memory 1024 KB
    2024/11/17 12:44:10| Processing: memory_replacement_policy heap GDSF
    2024/11/17 12:44:10| Processing: cache_replacement_policy heap LFUDA
    2024/11/17 12:44:10| Processing: minimum_object_size 0 KB
    2024/11/17 12:44:10| Processing: maximum_object_size 4 MB
    2024/11/17 12:44:10| Processing: cache_dir ufs /var/squid/cache 100 16 256
    2024/11/17 12:44:10| Processing: offline_mode off
    2024/11/17 12:44:10| Processing: cache_swap_low 90
    2024/11/17 12:44:10| Processing: cache_swap_high 95
    2024/11/17 12:44:10| Processing: cache allow all
    2024/11/17 12:44:10| Processing: refresh_pattern ^ftp: 1440 20% 10080
    2024/11/17 12:44:10| Processing: refresh_pattern ^gopher: 1440 0% 1440
    2024/11/17 12:44:10| Processing: refresh_pattern -i (/cgi-bin/|?) 0 0% 0
    2024/11/17 12:44:10| Processing: refresh_pattern . 0 20% 4320
    2024/11/17 12:44:10| Processing: acl allsrc src all
    2024/11/17 12:44:10| Processing: acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901 3128 3129 1025-65535
    2024/11/17 12:44:10| Processing: acl sslports port 443 563
    2024/11/17 12:44:10| Processing: acl purge method PURGE
    2024/11/17 12:44:10| Processing: acl connect method CONNECT
    2024/11/17 12:44:10| Processing: acl HTTP proto HTTP
    2024/11/17 12:44:10| Processing: acl HTTPS proto HTTPS
    2024/11/17 12:44:10| Processing: acl step1 at_step SslBump1
    2024/11/17 12:44:10| Processing: acl step2 at_step SslBump2
    2024/11/17 12:44:10| Processing: acl step3 at_step SslBump3
    2024/11/17 12:44:10| Processing: acl allowed_subnets src 192.168.2.1/24 192.168.2.0/24
    2024/11/17 12:44:10| WARNING: aclIpParseIpData: Netmask masks away part of the specified IP in '192.168.2.1/24'
    2024/11/17 12:44:10| WARNING: (B) '192.168.2.0/24' is a subnetwork of (A) '192.168.2.0/24'
    2024/11/17 12:44:10| WARNING: because of this '192.168.2.0/24' is ignored to keep splay tree searching predictable
    2024/11/17 12:44:10| WARNING: You should probably remove '192.168.2.0/24' from the ACL named 'allowed_subnets'
    2024/11/17 12:44:10| Processing: acl whitelist dstdom_regex -i "/var/squid/acl/whitelist.acl"
    2024/11/17 12:44:10| Processing: http_access allow manager localhost
    2024/11/17 12:44:10| Processing: http_access deny manager
    2024/11/17 12:44:10| Processing: http_access allow purge localhost
    2024/11/17 12:44:10| Processing: http_access deny purge
    2024/11/17 12:44:10| Processing: http_access deny !safeports
    2024/11/17 12:44:10| Processing: http_access deny CONNECT !sslports
    2024/11/17 12:44:10| Processing: http_access allow localhost
    2024/11/17 12:44:10| Processing: request_body_max_size 0 KB
    2024/11/17 12:44:10| Processing: delay_pools 1
    2024/11/17 12:44:10| Processing: delay_class 1 2
    2024/11/17 12:44:10| Processing: delay_parameters 1 -1/-1 -1/-1
    2024/11/17 12:44:10| Processing: delay_initial_bucket_level 100
    2024/11/17 12:44:10| Processing: delay_access 1 allow allsrc
    2024/11/17 12:44:10| Processing: url_rewrite_program /usr/local/bin/squidGuard -c /usr/local/etc/squidGuard/squidGuard.conf
    2024/11/17 12:44:10| Processing: url_rewrite_bypass off
    2024/11/17 12:44:10| Processing: url_rewrite_children 16 startup=8 idle=4 concurrency=0
    2024/11/17 12:44:10| Processing: http_access allow whitelist
    2024/11/17 12:44:10| Processing: acl youtubedst dstdomain -n www.youtube.com m.youtube.com youtubei.googleapis.com youtube.googleapis.com www.youtube-nocookie.com
    2024/11/17 12:44:10| Processing: request_header_access YouTube-Restrict deny all
    2024/11/17 12:44:10| Processing: request_header_add YouTube-Restrict none youtubedst
    2024/11/17 12:44:10| Processing: acl splice_it ssl::server_name .microsoft.com
    2024/11/17 12:44:10| Processing: acl splice_it ssl::server_name .windowsupdate.com
    2024/11/17 12:44:10| Processing: acl splice_it ssl::server_name .akamaitechnologies.com
    2024/11/17 12:44:10| Processing: acl splice_it ssl::server_name .akadns.net
    2024/11/17 12:44:10| Processing: acl splice_it ssl::server_name .cloudns.net
    2024/11/17 12:44:10| Processing: ssl_bump peek step1
    2024/11/17 12:44:10| Processing: acl hasRequest has request
    2024/11/17 12:44:10| Processing: access_log daemon:/var/log/squid/access.log hasRequest
    2024/11/17 12:44:10| Processing: http_access allow allowed_subnets
    2024/11/17 12:44:10| Processing: http_access allow localnet
    2024/11/17 12:44:10| Processing: http_access deny allsrc
    2024/11/17 12:44:10| WARNING: use of 'reload-into-ims' in 'refresh_pattern' violates HTTP
    2024/11/17 12:44:10| Requiring client certificates.
    2024/11/17 12:44:10| Loaded signing certificate: /CN=internal-ca/C=TR
    2024/11/17 12:44:10| Not requiring any client certificates
    2024/11/17 12:44:10| Loaded signing certificate: /CN=internal-ca/C=TR
    2024/11/17 12:44:10| Not requiring any client certificates
    2024/11/17 12:44:10| Loaded signing certificate: /CN=internal-ca/C=TR
    2024/11/17 12:44:10| Not requiring any client certificates

  • HAProxy backend server DOWN

    4
    0 Votes
    4 Posts
    624 Views
    V

    @jdenny
    If you use the HTTP check, you will need to configure it properly. You can specify the method, the URL and also the protocol version.

    Note that HAproxy just requests the server by its IP and port as stated in the backend setting. It doesn't send a host header to the backend. If your server requires this, the check will fail.
    Also it just requests the server root / if you didn't state any other URL.

    So ensure that your server is responding to such requests.

  • pfsense squid

    Moved
    4
    0 Votes
    4 Posts
    643 Views
    JonathanLeeJ

    Do you have a blacklist?

  • How to use haproxy with valid SSL certificates other than ACME?

    3
    0 Votes
    3 Posts
    369 Views
    P

    @accidentallyadmin

    I use them with Godaddy, Sectigo and more. No issues - one of the best "features" of the pfsense/Haproxy combo imho. :)

  • HAProxy very bad performance / throughput

    4
    0 Votes
    4 Posts
    984 Views
    P

    @AndyD Finally an explanation of what happened after 2.4, where HAProxy performance dropped like a stone :). Let's hope this comes to the CE version too.

  • Squid managing wpad

    2
    1 Votes
    2 Posts
    264 Views
    A

    @JonathanLee

    There is an Unofficial-pfSense WPAD package

    https://forum.netgate.com/topic/116163/unofficial-wpad-package-for-pfsense-software

    https://github.com/freitasbr/unofficial-pfsense-wpad

    Works really well if you want to run a proxy and do not want to fully rely on the transparent proxy (which can have connection issues with some programs, like sites not working in Chrome).

    You can also set it up manually; however, the package makes it easy.

  • HAProxy jwt_verify on disk certificate location?

    1
    0 Votes
    1 Posts
    177 Views
    No one has replied
  • Migrating IIS Reverse Proxy to HA Proxy

    1
    0 Votes
    1 Posts
    177 Views
    No one has replied
  • Squid Proxy Service not running

    4
    0 Votes
    4 Posts
    710 Views
    JonathanLeeJ

    Check to see if your ports are set correctly.

  • Cannot connect via app iOS on nextcloud and haproxy

    1
    0 Votes
    1 Posts
    146 Views
    No one has replied
  • Is there a way to update to HA 0.63_5 on pfSense 2.7.2?

    1
    1 Votes
    1 Posts
    162 Views
    No one has replied
  • Youtube content getting filtered on Squid

    31
    1 Votes
    31 Posts
    5k Views
    T

    @JonathanLee That's really great news; sorry, I was not following this for a long time (I switched from IT to Development). So to clean things up I will be closing the PR and the Redmine issue.

    Best
    Maharsh.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.