@sichent This link shows what to do in CentOS or Ubuntu and clearly states (on discussion) that it is not for pfSense.

Yay !!! Got this working.👌 Have to add rule to both interface to allow proxy port. Users will log in using CP credentials then access go through squidGuard 👏 👏

Thanks!

I ended up doing two things.

Completely deleting all the items from the list, killall of filterdns, and reloading the list - which appeared to properly resolve all the FQDNs in the proper alias table. Created a separate list of IPs to bypass as well.

Both seem to be working better now.

@veldthui
Haproxy does not 'understand' FTP protocol..
But you might be able to do something with 'FTPS' where the ftp connection is wrapped inside SSL, and haproxy might be able to use a SNI header if the ftp client sets that... Really guessing/hoping there bigtime though.. If thats not gonna fly then i don't think haproxy will be able to help you out here. For sure its not intended for this that is for sure.

Good the http/https part works nicely now :).

Hello

That's right! I've switched to TCP, but I still have not made it work.

I have finally passed these ports to a NAT / PAT, and only Proxy Reverse is being made to the http and https protocols.

@Rarog I have the same problem my friend!!
so how did u solve it??
where did u chage the port setting to 3268 ??
and about the AD password I use "pa$$w0rd' so you suggest me to change it?

@Draco32
The 0.59_17.txz indeed is not available, the 0.59_19.txz is though.. maybe the repository got updated in between of your retrieval of the metadata and actually trying install the package or something. Anyhow good the issue is resolved already.

Hi!

Works and now its even faster :)

Thanks!

@jimp said in Squid 4.x:

We now plan to include Squid 4.x in the 2.5 release based on FreeBSD 12. We have not yet begun the work on this, but will soon.

Very looking forward to it!

All..... The script came from user Remzej. I have it on a cron job to check every 5 minutes (we are a busy proxy environment)...

*/2 * * * * root /usr/bin/nice -n20 /usr/local/bin/php-cgi -f /usr/local/pkg/monitor_memory_usage.php

#!/usr/local/bin/php-cgi -f
<?php
/*

monitor_memory_usage.php

part of pfSense (https://www.pfsense.org)

Copyright (c) 2011-2015 Rubicon Communications, LLC (Netgate)

All rights reserved.

Licensed under the Apache License, Version 2.0 (the "License");

you may not use this file except in compliance with the License.

You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software

distributed under the License is distributed on an "AS IS" BASIS,

WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

See the License for the specific language governing permissions and

limitations under the License.
*/
require_once('config.inc');
require_once('util.inc');
require_once('squid.inc');
global $config;

// Monitor memory usage by remzej
// Get SWAP usage funtion
function swap_usage() {
exec("/usr/sbin/swapinfo", $swap_info);
$swap_used = "";
foreach ($swap_info as $line) {
if (preg_match('/(\d+)%$/', $line, $matches)) {
$swap_used = $matches[1];
break;
}
}
return $swap_used;
}

// Get memory usage function
function mem_usage() {
$memory = "";
exec("/sbin/sysctl -n vm.stats.vm.v_page_count vm.stats.vm.v_inactive_count " .
"vm.stats.vm.v_cache_count vm.stats.vm.v_free_count", $memory);

$totalMem = $memory[0]; $availMem = $memory[1] + $memory[2] + $memory[3]; $usedMem = $totalMem - $availMem; $memUsage = round(($usedMem * 100) / $totalMem, 0); return $memUsage;

}

// Get memory and SWAP usage value
$memusage_pct = mem_usage();
$swapusage_pct = swap_usage();

// Display memory usage
echo "Memory Usage: " . $memusage_pct . "%" . PHP_EOL;
echo "SWAP Usage: " . $swapusage_pct . "%" . PHP_EOL;

// If memory usage is above 90%, stop and restart squid services.
if (($memusage_pct > 90) or ($swapusage_pct > 80)) {
squid_stop_monitor();
if (is_service_running('squid')) {
stop_service("squid");
}
squid_restart_services();
log_error(gettext(sprintf("[squid] Memory usage is $memusage_pct percent, Swap Usage is $swap_usage percent, stopping and restarting services.")));
}
log_error(gettext(sprintf("[squid] Memory usage is $memusage_pct percent and Swap Usage is $swapusage_pct")));
?>

@ramalave , thanks for the list of networks. It helped in my case as well with squid in transparent mode.
Are there any other solutions available to fix Windows Updates issues when squid works in transparent mode?
Thanks!

Hello PiBa !

Thanks for your time,
can't believe it was that simple, but it works great !!!!
thank you again !!

Worked like a charm! Thank you!!

@veldthui
Deleting the backend would prevent the rule from being applied when rules get loaded again.. Maybe reloading rules is not triggered when applying settings for a disabled haproxy.. You could 'force' a reload of the rules from the status/filterreload page (if i remember the name of that menu correctly).. That would load the new ruleset without haproxy adding its rules at that time if the backend was deleted..

As for 'needing' transparent client ip.. to get traffic going its not needed. if you want make rules based on the client-ip on the server, then it might be required if proxy-protocol and http-headers are out of the question..
It does come with these disadvantages though that it needs to be in the reply path, and will 'block' other direct requests...

It might be possible to open a second port or adding a second private IP on the webserver for the purpose of haproxy connecting to it with client-ip's thus 'avoiding' blocking the regular direct traffic and your nat-portforward..

@2fst4u said in HAProxy client certificate validation per app:

What extra settings does the development package provide?

The development package allows specifying client certificate options per shared-frontend by using the crt-list option of haproxy 1.8 with a specific sslbindconf for each sni where 1.7 does not support that and thus hides those options in the webgui.

b.t.w. that the package is called -devel does not mean the software isn't stable.. The current development version of haproxy is '2.0-dev' and 1.9 is also marked stable.. though still as some rough edges... 1.8 is really stable for everything it supports.

thank you !
very good the video, the more I believe that my error is in the frontends, I created a standard frontend, and then I was creating new frontends sharing the first one.
I've done different now, I'm creating the ACLs and ACTIONS directly on the default frontend

like the image below

Captura de Tela 2019-04-17 às 06.01.04.png
Captura de Tela 2019-04-17 às 06.04.42.png

This has worked well for me.

@KOM I will wait for the purchase of the new Hardware and perform the system update. Thanks a lot for the help.