You need to use haproxy 1.5, 1.4 did not support ssl.

The config like you have should allow you to access the website with: https://192.168.172.251:443  , though i do find it strange that the frontend has a private ip, and your backend seems to point to a public ip..

The backend server is usually on the lan/dmz network and likely using a private ip..
The frontend should be listening on the wan-ip (or where you want to accept connections) firewall rule is needed to allow access to this port.

Not sure if this answers your question..? I couldnt make complete sense of it.

:o  I found a work around for my problem.

The Dansguardian inserts the user name in the log if the authentication mode is Proxy-Basic (Maybe other modes will do it).  I was using Proxy-NTLM.  (Authentication was successfull with NTLM and it was connecting to LDAP successfully also)

Yes, it's been like that as long as I can remember.

All right, I'll try the first option to see if it suits my needs :)

Thank you for your help.

By default squid will only allow 5 connections to squidguard if u have more than 5 users at the same time u are doom.
  Now that u are in your shell check cache.log and see if u have something like this:

2013/10/25 09:44:24| WARNING: All redirector processes are busy.
2013/10/25 09:44:24| Consider increasing the number of redirector processes in your config file.

If this is your case, just remember a formula:

of Squidguard threats x memory size each one=RAM memory for squidguard.

Because squidguard depends on RAM that is why is fast.

Hope this is your case and hope this helps!!!

Lets give a try I will let u know.

Sorry, yes the main point is to use thundercache in the network protect by pfsense.

Will be the main web proxy(Thundercache).

Thanks.

@KOM:

Will snort (lan) work with an access point connected directly to Pfsense?

Sure, why not?  It's just a WLAN.

I think Snort (lan) doesn't work if a switch is connected and the data is being sent directly to the other device through the switch and basically bypassing the firewall?

Yes, that's kind of obvious.  Snort on pfSense can only scan the networks attached to it.  It your existing WLAN goes to a switch that's upstream from pfSense then pfSense isn't even path of the network path for your wireless clients.

Thank you Kom, still a little new at this. Just to confirm, traffic between clients on a WLAN will pass through Pfsense (if directly attached)? Or does it work like a switch and traffic flows between wireless clients without passing through Pfsense?

Why don't you use a double firewall then? Leave the phone plugged into the first router (192.168.1.1), the PFSense box on the Wan interface can either be the IP you said or get a DHCP from the first router.
Then on the LAN side make it a 10.x.x.x IP scheme so that none of the LAN side will even see the same subnet as the first router. Then put all your computers behind the second router (PFSense).
I have that working here at home now. I think Dansguardian would be a better choice as it is a content filter not just a DNS URL blocker.
You will still need to have the SSL man in the middle working or google won't get filtered.

Jim

That sort of setup isn't possible currently. It would take a lot more code to allow the proxy to run multiple instances and use separate settings for each one. Probably more than double the code it has now, if not more. It's not likely to happen any time soon, the old style kernel FTP proxy may come back before that would happen.

ok looks like the problem was an intervace without IP config was inadvertedly selected under proxy interfaces on squid config page. Seems to be working now (at least service starts) these errors/warnings remain:

php-fpm[71851]: /status_services.php: The command '/usr/local/etc/rc.d/squid.sh stop' returned exit code '1', the output was '2015/03/31 18:38:12| Warning: empty ACL: acl throttle_exts urlpath_regex -i "/var/squid/acl/throttle_exts.acl"'

which came from "Cache Dynamic Content" being unselected while multiple options like "Windows Update" where selected below it… so enabling it again got rid of that warning above.

hope it helps someone.

@reinaldo.feitosa:

I found the problem!

Yes, you did. Thank you very much for posting the fix. I applied it by patching the 2 new lines of code into my local version; it was a perfect diff save for those so I could also just have dropped your new file in.

It worked perfectly on the following configuration:

pfsense 2.2.1-RELEASE (amd64)
squid3 3.4.10_2 pkg 0.2.6
Lightsquid 1.8.2 pkg v 2.35

Again, thank you very much.

I thought you were looking for sgerror.php for use with SquidGuard.

@Spix:

Problem, publish with HAproxy removes host header information, the iis only sees a port80 request

check the haproxy config again(I suggest Haproxy1.5) and check if you are testing it via ip or fqdn.

Yep, did a full re-install and installed squid3 and squidguard-devel and all is working, except antivirus on squid3.

UPDATE: Clicked SAVE twice on antivirus settings of squid3, addressed stated config errors in red, and now antivirus is  working.

Snort, Squid3, and Squidguard-devel help contribute to make pfSense one hell of a firewall.

Hi

The proxy PAC file is provided by the filtering service provided to the school and nothing owrks without it.
However, I may now have a way past this as I'm being sent a fixed proxy IP and port which pfSense will take.

Thanks for respodning & trying to help.

Hey all,

I seem to be facing a similar issue, was wondering if any of you had any further insight. For the record, I'm running Squid 2.7.9 pkg v.4.3.6.

Here's the output to some of the commands mentioned previously:

php-fpm[27821]: /rc.start_packages: The command '/usr/pbi/squid-amd64/sbin/squid -k reconfigure' returned exit code '1', the output was 'squid: ERROR: No running copy'

But when I change something in the proxy configuration and save it, I only see the following in the logs:

php-fpm[96582]: /pkg_edit.php: Reloading Squid for configuration sync

I think this means it's working, but whenever my box reboots I see the "No running copy" error. Is this just a sham or is something really off?

Start again with Squid3.  Don't waste time trying to debug a broken package.

i dont understand why I'm blocking port 80

You typically block ports 80/443 so that your users are forced to use the proxy.  If your proxy is optional, then you don't need to bother blocking 80/443.

Thanks KOM,

You were right killing the antivirus (and stopping the services) did make everything work.

I now know where to look!

Thanks for all of your help!

The problem is squid version 3.4 is not compiled with ldap search custom sguid package should work

I was able to get it running by going through every tab and hitting save.  I saw this in another thread on here.

thanks for you help!

Well, you could do what I asked the other guy to do…

Hello, no I dont use captive portal. I Think this is related to the newer FreeBSD base operating system on 2.2, that it cannot listen on low ports. I get same error in HAproxy. I have disabled WebGUI redirect.

I will try to do a forwarding rule from port 80 to a higher port i firewall rules settings

Ok thank for Help :D

I will forward to other sys-log server.

bump

Hi,

I'm also having the same problem on the 2.2.1 update.
i have also tried this: https://forum.pfsense.org/index.php?topic=73640.0

although the service is now starting it's not blocking website as per categories.

Have you found a solution yet?

New SquidGuard apparently doesn't always stay running unless there is work for it to do.  Have you actually tried testing its functionality?

MS FTP "client" plus MS FTP "server" -> unusable junk. Get something usable, like http://www.ncftp.com/download/

Ok, but my very first problem is to know if squidguard could read ip addresses lists from mysql db as it can do for users list.

After uninstalling installing round and round I finally got it working. :)

I believe there's and issue if you ad your 1st webserver then add 2 mapping's right away it wont allow any other connections to work. I had to add 1 webserver at a time and 1 mapping at a time then go back and add the second mapping.

I found an error on my rule set.

Netflix/hulu were using ports that were grouped together that went out my cable modem interface.

thnx for the information.

worked fine  :)

Hi all

does no reply mean, there is no solution or did i post it in the wrong category or did i ask a wrong question or …?

Thx, inorx