• 0 Votes
    1 Posts
    519 Views
    No one has replied
  • 0 Votes
    9 Posts
    6k Views

    That was it, thank you for your help!

  • 0 Votes
    2 Posts
    616 Views

    Problem solved.
    Set SSL/MITM Mode to Splice All.

  • 0 Votes
    4 Posts
    1k Views

    Ok after some reading, it seems I don't need to filter https. All I really need to do is block certain https domains from my kids on my home network while allowing all other traffic, prevent kids from circumventing proxy, monitor traffic stats per IP, and no issues with online games like logging into Warframe.

    To block https domains, I found some info on setting the ssl intercept to "splice all" and putting ".*" in the acl whitelist, then use squidguard to block https. However, I'm not exactly sure how to set this up with squidguard or if it will fix my Warframe login issue.

    I'm trying to learn this so I don't really want to use something like OpenDNS if I can help it. I'm running pfSense in a VM with working backup so I'll try any suggestions because I can easily restore my pfSense firewall.

    Thanks.

  • squid/clamav

    Moved Nov 2, 2018, 10:44 AM
    0 Votes
    1 Posts
    433 Views
    No one has replied
  • 0 Votes
    1 Posts
    338 Views
    No one has replied
  • Blocking Facebook with E2Guardian

    Oct 30, 2018, 6:11 PM
    0 Votes
    1 Posts
    424 Views
    No one has replied
  • multiple https with haproxy

    Oct 7, 2018, 6:38 PM
    0 Votes
    27 Posts
    5k Views

    @mats So part of the problem was my rules but the final stick ended up being a bug in the upgrade to the most current release where my default gateway was no longer 'marked' default.... what a headache.

    I did finally manage to get Zimbra OSE running in a docker alongside a NextCloud docker to work for files as well. Only then did I fully realize that since I chose the Open Source edition, I cannot fully integrate it into my Android for calendars and such which is a major letdown. I was so impressed with the webmail features that I overlooked the limitations of the free version.

    I may look into iRedMail. I didn't like the webmail portions but in the end I doubt I will really be using it compared to the ability to have fully integrated calendar & contacts.

  • 0 Votes
    2 Posts
    457 Views

    Ended up canceling Squid for HAProxy.

  • HAproxy Action on 2.2.6?

    Oct 24, 2018, 11:12 PM
    0 Votes
    5 Posts
    563 Views

    using the HAproxy Devel did the trick

  • Pfsense Squid block http traffic

    Oct 17, 2018, 8:44 AM
    0 Votes
    7 Posts
    2k Views

    @landrocket
    The best way I have found to set up squid on a home network is without transparent.
    It is pretty simple to set the proxy settings in the browser.

    Also has the added benefit if you have a problem connecting you can reset your browser
    and just bypass the proxy until you figure out the problem (check the real time logs)

    The way I set up mine is pretty much default. (Create Internal Cert. of Auth.)
    1) Enable Proxy
    2) Select Lan and Loopback
    3) Allow Users
    4) Resolve IPv4 first
    5) Disable ICMP Pinger helper
    6) Enable SSL filtering
    7) Splice Whitelist Bump otherwise
    8) Select Lan
    9) Proxy port-3129
    10) Compatibility mode-intermediate
    11) Cert. Adapt Not Before
    12) X-Forward (transparent)
    13) Disable Via Header
    14) URL Whitespace (Strip)
    15) X-Forward (transparent)

    After you reboot the firewall you can go to the ACLs tab and can enter in sites that you don't
    want to SSL bump - here is what I use. Windows Updates, Live Mail, OneDrive, Steam etc.
    Some of them might not be relevant anymore. But Steam will take the proxy down quick if
    it isn't whitelisted.
    I am sure there is a way around that but I didn't want to put in the effort.

    0_1540791260483_Whitelist.txt

  • 0 Votes
    9 Posts
    1k Views

    @derelict Thank you, I will try this, and hope that pfSense 2.4.4 will work without problems

  • 2 Votes
    34 Posts
    50k Views

    @nick2253
    Sorry, but that was not what I'm saying.

    To make haproxy health-checks use SSL you should enable the "SSL checks" checkbox behind each server.


  • Problem with Squid

    Oct 25, 2018, 7:13 PM
    0 Votes
    1 Posts
    414 Views
    No one has replied
  • Where is Varnish ?

    Oct 24, 2018, 8:33 PM
    0 Votes
    4 Posts
    892 Views

    Varnish was removed years ago. Very few people used it, and it required keeping a compiler on the firewall which is generally a bad idea.

    Also, don't use ezjail or jails in general on the firewall. Either virtualize things or separate them. Don't try to force the firewall to take on roles for which it isn't well-suited.

  • 0 Votes
    18 Posts
    5k Views

    @comet424 I forgot to mention that the best source for information on pfSense is in the book written by the experts. Recently it has been made free to the public. Even when it was not free, it was worth every penny.
    https://www.netgate.com/docs/pfsense/book/

    Good luck
    Raffi

  • 0 Votes
    6 Posts
    719 Views

    If the proxy is in a DMZ separate from the clients then it's easy to do with NAT.

    port forward in on LAN for a destination of any, port 80, sent to a target of the proxy on the proxy port
    Repeat for 443 if you're doing SSL

    Maybe exclude the firewall from that, and local things, but that's the general gist. That's all the squid package does internally, just forwards to 127.0.0.1 instead of another box.

    If the proxy is in the same subnet as the clients then it's trickier since you'd have to exclude the proxy box as a source in that rule, and work around other issues to mask the source, so don't do that.

  • HAproxy and caching

    Oct 23, 2018, 12:11 PM
    1 Votes
    6 Posts
    7k Views

    @piba haha, I think I have to learn more about ACLs before asking questions ^^

    Thanks for your help

  • 0 Votes
    2 Posts
    345 Views

    I found a solution, but I want to share it for people with the same problem.

    I could reproduce it by doing the update on the other machine and saving the logfile.

    The following happens:

    >>> Upgrading pfSense-pkg-haproxy...
    Updating pfSense-core repository catalogue...
    pfSense-core repository is up to date.
    Updating pfSense repository catalogue...
    pfSense repository is up to date.
    All repositories are up to date.
    The following 2 package(s) will be affected (of 0 checked):
    New packages to be INSTALLED:
        haproxy17: 1.7.11_1 [pfSense]
    Installed packages to be UPGRADED:
        pfSense-pkg-haproxy: 0.59_11 -> 0.59_14 [pfSense]
    Number of packages to be installed: 1
    Number of packages to be upgraded: 1
    The process will require 2 MiB more space.
    650 KiB to be downloaded.
    [1/2] Fetching pfSense-pkg-haproxy-0.59_14.txz: .......... done
    [2/2] Fetching haproxy17-1.7.11_1.txz: .......... done
    Checking integrity... done (1 conflicting)
    - haproxy17-1.7.11_1 [pfSense] conflicts with haproxy-1.7.11 [installed] on /usr/local/man/man1/haproxy.1.gz
    Checking integrity... done (0 conflicting)
    Conflicts with the existing packages have been found.
    One more solver iteration is needed to resolve them.
    The following 4 package(s) will be affected (of 0 checked):
    New packages to be INSTALLED:
        haproxy17: 1.7.11_1 [pfSense]
    Installed packages to be UPGRADED:
        pfSense-pkg-haproxy: 0.59_11 -> 0.59_14 [pfSense]
    Number of packages to be installed: 1
    Number of packages to be upgraded: 1
    The process will require 2 MiB more space.
    Fetching haproxy-1.8.14.txz: .......... done
    [1/4] Deinstalling haproxy-1.7.11...
    [1/4] Deleting files for haproxy-1.7.11: ........ done
    [2/4] Installing haproxy17-1.7.11_1...
    [2/4] Extracting haproxy17-1.7.11_1: ........ done
    [2/4] Installing haproxy-1.8.14...
    pkg-static: haproxy-1.8.14 conflicts with haproxy17-1.7.11_1 (installs files into the same place). Problematic file: /usr/local/man/man1/haproxy.1.gz ignored by forced mode
    pkg-static: haproxy-1.8.14 conflicts with haproxy17-1.7.11_1 (installs files into the same place). Problematic file: /usr/local/sbin/halog ignored by forced mode
    pkg-static: haproxy-1.8.14 conflicts with haproxy17-1.7.11_1 (installs files into the same place). Problematic file: /usr/local/sbin/haproxy ignored by forced mode
    pkg-static: haproxy-1.8.14 conflicts with haproxy17-1.7.11_1 (installs files into the same place). Problematic file: /usr/local/etc/rc.d/haproxy ignored by forced mode
    [2/4] Extracting haproxy-1.8.14: ........ done
    [3/4] Upgrading pfSense-pkg-haproxy from 0.59_11 to 0.59_14...
    [3/4] Extracting pfSense-pkg-haproxy-0.59_14: .......... done
    Removing haproxy components...
    Menu items... done.
    Services... done.
    Loading package instructions...
    Deinstall commands... done.
    Syslog entries... done.
    Saving updated package information...
    overwrite!
    Loading package configuration... done.
    Configuring package components...
    Loading package instructions...
    Custom commands...
    Executing custom_php_install_command()...done.
    Menu items... done.
    Services... done.
    Writing configuration... done.
    >>> Cleaning up cache... done.
    Success

    For any reason haproxy-1.8.14 is installed over the haproxy-1.7.11_1 including the binary.

    Solution:

    Per console I did:

    pkg remove haproxy-1.8.14
    pkg remove haproxy17-1.7.11_1
    pkg install pfSense-pkg-haproxy-0.59_14

    So only 1.7.11_1 was installed, the complete configuration remained untouched (although I took a backup before).

    Regards,
    Daniel

  • 0 Votes
    6 Posts
    712 Views

    @ismael-segovia
    Looks like smth similar to - https://forum.netgate.com/topic/113490/squid-and-squidguard-are-not-starting/12

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.