@piba

Thanks a lot for all your help.

I got Siri to work by adding the following to my wpad files:

if (shExpMatch(url, "guzzoni.apple.com")) ||
shExpMatch(url, ".guzzoni-apple.com.akadns.net"))
return "DIRECT";

Basically, it's bypassing the proxy but that's all I could find.

This is where I found it:
https://apple.stackexchange.com/questions/253843/siri-on-macos-behind-a-corporate-proxy#253947

and

https://blog.mansshardt.net/siri-ios-macos-hinter-squid-proxy-zum-laufen-bringen/

You will need to use google translate unless you know how to read German.

@piba

You were correct, I had to change the SSL checkbox for the wanhttps

Now everything is working and I am back to the SSL Labs A+ rating (if that is worth anything)

@ageekhere
In this case, do I keep the Proxy settings transparent with Splice All enabled?

[Solved] I found the log rotate check button for SquidGuard in the GUI. Thanks

I think I have cracked this. What you do is to upgrade in the package manager:
To:

haproxy net 0.59_4 The Reliable, High Performance TCP/HTTP(S) Load Balancer.
This package implements the TCP, HTTP and HTTPS balancing features from haproxy.
Supports ACLs for smart backend switching.

That seems to pull the HAProxy 1.7.11 as an dependency at least it now claims to be running 1.7.11 and the first tests looks reassuring.

I solved the problem myself.

All my configuration was correct, there is a bug with the squid addon: you can not start the squid service from the web interface, when you click on "start the service" in the image below nothing happens, the service doesn't start and you don't have any error message:
0_1533074663644_squid screenshot.png

I had to connect to the pfsense terminal and run a "ps aux |grep squid" to see that th service was not running (i didn't have any error message in /var/log/squid).

A simple "squid start" solves the problem, does someont knows where can i report this bug ?

@maverick_slo
using 2.4.4'beta' with php7 i guess? PR with version 0.59_6 that should fix that one is pending..

Same here, re-appearing in 2.4.3-RELEASE-p1 on a Netgate SG-3100. Looks to me too high i/o(???)

PFSense installed on 'thrid party' pc hardware works normally. Restarting ClamAV works for some hours and then protocol errors appear again. Updating ClamAV once a day lowered to once a week -> no difference Bypassing will prevent this ICAP protocol error but is not really a solution.

Thanks,
Imp

@gertjan said in SSL Man In the Middle Filtering blocking any app:

The MITM "problem" will probably never get solved.

Thank you very much

Hi
I had the same problem
But I put the list IP of this site in Bypass and the problem was resolved

Go to Firewall Aliases>ADD+
Name: trello
Type : Network(s)
23.45.96.0/20
104.66.78.18/20

Save

And Go to Services > Squid Proxy server
in Bypass Proxy for These Destination IPs type : trello

Save and restart squid service

@marcelloc said in pfSense keeps blocking google.com, I lost all hope:

If you run a tcpdump on your LAN while trying to google something with chrome, you will see it going on UDP port 443 instead of default TCP port.

That's the QUIC protocol right? You can block it with a firewall rule blocking udp80/443

https://wiki.squid-cache.org/KnowledgeBase/Block%20QUIC%20protocol

or disable it using a Chrome flag:
chrome://flags > QUIC protocol > Disable

I'm sure there was a good thread about it here on this forum but now for the life of me I can't find it.

I just can not believe this bug even exists, let alone after so many many years after it has been created (8 years).☹