• 0 Votes
    10 Posts
    2k Views
    johnpoz
    @JonathanLee tls 1.3 has been used for quite some time.. Any time I bother to look at the connection to pretty much anything it's tls 1.3.. This connection to the forums is using tls 1.3. esni is dead but long live ech, that could be problematic I would bet.. But again I don't do any sort of mitm, it's not good practice - I want my ssl/tls to be end to end.. As the internet gods intended it to be ;) I have no need or desire to run a proxy.. If I want to block something I would filter on IP or DNS.. Yes I block the bane of filtering doh and dot. I run a reverse proxy, but not as a filtering method or as a way to do mitm.. But as a way to offload the ssl connection because the actual services have no ssl support at all, or are a pain to set up. These connections are tls 1.3.. And I don't even allow 1.2, if you're not using 1.3 then you're not accessing it. And use strict sni - so if you don't send the valid sni you're not being proxied in either. This keeps rando port scanners from being able to actually get to the site's interface. And I block most of the known scanners from talking to any of my forwards anyway, and only allow access into my forwards if you're coming from US IP, etc.
  • Squid StoreID and Facebook plus caching Windows updates

    13
    1
    0 Votes
    13 Posts
    2k Views
    JonathanLee
    This seems to improve speeds:
    http_upgrade_request_protocols websocket allow all
    accept_filter httpready
    accept_filter dataready
    collapsed_forwarding on
    half_closed_clients off
    pipeline_prefetch 6
  • HAProxy forwardfor

    6
    0 Votes
    6 Posts
    610 Views
    V
    @viragomann said in HAProxy forwardfor: @varazir You can see the http headers in the capture? Yes, the strange thing is that it's only for Authelia that I don't get the header set. I think I'm going to remove it. Using wireguard to connect to my home network.
  • 0 Votes
    16 Posts
    2k Views
    JonathanLee
    So generation 2 proxy technology can help if it's built right...
  • Any experience with HAproxy 3.0 ?

    3
    0 Votes
    3 Posts
    325 Views
    Sergei_Shablovsky
    @JonathanLee said in Any experience with HAproxy 3.0 ?: Sorry, could you please explain your reply? I am asking because some improvements and new features in HAproxy 3.0 are really great (and some of them have been asked for for so long). Of course, in a high-load environment it would be better to use a SEPARATE HAproxy balancer (no matter whether containerized or on bare metal) from pfSense. But at the same time this does not mean not updating HAproxy to 3.0 in pfSense+ or CE. Am I wrong about this? @Sergei_Shablovsky Did you see you can run it in a docker container now? Sorry, no time to look for the right video, but this one probably does not need translation. @Sergei_Shablovsky is that the high availability software for running two different firewalls? As far as I know, one short example...., and another one. The last of these two examples is the "best pair" HAproxy+Keepalived that was used widely and successfully from 2020-2024. And I personally know a bunch of projects (both hiload and enterprise) that implement, orchestrate and monitor this HAproxy+Keepalived pair successfully
  • Squid.conf.documented mix up

    tls-default-ca default-ca squid
    1
    3
    0 Votes
    1 Posts
    320 Views
    No one has replied
  • Squid and Squidguard speed issues

    1
    0 Votes
    1 Posts
    132 Views
    No one has replied
  • SquidGuard Target Categories and Groups ACL Sorting Problem

    7
    1 Votes
    7 Posts
    685 Views
    C
    @w-hackl said in SquidGuard Target Categories and Groups ACL Sorting Problem: put on top of the list I can confirm that, it didn't happen in 2.6.x ver and appears on 2.7.x
  • Haproxy Layer6 Issues - Intermittent Logging

    help haproxy ssl letsencrypt
    1
    0 Votes
    1 Posts
    418 Views
    No one has replied
  • Squid and IPv6

    he.net ipv6 squid certificates
    1
    1
    0 Votes
    1 Posts
    431 Views
    No one has replied
  • Squid trying to use IPv6 address when it shouldn't

    2
    3
    0 Votes
    2 Posts
    213 Views
    JonathanLee
    try an acl
    http_access deny to_ipv6
    http_access deny from_ipv6
  • Magento2 after pfsense and haproxy ssl offload

    2
    0 Votes
    2 Posts
    234 Views
    V
    @Tony-Soprano Does the site load correctly if you access it directly? How do you access it? Is the site running in a virtual directory? With the debugging mode enabled in the browser, are there any failures to see?
  • Haproxy: HTTP Auth?

    2
    0 Votes
    2 Posts
    244 Views
    M
    @oguruma You can do it now via the custom options. You just need to know the HA Proxy syntax. Might want to openAI that.. But there is no GUI option if that is what you are looking for.
  • HAProxy: Adding a Path in Backend Config

    7
    0 Votes
    7 Posts
    1k Views
    Gamienator 0G
    @viragomann Thanks! I'll set it up tomorrow and report
  • Squid Coredump logs

    3
    0 Votes
    3 Posts
    351 Views
    JonathanLee
    I am supposed to enable sysctl -w kern.sugid_coredump=1
  • Does HA Proxy utilize QAT offloading?

    quickassist haproxy pfsense
    1
    0 Votes
    1 Posts
    368 Views
    No one has replied
  • HAProxy websocket with socket.IO

    3
    4
    0 Votes
    3 Posts
    454 Views
    I
    here are the error messages [image]
  • 0 Votes
    16 Posts
    5k Views
    JonathanLee
    @jdb67 You might also try to email the Squid users support email to get Squid help. They are very helpful; sometimes the original code writers chime in and help users. squid-users@lists.squid-cache.org FYI: You will have to register your email and wait for approval before you can send out an email to everyone on this, however.
  • Squid error on check but works

    3
    1
    0 Votes
    3 Posts
    523 Views
    JonathanLee
    @kabeda contact Squid's user support email address, they can help you. I also have the ec decode errors with the latest version, however it works for me. squid-users@lists.squid-cache.org
  • HAProxy GeoIP

    14
    2
    0 Votes
    14 Posts
    2k Views
    A
    @johnpoz In the screenshot below, access is denied when updating. Or is it like this for everyone? [image]
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.