• Unable to run squid proxy server after upgrading from 2.7.2 to 2.8.0

    5
    0 Votes
    5 Posts
    2k Views
    Y
    You can run via SSH or Diagnostics -> Command prompt squid -k parse and paste output here.
  • Squidguard problem after upgrading from version 2.7.2 to version 2.8.0

    Moved
    33
    0 Votes
    33 Posts
    1k Views
    JonathanLeeJ
    @firefox I don’t think so, to be honest with you I am on an older version also. Just make sure you do the patch package and install all the system patches.
  • 0 Votes
    19 Posts
    3k Views
    L
    @KOM said in Squid: "Undefined symbol "_ZTVNSt3__117bad_function_callE" after upgrade to 2.8:
    I'm also not comfortable with the 'move lib somewhere else' fix as I don't know what side-effects it may have and I don't know how a future upgrade will handle it.
    I have two pfSense with longer upgrade history running, came across the same problem when upgrading to 2.8 and my thoughts were exactly the same. But then I was diving deeper and...
    The upgraded one, after the upgrade:
    # ls -l /usr/lib/libc++*
    -r--r--r-- 1 root wheel 9415736 May 22 03:19 /usr/lib/libc++.a
    -r--r--r-- 1 root wheel 48 May 22 03:19 /usr/lib/libc++.so
    -r--r--r-- 1 root wheel 819952 Jan 31 2022 /usr/lib/libc++.so.1
    -r--r--r-- 1 root wheel 952 May 22 03:19 /usr/lib/libc++experimental.a
    The one still on 2.7.2 / FreeBSD 14:
    # ls -l /usr/lib/libc++*
    -r--r--r-- 1 root wheel 8603484 Dec 6 2023 /usr/lib/libc++.a
    -r--r--r-- 1 root wheel 48 Dec 6 2023 /usr/lib/libc++.so
    -r--r--r-- 1 root wheel 819952 Jan 31 2022 /usr/lib/libc++.so.1
    -r--r--r-- 1 root wheel 87114 Dec 6 2023 /usr/lib/libc++experimental.a
    And last, but not least a stock FreeBSD 14.0 REL-p4:
    # ls -l /usr/lib/libc++*
    -r--r--r-- 1 root wheel 8579844 Nov 10 2023 /usr/lib/libc++.a
    -r--r--r-- 1 root wheel 48 Nov 10 2023 /usr/lib/libc++.so
    -r--r--r-- 1 root wheel 86778 Nov 10 2023 /usr/lib/libc++experimental.a
    As I see it, this libc++.so.1 as of 2022 must have been left back by an earlier update. Especially when looking at such a commonly used lib, I would speculate that the rm command used to remove it during this earlier update was using it itself and thus, was unable to remove it.
    Knowing this, I followed the recommendation to just remove it (or move it away to /root), rebooted and everything works fine. There is no need to un/reinstall squid. Just move away /usr/lib/libc++.so.1 and reboot.
    When updating from 2.7.2 or another FreeBSD 14 based release, it may also be an option to do this before starting the update to keep the downtime as short as possible.
    And, coming back to the concern quoted initially: I believe that it is very unlikely that anybody will miss this old lib. Maybe somebody who upgraded an instance with less upgrade history can have a look in his /usr/lib and confirm that there is no libc++.so.1 at all.
  • HAProxy for User Control Panel (UCP) on freepbx

    haproxy freepbx
    5
    0 Votes
    5 Posts
    2k Views
    J
    @qupfer What did I bang my head over this strange 502 issue. Your solution did it! Thank you so much, even 2.5 years later!
  • Squid 6.12_1 Failed to decode EC parameters

    3
    1 Votes
    3 Posts
    385 Views
    JonathanLeeJ
    Request for Continued Support of Squid Package Dear Netgate Team, Could we please continue to support the Squid package? The upstream project has already resolved the known security issues, and it appears the main task remaining is updating the package to accommodate the recent PHP changes affecting the status page and address the decode issue. I’m unsure how to address this on my end and would greatly appreciate any guidance. Has anyone else looked into this, or is there a fix currently in progress? Thank you for your time and support. Jonathan Lee
  • haproxy 0.63_2 weird behavior, edits not working

    5
    0 Votes
    5 Posts
    816 Views
    I
    @andrew_cb said in haproxy 0.63_2 weird behavior, edits not working: @iSagen @TheCyborgWeasel The issue is likely the same as in https://forum.netgate.com/topic/178348/haproxy-backend-port-changes-are-not-applied/ Try adding load-server-state-from-file none to the Advanced Settings > Backend pass thru section of each backend. Great! I will do this.
  • HAProxy backend port changes are not applied

    17
    3 Votes
    17 Posts
    2k Views
    A
    @nick23369 You don't have to wait for the official fix. Adding the directive load-server-state-from-file none to each backend will override the default behavior and make HAProxy backend changes take effect immediately. This is the easiest - do it one time and it's done. You can also stop HAProxy, run rm /tmp/haproxy_server_state from Diagnostic > Command Prompt, and then start HAProxy. There is no problem with HAProxy, it just takes some extra work to negate the hardcoded config settings and make backend changes apply immediately without having to reboot pfSense.
  • HAProxy Seems to Forward to wrong Backend Port

    10
    0 Votes
    10 Posts
    3k Views
    P
    Hi Andrew, thanks for the tip. I forgot to reply here. In our case, the problem was the hardware. Since 2013 I have used the same hardware, an Athlon LE-1620 (1 core) with 2GB. Some months ago, we created an app with many HAProxy rules and the access is growing. We bought one fanless with Intel J6426 and 8GB and now it works fine.
  • HaProxy wrong backend

    3
    0 Votes
    3 Posts
    352 Views
    A
    @andrew_cb Thank you for the answer. In the end it was a problem that any new backend I added just did not register. I confirmed it by taking an existing one and overriding it, and it worked, so I went with the nuclear option and just installed the entire pfSense because installing the HAProxy did not help.
  • HAProxy Port Redirect Internal

    28
    0 Votes
    28 Posts
    762 Views
    S
    @viragomann Thank you, I had that a bit flipped in my mind!
  • HA-Proxy, how to set correctly a shared fronted with Offloading and TCP

    4
    0 Votes
    4 Posts
    777 Views
    A
    @BelluX The Shared-Frontends message is because you have two different frontends configured that are listening on the same IP address and port. To resolve this error, you must choose the option Shared Frontend on the second frontend. However, if you do this, HAProxy will give an error that all shared frontends must be of the same type (you cannot mix http/https (offloading) with ssl/https (TCP mode)).
    This is how I set up HAProxy to support mixed offloading and passthrough:
    Create a Backend called tcp_to_https which goes to server 127.0.0.1:4443 and Encrypt(SSL) is set to No.
    Create a Frontend called SSL_Termination that listens on port 4443. Enable SSL Offloading. Add all your ACLs and Actions like normal.
    Create a Frontend called SSL_Passthrough that listens on port 443 but do not enable SSL Offloading. Set it to ssl / https (TCP mode). Add ACLs using Server Name Indication TLS extension ends with for the hostnames that you want to pass through directly to the backends. Set the Default Backend to tcp_to_https.
    The way this works is HAProxy receives the request, it checks if the SNI matches the ACLs, and passes it through directly to the backends without performing SSL offloading. Otherwise, it passes the request to the default backend tcp_to_https, which connects to the frontend SSL_Termination, where the connections are processed a second time, this time performing SSL offloading.
  • not update new config port in server list backend haproxy pfsense

    2
    0 Votes
    2 Posts
    652 Views
    A
    @mojtaba-key For anyone reading this, the issue is likely the same as in https://forum.netgate.com/topic/178348/haproxy-backend-port-changes-are-not-applied/ The solution is to add load-server-state-from-file none to the Advanced Settings > Backend pass thru section of each backend.
  • HAProxy fails a backend as DOWN even when check is disabled

    3
    0 Votes
    3 Posts
    568 Views
    A
    @NickyDoes The issue is likely the same as in https://forum.netgate.com/topic/178348/haproxy-backend-port-changes-are-not-applied/ Try adding load-server-state-from-file none to the Advanced Settings > Backend pass thru section of each backend.
  • pfSense to support true dynamic server-template ?

    1
    0 Votes
    1 Posts
    49 Views
    No one has replied
  • 0 Votes
    3 Posts
    357 Views
    D
    Retested on 24.11-RELEASE (amd64) all seems to work. So it seems right to file a bug for this issue.
  • HaProxy ip alias dropdown ?

    1
    0 Votes
    1 Posts
    206 Views
    No one has replied
  • 1 Votes
    10 Posts
    2k Views
    JonathanLeeJ
    @JonathanLee said in UNOFFICIAL GUIDE: Have Package Logs Record to a secondary SSD drive Snort Syslog Squid and or Squid cache system:
    ln -s -F /nvme/LOGS_Optane/snort /var/log/snort
    Also you can do this with suricata.
    /var/log/suricata remove this
    mkdir /nvme/LOGS_Optane/suricata
    ln -s -F /nvme/LOGS_Optane/suricata /var/log/suricata
  • HAProxy Cookie Persistance SameSite

    1
    0 Votes
    1 Posts
    191 Views
    No one has replied
  • 0 Votes
    18 Posts
    2k Views
    JonathanLeeJ
    This is a better WPAD file
    server.modules = (
        "mod_access",
        "mod_staticfile",
        "mod_expire",
        "mod_setenv"
    )
    server.document-root = "/var/www/html"
    server.errorlog = "/var/log/lighttpd/error.log"
    server.pid-file = "/run/lighttpd.pid"
    server.username = "www-data"
    server.groupname = "www-data"
    server.port = 80
    server.bind = "192.168.1.6"
    server.tag = ""
    server.range-requests = "disable"
    server.max-connections = 10
    connect-timeout = 2
    server.max-keep-alive-idle = 2
    server.max-keep-alive-requests = 1
    server.max-read-idle = 2
    server.max-write-idle = 2
    dir-listing = "disable"
    $HTTP["request-method"] =~ "^(TRACE|TRACK)$" {
        url.access-deny = ( "" )
    }
    # Cache WPAD and proxy PAC files for 1 day (good practice)
    expire.url = (
        "/wpad.dat" => "access plus 1 day",
        "/proxy.pac" => "access plus 1 day"
    )
    # Disable access logs to reduce SD card wear (optional)
    accesslog = ""
    $HTTP["url"] =~ "^/(wpad\.dat|proxy\.pac)$" {
        setenv.add-response-header = (
            "X-Content-Type-Options" => "nosniff",
            "X-Frame-Options" => "DENY",
            "Content-Security-Policy" => "default-src 'none';",
            "Cache-Control" => "public, max-age=86400",
            "Referrer-Policy" => "no-referrer",
            "X-Download-Options" => "noopen",
            "X-Permitted-Cross-Domain-Policies" => "none"
        )
        # Allow only GET and HEAD methods
        $HTTP["request-method"] !~ "^(GET|HEAD)$" {
            url.access-deny = ( "" )
        }
        # Restrict access by IP subnets
        $HTTP["remoteip"] == "192.168.1.0/27" {
        } else $HTTP["remoteip"] == "2001:470:8052:a::/64" {
        } else {
            url.access-deny = ( "" )
        }
    }
    # Deny all other URL requests
    $HTTP["url"] !~ "^/(wpad\.dat|proxy\.pac)$" {
        url.access-deny = ( "" )
    }
    # Strict URL parsing for security and consistency
    server.http-parseopts = (
        "header-strict" => "enable",
        "host-strict" => "enable",
        "host-normalize" => "enable",
        "url-normalize-unreserved"=> "enable",
        "url-normalize-required" => "enable",
        "url-ctrls-reject" => "enable",
        "url-path-2f-decode" => "disable",
        "url-path-2f-reject" => "enable",
        "url-path-dotseg-remove" => "disable",
        "url-path-dotseg-reject" => "enable",
    )
    url.access-deny = ( "~", ".inc" )
    static-file.exclude-extensions = ( ".php", ".pl", ".fcgi" )
    # Add WPAD MIME type for correct browser handling
    mimetype.assign = (
        ".dat" => "application/x-ns-proxy-autoconfig",
        ".pac" => "application/x-ns-proxy-autoconfig"
    )
  • Squid has officially released 7.0.2 beta if anyone wants to test

    6
    0 Votes
    6 Posts
    552 Views
    JonathanLeeJ
    @brcuewayne Diagnostics > Command Prompt
    Shell Output - ls -l /usr/local/sbin/dhcpleases6
    ls: /usr/local/sbin/dhcpleases6: No such file or directory
    Execute Shell Command
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.