I hate me sometimes… I hate inconsistent interfaces.  The way squidguard does this is completely different from every other part of pfSense.  No other option makes you go back to a different page to apply the settings like squidguard.  It catches people all the time like it did to you.

I got this working by simply binding squid to the two interfaces that made up the bridge (in my case). Eg rather than Bridge0, I used LAN and OPT1 (ath0). I have an atheros wireless card in the netgate box so this is really the only way to get it all working. Doesn't miss a beat.

Iae pessoal! Consegui liberar o Whatsapp no pfsense 2.4.2 A25, fiz o seguinte: Criei 4 Alias 1º Nome = "whatsapp", Tipo = "host's", IP ou FQDN = "web.whatsapp.com"; - (Este fará a liberação do site inicial). 2º Nome = "web_whatsapp_com", Tipo = "Rede's", Rede ou FQDN = "31.13.85.51/32, 2a03:2880:f205:c5:face:b00c::167/128, mmx-ds.cdn.whatsapp.net/32" - (Estes endereços foram obtidos pela Ferramenta de Diagnostico DNS Lookup - OBS: essas informações foram obtidas para o Brasil, faça o DNS Lookup caso esteja em outro pais, pois, os ips podem ser diferentes). 3º Nome = "whatswss", Tipo = "Host's", IP ou FQDN = "w1.web.whatsapp.com, w2.web.whatsapp.com, w3.web.whatsapp.com, w4.web.whatsapp.com, w5.web.whatsapp.com, w6.web.whatsapp.com, w7.web.whatsapp.com, w8.web.whatsapp.com - (Este fará a liberação do socket wss). 4º  Nome = "w2_web_whatsapp_com", Tipo = "Rede's", Rede ou FQDN = "169.55.74.45/32, 169.55.74.36/32, 158.85.224.179/32, 158.85.224.174/32, 169.55.74.56/32, 169.55.69.156/32, 158.85.224.173/32, 169.44.84.154/32, dyn.web.whatsapp.com/32 " - (Estes endereços foram obtidos pela Ferramenta de Diagnostico DNS Lookup para liberação do socket wss - OBS: essas informações foram obtidas para o Brasil, faça o DNS Lookup caso esteja em outro pais, pois, os ips podem ser diferentes). Como meu escopo é liberado por grupos, ex: "Engenharia, Financeiro, Compas, TI e Gerência", utilizei uma Expressão Regular para limitar os acessos, ex: Criei uma Categoria LiberaWhats, no campo Expressão Regular digitei o seguinte "./web.whatsapp.com/.|whatsapprede|.*/w.web.whatsapp.com/.|.rsdf$" São 3 expressões, uma para o site inicial, outra para permitir a o java script e outra para o socket wss,  após cria-lá vá no grupos ACL no meu caso o grupo Gerência a categoria ficou como Allow, já nos demais deixei como Deny, assim fica liberado somente para um grupo. OBS: Estou utilizando proxy transparente.

Make sure you have the unofficial repo added  and make sure you've got that CA generated for SSL MITM. After setting that up in E2G settings, it should work fine.

The 'Use "forwardfor" option' in the frontend might help? Otherwise use a 'action' to perform a "http-request header set" with name: X-Forwarded-Proto and fmt: https

Depends a little bit what kind of file you would like to use.. It is possible to use "Source IP matches IP or Alias" as a acl.. for which you then can create a alias in pfSense with IP's and subnets to match against.. But if you want to specify a domain>certificate or domain>backend 'list' or some other option that needs loading from file (besides a few things like lua and errorfiles..). Then the webgui is the thing that doesn't really 'support' it.. Haproxy binary itself is should have most if no all features described in the manual..

Also noticed opening HTTPS 443 still allows HTTP on 80

Hey! Thanks for the help man! For some reason when I switched the firewall to another network it started working, but thanks for the help!

Over a year later, I, too, am getting the same error but haven't found a solution yet. Antivirus is disabled so I don't know what else to try.

I remember when I built my first pfsense.  I just started adding every feature that looked cool and later realized that most of it I didn't need at home.  Squid and clam av were among those that I found not very useful for my home scenarios.  My clients were either windows which had far superior AV or linux systems which need no AV.  So, I don't use those now. There are scenarios where it is useful though.  For me, I used it to control what my kids could see on the net. Later when they reached their teen years I turned it off…

http://www.eicar.org/85-0-Download.html

looks like this is gonna be a manual process by editing the squidguard.conf manually but still won't work because we cannot edit the squidGuard.conf because it is generated automatically with SquidGuard configurator.

I think the best way to force YouTube and google into safe mode is to use DNS overrides.  This is what I have on my network.  The rewrites rarely work anymore as everything is HTTPS. See my post here: https://forum.pfsense.org/index.php?topic=133689.msg738677#msg738677

hi all, thanks for the solutions!

Tks for reply. I did, but dont fix. http proxy dont fail. only https.. if i disable ssl splice all interceptation i have no problems..