I think the best way to force YouTube and google into safe mode is to use DNS overrides.  This is what I have on my network.  The rewrites rarely work anymore as everything is HTTPS. See my post here: https://forum.pfsense.org/index.php?topic=133689.msg738677#msg738677

hi all, thanks for the solutions!

Tks for reply. I did, but dont fix. http proxy dont fail. only https.. if i disable ssl splice all interceptation i have no problems..

Would it be possible for someone to move this into the Packages > Cache/Proxy section of the forums - I should have looked around more before I posted it here. Sorry.

Yes, squidguard requires squid.  If you only want blocking, perhaps pfBlockerNG is a better fit.

Nevermind, answered my own question. I set redirect mode to ext url move (enter URL) And in the Redirect info field, I entered: https://<fqdn of="" my="" firewall="">/sgerror.php?url=403%20&a=%a&n=%n&i=%i&s=%s&t=%t&u=%u Works perfectly! Hopefully that's useful to someone else too.</fqdn>

Ended up not using port 80 and substituted that for a redirect rule. Not sure why adding that in breaks it

I did this as follows (short version): I have squid running on pfSense. I deployed a wpad.dat in /usr/local/www/ (and added links from wpad.da and proxy.pac to it). This wpad.dat checks the network the requesting client is located in and returns an appropriate address for the proxy server. In the DHCP server I have assigned domain names to the networks. Also I have configured option 252 in the DHSP Server to point to the wpad.dat file in each network. In the DNS Forwarder I have configured wpad. <local domain)="">to point to the corresponding default gateway in each network. Is this what you were requesting? -flo-</local>

It's now a week later and you're still worrying about this?  Stuff works when it's selected, stuff breaks when it isn't.  Just leave it selected.

What details do you want to know?

Thanks for the reply, so after hours trail and error this is the config that worked to redirect the www to mydomain.com whats odd that every browser worked by putting the www.mydomain.com besides safari on the iphone but i guess who knows what safari does that wont let redirect, besides that internet explorer, chrome, firefox, puffin all worked well. What i did is to create another acl web2 host start with www then below with the prefix prefix https://mydomain.com which points to web2 Thank you again for all the help hope this helps others see picture [image: Clipboarder.2017.11.06-010.png] [image: Clipboarder.2017.11.06-010.png_thumb]

Bump.  Should what I trying to do work?  Everything I have read seems to indicate that this is a supported scenario.  Don't think it is a cert issue since I have wildcard cert configured in the reverse proxy. Any ideas? Thanks, Mike

Hi vonfrank, i'm using pfsense packages haproxy and package acme on my pfsense for this similar situation. pfsense WebUI rconfigured to listen on Port 8443. pfsense WebUI disabled for redirect from Port 80. I've two frontends defined in haproxy: WAN:80 (for acme redirection and ssl cert sign) WAN:443 (for ssloffloading with all certificates for my websites) one acl for each certificate. configured as "Host matches:"-Expression. value is the CN of ssl-Certificate. one action for each acl to switch to every backend. SSL Certificates configured as "Additional certificates", in configuration area "SSL Offloading" checkbox "Add ACL for certificate CommonName. (host header matches the "CN" of the certificate)" checked backends in haproxy: one Backend for acme challenge. (I'm using the pfsense internal webserver for that) several other Backends. one for every site. some acl's for URL rewriting here my Backend config for acme to direct to pfsense's WebUI (listening on Port 8443): backend BE_ACME-Server_http_ipvANY mode http log global errorfile 403 /var/etc/haproxy/errorfile_BE_ACME-Server_http_ipvANY_403_http_503 timeout connect 30000 timeout server 30000 retries 3 acl acme_not_in_path path_beg -i /.well-known/acme-challenge http-request deny  if  !acme_not_in_path server pfsenseAdminWebpage 127.0.0.1:8443 ssl check inter 1000  verify none