I thought you were asking about the numbers, not the URLs  ;D Those look like weird-ass ASCII-encoded addresses like spammers use to obfuscate themselves.  Have your phone person do their thing and watch squid's realtime view to see what's going on.

I don't know PFBlocker so I can't provide any advice here. You could install just (only) the SquidGuard package again and recheck your ftp access. If it works, the fine. If not proceed as laid out in my previous post (check for alerts in Squidguard, then disable corresponding rules). -flo-

ok it seems to work I had to reboot pfsense

0.4.42 no longer allows users to select unusable certs/CAs.

Fixed in 0.4.4x

To help anyone else who googles a similar issue - I set this all up and it was failing on HAProxy health check and wouldn't work. Digging around, googling, viewing the log etc, I finally noticed that the logs shows (for the health check after turning logging on for this). ….....is DOWN, reason: Layer7 wrong status, code: 405, info: "Not Allowed" Googled and then realised that the code 405 is a HTTP code, and HTTP 405 is "Method Not Allowed". I changed the health check HTTP check method from OPTIONS to a simple GET. This resolved it. Thanks again for to doktornotor for such a simple elegant solution.

@RootMd5: Hi , Right now Squid Authentication is served over HTTP with browser. How to force it to HTTPS ,to secure authentication information ? Please Guide. Hi Everyone please help on this query , Thanks :)

Thanks for the help doktornotor, I will what I can do =/

Sichent Thanks for your assistance. I finally figured it out. Here is what worked in my environment: LDAP Version: 3 LDAP Server User DN: <service account="">@ <ad fqdn="">LDAP Password: <service account="" password="">LDAP Base Domain: DC=dsa,DC=<company>,DC=com LDAP Username DN Attribute: samAccountName LDAP Search Filter: (sAMAccountName=%s) I tried to use the User DN as CN=<service account="">,OU=<ou>, DC=dsa,DC=<company>,DC=com but it would not work. After getting this working, squid would identify the user so I was able to get Squidguard group ACLs working. The trick for that was to make sure that any OU that had a space in the name was converted with %20. ldap://<ad fqdn="">:3268/DC=dsa,DC=<company>,DC=com?sAMAccountName?sub?(&(sAMAccountName=%s)(memberOf=CN=<group>2%2cOU=<ou1>%2cOU=North**%20**America%2cOU=<ou3>%2cDC=dsa%2cDC=<company>%2cDC=com)) Note in the above string the space between North America had to be converted. Hope this helps somoeone.</company></ou3></ou1></group></company></ad></company></ou></service></company></service></ad></service>

I got it, the problem was that I created a subdomain in HAProxy that lead to the pfsense WebGUI and HAProxy does a health check every 1000 ms by default. All I had to do was disabling the health checks for the backend.

To reiterate: the simple solution is to use an additional Squid proxy instance on a seperate machine, and setup that instance as a parent proxy for the pfSense Squid instance. I've implemente it like that because I wanted the Squid on pfSense to act as a transparent proxy. For multi-WAN, just use policy based routing (gateway groups). This leaves DNS as the only potential issue when the default gateway goes down I think, and that can probably be solved by using an additional Unbound instance on a seperate machine. I didn't test that yet, though, because my default gateway is pretty stable.

I have resolved the issue. I set the DHCP Server to use the interface as the DNS Server. I then applied the same server addresses into squid "use alternate DNS servers" IP addresses vary depending on your network scope. ex: LAN=192.168.1.1 use this as the DNS server applied to DHCP clients. Configure in DHCP Server>Servers>DNS Servers. Then enter the same DNS server(s) IP in Squid Proxy Server>General>Use Alternate DNS Servers for the Proxy Server. HTTPS filtering should work flawlessly using Splice All. And block only the sites set in Squidguard rules.

Hello Ashima, Did you find the solution for this case? tks, Santoro

You CANNOT use ACME cert!!! You need your own cert. authority!!!