To help anyone else who googles a similar issue - I set this all up and it was failing on HAProxy health check and wouldn't work. Digging around, googling, viewing the log etc, I finally noticed that the logs shows (for the health check after turning logging on for this).

….....is DOWN, reason: Layer7 wrong status, code: 405, info: "Not Allowed"

Googled and then realised that the code 405 is a HTTP code, and HTTP 405 is "Method Not Allowed".

I changed the health check HTTP check method from OPTIONS to a simple GET.

This resolved it.

Thanks again for to doktornotor for such a simple elegant solution.

@RootMd5:

Hi ,

Right now Squid Authentication is served over HTTP with browser.

How to force it to HTTPS ,to secure authentication information ?

Please Guide.

Hi Everyone please help on this query , Thanks :)

Thanks for the help doktornotor, I will what I can do =/

Sichent

Thanks for your assistance. I finally figured it out. Here is what worked in my environment:

LDAP Version: 3
LDAP Server
User DN: <service account="">@ <ad fqdn="">LDAP Password: <service account="" password="">LDAP Base Domain: DC=dsa,DC=<company>,DC=com
LDAP Username DN Attribute: samAccountName
LDAP Search Filter: (sAMAccountName=%s)

I tried to use the User DN as CN=<service account="">,OU=<ou>, DC=dsa,DC=<company>,DC=com but it would not work.

After getting this working, squid would identify the user so I was able to get Squidguard group ACLs working. The trick for that was to make sure that any OU that had a space in the name was converted with %20.

ldap://<ad fqdn="">:3268/DC=dsa,DC=<company>,DC=com?sAMAccountName?sub?(&(sAMAccountName=%s)(memberOf=CN=<group>2%2cOU=<ou1>%2cOU=North**%20**America%2cOU=<ou3>%2cDC=dsa%2cDC=<company>%2cDC=com))

Note in the above string the space between North America had to be converted.

Hope this helps somoeone.</company></ou3></ou1></group></company></ad></company></ou></service></company></service></ad></service>

I got it, the problem was that I created a subdomain in HAProxy that lead to the pfsense WebGUI and HAProxy does a health check every 1000 ms by default. All I had to do was disabling the health checks for the backend.

To reiterate: the simple solution is to use an additional Squid proxy instance on a seperate machine, and setup that instance as a parent proxy for the pfSense Squid instance. I've implemente it like that because I wanted the Squid on pfSense to act as a transparent proxy. For multi-WAN, just use policy based routing (gateway groups). This leaves DNS as the only potential issue when the default gateway goes down I think, and that can probably be solved by using an additional Unbound instance on a seperate machine. I didn't test that yet, though, because my default gateway is pretty stable.

I have resolved the issue. I set the DHCP Server to use the interface as the DNS Server. I then applied the same server addresses into squid "use alternate DNS servers"

IP addresses vary depending on your network scope.

ex: LAN=192.168.1.1 use this as the DNS server applied to DHCP clients. Configure in DHCP Server>Servers>DNS Servers.

Then enter the same DNS server(s) IP in Squid Proxy Server>General>Use Alternate DNS Servers for the Proxy Server.

HTTPS filtering should work flawlessly using Splice All. And block only the sites set in Squidguard rules.

Hello Ashima,
Did you find the solution for this case?

tks,
Santoro

You CANNOT use ACME cert!!! You need your own cert. authority!!!

Services - Squid Proxy Server - Remote Cache?

Anyone?

For anybody who would have the same problems. I had the website already running for a while over NAT before it was changed to HAProxy. I let let's encrypt create new Certificates and changed the forwarding (http to https) to HAProxy, not the IIS anymore. Now it's working.

Clear your cache before you try though!

Nice, thanks. ;)

@Digital_ADHD:

I have searched, but has this been resolved? I don't know where to put this..

$sge_prefix = (preg_match("/\?/", $cl['u']) ? "&" : "?"); $str[] = '< iframe > src="'. $cl['u'] . $sge_prefix . 'sgr=ACCESSDENIED" width="1" height="1" > < /iframe >';

I wanna know too!