To reiterate: the simple solution is to use an additional Squid proxy instance on a seperate machine, and setup that instance as a parent proxy for the pfSense Squid instance. I've implemente it like that because I wanted the Squid on pfSense to act as a transparent proxy. For multi-WAN, just use policy based routing (gateway groups). This leaves DNS as the only potential issue when the default gateway goes down I think, and that can probably be solved by using an additional Unbound instance on a seperate machine. I didn't test that yet, though, because my default gateway is pretty stable.

I have resolved the issue. I set the DHCP Server to use the interface as the DNS Server. I then applied the same server addresses into squid "use alternate DNS servers" IP addresses vary depending on your network scope. ex: LAN=192.168.1.1 use this as the DNS server applied to DHCP clients. Configure in DHCP Server>Servers>DNS Servers. Then enter the same DNS server(s) IP in Squid Proxy Server>General>Use Alternate DNS Servers for the Proxy Server. HTTPS filtering should work flawlessly using Splice All. And block only the sites set in Squidguard rules.

Hello Ashima, Did you find the solution for this case? tks, Santoro

You CANNOT use ACME cert!!! You need your own cert. authority!!!

Services - Squid Proxy Server - Remote Cache?

Anyone?

For anybody who would have the same problems. I had the website already running for a while over NAT before it was changed to HAProxy. I let let's encrypt create new Certificates and changed the forwarding (http to https) to HAProxy, not the IIS anymore. Now it's working. Clear your cache before you try though!

Nice, thanks. ;)

@Digital_ADHD: I have searched, but has this been resolved? I don't know where to put this.. $sge_prefix = (preg_match("/\?/", $cl['u']) ? "&" : "?"); $str[] = '< iframe > src="'. $cl['u'] . $sge_prefix . 'sgr=ACCESSDENIED" width="1" height="1" > < /iframe >'; I wanna know too!

What version of pfSense are you running?  This might be helpful: http://squid-web-proxy-cache.1019090.n4.nabble.com/TCP-DENIED-407-with-SSL-Sites-but-the-site-is-accessible-td2340748.html I can't be more specific since I don't have user auth for my squid and I've never seen this problem before.

Still no luck.. Is there any suggestion to my issue?

Replace /usr/local/www/sgerror.php with your own.

Issue resolved by adding a secondary front-end that piggybacks on the backend configurations of the primary frontend. Although this is a workaround we should not the pfsense has a limit of 121 entries in HAProxy front-end ACL section.

Plus One ! An article suggests tha SonicWall also uses MITM to block HTTPS content. https://www.sonicwall.com/en-us/support/knowledge-base/170505508942849 They call DPI-SSL but it seems like a MITM/SSL-Bump solution. Regards.