For anybody who would have the same problems. I had the website already running for a while over NAT before it was changed to HAProxy. I let let's encrypt create new Certificates and changed the forwarding (http to https) to HAProxy, not the IIS anymore. Now it's working. Clear your cache before you try though!

Nice, thanks. ;)

@Digital_ADHD: I have searched, but has this been resolved? I don't know where to put this.. $sge_prefix = (preg_match("/\?/", $cl['u']) ? "&" : "?"); $str[] = '< iframe > src="'. $cl['u'] . $sge_prefix . 'sgr=ACCESSDENIED" width="1" height="1" > < /iframe >'; I wanna know too!

What version of pfSense are you running?  This might be helpful: http://squid-web-proxy-cache.1019090.n4.nabble.com/TCP-DENIED-407-with-SSL-Sites-but-the-site-is-accessible-td2340748.html I can't be more specific since I don't have user auth for my squid and I've never seen this problem before.

Still no luck.. Is there any suggestion to my issue?

Replace /usr/local/www/sgerror.php with your own.

Issue resolved by adding a secondary front-end that piggybacks on the backend configurations of the primary frontend. Although this is a workaround we should not the pfsense has a limit of 121 entries in HAProxy front-end ACL section.

Plus One ! An article suggests tha SonicWall also uses MITM to block HTTPS content. https://www.sonicwall.com/en-us/support/knowledge-base/170505508942849 They call DPI-SSL but it seems like a MITM/SSL-Bump solution. Regards.

See alternative to SquidGuard and Dansguardian / e2. GUI is own though and harder to install than desired. https://docs.diladele.com/tutorials/filtering_https_traffic_squid_pfsense/index.html

You have to import the CA into firefox manually. Its under options/advanced/certificates/view certificates/import.

You have two certificates there (webGUI + CA), or just one?

No, absolutely NOT. You need to have your own CA so that Squid can issue certificates for arbitrary domains on the fly. Otherwise, use "Splice All".

That is generally not what people are asking for when they want "Inspection." But it does work pretty well.

Hello, did you find any solution?