A slightly longer answer is that any SSL/TLS endpoint that is going to decrypt and authenticate incoming HTTPS connections MUST have a certificate because it's the cryptographic identification and authentication of a peer. If an SSL/TLS server you're connecting to claims to be 'www.example.tld' it must present a certificate (preferably signed by a trusted third party so it verifies correctly) with a CN (common name) 'www.example.tld', otherwise the SSL/TLS handshake will be aborted if the server can not present such certificate.

try this ldapusersearch ldap://dc1.domain.com.uy:3268/dc=domain,dc=com,dc=uy?sAMAccountName?sub?(&(sAMAccountName=%s)(memberOf=CN=Internet,OU=Grupos,dc=domain,dc=com,dc=uy)) "Internet" is my AD group located at "OU=Grupos"

All I can suggest here is starting a bounty for a complete package rewrite. Apparently noone will touch the current buggy code, since it's completely unreadable mess. Unfixable. Alternatively, get some blocklists in Squid's ACL format and use those.

(And, FWIW, about 99% sure this has completely nothing to do with "Bypass Proxy for These Source IPs" or any other Squid configuration. If you cleared whatever other fields, or simple re-saved the Squid config without doing any changes whatsoever, it'd have the same effect (restarting services, reloading firewall, working again until it breaks for god knows what reason…)

@doktornotor: It is intercepting just fine. Recently discussed in the proper forum. If things break, use the manual config, or don't MITM. apologies if I wasn't clear in my post - I am not implementing MITM and have never enabled it.  It would appear that while all other SSL traffic bypasses the proxy just fine (as intended), this one API call with the :443 appended may indeed be SSL but is attempting to go through the proxy.

that's correct.

That block of text is configurable in squidGuard's options.

@doktornotor: @sprinteroz: I found the setting in pfblockerBg that you where talking about but i could not work out what you meant by Force Reload all. Click the Update tab. Ok thanks done… Just a quick question before i install squidguard again how do i change the lists in squadguard once its installed encase I would like to add or remover rules on the lists.

Not ATM, no. Offload it to a logserver and do whatever you want with that, perhaps. (ELK, …)

would you mind telling me the model of Sophos UTM that you have before?

Inspecting the blocked content it all seems local to me, can't see any other domain names in it than just the domain name the site is running.

Awesome. I can confirm that the lightsquid_web is now running after the update.

I would move webgui to a non-standard port like 1443 or something, and disable the webgui-redirect.. Then at least you wont unintentionally end up on the webgui when trying to visit the wan-ip.

Content filtering == you can see the real content. Terminology mixup I guess. You cannot filter the content you do not see. http://wiki.squid-cache.org/Features/SslPeekAndSplice

Sorry, there is no support for packages on pfSense on 2.2.x. Also, the Squid version plus related packages there are extremely outdated and not really offering any of the recent features.

Well, at least things work now. (I certainly won't be able to debug any SIGSEGV issues there, my experience is that it was a HW issue ~95% of time. If not RAM, then CPU overheating, or bad PSU with unstable voltage.) If it's a bug with Squid, you'd need to move this to Squid mailing list or generally upstream, nothing pfSene specific there.

ok finaly I had to remove my domain name in the apache virtual host tag, replacing it by *.80 dont know why it was there in the tutorial