  • [SOLVED] squid ca for ssl intercepting

    4
    0 Votes
    4 Posts
    940 Views
    R
    Thanks
  • Newbie Question: Getting only TCP_MISS(200, 206, 304, 412, etc) in Squid

    5
    0 Votes
    5 Posts
    11k Views
    T
    I have seen a lot of the same thing and wondered even if my proxy was working. So in pfsense 2.0 I think I started looking for something to tell me how many hits and misses. I found something and made it work in pfsense 2.0 and up to the latest version as of today. I am trying to make a package for it. Here is what I did so far for it. https://forum.pfsense.org/index.php?topic=87982.0
  • SQUID 0.4.29_1 +LDAP. authentication problem

    6
    0 Votes
    6 Posts
    6k Views
    D
    As noted above, no one touched LDAP for ages in the pfSense package. If someone screwed things upstream, it needs to be fixed upstream. http://bugs.squid-cache.org/index.cgi Also, there shouldn't be any need to use a GC unless you cannot specify the search domain/OU.
  • Squid Certificate https

    2
    0 Votes
    2 Posts
    1k Views
    P
    What you can do is host the certificate somewhere within your network, either on the pfsense web server or any other internal web server you have. Then you can edit the captive portal page to have a download button for the certificate, and ask users to install it. However, I don't know how much I recommend using Squid for HTTPS filtering. I'm not having very good luck with it myself, it seems to give all sorts of random problems such as slow browsing, or causing HTTPS websites to not work, certificate errors and all sorts. It seems to really be bodged together, on top of that… It doesn't really have SSL inspection. You're kinda limited to categorical blocking via domains.
  • Squidguard Regular expressions

    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • [PATCH][TESTREQ] Squid package 0.4.29 SSL/MITM proxy fixes

    Locked
    4
    0 Votes
    4 Posts
    2k Views
    D
    Merged in 0.4.30 to 2.3.3/2.4, closing.
  • Haproxy

    2
    0 Votes
    2 Posts
    858 Views
    D
    @ledj: How do I install latest changes https://github.com/pfsense/FreeBSD-ports/commits/devel/net/pfSense-pkg-haproxy in pfsense 2.3.2 ?
    You don't. Use 2.3.3 snapshots.
    @ledj: And will haproxy (not dev) soon be based on upstream 1.7 stable branch ?
    Uhm, no? That'd be 1.8 when it's stable. And -dev would become whatever is the development branch upstream at that point.
  • Squidguard, Transparent Proxy and Webmail

    1
    0 Votes
    1 Posts
    570 Views
    No one has replied
  • Egress filtering + squid gives me issues

    7
    0 Votes
    7 Posts
    2k Views
    czar666
    Update: Like I thought, disabling dns rule had an immediate impact on the network.
  • NT DOMAIN not listed in the authentication method list

    2
    0 Votes
    2 Posts
    589 Views
    D
    You do not make it appear, it was removed (https://redmine.pfsense.org/issues/7017). Use LDAP.
  • Squidguard blocking LAN I.P addresses

    5
    0 Votes
    5 Posts
    2k Views
    C
    What does your WPAD file look like? Should be somewhat similar to this for the basics… Mine's a little different from the most basic, but this works fine for me, even when I have the option to block by IP addresses in the URL set, since the connections aren't proxied and are connecting directly.
        function FindProxyForURL(url, host) {
          // Unqualified host names (no dots) connect directly
          if (isPlainHostName(host)) {
            return "DIRECT";
          }
          // Loopback addresses (127.0.0.x) connect directly
          if (isInNet(host, "127.0.0.1", "255.255.255.0")) {
            return "DIRECT";
          }
          // Hosts in 192.168.0.0/24 connect directly
          if (isInNet(host, "192.168.0.0", "255.255.255.0")) {
            return "DIRECT";
          }
          // Everything else goes through the proxy
          return "PROXY 192.168.1.1:3128";
        }
  • Squidguard blacklist notification

    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Newbie issue with SSL MITM with Squid

    1
    0 Votes
    1 Posts
    521 Views
    No one has replied
  • Squid revealing itself?

    2
    0 Votes
    2 Posts
    883 Views
    D
    That's not Squid, that's from C-ICAP/ClamAV. You'd need to switch to the manual config there and find whatever to set there in docs. Good luck.
  • Shallalist dead..?

    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Reverse Proxy -> IPv6 support

    9
    0 Votes
    9 Posts
    2k Views
    G
    @doktornotor: notes that HAproxy works out of the box and whole lot better than Squid for reverse proxy.
    Configured HAproxy now. Much better and flexible! And Exchange works perfect. thx
  • Cannot Connect to URL through Squid

    2
    0 Votes
    2 Posts
    809 Views
    K
    Well I finally got it to work by adding the CIDR networks in the Bypass Proxy for these Destination IPs field under the Squid Package but I believe there is a problem if I replace the entry with an alias. After adding the alias I was no longer able to connect. Is this a bug or an error on my part? Your help would be much appreciated.
  • Multi segmented downloading broken in squid

    4
    0 Votes
    4 Posts
    985 Views
    N
    It's too bad. Thanks for your feedback.
  • 0 Votes
    49 Posts
    13k Views
    jimp
    It works fine, this is an ancient issue that has nothing to do with the modern package system. Start a new thread if you have a problem, but it's not related to this. Locking thread.
  • HPKP and HSTS in haproxy-1.6.6 (package 0.48_1)

    2
    0 Votes
    2 Posts
    1k Views
    P
    Pretty much anything belonging with a frontend can be configured in the 'Advanced pass thru' field. Or did you mean something else? Something like this:
        http-response add-header Public-Key-Pins "pin-sha256=\"KEY1\"; pin-sha256=\"KEY2\"; max-age=15768000"
    p.s. Do start with low age like 60 seconds, until you're sure you've got the configuration right.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.