This is absolutely perfect! I have added HAProxy as a trusted proxy. It's working flawlessly now! Thanks for your help!

Today I learned… :)

######cache Pfsense
refresh_pattern -i .(gif|png|ico|jpg|jpeg|jp2|webp)$ 100000 90% 200000 override-expire reload-into-ims ignore-no-store ignore-private refresh-ims
refresh_pattern -i .(jpx|j2k|j2c|fpx|bmp|tif|tiff|bif)$ 100000 90% 20000 override-expire reload-into-ims ignore-no-store ignore-private refresh-ims
refresh_pattern -i .(pcd|pict|rif|exif|hdr|bpg|img|jif|jfif)$ 100000 90% 200000 override-expire reload-into-ims ignore-no-store ignore-private refresh-ims
refresh_pattern -i .(woff|woff2|eps|ttf|otf|svg|svgi|svgz|ps|ps1|acsm|eot)$ 100000 90% 200000 override-expire reload-into-ims ignore-no-store ignore-private refresh-ims
#cache content
refresh_pattern -i .(swf|js|ejs)$ 100000 90% 200000 override-expire reload-into-ims ignore-no-store ignore-private refresh-ims
refresh_pattern -i .(wav|css|class|dat|zsci|ver|advcs)$ 100000 90% 200000 override-expire reload-into-ims ignore-no-store ignore-private refresh-ims
#cache videos
refresh_pattern -i .(mpa|m2a|mpe|avi|mov|mpg|mpeg|mpg3|mpg4|mpg5)$ 100000 90% 200000 override-expire reload-into-ims ignore-no-store ignore-private refresh-ims
refresh_pattern -i .(m1s|mp2v|m2v|m2s|m2ts|mp2t|wmx|rm|rmvb|3pg|3gpp|omg|ogm|asf|war)$ 100000 90% 200000 override-expire reload-into-ims ignore-no-store ignore-private refresh-ims
refresh_pattern -i .(asx|mp2|mp3|mp4|mp5|wmv|flv|mts|f4v|f4|pls|midi|mid)$ 100000 90% 200000 override-expire reload-into-ims ignore-no-store ignore-private refresh-ims
refresh_pattern -i .(htm|html)$ 9440 90% 200000 reload-into-ims ignore-no-store ignore-private refresh-ims
refresh_pattern -i .(xml|flow|asp|aspx)$ 0 90% 200000 refresh-ims
refresh_pattern -i .(json)$ 0 90% 200000 refresh-ims
refresh_pattern -i (/cgi-bin/|?) 0 90% 200000
#cache binaries
refresh_pattern -i .(app|bin|deb|rpm|drpm|exe|zip|zipx|tar|tgz|tbz2|tlz|iso|arj|cfs|dar|jar)$ 100000 90% 200000 override-expire reload-into-ims ignore-no-store ignore-private refresh-ims
refresh_pattern -i .(bz|bz2|ipa|ram|rar|uxx|gz|msi|dll|lz|lzma|7z|s7z|Z|z|zz|sz)$ 100000 90% 200000 override-expire reload-into-ims ignore-no-store ignore-private refresh-ims
refresh_pattern -i .(exe|msi)$ 0 90% 200000 refresh-ims
refresh_pattern -i .(cab|psf|vidt|apk|wtex|hz|ova|ovf)$ 100000 90% 200000 override-expire reload-into-ims ignore-no-store ignore-private refresh-ims
#cache microsoft and adobe and other documents
refresh_pattern -i .(ppt|pptx|doc|docx|docm|docb|dot|pdf|pub|ps)$ 100000 90% 200000 override-expire reload-into-ims ignore-no-store ignore-private refresh-ims
refresh_pattern -i .(xls|xlsx|xlt|xlm|xlsm|xltm|xlw|csv|txt)$ 100000 90% 200000 override-expire reload-into-ims ignore-no-store ignore-private refresh-ims

#cache specific sites
refresh_pattern -i ^http://liveupdate.symantecliveupdate.com.(zip)$ 0 0% 0
refresh_pattern -i ^http://premium.avira-update.com.(gz) 0 0% 0
refresh_pattern -i microsoft.com/..(cab|exe|msi|msu|msf|asf|wma|dat|zip)$ 4320 80% 43200 reload-into-ims refresh-ims
refresh_pattern -i windowsupdate.com/..(cab|exe|msi|msu|msf|asf|wma|wmv)|dat|zip)$ 4320 80% 43200 reload-into-ims refresh-ims
refresh_pattern -i windows.com/..(cab|exe|msi|msu|msf|asf|wmv|wma|dat|zip)$ 4320 80% 43200 reload-into-ims refresh-ims
refresh_pattern -i apple.com/..(cab|exe|msi|msu|msf|asf|wmv|wma|dat|zip|dist)$ 0 80% 43200 reload-into-ims refresh-ims

refresh_pattern -i (get_video?|videoplayback?|videodownload?|.mp4|.webm|.flv|((audio|video)/(webm|mp4))) 241920 100% 241920 override-expire ignore-reload ignore-private ignore-no-store ignore-must-revalidate reload-into-ims ignore-auth store-stale
refresh_pattern -i ^https?://..googlevideo.com/videoplayback.    10080 99% 43200 override-lastmod override-expire ignore-reload reload-into-ims ignore-private reload-into-ims ignore-auth store-stale
refresh_pattern -i ^https?://..googlevideo.com/videoplayback.$    241920 100% 241920 override-expire ignore-reload ignore-private ignore-no-store ignore-must-revalidate reload-into-ims ignore-auth store-stale

refresh_pattern -i (yimg|twimg).com.*        1440 100% 129600 override-expire ignore-reload reload-into-ims
refresh_pattern -i (ytimg|ggpht).com.*        1440 80% 129600 override-expire override-lastmod ignore-auth ignore-reload reload-into-ims

#images facebook
refresh_pattern -i fbcdn.net/..((jp(e?g|e|2)|gif|pn[pg]|bm?|tiff?|ico|swf|css|js)|(jp(e?g|e|2)|gif|pn[pg]|bm?|tiff?|ico|swf|css|js)(?|.$)) 241920 99% 241920 ignore-no-store ignore-private override-expire override-lastmod reload-into-ims ignore-auth
refresh_pattern -i pixel.facebook.com..(jpg|png|gif|ico|css|js) 241920 80% 241920 override-expire ignore-reload reload-into-ims ignore-auth
refresh_pattern -i .akamaihd.net..(jpg|png|gif|ico|css|js) 241920 80% 241920 override-expire ignore-reload reload-into-ims ignore-auth
refresh_pattern -i ((facebook.com)|(85.131.151.39)).(jpg|png|gif) 241920 99% 241920 ignore-reload override-expire ignore-no-store store-stale
refresh_pattern -i fbcdn.net/..((jp(e?g|e|2)|gif|pn[pg]|bm?|tiff?|ico|swf|css|js)|(jp(e?g|e|2)|gif|pn[pg]|bm?|tiff?|ico|swf|css|js)(?|.$)) 241920 99% 241920 ignore-no-store ignore-private override-expire override-lastmod reload-into-ims ignore-auth
refresh_pattern static.(xx|ak).fbcdn.net.(jpg|gif|png) 241920 99% 241920 ignore-reload override-expire ignore-no-store
refresh_pattern ^https?://profile.ak.fbcdn.net*.(jpg|gif|png) 241920 99% 241920 ignore-reload override-expire ignore-no-store

refresh_pattern -i .video.ak.fbcdn.net.*.(mp4|flv|mp3|amf)                    10080 80% 43200 override-expire ignore-reload reload-into-ims ignore-private ignore-no-store ignore-must-revalidate
refresh_pattern (audio|video)/(webm|mp4) 129600 99% 129600 ignore-reload override-expire override-lastmod ignore-must-revalidate  ignore-private ignore-no-store ignore-auth store-stale
refresh_pattern -i ^http://.squid.internal.  241920 100% 241920 override-lastmod override-expire ignore-reload ignore-must-revalidate ignore-private ignore-no-store ignore-auth store-stale

same probleme with me and even the blacklists do not downloading

Not exactly a solution to the problem via pfSense, but I've done this with authentication on NGINX.  Theoretically, you could put an NGINX reverse proxy with auth setup on your internal server (I use auth_basic, but LDAP or other methods would work).  Then, if you hit https://nginx/myservice, you get the auth page.  Apache should work too.

I need to use something similar at work to "secure" a closed source timesheet server that is pretty poorly done, but I'm stuck with it.  I feel better using modern auth to protect the web interface to prevent threats on the poorly designed second level of auth provided by the timesheet server.

Yes put this to custom adv opt.
http_port  8080 
if you use enable ssl you can use something like below
http_port  8080 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=10MB cert=/usr/local/etc/squid/serverkey.pem capath=/usr/local/share/certs/  ;

assuming you use the latest squid package from pfsense repo and pfsensen 2.3.2. not sure if it will work other version. the first one should work on all version. https will only tunnel.

OP wants to know how to transparent only selected IPs. ssl bumb is already added in the new squid config. including this one ssl_bump server-first all.

Yes he can add to donnot proxy source address using alias on the Bypass Proxy for These Source IPs if he does not want to use th NAT. It will be added in the NAT eventualy. But if you want to enable http to all client while only selected client will have https transparent to avoid certificate confussion then use the nat posted above. use destination port 443 to not redirect if not selected client.

Thank you.

@Willo:

@chris4916, I'm wondering if the authentication couldn't be "transparent" by authenticating to either a local user database or AD?  So when they browse, it silently authenticates in the background?

This wording is quite confusing especially when topic is proxy. Avoid "transparent authentication" wording, IMHO  ;)

This said, technically, yes you can enable SSO (single sign on) at browser level and configure Squid (and your browser) to support Kerberos (because SSO is Kerberos based) but be aware that:

1 - this is an extra level of complexity. Perhaps not the one to start with
2 - Behaviour differs depending on browsers
3 - This works with Squid / Squidguard but I don't know if pfSense packages allows such configuration
4 - last but not least, this means to have Kerberos domain configured (and used). This is often achieved with Windows domain.

I would suggest that you not try to achieve everything from scratch in one shot.

Start with authentication and filter then once this works, you can think about changing your authentication mechanism and move to SSO

Your method doesn't work for me. I have already follow your instructions and still nothing. Please help!

Thank  you so much It was something with the acl i fixed see picture, Yea its version 1.5 Haproxy im still using pfSense 2.2.4

Thank you

Clipboarder.2016.10.01.png
Clipboarder.2016.10.01.png_thumb

Just cause it is a stupid mistake on my part…..

you have to ADD port 7445 to the squid proxy server's ACL SSLPorts list...

I resolved, the problem was that he had in squidguard configuration about default !all
thanks.

@KOM:

You have something very weird going on.  I couldn't even begin to guess at what it might be.  Please report back if you get to the bottom of it.

Yes, I agree it is very strange. Thank you for trying to help.

@robertfranz:

Was this broken all the way through 2.2.6 then?

On older versions of squid it failed silently – It would accept a longer password but only check the first 8 chars. The newer version properly rejected that as a mismatch until the method was changed to used a password hash that allowed longer than 8 char passwords.

So before it was even more insecure, but it was not obviously insecure.

This going to sounds odd - but on the Squid Local Cache tab, at the bottom of the pager is a section labelled Dynamic and Update Content.

In that section is a text box "Custom refresh_patterns"

Apparently, there are a lot of options that can be passed here - I know I've passed log directives to change to combined and pipe it through syslog_ng.

Quite possible that your code could be passed here, and it does survive reboots and (so far) upgrades.