@killmasta93: sarg but not sure if they took it down on 2.3 Thanks. SARG does seem to be missing from 2.3 Andy

@KOM: I don't ever run a transparent proxy (less hassles with explicit) so I couldn't really try this myself.  Sorry for wasting your time.  It would have been nice if it had worked. Well…using WPAD no need to run transparent mode but I have had sometimes issues with some government websites that need to run transparent mode for some odd reason Also limiters Break NAT reflection also keep that in mind.

sarg also if your on 2.2.6

i would not recomend squid to use the virus scan, it takes a lot of resources and for what i saw its not that stable, i had this enabled it gave me issues when a user wanted to hear music though itunes or radio fm online

Alright, solution for this, in case anyone needs it, is to edit /usr/local/pkg/squid.inc: Go to section: // Set up the external authentication programs There's a switch function there, go to the LDAP section and modify the $port variable assignment to look like this: $port = (isset($settings['auth_server_port']) ? "-p {$settings['auth_server_port']}" : ''); In bold the -p oprion I believe is missing in the original .inc file. As a matter of facts, right below LDAP auth options, come RADIUS options and there the "-p" is present: case 'radius': $port = (isset($settings['auth_server_port']) ? "-p {$settings['auth_server_port']}" : ''); Cheers.

Yes the forward-for would insert the clientip, but even without it a wireshark should show the packets coming from the correct client-ip address if you have the 'source ipv4@ usesrc clientip' in the haproxy config. Its almost impossible for IIS to then see that traffic came from pfSense itself.. Also make sure youve got the name exactly right. HTTP_X_FORWARDED_FOR v.s. X-FORWARDED-FOR in the online screenshot might make the difference.?

For squidguard settings, you must click both the Save button on the tab you're working with, and then the Apply button at the top of the General Settings tab.

Over 70 views and no responses, how sad… Nevermind, ive switched to Captive Portal with Radius Authentication.

This is absolutely perfect! I have added HAProxy as a trusted proxy. It's working flawlessly now! Thanks for your help! Today I learned… :)

######cache Pfsense refresh_pattern -i .(gif|png|ico|jpg|jpeg|jp2|webp)$ 100000 90% 200000 override-expire reload-into-ims ignore-no-store ignore-private refresh-ims refresh_pattern -i .(jpx|j2k|j2c|fpx|bmp|tif|tiff|bif)$ 100000 90% 20000 override-expire reload-into-ims ignore-no-store ignore-private refresh-ims refresh_pattern -i .(pcd|pict|rif|exif|hdr|bpg|img|jif|jfif)$ 100000 90% 200000 override-expire reload-into-ims ignore-no-store ignore-private refresh-ims refresh_pattern -i .(woff|woff2|eps|ttf|otf|svg|svgi|svgz|ps|ps1|acsm|eot)$ 100000 90% 200000 override-expire reload-into-ims ignore-no-store ignore-private refresh-ims #cache content refresh_pattern -i .(swf|js|ejs)$ 100000 90% 200000 override-expire reload-into-ims ignore-no-store ignore-private refresh-ims refresh_pattern -i .(wav|css|class|dat|zsci|ver|advcs)$ 100000 90% 200000 override-expire reload-into-ims ignore-no-store ignore-private refresh-ims #cache videos refresh_pattern -i .(mpa|m2a|mpe|avi|mov|mpg|mpeg|mpg3|mpg4|mpg5)$ 100000 90% 200000 override-expire reload-into-ims ignore-no-store ignore-private refresh-ims refresh_pattern -i .(m1s|mp2v|m2v|m2s|m2ts|mp2t|wmx|rm|rmvb|3pg|3gpp|omg|ogm|asf|war)$ 100000 90% 200000 override-expire reload-into-ims ignore-no-store ignore-private refresh-ims refresh_pattern -i .(asx|mp2|mp3|mp4|mp5|wmv|flv|mts|f4v|f4|pls|midi|mid)$ 100000 90% 200000 override-expire reload-into-ims ignore-no-store ignore-private refresh-ims refresh_pattern -i .(htm|html)$ 9440 90% 200000 reload-into-ims ignore-no-store ignore-private refresh-ims refresh_pattern -i .(xml|flow|asp|aspx)$ 0 90% 200000 refresh-ims refresh_pattern -i .(json)$ 0 90% 200000 refresh-ims refresh_pattern -i (/cgi-bin/|?) 0 90% 200000 #cache binaries refresh_pattern -i .(app|bin|deb|rpm|drpm|exe|zip|zipx|tar|tgz|tbz2|tlz|iso|arj|cfs|dar|jar)$ 100000 90% 200000 override-expire reload-into-ims ignore-no-store ignore-private refresh-ims refresh_pattern -i .(bz|bz2|ipa|ram|rar|uxx|gz|msi|dll|lz|lzma|7z|s7z|Z|z|zz|sz)$ 100000 90% 200000 override-expire reload-into-ims ignore-no-store ignore-private refresh-ims refresh_pattern -i .(exe|msi)$ 0 90% 200000 refresh-ims refresh_pattern -i .(cab|psf|vidt|apk|wtex|hz|ova|ovf)$ 100000 90% 200000 override-expire reload-into-ims ignore-no-store ignore-private refresh-ims #cache microsoft and adobe and other documents refresh_pattern -i .(ppt|pptx|doc|docx|docm|docb|dot|pdf|pub|ps)$ 100000 90% 200000 override-expire reload-into-ims ignore-no-store ignore-private refresh-ims refresh_pattern -i .(xls|xlsx|xlt|xlm|xlsm|xltm|xlw|csv|txt)$ 100000 90% 200000 override-expire reload-into-ims ignore-no-store ignore-private refresh-ims #cache specific sites refresh_pattern -i ^http://liveupdate.symantecliveupdate.com.(zip)$ 0 0% 0 refresh_pattern -i ^http://premium.avira-update.com.(gz) 0 0% 0 refresh_pattern -i microsoft.com/..(cab|exe|msi|msu|msf|asf|wma|dat|zip)$ 4320 80% 43200 reload-into-ims refresh-ims refresh_pattern -i windowsupdate.com/..(cab|exe|msi|msu|msf|asf|wma|wmv)|dat|zip)$ 4320 80% 43200 reload-into-ims refresh-ims refresh_pattern -i windows.com/..(cab|exe|msi|msu|msf|asf|wmv|wma|dat|zip)$ 4320 80% 43200 reload-into-ims refresh-ims refresh_pattern -i apple.com/..(cab|exe|msi|msu|msf|asf|wmv|wma|dat|zip|dist)$ 0 80% 43200 reload-into-ims refresh-ims Youtube Video refresh_pattern -i (get_video?|videoplayback?|videodownload?|.mp4|.webm|.flv|((audio|video)/(webm|mp4))) 241920 100% 241920 override-expire ignore-reload ignore-private ignore-no-store ignore-must-revalidate reload-into-ims ignore-auth store-stale refresh_pattern -i ^https?://..googlevideo.com/videoplayback.    10080 99% 43200 override-lastmod override-expire ignore-reload reload-into-ims ignore-private reload-into-ims ignore-auth store-stale refresh_pattern -i ^https?://..googlevideo.com/videoplayback.$    241920 100% 241920 override-expire ignore-reload ignore-private ignore-no-store ignore-must-revalidate reload-into-ims ignore-auth store-stale Image Youtube refresh_pattern -i (yimg|twimg).com.*        1440 100% 129600 override-expire ignore-reload reload-into-ims refresh_pattern -i (ytimg|ggpht).com.*        1440 80% 129600 override-expire override-lastmod ignore-auth ignore-reload reload-into-ims #images facebook refresh_pattern -i fbcdn.net/..((jp(e?g|e|2)|gif|pn[pg]|bm?|tiff?|ico|swf|css|js)|(jp(e?g|e|2)|gif|pn[pg]|bm?|tiff?|ico|swf|css|js)(?|.$)) 241920 99% 241920 ignore-no-store ignore-private override-expire override-lastmod reload-into-ims ignore-auth refresh_pattern -i pixel.facebook.com..(jpg|png|gif|ico|css|js) 241920 80% 241920 override-expire ignore-reload reload-into-ims ignore-auth refresh_pattern -i .akamaihd.net..(jpg|png|gif|ico|css|js) 241920 80% 241920 override-expire ignore-reload reload-into-ims ignore-auth refresh_pattern -i ((facebook.com)|(85.131.151.39)).(jpg|png|gif) 241920 99% 241920 ignore-reload override-expire ignore-no-store store-stale refresh_pattern -i fbcdn.net/..((jp(e?g|e|2)|gif|pn[pg]|bm?|tiff?|ico|swf|css|js)|(jp(e?g|e|2)|gif|pn[pg]|bm?|tiff?|ico|swf|css|js)(?|.$)) 241920 99% 241920 ignore-no-store ignore-private override-expire override-lastmod reload-into-ims ignore-auth refresh_pattern static.(xx|ak).fbcdn.net.(jpg|gif|png) 241920 99% 241920 ignore-reload override-expire ignore-no-store refresh_pattern ^https?://profile.ak.fbcdn.net*.(jpg|gif|png) 241920 99% 241920 ignore-reload override-expire ignore-no-store Video Facebook refresh_pattern -i .video.ak.fbcdn.net.*.(mp4|flv|mp3|amf)                    10080 80% 43200 override-expire ignore-reload reload-into-ims ignore-private ignore-no-store ignore-must-revalidate refresh_pattern (audio|video)/(webm|mp4) 129600 99% 129600 ignore-reload override-expire override-lastmod ignore-must-revalidate  ignore-private ignore-no-store ignore-auth store-stale refresh_pattern -i ^http://.squid.internal.  241920 100% 241920 override-lastmod override-expire ignore-reload ignore-must-revalidate ignore-private ignore-no-store ignore-auth store-stale

same probleme with me and even the blacklists do not downloading

Not exactly a solution to the problem via pfSense, but I've done this with authentication on NGINX.  Theoretically, you could put an NGINX reverse proxy with auth setup on your internal server (I use auth_basic, but LDAP or other methods would work).  Then, if you hit https://nginx/myservice, you get the auth page.  Apache should work too. I need to use something similar at work to "secure" a closed source timesheet server that is pretty poorly done, but I'm stuck with it.  I feel better using modern auth to protect the web interface to prevent threats on the poorly designed second level of auth provided by the timesheet server.

Yes put this to custom adv opt. http_port  8080  if you use enable ssl you can use something like below http_port  8080 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=10MB cert=/usr/local/etc/squid/serverkey.pem capath=/usr/local/share/certs/  ; assuming you use the latest squid package from pfsense repo and pfsensen 2.3.2. not sure if it will work other version. the first one should work on all version. https will only tunnel.

OP wants to know how to transparent only selected IPs. ssl bumb is already added in the new squid config. including this one ssl_bump server-first all. Yes he can add to donnot proxy source address using alias on the Bypass Proxy for These Source IPs if he does not want to use th NAT. It will be added in the NAT eventualy. But if you want to enable http to all client while only selected client will have https transparent to avoid certificate confussion then use the nat posted above. use destination port 443 to not redirect if not selected client.

Thank you.

@Willo: @chris4916, I'm wondering if the authentication couldn't be "transparent" by authenticating to either a local user database or AD?  So when they browse, it silently authenticates in the background? This wording is quite confusing especially when topic is proxy. Avoid "transparent authentication" wording, IMHO  ;) This said, technically, yes you can enable SSO (single sign on) at browser level and configure Squid (and your browser) to support Kerberos (because SSO is Kerberos based) but be aware that: 1 - this is an extra level of complexity. Perhaps not the one to start with 2 - Behaviour differs depending on browsers 3 - This works with Squid / Squidguard but I don't know if pfSense packages allows such configuration 4 - last but not least, this means to have Kerberos domain configured (and used). This is often achieved with Windows domain. I would suggest that you not try to achieve everything from scratch in one shot. Start with authentication and filter then once this works, you can think about changing your authentication mechanism and move to SSO