@ajnozari:

when you save Squid stops then re-starts to reload the configuration.

Why is pfsense not using the reload function/option instead of a restart? Atm you can't make any changes in a live environment. I have to wait until everyone has finished work to make any changes.

Thanks

"Bypass Proxy for Private Address Destination" did the job

The https://hostname/HAproxy_listeners.php never existed on 2.3.x versions.. (or at least it wasnt supposed to..) All the php package files for haproxy package where moved to a subfolder https://hostname/haproxy/HAproxy_listeners.php ..

It might have been that some old 2.2.x files remained or that old menu references where still present in the config file..

Anyway good that a reinstall of package fixed it..  :D

Hi,

getting the cert error that a cert is issued to "http" seems for me to be related to a squidguard target category or a blacklist which contains "unallowed" characters.
I have no problems with the "shallalist.de" blacklist. So I would suggest to determine which Target Categorie is leading to this problem to disable them all, click first "Save" and the "Apply" und squidguard General page and try again. If it is working then try to add target categories one after another with the same steps as long as it stops working.

Then if you have identified the target category causing the problem, then try to find the problematic characters or symbols and the with this information open a bug report on reminde.pfsense.org.
I did not found the causing characters until now.

Regards.

Here is some more information to try and clarify the issue.

Here is the following screen that is received when trying to navigate to the website hosted inside the network (behind pfsense/squid) when squid is turned on.

As from my previous post, the example url that I gave was http://git.gitserver.com. As from the image above, the URL has now turned into https://git.gitserver.com for no apparent reason.

Is there something that I'm missing because this site is hosted behind pfsense and squid? Why would squid automatically redirect the site to https if the site was never configured to accept https connections?

Thanks,
Uh_Hey

squid is/should be in the 'available packages' list on 2.3.1

As a reply to this in case people in the future are looking, I ended up going with HAProxy.  Not only was the setup 10x easier than squid, but it works with SNI so there's end to end encryption.  The ONLY downside is that clients who don't support SNI will need to be dealt with somehow, but I'm not sure what HAProxy does for them.  At some point in the future I will be testing this so if mods could leave this open for a bit longer so I can report that bit of information (or a solution for those users).

pfsense version 2.2.6 having squid and squid guard
pfsense able to see all the containers .However, when i tried to authenticate the users by proxy …each time i enter my credentials in the browser is not verified me and keeps popup the authentication page

How did you resolve it…?

Looks like it might be a cache issue.  In the console try and do the following

cd /var/cache/pkg ls -al | grep "squid"

If it finds anything (and even if it doesn't), just do the following to clear it:

cd /var/cache/pkg rm -rf *

PLEASE PLEASE PLEASE don't do that last command ANYWHERE but in the /var/cache/pkg folder or it will mess things up.

Hi cjb,

Its both possible each with its own (dis)-advantage..

If you leave the certificates on the webservers then haproxy only has to forward the tcp traffic which is a pretty simple job so little cpu usage on haproxy.
-only a few acl conditions that are available in 'mode tcp' (basically only the SNI name can be checked among a few others L4 fetches.)
-Higher cpu usage for decryption on webservers (probably easy to add more webservers in case cpu usage reaches 100% cpu..)
-Lower cpu usage on haproxy

If you put the crertificates on haproxy
-'mode http' with all advantages that come with that:
  -allows inserting/rewriting http headers (x-forwarded-for header)
  -and allows writing acl's for specific paths or other conditions with full access to all L7 information.
  -more detailed logging
-centralized certificate management. (1 place to upgrade every X time.)
-Higher cpu usage on haproxy (hard to scale up once haproxy reaches 100% cpu..)
-Lower cpu usage for decryption on webservers
-might cause issues with website if forwarded over :80 where it will try to redirect the client to :443 even though the actual request was already made over 443, as a workaround you could then reencrypt the communication on backend side, this would then increase cpu usage on haproxy even more, and the lower cpu on the webserver wouldn't be applicable, though for that last part you could use a 'easy' cipher on backend..

There might be some other differences i'm forgetting to mention a.t.m. … Anyway youl have to decide if you want more features on haproxy, or need to be conservative with cpu resources.

Regards,
PiBa-NL

Lightsquid is the only one currently available.  Sarg may reappear later on.  If you're brave then you could try getting Sarg to install & run by manually installing it from FreeBSD's repo.  You could manually grab the access.log and run it through AWStats, or Squidalyzer, or some other log analysis tool.

You can do this with Nginx, just google "nginx reverse proxy".  I will say I prefer apache, but that's because it's the httpd server I started with back when I didn't understand anything about the internet.

after a quick search I found: https://www.nginx.com/resources/admin-guide/reverse-proxy/ which looks to be a thorough guide and should help you on your way.  You don't mention anything about SSL though but IIRC the guide covers that as well.