• Squid Reverse Proxy without SSL Offloading

    0 Votes, 2 Posts, 2k Views

    As a reply to this in case people in the future are looking, I ended up going with HAProxy.  Not only was the setup 10x easier than squid, but it works with SNI so there's end to end encryption.  The ONLY downside is that clients who don't support SNI will need to be dealt with somehow, but I'm not sure what HAProxy does for them.  At some point in the future I will be testing this so if mods could leave this open for a bit longer so I can report that bit of information (or a solution for those users).

  • SQUID and SQUIDGUARD problems with auth AD

    0 Votes, 7 Posts, 4k Views

    pfSense version 2.2.6 with Squid and SquidGuard.
    pfSense is able to see all the containers. However, when I try to authenticate users through the proxy, each time I enter my credentials in the browser they are not verified and the authentication prompt keeps popping up.

  • Thousands of log entries

    0 Votes, 1 Post, 798 Views, no replies

  • Lightsquid getting stuck when clicking on Proxy Status

    0 Votes, 3 Posts, 1k Views

    How did you resolve it…?

  • SquidGuard Common ACL DropDown List disappeared

    0 Votes, 1 Post, 529 Views, no replies

  • PfSense-pkg-squid installation failed!

    0 Votes, 6 Posts, 4k Views

    Looks like it might be a cache issue.  In the console, try the following:

    cd /var/cache/pkg && ls -al | grep squid

    If it finds anything (and even if it doesn't), just do the following to clear it:

    cd /var/cache/pkg && rm -rf *

    PLEASE PLEASE PLEASE don't do that last command ANYWHERE but in the /var/cache/pkg folder or it will mess things up.

  • Squid will not block all porn / gambling / etc

    Locked, 0 Votes, 9 Posts, 5k Views

    The latest Squid is capable of using an ICAP server, one that can look into the actual content being transferred. See http://docs.diladele.com/tutorials/filtering_https_traffic_squid_pfsense/index.html
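    Added example, not from the thread, the Diladele tutorial or the config pfSense generates: a squid.conf fragment that hands requests and responses to a content-inspecting ICAP server, with the SSL bump directives needed before the ICAP server can see HTTPS bodies. The ICAP server address and service paths, the CA file, and the LAN range are assumptions; the ssl-bump options use the Squid 3.5 syntax.

```squid
# squid.conf fragment (added example). Addresses, paths and the LAN range are assumptions.

acl localnet src 192.168.1.0/24

# Optional: SSL bump so the ICAP server sees decrypted HTTPS bodies. Every client must
# trust the CA in proxyca.pem, otherwise all HTTPS sites show certificate errors.
http_port 3128 ssl-bump cert=/usr/local/etc/squid/proxyca.pem generate-host-certificates=on dynamic_cert_mem_cache_size=16MB
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all

# Hand requests (reqmod) and responses (respmod) to the ICAP server.
icap_enable on
icap_send_client_ip on
icap_send_client_username on
# bypass=0: if the ICAP server is down or errors, Squid returns an error to the client
# instead of silently passing the content through unfiltered (fail closed).
icap_service svc_req  reqmod_precache  icap://127.0.0.1:1344/request  bypass=0
icap_service svc_resp respmod_precache icap://127.0.0.1:1344/response bypass=0
adaptation_access svc_req  allow localnet
adaptation_access svc_resp allow localnet

http_access allow localnet
http_access deny all
```

    On pfSense the package regenerates squid.conf from the GUI, so directives like these belong in the package's custom options field rather than in a hand-edited file. The bypass=0 setting is the one to check: with bypass=1 an ICAP outage turns the filter off without any visible error.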

  • HAProxy setup help needed

    0 Votes, 7 Posts, 2k Views

    Hi cjb,

    It's both possible, each with its own (dis)advantages.

    If you leave the certificates on the webservers, then haproxy only has to forward the TCP traffic, which is a pretty simple job, so little CPU usage on haproxy.
    - only a few ACL conditions are available in 'mode tcp' (basically only the SNI name can be checked, among a few other L4 fetches)
    - higher CPU usage for decryption on the webservers (probably easy to add more webservers in case CPU usage reaches 100%)
    - lower CPU usage on haproxy

    If you put the certificates on haproxy:
    - 'mode http' with all the advantages that come with that:
      - allows inserting/rewriting HTTP headers (X-Forwarded-For header)
      - allows writing ACLs for specific paths or other conditions, with full access to all L7 information
      - more detailed logging
    - centralized certificate management (one place to update every X time)
    - higher CPU usage on haproxy (hard to scale up once haproxy reaches 100% CPU)
    - lower CPU usage for decryption on the webservers
    - might cause issues with the website if forwarded over :80, where it will try to redirect the client to :443 even though the actual request was already made over 443; as a workaround you could then re-encrypt the communication on the backend side, but this would increase CPU usage on haproxy even more, and the lower CPU on the webserver wouldn't apply, though for that last part you could use an 'easy' cipher on the backend.

    There might be some other differences I'm forgetting to mention at the moment. Anyway, you'll have to decide if you want more features on haproxy or need to be conservative with CPU resources.

    Regards,
    PiBa-NL
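    Added example, not from this reply, from cjb's setup, or from the "Squid Reverse Proxy without SSL Offloading" thread above: an haproxy.cfg fragment showing both layouts compared here, the mode tcp SNI passthrough that the other thread settled on, and the mode http termination with the X-Forwarded-For header and L7 ACLs. Hostnames, addresses, the certificate path and the admin network are assumptions.

```haproxy
# haproxy.cfg fragment (added example). Names, addresses and paths are assumptions.
global
    log /dev/log local0

defaults
    log     global
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# --- Option A: certificates stay on the webservers (mode tcp, SNI passthrough) ---
frontend https_passthrough
    bind *:443
    mode tcp
    # Hold the connection briefly so the TLS ClientHello (and its SNI) can be inspected.
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }
    # Only the SNI name is available for routing; no headers, paths or cookies here.
    use_backend web1_tls if { req.ssl_sni -i www.example.com }
    use_backend web2_tls if { req.ssl_sni -i app.example.com }
    # Clients that send no SNI (or an unknown name) match nothing above and land here.
    default_backend web1_tls

backend web1_tls
    mode tcp
    server web1 192.0.2.10:443 check

backend web2_tls
    mode tcp
    server web2 192.0.2.11:443 check

# --- Option B: certificates on HAProxy (mode http, TLS terminated here) ---
# Shown on :8443 only so this fragment is self-consistent; in practice it is an
# alternative to frontend https_passthrough on :443, not something that runs beside it.
frontend https_terminate
    bind *:8443 ssl crt /usr/local/etc/haproxy/example.com.pem
    mode http
    option forwardfor                              # X-Forwarded-For: real client IP
    http-request set-header X-Forwarded-Proto https
    # Full L7 ACLs: Host header, path, method, source address, ...
    acl host_app   req.hdr(host) -i app.example.com
    acl path_admin path_beg /admin
    http-request deny if path_admin !{ src 192.168.1.0/24 }
    use_backend app_http if host_app
    default_backend web_http

backend web_http
    mode http
    # Plain :80 to the backend: the webserver must not redirect http -> https itself,
    # or it loops (the last bullet in the reply above).
    server web1 192.0.2.10:80 check

backend app_http
    mode http
    # Re-encrypt to the backend and verify its certificate, so the hop behind HAProxy
    # is not plaintext; costs the extra CPU on HAProxy the reply mentions.
    server web2 192.0.2.11:443 ssl verify required ca-file /etc/ssl/cert.pem check
```

    On the non-SNI question from the other thread: in mode tcp HAProxy does nothing special for such clients, req.ssl_sni is simply empty, none of the use_backend rules match, and the connection goes to default_backend, so that default should be the site you are willing to serve to legacy clients. In option B the X-Forwarded-Proto header is what lets the backend know the original request was already HTTPS.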

  • Proxy Reports - More Robust?

    0 Votes, 2 Posts, 640 Views, KOM

    Lightsquid is the only one currently available.  Sarg may reappear later on.  If you're brave then you could try getting Sarg to install & run by manually installing it from FreeBSD's repo.  You could manually grab the access.log and run it through AWStats, or Squidalyzer, or some other log analysis tool.

  • FTP Proxy package on 2.2 and FTP clients behind pfSense

    0 Votes, 1 Post, 1k Views, no replies

  • Nginx Reverse Proxy

    0 Votes, 2 Posts, 4k Views

    You can do this with Nginx, just google "nginx reverse proxy".  I will say I prefer apache, but that's because it's the httpd server I started with back when I didn't understand anything about the internet.

    after a quick search I found: https://www.nginx.com/resources/admin-guide/reverse-proxy/ which looks to be a thorough guide and should help you on your way.  You don't mention anything about SSL though but IIRC the guide covers that as well.

  • PFSense reverse proxy to https site does not work

    0 Votes, 2 Posts, 7k Views

    Ok, I'm new but I'll do my best.

    Your first issue is that you're trying to do two separate things.  You can just forward all web traffic from 443 that goes to the second NIC to that internal IP.  That works just fine, no squid is even needed.  In fact if you've dedicated an entire NIC for the lync then you shouldn't even need squid.  Just make sure you're setting the right NIC on the firewall, the right server IP, and disable squid, then see if it works.

    However, if you want to use squid you should send the incoming NAT rule to 127.0.0.1 and set squid to use the loopback (Services->Squid Reverse Proxy->General) and instead of port 443 internally use something like 8443.

    Remember that pfSense, as of 2.0 IIRC, doesn't like things coming through on 443 locally.  Also check the interface that you're using as I see that it's OPT1.  On my server hn0 is WAN, hn1 is local so the next one added (assuming I don't swap the local and the second WAN) would be hn2.  So for you OPT0 is probably your WAN1, OPT1 might be your internal network, and OPT2 might be your Wan2.

    Let me know if this helps.  Pics below of my NAT rules:

  • Squid3 Reverse Proxy - how do I redirect ALL HTTP requests to HTTPS

    0 Votes, 2 Posts, 3k Views

    Squid3 reverse proxy doesn't currently allow keeping the path.  If you set up a redirect from http://mydomain.com/page.html to https://mydomain.com/page.html, then you're better off setting up some kind of JavaScript script.  You can use Apache to redirect and keep the path, but in order to do so you will need to turn SSL offloading off for that site.

    Also of note: because of how Squid3 works, if you want to use PHP it won't work.  This is because Squid uses HTTP to connect to your webserver, unless you use SSL passthrough, which is something I can't figure out for pfSense, but I know it is possible with the version of Squid3 that pfSense has as a package, based on the Squid3 documentation.
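    Added example, not from the post: the Apache redirect the post refers to, which keeps the path, plus the scheme check a practitioner needs when TLS is terminated by Squid or HAProxy in front of Apache. mydomain.com is the post's own placeholder; that the offloader sets an X-Forwarded-Proto header is an assumption about your proxy.

```apache
# httpd.conf / VirtualHost fragment (added example). Hostname and header name are assumptions.
<VirtualHost *:80>
    ServerName mydomain.com
    RewriteEngine On
    # A direct HTTP client has %{HTTPS} = off. A client whose HTTPS request was offloaded
    # and forwarded here over :80 ALSO has %{HTTPS} = off, so only redirect when the proxy
    # did not mark the original request as https; otherwise the site loops :80 -> :443 -> :80.
    RewriteCond %{HTTPS} off
    RewriteCond %{HTTP:X-Forwarded-Proto} !^https$
    # Hard-coded hostname rather than %{HTTP_HOST}, so an attacker-supplied Host header is
    # not reflected into the redirect target. %{REQUEST_URI} preserves the path and query.
    RewriteRule ^ https://mydomain.com%{REQUEST_URI} [R=301,L]
</VirtualHost>
```

    With this in place http://mydomain.com/page.html redirects to https://mydomain.com/page.html, and a request that arrived at the proxy as HTTPS is served as-is. X-Forwarded-Proto is only trustworthy if Apache is reachable solely through the proxy; a client that can reach :80 directly can set the header itself, which here merely lets it stay on HTTP.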

  • Squid only access https site and access denied for http

    0 Votes, 1 Post, 857 Views, no replies

  • Squid + Clamav

    0 Votes, 6 Posts, 2k Views

    I've tried many possible configurations regarding HD and memory caching, even setting sizes to 0 and/or disabling it totally.

    But whatever I do, I still end up with speeds ~150/5.

    CPU is around 50-100% when I speed test.

    It doesnt seem to apply 1-1 to this issue https://redmine.pfsense.org/issues/6485, because it happens immediately when squid restarts after configurations.

  • Interfaces

    0 Votes, 2 Posts, 438 Views, kesawi

    Select the LAN interface. Squid will send traffic out of the default gateway.

  • Squidguard blocking all websites using IP address

    0 Votes, 3 Posts, 908 Views

    I'm using transparent proxy.

  • Squid3 in transparent mode not working

    0 Votes, 6 Posts, 1k Views

    Go explicit mode with WPAD and you should only have to worry about manually configuring Android phones to use the proxy.

    Also keep in mind that Android (without rooting) will only use the proxy for web browsing, not apps, and would need a port 80 and 443 pass rule.
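    Added example, not from the reply or from pfSense's own WPAD setup: a wpad.dat proxy auto-config file for the explicit mode suggested above. The proxy address (192.168.1.1:3128), the RFC 1918 ranges treated as local and the internal domain example.lan are assumptions. Browsers supply helpers such as isInNet() and dnsDomainIs() to PAC files; this one uses plain string checks so the same function can be run and tested outside a browser.

```javascript
// wpad.dat (added example). Proxy address, local ranges and internal domain are assumptions.
var PROXY  = "PROXY 192.168.1.1:3128";
var DIRECT = "DIRECT";

// RFC 1918 and loopback literal addresses; a plain string test so no browser helper is needed.
function isPrivateIPv4(host) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return false;
  var a = +m[1], b = +m[2];
  return a === 10 || a === 127 || (a === 192 && b === 168) || (a === 172 && b >= 16 && b <= 31);
}

function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  var scheme = url.slice(0, url.indexOf(":")).toLowerCase();

  // Only web traffic is sent to Squid; other schemes are left to the firewall rules.
  if (scheme !== "http" && scheme !== "https") return DIRECT;

  // Plain hostnames, the internal domain and private addresses bypass the proxy.
  if (host.indexOf(".") === -1) return DIRECT;
  if (host === "example.lan" || host.slice(-12) === ".example.lan") return DIRECT;
  if (isPrivateIPv4(host)) return DIRECT;

  // Deliberately no "; DIRECT" fallback: with one, browsers silently bypass the
  // filter whenever Squid is unreachable instead of failing visibly.
  return PROXY;
}
```

    Serve the file as wpad.dat over plain HTTP and point DHCP option 252 or the wpad.<domain> DNS name at it. Two things to check when deploying: WPAD discovery trusts whoever answers that DHCP option or DNS name, so on a network where those are not locked down any host can redirect every browser to a proxy of its choosing; and the bypass list above means connections to private IP literals never reach Squid and so are never filtered or logged there. The port 80 and 443 pass rule the reply mentions for Android apps applies unchanged.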

  • PfSense-pkg-squid installation failed - cannot rename zh-tw.MCJqFBOr3rth

    0 Votes, 3 Posts, 1k Views

    I had the same problem.
    Executing this from Diagnostics > Command Prompt solved it:

    rm -rf /usr/local/etc/squid/errors/zh*

    I think these folders are leftovers from a previous Squid installation.

  • Blacklist not downloading

    0 Votes, 2 Posts, 767 Views, KOM

    What do you have set for Blacklist Options under Services - Squidguard - General settings?  On the Services - Squidguard - Blacklist tab, what output do you get when you click the Download button?

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.