same problem here.
pfSense 2.2.6
squid3 package 0.4.7

was this ever fixed for squid ?

can you clarify how you used HAproxy?
did you put HAproxy in front of reverse squid?
or directly in front of Exchange?

Yes, and cleared cache on browser just to be sure.

Edit: I clicked 'Save' again and 'Apply' and now it's working.  I'm sure I did it before (multiple times), but whatever, it's working now.  Thanks!

I'm not a squid expert.  Your GUI options won't make a difference in general.  If you have content that doesn't cache then you need to enable dynamic caching and then modify your refresh patterns to compensate for the content that doesn't cache.  Test, fix, repeat until working.

https://forum.pfsense.org/index.php?topic=105399.msg588219#msg588219

This is how I fixed mine…

Thanks you Jimp...

pf.png
pf.png_thumb

Turns out it doesn't quite work after all, but I can at least easily make the reverse proxy work alone which was the main thing I needed.

I did some more testing today and noticed that the antivirus option was disabled in squid and when I activate it, I get the ICAP error again.
If I disable the antivirus again, then the reverse proxy works properly.

Just for reference, I have identified the issue and submitted a pull request with the correction.  The Squid port was configured to correctly break out the real IP config onto two lines.  However, the section that handled reverse proxy IPs did not.  This became an issue with a single line would exceed the Squid limit of 1024 characters.

I failed to remove the settings in squid.conf, so the were set to cache to /var/squid/cache.  The reinstall picked up the old squid.conf settings and is now working well.

My install was corrupted somehow, just not sure how.

@irontec:

acl LAN1 src 192.168.100.1/24 acl LAN2 src 192.168.200.1/24 tcp_outgoing_address 192.168.0.246 LAN1 tcp_outgoing_address 10.10.0.246 LAN2

After doing that, all the traffic from LAN1 and LAN2 goes through squid+squidGuard (where we can filter all we want) and after that, squid send the traffic through the WAN watching its ACLs.

Altough this configuration works  (i don't know how to achieve this via firewall rules, as policy based routing is not working with squid), the question is: in case of fail of one of the two gateways (in your case 192.168.0.246 or 0.10.0.246) squid will use the faulty link; how to solve this?
I thought at a script that removes the "tcp_outgoing_address" directive when the gateway goes down, but i would avoid to use it in production enviroment…

Edoardo

cleaned up OP

please now refer to https://forum.pfsense.org/index.php?topic=112335.0

[2.3.1-RELEASE][root@pfSense.localdomain]/root: squid -v
Squid Cache: Version 3.5.19
Service Name: squid
configure options:  '–with-default-user=squid' '--bindir=/usr/local/sbin' '--sbindir=/usr/local/sbin' '--datadir=/usr/local/etc/squid' '--libexecdir=/usr/local/libexec/squid' '--localstatedir=/var' '--sysconfdir=/usr/local/etc/squid' '--with-logdir=/var/log/squid' '--with-pidfile=/var/run/squid/squid.pid' '--with-swapdir=/var/squid/cache' '--without-gnutls' '--enable-auth' '--enable-build-info' '--enable-loadable-modules' '--enable-removal-policies=lru heap' '--disable-epoll' '--disable-linux-netfilter' '--disable-linux-tproxy' '--disable-translation' '--disable-arch-native' '--enable-eui' '--enable-cache-digests' '--enable-delay-pools' '--disable-ecap' '--disable-esi' '--enable-follow-x-forwarded-for' '--enable-htcp' '--enable-icap-client' '--enable-icmp' '--enable-ident-lookups' '--enable-ipv6' '--enable-kqueue' '--with-large-files' '--enable-http-violations' '--without-nettle' '--enable-snmp' '--enable-ssl' '--with-openssl=/usr' 'LIBOPENSSL_CFLAGS=-I/usr/include' 'LIBOPENSSL_LIBS=-lcrypto -lssl' '--enable-ssl-crtd' '--disable-stacktraces' '--disable-ipf-transparent' '--disable-ipfw-transparent' '--enable-pf-transparent' '--with-nat-devpf' '--disable-forw-via-db' '--enable-wccp' '--enable-wccpv2' '--with-mit-krb5=/usr/local' 'CFLAGS=-I/usr/local/include -O2 -pipe  -I/usr/local/include -I/usr/local/include -fstack-protector -DLDAP_DEPRECATED -fno-strict-aliasing' 'LDFLAGS=-L/usr/local/lib  -pthread -L/usr/local/lib -L/usr/local/lib  -Wl,-rpath,/usr/local/lib:/usr/lib -fstack-protector' 'LIBS=-lkrb5 -lgssapi_krb5 ' 'KRB5CONFIG=/usr/local/bin/krb5-config' '--enable-auth-basic=LDAP SASL DB SMB_LM MSNT-multi-domain NCSA PAM POP3 RADIUS fake getpwnam NIS' '--enable-auth-digest=file' '--enable-external-acl-helpers=LDAP_group file_userip time_quota unix_group kerberos_ldap_group' '--enable-auth-negotiate=kerberos wrapper' '--enable-auth-ntlm=fake smb_lm' '--enable-storeio=aufs diskd ufs' '--enable-disk-io=DiskThreads DiskDaemon AIO Blocking IpcIo Mmapped' '--enable-log-daemon-helpers=file' '--enable-url-rewrite-helpers=fake' '--enable-storeid-rewrite-helpers=file' '--prefix=/usr/local' '--mandir=/usr/local/man' '--infodir=/usr/local/info/' '--build=amd64-portbld-freebsd10.3' 'build_alias=amd64-portbld-freebsd10.3' 'CC=cc' 'CPPFLAGS=-I/usr/local/include' 'CXX=c++' 'CXXFLAGS=-O2 -pipe -I/usr/local/include -I/usr/local/include -fstack-protector -DLDAP_DEPRECATED -fno-strict-aliasing ' 'CPP=cpp' --enable-ltdl-convenience

I've exactly the same problem. Unrestricted IP and whitelist don't work at all.
Try everything and restart. Nothing.

Useless at this stade…

Hi and thanks for your reply.
I managed  to see the lightsquid page.
I do not see nothing logged for the user web activity.
In tail -f /var/squid/logs/access.log  i get theese kind of messages
1463470841.514      0 127.0.0.1 TCP_MISS/200 759 GET cache_object://localhost/active_requests - HIER_NONE/- text/plain

With the older release i could see the user web activity logs.

Thanks…

Found it: see topic https://forum.pfsense.org/index.php?topic=111859.new;topicseen#new

I'll put my reply on that topic.

The issues I've had only relate to multiple WAN IPs.  Everything has worked without major issue on the reverse proxy.  If you are still having issues, please post your config and I'll see if anything jumps out as troublesome.