It seams that haproxy does not include the hostname in the path. I've changed my hcl like this:

path starts with /MySite
host equals www.mysite.com

This works perfectly. Thanks for your help.

Those config options you mention are for squid..
Maybe however you could try adding 'option prefer-last-server' in the the advanced section of the backend.
http://cbonte.github.io/haproxy-dconv/snapshot/configuration-1.6.html#4.2-option%20prefer-last-server

Haproxy does not strip headers away unless it is configured to do so.. Could you perhaps post the haproxy.cfg to see if there are any options mentioned that might interfere? And give a little more understanding about your setup.

p.s.
The client browsers do have sharepoint.company.url configured in their 'local intranet' settings in IE ? AFAIK for 'internet' and 'trusted websites' the NTLM authentication is never automatically send. But i could be wrong there..

Fair enough. It's been a while since I've looked at this particular combination (Squid/AD) so I guess I fell out of the loop a bit.

I found this:

https://github.com/pfsense/FreeBSD-ports/pull/34

Any idea when this will come into squid?

This is needed for reverse proxy but the question is will there be a auth delegation to the proxy for sharepoint and owa?

OK, get rid of that and install the squid3 package.  That's your problem.  That package is for squid2 which is ancient and I'm not even sure it works properly.  Your eperiences seem to confirm that something weird is going on.  The squid3 package is the only one really being maintained moving forward, so you should use that one.

This should work.. Have you tried inspecting (tcpdump/wireshark) the traffic between haproxy and backend? And haproxy itself does perform ssl offloading right?

@phoenixsampras:

Same Problem!!

Dear lord, is pfsense getting worst with every version?? now https doesnt work with proxy….. traffic shapping doesnt work with XENSERVER, etc.

What's wrong Pfsense?? this are basic stuff!! come on!!

yeah  ::)

Some more info…

The proxy seems to work fine (normal and transparent) if I set the proxy settings in my browser.  However, if I have transparent proxy enabled and remove the proxy settings from my browser, that's when I can't browse any more.

It seems like the requests just aren't being routed properly.  How is the routing through the transparent proxy done?

Any update on this squiguard cannot be install on a new version of pfsense.

If I remember, you have to add the IP address that squid listens on to the External cache Managers field in Services - Squid Proxy Server - Local cache.  Your output should look like this:

[2.2.5-RELEASE][admin@pfsense.kominc.local]/root: squidclient -h 10.10.4.1 -p 3128 mgr:info Sending HTTP request ... done. HTTP/1.1 200 OK Server: squid Mime-Version: 1.0 Date: Wed, 10 Feb 2016 14:49:20 GMT Content-Type: text/plain Expires: Wed, 10 Feb 2016 14:49:20 GMT Last-Modified: Wed, 10 Feb 2016 14:49:20 GMT X-Cache: MISS from localhost X-Cache-Lookup: MISS from localhost:3128 Connection: close Squid Object Cache: Version 3.4.10 Build Info: Start Time:    Fri, 25 Dec 2015 17:55:34 GMT Current Time:  Wed, 10 Feb 2016 14:49:20 GMT Connection information for squid:         Number of clients accessing cache:      58         Number of HTTP requests received:      9997622         Number of ICP messages received:        0         Number of ICP messages sent:    0         Number of queued ICP replies:  0         Number of HTCP messages received:      0         Number of HTCP messages sent:  0         Request failure ratio:  0.00         Average HTTP requests per minute since start:  148.1         Average ICP messages per minute since start:    0.0         Select loop called: 261284164 times, 15.499 ms avg Cache information for squid:         Hits as % of all requests:      5min: 1.2%, 60min: 3.7%         Hits as % of bytes sent:        5min: 2.0%, 60min: 0.9%         Memory hits as % of hit requests:      5min: 9.1%, 60min: 5.6%         Disk hits as % of hit requests: 5min: 9.1%, 60min: 6.5%         Storage Swap size:      9437124 KB         Storage Swap capacity:  90.0% used, 10.0% free         Storage Mem size:      8100 KB         Storage Mem capacity:  98.9% used,  1.1% free         Mean Object Size:      34.64 KB         Requests given to unlinkd:      0 Median Service Times (seconds)  5 min    60 min:         HTTP Requests (All):  0.06640  0.06640         Cache Misses:          0.06640  0.06640         Cache Hits:            0.00000  0.00091         Near Hits:            0.00179  0.01164         Not-Modified Replies:  0.00000  0.00000         DNS Lookups:          0.03223  0.03374         ICP Queries:          0.00000  0.00000 Resource usage for squid:         UP Time:        4049625.975 seconds         CPU Time:      17684.284 seconds         CPU Usage:      0.44%         CPU Usage, 5 minute avg:        0.94%         CPU Usage, 60 minute avg:      0.80%         Maximum Resident Size: 478176 KB         Page faults with physical i/o: 168 Memory accounted for:         Total accounted:        52310 KB         memPoolAlloc calls: 1936117391         memPoolFree calls:  1943865739 File descriptor usage for squid:         Maximum number of file descriptors:  57960         Largest file desc currently in use:    267         Number of file desc currently in use:  135         Files queued for open:                  0         Available number of file descriptors: 57825         Reserved number of file descriptors:  100         Store Disk files open:                  0 Internal Data Structures:         272539 StoreEntries           1887 StoreEntries with MemObjects           1831 Hot Object Cache Items         272431 on-disk objects

In the backend edit page:

Transparent ClientIP WARNING Activating this option will load rules in IPFW and might interfere with CaptivePortal and possibly other services due to the way server return traffic must be 'captured' with a automatically created fwd rule. This also breaks directly accessing the (web)server on the ports configured above. Also a automatic sloppy pf rule is made to allow HAProxy to server traffic.

Maybe i should add that accessing haproxy-ip from the same network as where the server exists will be an issue to.. When that box is checked.

This problem is similar, method 2 should work with haproxy:
https://doc.pfsense.org/index.php/Why_can't_I_access_forwarded_ports_on_my_WAN_IP_from_my_LAN/OPTx_networks
But do check your not trading 1 problem for another again.. OPT1 clients might not like the splitdns accessing the server on LAN…

Only way to get a redirect when visiting a blocked https website is if you use MITM method instead of WPAD.  Basically Squid will break an HTTPS tunnel, but isn't able to tell the browser to redirect since you aren't trusting the proxy server to handle the connection.  You are just tunneling through it when using wpad.

@laren626:

Everything works fine But there is a problem IDK why it is not serving as a proxy server I got this on my Squid Logs

05.02.2016 10:25:21 Starting Squid Cache version 3.4.10 for amd64-portbld-freebsd10.1…

05.02.2016 10:25:43 172.0.100.203 TAG_NONE_ABORTED/000 http://www.msn.com/

It may occur when you select loopback interface to listen squid on. Try to select only lan, restart the service and test again.

@osaka26:

Enable DNS Resolver, Host Overrides; add; on host: www; Domain: google.com; ip address: 216.239.32.20; Save, then ipconfig /flushdns and voila google safesearch on all lan!


any ideas on this?

This is normal and the reason you should avoid transparent mode unless you plan on installing a pfSense certificate into every client that will use the proxy.

You don't want an open proxy, it'll probably be no more than a few hours until someone finds it and starts abusing it. Much better off setting up a VPN and routing all traffic through it.

I might suggest that you try going through a free short online Linux Basics tutorial before you go any further so that you get some needed education on how to move around the file system, how to create & copy files, etc, or this entire exercise will just frustrate you.  Here is one, for example:

https://www.edx.org/course/introduction-linux-linuxfoundationx-lfs101x-2

Note that pfSense is based on FreeBSD, not Linux, but all the same concepts still apply.

Creating these scripts by typing them in manually is a guaranteed way to make a mistake.  You are better off cutting & pasting the scripts into their respective files on your local computer and then using a pfSense package like File Manager to actually upload the script files to their destination on pfSense.  Then you can try to run them.

You could add a cron job to do it for you but you would be better off figuring out the real problem.  Anything in /var/squid/logs/cache.log?

thanks ,,i made it there