• 0 Votes
    2 Posts
    832 Views

    This seems to only happen on WIFI. With LAN it's ok.

    However, WIFI works well when not using pfsense.  Latency issues with pfsense?

  • 0 Votes
    8 Posts
    7k Views

    @C0RR0SIVE:

    How did you get youtube to work properly with the safesearch?  That is something I have been wanting to do, but, haven't had luck with as far as I can tell… How does one even test that it works?  (Still learning a good bit along with everyone else)

    See my last post on how to set up DNS safesearch for YouTube.
    And as for how to check it … I tried searching "sex" and compared the results. It's not perfect, but I will settle for what they offer.

  • Force devices to squid

    Feb 15, 2016, 9:04 PM
    0 Votes
    29 Posts
    7k Views

    The problem with the auth: I found what it was, the password must be less than 8 characters long.

  • 0 Votes
    7 Posts
    1k Views

    Have you checked the allow users on the interface? If not… do tick it.


  • 0 Votes
    2 Posts
    797 Views

    I'm searching for this feature too…
    OR
    only proxy on specific URL (RegEx matching)

  • [CLOSE] SQUID3 WITH DANSGUARDIAN

    Feb 16, 2016, 7:24 PM
    0 Votes
    2 Posts
    713 Views

    Hi there

    According to package-info of Dansguardian (0.1.14):

    WARNING! This package bundles ClamAV that conflicts with 'Squid3', 'Mailscanner' and 'HAVP antivirus' packages! Installing these will result in a broken state.

    So, if I believe this message, it's either squid3 or dansguardian, but not both of them at the same time. Might be the case also with you.

    rgds
    Walbog

  • 0 Votes
    1 Posts
    916 Views
    No one has replied
  • 0 Votes
    1 Posts
    784 Views
    No one has replied
  • Haproxy error 503 on https

    Feb 16, 2016, 6:28 PM
    0 Votes
    3 Posts
    9k Views

    It seems that haproxy does not include the hostname in the path. I've changed my hcl like this:

    path starts with /MySite
    host equals www.mysite.com

    This works perfectly. Thanks for your help.

  • 0 Votes
    4 Posts
    5k Views

    Those config options you mention are for squid..
    Maybe, however, you could try adding 'option prefer-last-server' in the advanced section of the backend.
    http://cbonte.github.io/haproxy-dconv/snapshot/configuration-1.6.html#4.2-option%20prefer-last-server

    Haproxy does not strip headers away unless it is configured to do so.. Could you perhaps post the haproxy.cfg to see if there are any options mentioned that might interfere? And give a little more understanding about your setup.

    p.s.
    The client browsers do have sharepoint.company.url configured in their 'local intranet' settings in IE? AFAIK for 'internet' and 'trusted websites' the NTLM authentication is never automatically sent. But I could be wrong there..

  • 0 Votes
    6 Posts
    2k Views

    Fair enough. It's been a while since I've looked at this particular combination (Squid/AD) so I guess I fell out of the loop a bit.

  • 0 Votes
    2 Posts
    1k Views

    I found this:

    https://github.com/pfsense/FreeBSD-ports/pull/34

    Any idea when this will come into squid?

    This is needed for reverse proxy, but the question is: will there be an auth delegation to the proxy for SharePoint and OWA?

  • 0 Votes
    8 Posts
    2k Views

    OK, get rid of that and install the squid3 package. That's your problem. That package is for squid2, which is ancient, and I'm not even sure it works properly. Your experiences seem to confirm that something weird is going on. The squid3 package is the only one really being maintained moving forward, so you should use that one.

  • 0 Votes
    2 Posts
    2k Views

    This should work.. Have you tried inspecting (tcpdump/wireshark) the traffic between haproxy and backend? And haproxy itself does perform ssl offloading right?

  • 0 Votes
    24 Posts
    15k Views

    @phoenixsampras:

    Same Problem!!

    Dear lord, is pfsense getting worse with every version?? Now https doesn't work with proxy….. traffic shaping doesn't work with XENSERVER, etc.

    What's wrong, Pfsense?? These are basic stuff!! Come on!!

    yeah  ::)

  • 0 Votes
    3 Posts
    1k Views

    Some more info…

    The proxy seems to work fine (normal and transparent) if I set the proxy settings in my browser.  However, if I have transparent proxy enabled and remove the proxy settings from my browser, that's when I can't browse any more.

    It seems like the requests just aren't being routed properly.  How is the routing through the transparent proxy done?

  • 0 Votes
    6 Posts
    5k Views

    Any update on this? Squidguard cannot be installed on a new version of pfsense.

  • Squid proxy hit rate

    Feb 9, 2016, 9:04 PM
    0 Votes
    4 Posts
    5k Views

    If I remember, you have to add the IP address that squid listens on to the External cache Managers field in Services - Squid Proxy Server - Local cache.  Your output should look like this:

    [2.2.5-RELEASE][admin@pfsense.kominc.local]/root: squidclient -h 10.10.4.1 -p 3128 mgr:info
    Sending HTTP request ... done.
    HTTP/1.1 200 OK
    Server: squid
    Mime-Version: 1.0
    Date: Wed, 10 Feb 2016 14:49:20 GMT
    Content-Type: text/plain
    Expires: Wed, 10 Feb 2016 14:49:20 GMT
    Last-Modified: Wed, 10 Feb 2016 14:49:20 GMT
    X-Cache: MISS from localhost
    X-Cache-Lookup: MISS from localhost:3128
    Connection: close
    Squid Object Cache: Version 3.4.10
    Build Info:
    Start Time:    Fri, 25 Dec 2015 17:55:34 GMT
    Current Time:  Wed, 10 Feb 2016 14:49:20 GMT
    Connection information for squid:
            Number of clients accessing cache:      58
            Number of HTTP requests received:      9997622
            Number of ICP messages received:        0
            Number of ICP messages sent:    0
            Number of queued ICP replies:  0
            Number of HTCP messages received:      0
            Number of HTCP messages sent:  0
            Request failure ratio:  0.00
            Average HTTP requests per minute since start:  148.1
            Average ICP messages per minute since start:    0.0
            Select loop called: 261284164 times, 15.499 ms avg
    Cache information for squid:
            Hits as % of all requests:      5min: 1.2%, 60min: 3.7%
            Hits as % of bytes sent:        5min: 2.0%, 60min: 0.9%
            Memory hits as % of hit requests:      5min: 9.1%, 60min: 5.6%
            Disk hits as % of hit requests: 5min: 9.1%, 60min: 6.5%
            Storage Swap size:      9437124 KB
            Storage Swap capacity:  90.0% used, 10.0% free
            Storage Mem size:      8100 KB
            Storage Mem capacity:  98.9% used,  1.1% free
            Mean Object Size:      34.64 KB
            Requests given to unlinkd:      0
    Median Service Times (seconds)  5 min    60 min:
            HTTP Requests (All):  0.06640  0.06640
            Cache Misses:          0.06640  0.06640
            Cache Hits:            0.00000  0.00091
            Near Hits:            0.00179  0.01164
            Not-Modified Replies:  0.00000  0.00000
            DNS Lookups:          0.03223  0.03374
            ICP Queries:          0.00000  0.00000
    Resource usage for squid:
            UP Time:        4049625.975 seconds
            CPU Time:      17684.284 seconds
            CPU Usage:      0.44%
            CPU Usage, 5 minute avg:        0.94%
            CPU Usage, 60 minute avg:      0.80%
            Maximum Resident Size: 478176 KB
            Page faults with physical i/o: 168
    Memory accounted for:
            Total accounted:        52310 KB
            memPoolAlloc calls: 1936117391
            memPoolFree calls:  1943865739
    File descriptor usage for squid:
            Maximum number of file descriptors:  57960
            Largest file desc currently in use:    267
            Number of file desc currently in use:  135
            Files queued for open:                  0
            Available number of file descriptors: 57825
            Reserved number of file descriptors:  100
            Store Disk files open:                  0
    Internal Data Structures:
            272539 StoreEntries
              1887 StoreEntries with MemObjects
              1831 Hot Object Cache Items
            272431 on-disk objects
  • 0 Votes
    11 Posts
    11k Views

    In the backend edit page:

    Transparent ClientIP WARNING Activating this option will load rules in IPFW and might interfere with CaptivePortal and possibly other services due to the way server return traffic must be 'captured' with a automatically created fwd rule. This also breaks directly accessing the (web)server on the ports configured above. Also a automatic sloppy pf rule is made to allow HAProxy to server traffic.

    Maybe I should add that accessing haproxy-ip from the same network as where the server exists will be an issue too.. When that box is checked.

    This problem is similar, method 2 should work with haproxy:
    https://doc.pfsense.org/index.php/Why_can't_I_access_forwarded_ports_on_my_WAN_IP_from_my_LAN/OPTx_networks
    But do check you're not trading 1 problem for another again.. OPT1 clients might not like the splitdns accessing the server on LAN…

  • 0 Votes
    2 Posts
    2k Views

    Only way to get a redirect when visiting a blocked https website is if you use MITM method instead of WPAD.  Basically Squid will break an HTTPS tunnel, but isn't able to tell the browser to redirect since you aren't trusting the proxy server to handle the connection.  You are just tunneling through it when using wpad.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.