@j-sejo1 This used to work: acl LAN1 src 10.0.4.0/24 acl LAN2 src 192.168.0.0/21 tcp_outgoing_address (IP WAN1) LAN1 tcp_outgoing_address (IP WAN2) LAN2 http://www.squid-cache.org/Doc/config/tcp_outgoing_address/

@sub2010 I use the same config. domain.tld and matrix.domain.tld. I'm not sure about your srv record, I dont use one. For my certificate I use 1 certificate. In acme you can specify multiple domains for one certificate. Mine includes. *.domain.tld and domain.tld Get a cert like that, put it on your haproxy frontend and also put it on your matrix host and point your homeserver.yaml to it and restart matrix. The error is still saying your cert is expired, so I am assuming the cert you have on your matrix host that your homeserver.yaml is pointing to is expired.

It goes on and on for every client. Does Squid proxy require an ACL from the firewall IP and squids port to all the clients using the proxy?

@vlurk Thank you for this guide. I have the same issue but with Viber. How can I use your settings for viber desktop App

@periko Yes, now it's working correct. Thank you once more.

@dkzsys try this client_persistent_connections on client_persistent_connections off "Squid uses persistent connections (when allowed). You can use this option to disable persistent connections with clients." http://www.squid-cache.org/Doc/config/client_persistent_connections/

@colinstu Edit: Huh, after also checking on "Add ACL for certificate Subject Alternative Names." for the alt cert, it now works!

@johnpoz Yeah I did the 'offloading only' approach for quite a while and it works great - actually it's how I do it for most other services I host publicly. But in this case the backend server is Vaultwarden, an open source implementation of Bitwarden (password manager). I am currently in the progress of strengthen my security posture and I came to the conclusion to treat every network that has a live connection to the internet under 'assume breach' and evaluate the risk based on that. Under this assumption it is really really important that no one ever sees decrypted traffic to that server (e.g. master vault password of a user etc.) under any circumstance (except of course if vaultwarden itself is compromised). So for this specific scenario Internet > HAProxy > Vaultwarden the potential higher backend load is more than acceptable when compared to the security gain.

@planetinse removed package - then install package - did the trick

@jimp You think a resource can be assigned to review the redmine? This will be a quality of life improvement with the use of the application. https://redmine.pfsense.org/issues/14390

I followed your instructions but it still didn't work. Can anyone tell me what to do?

@periko This was my favorite how to website https://forum.it-monkey.net/index.php?topic=23.0

http://www.squid-cache.org/Doc/config/host_verify_strict/ This could be the solution to fixing this... host_verify_strict on host_verify_strict off

@Berick That's not really much. Maybe you can find more details, when running the browser debugging mode. I got a similar problem solved by adding this response header: http-response header set > name: content-security-policy, fmt: upgrade-insecure-requests You can try, but not sure if this helps.

@CaliPilot Hi Chris, I seem to be having issue even after configuring the firewall alias. I have created a post and would very much appreciate some input from you. https://forum.netgate.com/topic/182891/squid-proxy-bypass-proxy-for-these-destination-ips-not-working-transparent-http-proxy-mode-https-ssl-interception Thank you.

@mcury I'll give it a try and let you know, thanks