@jaredp select all sections from "Remote Certs Checks" and "Certificate Adapt" and tested. Now, what problems u have? a specific domain...? tell us...

@maturola said in HAProxy: Use UNLESS condition instead of default IF: Well, Honestly I'm not sure where the "Green/Red" would be but the back end status looks the same as all other services that are working. (screenshot of onlyoffice and "password" which is bitwarden You"ve disabled health check. So there is no information on the backend status.

@ntranx I test whitelist in squid, squidguard and squidclamav.conf but the problem is the same

@juananpc said in HAProxy doesn't resolve on LAN interface: instead of selecting "any" (IPv4) in the frontend, What exactly are you trying to proxy? Why would you pick the lan address?? I have to things I run through ha proxy. One frontent directly listens on my wan IP. Other listens on my loopback since I share this port with openvpn 443, and when its not openvpn traffic, openvpn using share port option sends this to the loopback on a port 9443 and haproxy sends that on to the backend. If I want to access either of these from my lan, I access my wan IP on the ports being used 443 or 44301 and the proxy sends me to the backend.

@stefan-bendler If you go to the settings page in HAproxy you can find a button at the bottom to display the whole configuration and would also give information about your backend settings. From the given information it's not clear to me, what you intend to achieve and what's not working. I'm wondering, if you're using a public IP inside your network. If this is your public external IP you may want to hide it. From your screenshots, I assume the http is working as expected, but for the https obviously gives you the pfSense web GUI. Is the web configurator listening on the same port as the HAproxy frontend? If so you can change it in System > Advanced > Administration.

@planetinse issue went away after upgrading to TEC (23.05) version (probably the reboot was the fix)

If you want the old blacklist from shalla use the wayback machine and download the last shalla file and place it on the firewall and tell the system to use the path to it. Or use http://dsi.ut-capitole.fr/blacklists/download/blacklists_for_pfsense_reducted.tar.gz Also you can manually enter items here is a nice DoH list to block combineddohlist.txt

@michmoor on your redirect URL do you have https:// in front of the URL? I had mtalk.google.com redirect to google.com without the https, and it would show on the browser to many redirects, I changed it to https://www.google.com the error stopped and it worked without the error on the browser. Keep in mind mtalk.google.com is used for Android push notifications, so my smart phones have approved access, but my desktops are not smartphone capable so it is disabled. Some devices like my iMac constantly had a connection to mtalk. I did some research and mtalk is also abused it seems by invasive actors. So my network now only lets the phones use it. I have googles assistant disabled on everything.

@jimp thanks for looking into this. I will use that URL for future items. I did not know about that other URL until today.

@michmoor Concerning logs , I have no idea about that How I can show the logs , I am using GUI

@viragomann someone told me to try and set my frontend to LAN IP in HAProxy and it broke the frontend [image: 1692372220569-c77f2192-0a3c-4a61-8d2d-1e9a08b9f06e-image.png] [image: 1692372246523-b31f6e71-3626-4f59-b7ae-21d5a5b04c8e-image.png] need to reset my config again