@Cabrinisamuele can you provide a screen shot of how you added them into Squidguard, and Squid ACL area?

Are you are attempting to block or approve domains/urls in Squid? Are you using SSL intercept or transparent mode? Do you have cache enabled? Browser in timeout means the URL is blocked. Did you mean the problem is when you attempt approved traffic it times out? Finally, why are you using both? Example: I use Squidguard to manage my blocks sites that I want no access to for Squid behalf. What is your end goal? Is it to block those URLs? Squidguard itself changes the Squid conf file and add the blocks or approve lists, so with Squidguard already running those domains are already included in Squids config in the background.

@Dobby_ So
openssl-1.1.1q,1 TLSv1.3 capable SSL and crypto library
ldd /usr/local/sbin/squid| grep ssl
libssl.so.111 => /usr/lib/libssl.so.111 (0x800b6c000)

It seems that squid used openssl 1.1.1 ,the openssl will use QAT, then the squid can use QAT ?

@ciscoqid thank you very much, your script solved my problem...

@SkippyTheMagnificent
First of all the backend state has to be online to get it work. If this isn't the case, the health checks might fail.

You have enabled HTTP health check + SSL checks + "/" as URL to check.
This means, HAproxy might try to access "https://10.0.1.160:443/" for checking the backends state. So the backend has to provide a valid SSL certificate for the CN "10.0.1.160". I'm in doubt...

I'd switch the health check method to basic instead.

@michmoor so that option allows the possiblity for a client to provide their own header that might include an IP address that isn't the real source IP. This allows for the possiblity for a backend to be connected by a client that is pretending to be a different IP then it really is.

The line I added above tells the proxy to strip any IP address provided by the client and forwards only the real IP.

@michmoor I use this blacklist:

http://dsi.ut-capitole.fr/blacklists/download/blacklists_for_pfsense_reducted.tar.gz

I have a 2100-MAX so I use this list t's not as big as the main version. Works great if you go to their website you can also report items for their lists.

My apologies I gave bad advice.

Documentation is opposite what I suggested. https://docs.netgate.com/pfsense/en/latest/install/upgrade-guide-prepare.html#packages

Yes I am using haproxy-devel v0.62_13

@johnpoz said in import certificate on android deivces:

I am missing the advanced search feature..

oh man...its been killing me lately not having this. There are at least 4 threads i wished i bookmarked

@JonathanLee Thanks Jonathan!

That is a message from the FreeBSD ports system about the state of that dependency port in the FreeBSD ports system. It isn't relevant to how the package operates on pfSense for the time being.

Yes, if Squidguard broke because some dependency was no longer viable we would look to correct that.

Thanks everyone this is perfectly resolved and I am now getting A+.

I suspect the mixed content for the form is coming from the backend not having SSL enable so the content is transfer unencrypted internally only. Which can easily be fixed by encrypting all internal servers. Hopefully this is the case as the app is modern and created within last year and has both http and https capabilities but as the internal server is a test server running on http it is complaining as it is only accepting http as no SSL is setup yet. Probably need to set that up too eventhough it is just for internal usage and testing purpose.

96b5ffc6-8e97-4adc-9d42-cfcbb9dad5ed-image.png

New Pull submitted