@JonathanLee Thats really great news, sorry was not following this since long (I switched from IT to Development). So to clean things up I will be closing PR and Redmine issue.

Best
Maharsh.

@viragomann
Yes, the host is reachable and the exchange server has the correct certificate.

If I use normal portforwarding without a HAProxy at ports 80+443 from pfsense to the exchange server everything works properly.

@viragomann
Thanks so much for your help. I finally got it working with WAN and LAN

Some sites you need to splice it is complex software to configure. Don't give up you got your splice list keep going...

@Tom8 slope

Helpful, thanks.

@viragomann Got it working!
I wasn't able to reboot pfSense before because it's on production. Last night I scheduled a window and voilá... it works now.
Thanks!

@maverick_slo not always the case.. While sure its good idea to keep your software updated, but if there are no bug fixes to address an issue your seeing, or security fixes that are of concern, or new features you want. There is nothing pushing to running a newer version when your current version is working fine.

Ever hear the term if its not broke, don't fix it ;)

Normally when a new version of pfsense comes out, the packages normally get an update along with that. But they don't always push updates to packages unless the package maintainer updates it, or there is some sort of security issue, etc.

@jacklynjohnson

start page like this and it will work.

HTTP/1.0 503 Service Unavailable
Cache-Control: no-cache
Connection: close
Content-Type: text/html

<!DOCTYPE html>.........

@planetinse

If someone reads this the problem was related to HTTP/2 and http/1.1
and known issues post Haproxy 2.4

Enforcing traffic in frontend with alpn http/1.1 - solved the issue in my scenario.

btw. the certificates was a blind-track, it was never related.

https://github.com/haproxy/haproxy/issues/162

I'm wondering, I changed my mode from "custom" mode to "splice all" mode and added these codes as you can see in the photo, the system and many blocked programs and applications started to work. What exactly is the logic behind this?

@JonathanLee
@stephenw10

Custom Options (SSL/MITM) =

acl splice_it ssl::server_name .microsoft.com
acl splice_it ssl::server_name .windowsupdate.com
acl splice_it ssl::server_name .akamaitechnologies.com
acl splice_it ssl::server_name .akadns.net
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump splice splice_it
ssl_bump bump all
ssl_bump peek step1
ssl_bump splice all

My custom refresh_options on the Local Cache tab

refresh_pattern -i windowsupdate.com/..(cab|exe|ms[i|u|f|p]|[ap]sf|wm[v|a]|dat|zip|psf) 43200 80% 129600 reload-into-ims
refresh_pattern -i microsoft.com/..(cab|exe|ms[i|u|f|p]|[ap]sf|wm[v|a]|dat|zip|psf) 43200 80% 129600 reload-into-ims
refresh_pattern -i windows.com/..(cab|exe|ms[i|u|f|p]|[ap]sf|wm[v|a]|dat|zip|psf) 43200 80% 129600 reload-into-ims
refresh_pattern -i microsoft.com.akadns.net/..(cab|exe|ms[i|u|f|p]|[ap]sf|wm[v|a]|dat|zip|psf) 43200 80% 129600 reload-into-ims
refresh_pattern -i deploy.akamaitechnologies.com/.*.(cab|exe|ms[i|u|f|p]|[ap]sf|wm[v|a]|dat|zip|psf) 43200 80% 129600 reload-into-ims

If you want to restrict (bypass) ip addresses of your local Network :-
acl splice_it ssl::server_name .microsoft.com
acl splice_it ssl::server_name .windowsupdate.com
acl splice_it ssl::server_name .akamaitechnologies.com
acl splice_it ssl::server_name .akadns.net
acl localnet src 10.0.0.0/8 #local network
acl localnet src 192.168.0.0/16 #local network
acl localnet src 172.16.0.0/12 #local network
acl localnet src 2.2.2.2/32 #just for example
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump splice splice_it
ssl_bump splice localnet # splice one more time
ssl_bump bump all

@viragomann Thanks -- that worked!

2024 and still the same problem with Firefox... Try Edge or Chrome...

@coreybrett

Please, SAVE THE CONFIG.XML and try fresh install (and of coarse put config.xml back in place) from scratch (not forgot to cold reboot at the end of install),- may be this help…

@s0ulf3re said in Forwarding client IP from HAProxy in pfSense to Traefik:

Basically, how can I make it so that the Traefik proxy forwards the actual IP Addresses instead of just 192.168.1.1?

At the bottom of the backend settings there is an option "transparent mode", which does this.

However, I don't recommend this. I'd rather go with "forwarded-for" header. III think, also Traefik should be able to handle this.

@viragomann Yes, I meant to keep all ssl access local. I have the listening interfaces allowed to access all target destinations. I am just throwing the idea although I don't think it's the issue. Thank you for following through.

Just use https://y2mate.mov : )