Solved it. It's been more easy than I thought. I created an Errorfile ("Files" section of HA-Proxy) with a redirect to an external "construction" page: HTTP/1.0 302 Found Cache-Control: no-cache Location: https://constructionpage.example.com Content-Type: text/html !DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>302 Moved Temporarily</title> </head><body> <h1>Moved </h1> <p>The document has moved <a href="https://constructionpage.example.com">here</a>.</p> </body></html> . .. and assigned that one with Error 503 I did not run the final test on the live system, but in a test environment it worked.

@emefff Thanks a lot Mario

@johnpoz hangs head Thanks. I skipped the step mentally on adding certs in the SSL Offloading section. I added it there, and no error. Again, Thank you.

@pixel24 It has been 7 months since I replaced it. I didn't wait for an official release because I don't have fixed wanip and it changes quite often. You won't lose any setup in the process.

Not sure it is the proper thing do to but in the SSH windows, I went to : /usr/local/etc/squid/errors then issued "cp -Rp templates/ en/ It created the "/usr/local/etc/squid/errors/en" directory and copied all the files into it. I restarted Squid. The Real Time Squid Cache Table now shows: Date-Time Message 28.06.2023 17:00:49 pinger: Initialising ICMP pinger ... 28.06.2023 17:00:49 Service Name: squid 28.06.2023 17:00:49 Starting Squid Cache version 5.8 for amd64-portbld-freebsd14.0... 28.06.2023 16:59:31 Creating missing swap directories 31.12.1969 19:00:00 31.12.1969 19:00:00 31.12.1969 19:00:00 28.06.2023 16:59:25 Shutdown: Basic authentication. 28.06.2023 16:59:25 Shutdown: Digest authentication. 28.06.2023 16:59:25 Shutdown: Negotiate authentication. 28.06.2023 16:59:25 Shutdown: NTLM authentication. No errors such as what I was seeing before like this: 28.06.2023 15:05:10 Unable to load default error language files. Reset to backups. 28.06.2023 15:05:10 ERROR: loading file 9;/usr/local/etc/squid/errors/en/ERR_NO_RELAY';: (2) No such file or directory 28.06.2023 15:05:10 Unable to load default error language files. Reset to backups. 28.06.2023 15:05:10 ERROR: loading file 9;/usr/local/etc/squid/errors/en/ERR_FORWARDING_DENIED': (2) No such file or directory 28.06.2023 15:05:10 Unable to load default error language files. Reset to backups. 28.06.2023 15:05:10 ERROR: loading file 9;/usr/local/etc/squid/errors/en/ERR_CACHE_MGR_ACCESS_DENIED': (2) No such file or directory 28.06.2023 15:05:10 Unable to load default error language files. Reset to backups. 28.06.2023 15:05:10 ERROR: loading file 9;/usr/local/etc/squid/errors/en/ERR_CACHE_ACCESS_DENIED': (2) No such file or directory 28.06.2023 15:05:10 Unable to load default error language files. Reset to backups. 28.06.2023 15:05:10 ERROR: loading file 9;/usr/local/etc/squid/errors/en/ERR_ACCESS_DENIED': (2) No such file or directory 28.06.2023 15:05:10 Service Name: squid 28.06.2023 15:05:10 Starting Squid Cache version 5.8 for amd64-portbld-freebsd14.0... 31.12.1969 19:00:00 31.12.1969 19:00:00 31.12.1969 19:00:00 28.06.2023 15:04:30 Shutdown: Basic authentication. 28.06.2023 15:04:30 Shutdown: Digest authentication. 28.06.2023 15:04:30 Shutdown: Negotiate authentication. Still hoping someone has thoughts about why they are missing to begin with. ~Eric

@johnpoz said in website name resolution: @viragomann that is not going to add the host header info to what gets asked of the client. Aha, I assumed that this HAproxy would implement it as host header. Didn't ever use a host name in the backend.

@Cabrinisamuele can you provide a screen shot of how you added them into Squidguard, and Squid ACL area? Are you are attempting to block or approve domains/urls in Squid? Are you using SSL intercept or transparent mode? Do you have cache enabled? Browser in timeout means the URL is blocked. Did you mean the problem is when you attempt approved traffic it times out? Finally, why are you using both? Example: I use Squidguard to manage my blocks sites that I want no access to for Squid behalf. What is your end goal? Is it to block those URLs? Squidguard itself changes the Squid conf file and add the blocks or approve lists, so with Squidguard already running those domains are already included in Squids config in the background.

@Dobby_ So openssl-1.1.1q,1 TLSv1.3 capable SSL and crypto library ldd /usr/local/sbin/squid| grep ssl libssl.so.111 => /usr/lib/libssl.so.111 (0x800b6c000) It seems that squid used openssl 1.1.1 ,the openssl will use QAT, then the squid can use QAT ?

@ciscoqid thank you very much, your script solved my problem...

@SkippyTheMagnificent First of all the backend state has to be online to get it work. If this isn't the case, the health checks might fail. You have enabled HTTP health check + SSL checks + "/" as URL to check. This means, HAproxy might try to access "https://10.0.1.160:443/" for checking the backends state. So the backend has to provide a valid SSL certificate for the CN "10.0.1.160". I'm in doubt... I'd switch the health check method to basic instead.

@michmoor so that option allows the possiblity for a client to provide their own header that might include an IP address that isn't the real source IP. This allows for the possiblity for a backend to be connected by a client that is pretending to be a different IP then it really is. The line I added above tells the proxy to strip any IP address provided by the client and forwards only the real IP.

@michmoor I use this blacklist: http://dsi.ut-capitole.fr/blacklists/download/blacklists_for_pfsense_reducted.tar.gz I have a 2100-MAX so I use this list t's not as big as the main version. Works great if you go to their website you can also report items for their lists.