• Reverse proxy to bypass CG-NAT to gain access to OpenVPN


    @bavcon22
    No access from the internet to your router is possible if it's behind CG-NAT. So no idea how HAproxy should help here.

  • ha proxy ssh add backend IP stops ssh connect


    @nopanic Hello all
    I have to come back because the traffic goes only from LAN to OPT. From the WAN side I don't get a connection.
    Curious: when I do TCP transparent entries and want to go back to NAT forwarding, I have to reboot the machine so forwarding works again. I have to delete the entries and reboot. Disabling is not enough.

    Can someone help?
    Tia
    Stefan

  • Squidguard Website


    @jonathanlee said in Squidguard Website:

    Hello fellow Netgate community can you please help?
    I just noticed that Squidguard.org website seems to be not working,
    has anyone else noticed this?

    You can check if the website is down for everyone or just for you by using a website monitoring tool like Down For Everyone Or Just Me (https://www.isitdownrightnow.com/). Alternatively, you can try accessing the website from a different device or network to see if the issue is specific to your connection.

  • HaProxy Internal server error main site


    @gamehoundsdev NVM, I'm an idiot; I forgot to disable a 443 mapping on NAT.

  • HAProxy QUIC support


    @j-koopmann You don't need to, it's already there.

    You do need to add the FreeBSD repos though, and you're likely going to lose the GUI, and there's no saying what's going to happen during config changes if you don't remove pfSense's version of HAProxy first, because it gets its config from /cf/conf/config.xml, which is updated every time you make a change. The reverse is true as well: if you edit that file, the changes are reflected immediately on pfSense. It's pretty cool to test live... if you have snapshots or an editor with undo capabilities.

    In /usr/local/etc/pkg/repos/, edit FreeBSD.conf and pfSense.conf, change no to yes and that's it. You'll know what I'm talking about when you open the files.

    If you decide to do it:
    edit /usr/local/etc/pkg/repos/FreeBSD.conf, press ⎋⏎⏎ when you're done. Repeat with the other file.

    or:
    vi /usr/local/etc/pkg/repos/FreeBSD.conf, press i to switch to insert mode. Don't try deleting forward or beyond the end/beginning of the line; it's very easy to switch out of insert mode (which should be shown the whole time at the bottom of the window/screen), at which moment the keys on the keyboard can do the most random/destructive things. Press ⎋ to get back into viewing mode and ZZ to save and quit. Repeat with the other file.

    Really long sidenote: Do you really want to support QUIC though? Right now you can't control it effectively because it's encrypted, and it can be used as a conduit for DoH, which is a very effective way of bypassing pfBlockerNG, Unbound and your ruleset protections. Support is not there yet on major forward proxies; it requires more resources on both servers and clients; being based on UDP, it has the same issues UDP has; and the advantages, I don't even remember what they were, but they are minimal compared to HTTP/2 over its predecessor. It sets a pathway for a dark future where you'll just have to MITM everything; manufacturers already refuse to let users/admins install custom certs, and I'm sure they'll show even more onerous warnings and make it really difficult if they're forced, making people angry, who in turn will blame IT. In the case of home users, "IT" is the guy/girl that knows stuff and gets berated over a Roku not being able to connect over all the ports and protocols it arbitrarily wants.

  • Using SSL offloading to access Services


    @ahole4sure no, it is not required if you're using the SSL Offloading option on the HAproxy frontend. In this case it is better to use HTTP for the backend (or issue an internal SSL cert on pfSense for your Synology).

  • How to make HAProxy path use backend (including links/scripts)?


    @jonathan-young
    You can do something like this to insert the /test directory:

    In the backend add an ACL:
    name: notest
    path starts with
    "Not" checked
    value: /test/

    action:
    http-request set-path
    fmt: /test/%[path]
    acl: notest

  • ClamAV CVE-2023-20032 and CVE-2023-20052 - Update for Squid?

  • (thread title not captured)

    @safe Good luck!

  • gzip compression in HAProxy


    I have solved my problem. The issue was that the backend server was only capable of HTTP/1.0. I must have missed this when checking the output. The curl outputs above are against HAproxy, not the backend, and will return the protocol set in the frontend, no matter what the backend uses. So if anyone else has the same issue, make sure that your backend is using HTTP/1.1 or later.

    Anyway, I don't know why HAproxy is not able to gzip the output from an HTTP/1.0 backend. Nginx has no problems with this. The solution is to have the Nginx proxy in between the application and HAproxy.

    Thanks.

  • HAProxy on pfSense anomaly


    @lavenetz Only one MiaB, so, Standard, I think.

  • 23.01 and very noticeable proxy speed increase


    @annwenn installed the 23.01 version of the software.

  • Squid ClamAV showing bytecode errors for version 334


    @jonathanlee

    As of 2-24-23 this has been resolved with . . .

    "Empty script bytecode-334.cdiff, need to download entire database"

    Clamd successfully notified about the update.
    bytecode.cvd updated (version: 334, sigs: 91, f-level: 90, builder: anvilleg)
    Database test passed.
    Testing database: '/var/db/clamav//tmp.a3a9145360/clamav-e149ec24c4c3dccbcffc8540df3d4b2a.tmp-bytecode.cvd' ...
    Empty script bytecode-334.cdiff, need to download entire database
    bytecode database available for update (local version: 333, remote version: 334)
    main.cvd database is up-to-date (version: 62, sigs: 6647427, f-level: 90, builder: sigmgr)
    daily.cld database is up-to-date (version: 26821, sigs: 2021707, f-level: 90, builder: raynman)
    ClamAV update process started at Thu Feb 23 16:57:00 2023


  • Squid MITM Problem


    @dochy Nice config.

    This is mine. I set specific devices to splice as source.

    I have a regex list saved in /usr/local/pkg/url.nobump

    After I peek at step1,
    I splice the source addresses, like the game system and tablets;
    after that I splice the URLs I have marked as trusted, like banks,

    and I bump everything else.

    This is my custom file. I have items that won't work correctly with bump, like antivirus, some updates, iTunes, etc.

    The main sites I want bumped are sites I do not normally go to, random sites; this way it still stops viruses, with HTTPS being checked.


    I hope that helps. It seems like you have some 409 errors; look up the server errors: "The HTTP 409 status code (Conflict) indicates that the request could not be processed because of conflict in the request".
    These sites I would look into splicing if you need them; Teams is one I splice, it's so slow without it.

  • (thread title not captured)

    @bluegrass-168 use https://github.com/mmd123/squid-cache-dynamic_refresh-list for refresh_pattern (note you can always submit pull requests to improve the list).

    "Actually, I want to cache every thing as I can."
    In order to cache https you need to use SSL Man In the Middle Filtering

    However you do not want to mitm everything as it breaks way too many things. So use
    Custom Options (SSL/MITM)

    then add something like this:

    acl step1 at_step SslBump1
    acl monitoredSites ssl::server_name "/home/bumpsites.txt"
    ssl_bump bump monitoredSites
    ssl_bump peek step1
    ssl_bump splice all

    and at the file location /home/bumpsites.txt add your list of sites you want to decrypt to cache.
    Here is a list that I made (NOTE: I have not tested all domains, so if some have issues remove them, e.g. things like ubisoft.com):
    bumpsites.txt

    What I did was I went to winget https://github.com/microsoft/winget-pkgs and got a list of the download domains.

    This should also cache steam and epic games.

    Good luck

  • I'd like to combine different ACLs and order them in HAProxy


    Awesome! Thank you!

  • Our clamd service stops working


    @jlee_eye


    Have you tried to play around with the custom options and get one that works well yet? This was the one that consumes less memory and works better for me.

  • Squid Proxy Error


    @kenj05

    What browser are you using?

    I followed this video for my 2.6.0 pfSense and it works.

    https://www.youtube.com/watch?v=DTD5lYPjLns&list=LL&index=1

    So is the SSL inspection function.

  • How do I disable HAProxy from the shell?


    @boatsman
    No idea. But why don't you simply restore a config backup?
    It's 15 in the console menu.

  • Transparent Squid via Splice = Intermittent SSL Connectivity Failures


    @michmoor said in Transparent Squid via Splice = Intermittent SSL Connectivity Failures:

    @the_boss you will need to whitelist the domain. It’s possible there is certificate pinning going on.

    I see, thanks. It is my understanding that Peek/Splice has no issue with pinning, and only Bump does, no?

    The quantity of things getting blocked randomly would make any whitelisting insurmountable. Others seem to report no challenges with Splice.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.