@t3st That I don't know. Transparent proxy is a major pain in the ass. I prefer explicit mode.

@steve-williams said in ICAP protocol error: Not sure if this is in the right section but since updating to 2.6 I am now getting random ICAP protocol errors and Clam service stops working. The random website working can be one works and one won't a few hours later they might flip. After a quick Google Pfsense was the top result with a glitch with Squid just wondering if anyone else has been getting issues I am also encounter the same isssue. Even when I access my website cubes 2048, it announces that it can't be reached. I wonder whether this issue can be solved.

@hugoeyng I know in Java It would be something like this photo. Again it needs the C programming version of it so you can read the specific error. This photo I have a array that is out of bounds when it prints that element, notice the error is caught. You can do more than print the error you can redirect it to other code also, so if something was missing in that config it could flag it if needed would need more code. [image: 1679690802800-screenshot-2023-03-24-at-1.45.11-pm.png] [image: 1679690969353-screenshot-2023-03-24-at-1.49.18-pm-resized.png]

@viragomann so what utility does he use for this?

@ryan0413 Did you try re-installing the package?

That would likely need to be a feature request.

@bavcon22 There is no access from the internet to your router possible if it's behind CG-NAT. So no idea how HAproxy should help here.

@nopanic Hello all I have to come back cause the traffic goes only from LAN to OPT. From WAN site I dont get a connection. Courious: When I do tcp tranparent entries and wnat back to nat-forwarding I have to reboot the machine, so forwarding work again. I have to delete the entries and reboot. Disabling is not enough. Can someone help? Tia Stefan

@jonathanlee said in Squidguard Websitegeometry dash lite: Hello fellow Netgate community can you please help? I just noticed that Squidguard.org website seems to be not working, has anyone else noticed this? You can check if the website is down for everyone or just for you by using a website monitoring tool like Down For Everyone Or Just Me (https://www.isitdownrightnow.com/). Alternatively, you can try accessing the website from a different device or network to see if the issue is specific to your connection.

@gamehoundsdev NVM im a idiot, I forgot to disable a 443 mapping on nat ..

@j-koopmann You don't need to, it's already there: [image: 1677876455772-screen_shot_2023-03-03_at_13_45_05_pm-2.png] You do need to add the FreeBSD repos though, and you're likely going to lose the GUI and there's no saying what going to happen during config changes if you don't remove pfSense's version of HAProxy first because it gets it's config from /cf/conf/config.xml which is updated every time you make a change, the reverse is true as well, if you edit that file the changes are reflected immediately on pfSense, it's pretty cool to test live…if you have snapshots or an editor with undo capabilities. In /usr/local/etc/pkg/repos/, edit FreeBSD.confand pfSense.conf, change no to yes and that's it. You'll know what I'm talking about when you open the files. If you decide to do it: edit /usr/local/etc/pkg/repos/FreeBSD.conf, press ⎋⏎⏎ when you're done. Repeat with the other file. or: vi /usr/local/etc/pkg/repos/FreeBSD.conf, press i to switch to insert mode don't try deleting forward or beyond the end/beginning of the line, it's very easy to switch out of insert mode (which should be shown the whole time in the bottom of the window/screen) at which moment the keys on the keyboard can do the most random/destructive things. Press ⎋ to get back into viewing mode and ZZ to save and quit. Repeat with the other file. Really long sidenote - Do you really want to support QUIC though? Right now you can't control it effectively because it's encrypted and it can be used as a conduit for DoH which is a very effective way of bypassing pfBlockerNG, Unbound and your ruleset protections. Support is not there yet on major forward proxies, it requires more resources on both servers and clients, being based on UDP, it has the same issues UDP has, the advantages I don't even remember what they were but they are minimal compared to http/2 over its predecessor. It sets a pathway for a dark future where you'll just have to MITM everything, manufacturers already refuse to let users/admin install custom certs and I'm sure they'll show even more onerous warnings and make it really difficult if they're forced, making people angry which in turn will blame IT. In the case of home users, "IT" is the guys/girl that knows stuff and gets berated over a Roku not being able to connect over all the ports and protocols it arbitrarily wants.

@ahole4sure no, it is not required if you're using SSL Offloading option on Haproxy frontend. In this case it is better to use http for backend (or issue some internal ssl cert on pfsense for your synology)

@jonathan-young You can do something like this to insert the /test directory: In the backend add an ACL: name: notest path starts with "Not" checked value: /test/ action: http-request set-path fmt: /test/%[path] acl: notest

@safe Good luck!

I have solved my problem. The issue was that the backend server was only capable of HTTP/1.0. I must have missed this when checking the output. The curl outputs above is against the the HAproxy, and not the backend, and will return the protocol set in frontend, no matter what the backend use. So if anyone else has the same issue, make sure that your backend is using HTTP/1.1 or later. Anyway I don't know why HAproxy is not able to gzip the output from an HTTP/1.0 backend. Nginx has no problems with this. The solution is to have the Nginx proxy in between the application and HAproxy. Thanks.

@lavenetz Only one MiaB, so, Standard, I think.