@s3v3nd34dly51ns
When you forward the traffic, it cannot reach HAproxy anymore, no matter if it is installed and running or not.
Port forwarding happens at the first level on the incoming packets.
So HAproxy or even its settings might not be responsible for your issue at all.

If you're in doubt, you can sniff the traffic on the inside interface.
So there will be another reason for that. Best to investigate with packet capture to see, what's going on.

@myster_fr thank you, just ran into this issue and i confirm, it works.

@jonathanlee

Screenshot 2023-02-10 at 6.32.55 PM.png

I adapted this for testing and set it to stare all because of this statement on their website, "The following configuration obtains SNI by parsing TLS Client Hello (due to a matching peek rule at step1) and then either splices bank connections OR stares at the TLS Server Hello (due to a matching stare rule) and bumps non-bank connections (due to the default bump-after-stare rule)."

It has a default bump after stare rule, so bump step 3 is not needed
I am thinking. This also seemed to speed up everything.

Ref:
https://wiki.squid-cache.org/Features/SslPeekAndSplice

@viragomann I tried looking into absolute path but then why did it work when it was published with TMG? Nothing changed in the backeend.

@cyrus104

I was able to make this work by adding following custom ACL:

2M3tjblqot.png

@michmoor Thank you for your reply

The Squid logs doesn't show any activity concerning the Outlook application only web traffic through the browser. when i try to reach our webmail it fails with tcp:denied. i added 993 465 and 2096 (webmail port) to the list of safe ports. Now the webmail works but not Outlook.

As i have stated the end users needs to be routed through the 172.26.2.1 router because of our provider but the network doesn't have internet connection. The sole purpose of installing pfSense was to implement the proxy so the end users can use the internet(with exceptions added to the proxy), it's not really acting as a router.

@dbmandrake
799ecc95-da12-4329-8986-86e3b8bbb51d-image.png

61216ded-5a50-4492-b951-3825dfab0c9d-image.png

Thanks for the info, it's working great. 9:29 AM test ran automatically.

It could be likely that your work laptop creates a VPN to your business network and thus would be invisible to other devices on your home network.. That is true of mine.

That could be why other devices cannot ping it..

@dbmandrake thanks for the information on the auto update.

@dbmandrake It did not work for me unless I included the ip address of the firewall and the loopbacks in an alias, the other way it would just fail for me.

@michmoor exactly... To be honest, that is DO - in what scenario would they ever need to be inbound to you?

Block all of their ASNs

NetRange: 165.22.0.0 - 165.22.255.255 CIDR: 165.22.0.0/16 NetName: DIGITALOCEAN-165-22-0-0

pfblocker makes it easy to look up ASNs and put them into a alias and then block that completely from your services you don't want them to be able to talk to.. DO while is a big cloud provider - why would you have need of inbound traffic from them? They are not known for being to particular on how they allow their services to be used.

Thank you for this! Got my application to work. Much appreciated.