• HaProxy Internal server error main site

    haproxy reverse proxy pfsense+ domain ssl
    @gamehoundsdev NVM, I'm an idiot, I forgot to disable a 443 mapping on NAT.
  • HAProxy QUIC support

    @j-koopmann You don't need to, it's already there: [screenshot] You do need to add the FreeBSD repos though, and you're likely going to lose the GUI, and there's no saying what's going to happen during config changes if you don't remove pfSense's version of HAProxy first, because it gets its config from /cf/conf/config.xml, which is updated every time you make a change. The reverse is true as well: if you edit that file the changes are reflected immediately on pfSense. It's pretty cool to test live…if you have snapshots or an editor with undo capabilities.

    In /usr/local/etc/pkg/repos/, edit FreeBSD.conf and pfSense.conf, change no to yes and that's it. You'll know what I'm talking about when you open the files. If you decide to do it: edit /usr/local/etc/pkg/repos/FreeBSD.conf, press ⎋⏎⏎ when you're done. Repeat with the other file. Or: vi /usr/local/etc/pkg/repos/FreeBSD.conf, press i to switch to insert mode; don't try deleting forward or beyond the end/beginning of the line, it's very easy to switch out of insert mode (which should be shown the whole time at the bottom of the window/screen), at which moment the keys on the keyboard can do the most random/destructive things. Press ⎋ to get back into viewing mode and ZZ to save and quit. Repeat with the other file.

    Really long sidenote - Do you really want to support QUIC though? Right now you can't control it effectively because it's encrypted, and it can be used as a conduit for DoH, which is a very effective way of bypassing pfBlockerNG, Unbound and your ruleset protections. Support is not there yet on major forward proxies, it requires more resources on both servers and clients, and being based on UDP it has the same issues UDP has. The advantages, I don't even remember what they were, but they are minimal compared to http/2 over its predecessor.
    It sets a pathway for a dark future where you'll just have to MITM everything. Manufacturers already refuse to let users/admins install custom certs, and I'm sure they'll show even more onerous warnings and make it really difficult if they're forced, making people angry, who in turn will blame IT. In the case of home users, "IT" is the guy/girl that knows stuff and gets berated over a Roku not being able to connect over all the ports and protocols it arbitrarily wants.
  • Using SSL offloading to access Services

    ssl haproxy nas
    @ahole4sure No, it is not required if you're using the SSL Offloading option on the HAProxy frontend. In this case it is better to use HTTP for the backend (or issue some internal SSL cert on pfSense for your Synology).
  • How to make HAProxy path use backend (including links/scripts)?

    haproxy
    @jonathan-young You can do something like this to insert the /test directory. In the backend add an ACL:
    name: notest
    path starts with
    "Not" checked
    value: /test/
    action: http-request set-path
    fmt: /test/%[path]
    acl: notest
  • ClamAV CVE-2023-20032 and CVE-2023-20052 - Update for Squid?

  •
    @safe Good luck!
  • gzip compression in HAProxy

    I have solved my problem. The issue was that the backend server was only capable of HTTP/1.0. I must have missed this when checking the output. The curl outputs above are against the HAproxy, and not the backend, and will return the protocol set in the frontend, no matter what the backend uses. So if anyone else has the same issue, make sure that your backend is using HTTP/1.1 or later. Anyway, I don't know why HAproxy is not able to gzip the output from an HTTP/1.0 backend. Nginx has no problems with this. The solution is to have the Nginx proxy in between the application and HAproxy. Thanks.
  • HAProxy on pfSense anomaly

    @lavenetz Only one MiaB, so, Standard, I think.
  • 23.01 and very noticeable proxy speed increase

    @annwenn installed 23.01 version software.
  • Squid ClamAV showing bytecode errors for version 334

    @jonathanlee As of 2-24-23 this has been resolved with . . . "Empty script bytecode-334.cdiff, need to download entire database"
    Clamd successfully notified about the update.
    bytecode.cvd updated (version: 334, sigs: 91, f-level: 90, builder: anvilleg)
    Database test passed.
    Testing database: '/var/db/clamav//tmp.a3a9145360/clamav-e149ec24c4c3dccbcffc8540df3d4b2a.tmp-bytecode.cvd' ...
    Empty script bytecode-334.cdiff, need to download entire database
    bytecode database available for update (local version: 333, remote version: 334)
    main.cvd database is up-to-date (version: 62, sigs: 6647427, f-level: 90, builder: sigmgr)
    daily.cld database is up-to-date (version: 26821, sigs: 2021707, f-level: 90, builder: raynman)
    ClamAV update process started at Thu Feb 23 16:57:00 2023
    [screenshot]
  • Squid MITM Problem

    @dochy Nice config. [screenshot] This is mine. I set specific devices to splice as source, and I have a regex list saved in /usr/local/pkg/url.nobump. After I peek at step1, I splice the source addresses like the game system and tablets, then I splice the URLs I have marked as trusted like banks, and I bump everything else. [screenshot] This is my custom file; I have items that won't work correctly with bump, like antivirus, some updates, iTunes etc. The main sites I want bumped are sites I do not normally go to, random sites; this way it still stops viruses, with HTTPS being checked. [screenshot] I hope that helps. It seems like you have some 409 errors; look up the server errors: "The HTTP 409 status code (Conflict) indicates that the request could not be processed because of conflict in the request". These sites I would look into splicing if you need them. Teams is one I splice, it's so slow without it.
  •
    @bluegrass-168 Use https://github.com/mmd123/squid-cache-dynamic_refresh-list for refresh_pattern (note you can always submit pull requests to improve the list). "Actually, I want to cache every thing as I can." In order to cache HTTPS you need to use SSL Man In the Middle Filtering. However, you do not want to MITM everything as it breaks way too many things. So use Custom Options (SSL/MITM), then add something like this:
    acl step1 at_step SslBump1
    acl monitoredSites ssl::server_name "/home/bumpsites.txt"
    ssl_bump bump monitoredSites
    ssl_bump peek step1
    ssl_bump splice all
    and at the file location /home/bumpsites.txt add your list of sites you want to decrypt to cache. Here is a list that I made (NOTE: I have not tested all domains, so if some have issues remove them, e.g. things like ubisoft.com): [attachment: bumpsites.txt] What I did was go to winget https://github.com/microsoft/winget-pkgs and get a list of the download domains. This should also cache Steam and Epic Games. Good luck
  • I'd like to combine different ACLs and order them in HAProxy

    Awesome! Thank you!
  • Our clamd service stops working

    clamd
    @jlee_eye [screenshot] Have you tried to play around with the custom options and found one that works well yet? This was the one that consumes less memory and works better for me.
  • Squid Proxy Error

    @kenj05 What browser are you using? I followed this video for my 2.6.0 pfSense and it works: https://www.youtube.com/watch?v=DTD5lYPjLns&list=LL&index=1 So does the SSL inspection function.
  • How do I disable HAProxy from the shell?

    @boatsman No idea. But why don't you simply restore a config backup? It's 15 in the console menu.
  • Transparent Squid via Splice = Intermittent SSL Connectivity Failures

    @michmoor said in Transparent Squid via Splice = Intermittent SSL Connectivity Failures:
    "@the_boss you will need to whitelist the domain. It's possible there is certificate pinning going on."
    I see, thanks. It is my understanding that Peek/Splice has no issue with pinning, and only Bump does, no? The quantity of things getting blocked randomly would make any whitelisting insurmountable. Others seem to report no challenges with Splice.
  • Remove HAProxy and Configuration

    @s3v3nd34dly51ns When you forward the traffic, it cannot reach HAproxy anymore, no matter whether it is installed and running or not. Port forwarding happens at the first level on the incoming packets. So HAproxy, or even its settings, might not be responsible for your issue at all. If you're in doubt, you can sniff the traffic on the inside interface. So there will be another reason for that. Best to investigate with a packet capture to see what's going on.
  • AFTER PFSENSE UPDATE TO 22.05 SQUID WILL NOT RESTART

    @myster_fr Thank you, I just ran into this issue and I confirm, it works.
  •
    @jonathanlee [screenshot] I adapted this for testing and set it to stare all because of this statement on their website: "The following configuration obtains SNI by parsing TLS Client Hello (due to a matching peek rule at step1) and then either splices bank connections OR stares at the TLS Server Hello (due to a matching stare rule) and bumps non-bank connections (due to the default bump-after-stare rule)." It has a default bump-after-stare rule, so bump step 3 is not needed, I am thinking. This also seemed to speed up everything. Ref: https://wiki.squid-cache.org/Features/SslPeekAndSplice
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.