• HAProxy on pfSense anomaly

    15
    0 Votes
    15 Posts
    2k Views
    NightlySharkN
    @lavenetz Only one MiaB, so, Standard, I think.
  • 23.01 and very noticeable proxy speed increase

    Moved
    3
    1 Votes
    3 Posts
    994 Views
    JonathanLeeJ
    @annwenn installed 23.01 version software.
  • Squid ClamAV showing bytecode errors for version 334

    2
    0 Votes
    2 Posts
    1k Views
    JonathanLeeJ
    @jonathanlee As of 2-24-23 this has been resolved with . . . "Empty script bytecode-334.cdiff, need to download entire database"
        Clamd successfully notified about the update.
        bytecode.cvd updated (version: 334, sigs: 91, f-level: 90, builder: anvilleg)
        Database test passed.
        Testing database: '/var/db/clamav//tmp.a3a9145360/clamav-e149ec24c4c3dccbcffc8540df3d4b2a.tmp-bytecode.cvd' ...
        Empty script bytecode-334.cdiff, need to download entire database
        bytecode database available for update (local version: 333, remote version: 334)
        main.cvd database is up-to-date (version: 62, sigs: 6647427, f-level: 90, builder: sigmgr)
        daily.cld database is up-to-date (version: 26821, sigs: 2021707, f-level: 90, builder: raynman)
        ClamAV update process started at Thu Feb 23 16:57:00 2023
    [image: 1677260283657-screenshot-2023-02-24-at-5.54.34-am-resized.png]
  • Squid MITM Problem

    2
    0 Votes
    2 Posts
    1k Views
    JonathanLeeJ
    @dochy Nice config. [image: 1677132868828-screenshot-2023-02-22-at-10.13.55-pm-resized.png] This is mine. I set specific devices to splice as source, and I have a regex list saved in /usr/local/pkg/url.nobump. After I peek at step1, I splice the source addresses like the game system and tablets, then I splice the URLs I have marked as trusted like banks, and I bump everything else. [image: 1677133017199-screenshot-2023-02-22-at-10.16.42-pm-resized.png] This is my custom file. I have items that won't work correctly with bump, like antivirus, some updates, iTunes etc. The main sites I want bumped are sites I do not normally go to, random sites; this way it still stops viruses with HTTPS being checked. [image: 1677133112868-screenshot-2023-02-22-at-10.18.19-pm-resized.png] I hope that helps, as it seems like you have some 409 errors. Look up the server errors: "The HTTP 409 status code (Conflict) indicates that the request could not be processed because of conflict in the request". These sites I would look into splicing if you need them. Teams is one I splice; it's so slow without it.
  • 0 Votes
    4 Posts
    1k Views
    A
    @bluegrass-168 use https://github.com/mmd123/squid-cache-dynamic_refresh-list for refresh_pattern (note you can always submit pull requests to improve the list).
    "Actually, I want to cache every thing as I can."
    In order to cache HTTPS you need to use SSL Man In the Middle Filtering. However, you do not want to MITM everything, as it breaks way too many things. So use Custom Options (SSL/MITM), then add something like this:
        acl step1 at_step SslBump1
        acl monitoredSites ssl::server_name "/home/bumpsites.txt"
        ssl_bump bump monitoredSites
        ssl_bump peek step1
        ssl_bump splice all
    and at the file location /home/bumpsites.txt add your list of sites you want to decrypt to cache. Here is a list that I made (NOTE: I have not tested all domains, so if some have issues remove them, e.g. things like ubisoft.com): bumpsites.txt. What I did was I went to winget https://github.com/microsoft/winget-pkgs and got a list of the download domains. This should also cache Steam and Epic Games. Good luck
  • I'd like to combine different ACLs and order them in HAProxy

    3
    0 Votes
    3 Posts
    906 Views
    W
    Awesome! Thank you!
  • Our clamd service stops working

    clamd
    5
    0 Votes
    5 Posts
    1k Views
    JonathanLeeJ
    @jlee_eye [image: 1676521116451-d05bcb5c-2383-47af-a0b5-534b06632500-image.png] Have you tried to play around with the custom options and get one that works well yet? This was the one that consumes less memory and works better for me.
  • Squid Proxy Error

    2
    0 Votes
    2 Posts
    761 Views
    bluegrass-168B
    @kenj05 What browser are you using? I followed this video for my 2.6.0 pfSense and it works. https://www.youtube.com/watch?v=DTD5lYPjLns&list=LL&index=1 So is the SSL inspection function.
  • How do I disable HAProxy from the shell?

    2
    0 Votes
    2 Posts
    1k Views
    V
    @boatsman No idea. But why don't you simply restore a config backup? It's 15 in the console menu.
  • Transparent Squid via Splice = Intermittent SSL Connectivity Failures

    3
    0 Votes
    3 Posts
    927 Views
    T
    @michmoor said in Transparent Squid via Splice = Intermittent SSL Connectivity Failures:
        @the_boss you will need to whitelist the domain. It’s possible there is certificate pinning going on.
    I see, thanks. It is my understanding that Peek/Splice has no issue with pinning, and only Bump does, no? The quantity of things getting blocked randomly would make any whitelisting insurmountable. Others seem to report no challenges with Splice.
  • Remove HAProxy and Configuration

    2
    0 Votes
    2 Posts
    1k Views
    V
    @s3v3nd34dly51ns When you forward the traffic, it cannot reach HAProxy anymore, no matter if it is installed and running or not. Port forwarding happens at the first level on the incoming packets. So HAProxy or even its settings might not be responsible for your issue at all. If you're in doubt, you can sniff the traffic on the inside interface. So there will be another reason for that. Best to investigate with packet capture to see what's going on.
  • AFTER PFSENSE UPDATE TO 22.05 SQUID WILL NOT RESTART

    7
    0 Votes
    7 Posts
    2k Views
    A
    @myster_fr Thank you, just ran into this issue and I confirm, it works.
  • 1 Votes
    5 Posts
    2k Views
    JonathanLeeJ
    @jonathanlee [image: 1676082797244-screenshot-2023-02-10-at-6.32.55-pm-resized.png] I adapted this for testing and set it to stare all because of this statement on their website, "The following configuration obtains SNI by parsing TLS Client Hello (due to a matching peek rule at step1) and then either splices bank connections OR stares at the TLS Server Hello (due to a matching stare rule) and bumps non-bank connections (due to the default bump-after-stare rule)." It has a default bump after stare rule, so bump step 3 is not needed I am thinking. This also seemed to speed up everything. Ref: https://wiki.squid-cache.org/Features/SslPeekAndSplice
  • Outdated options in squid.conf

    1
    0 Votes
    1 Posts
    405 Views
    No one has replied
  • HAProxy not rendering SSL traffic properly

    8
    0 Votes
    8 Posts
    1k Views
    B
    @viragomann I tried looking into absolute path but then why did it work when it was published with TMG? Nothing changed in the backend.
  • Squid Proxy seeing Urbanairship.com??

    1
    0 Votes
    1 Posts
    824 Views
    No one has replied
  • Our clamd service stops working

    clamd
    1
    0 Votes
    1 Posts
    425 Views
    No one has replied
  • Synology Surveillance Station cannot be accessed when behind HAProxy

    4
    0 Votes
    4 Posts
    2k Views
    A
    @cyrus104 I was able to make this work by adding the following custom ACL: [image: 1675623608382-2m3tjblqot.png]
  • Unable to access Outlook behind Squid Proxy

    3
    0 Votes
    3 Posts
    877 Views
    Y
    @michmoor Thank you for your reply. The Squid logs don't show any activity concerning the Outlook application, only web traffic through the browser. When I try to reach our webmail it fails with tcp:denied. I added 993, 465 and 2096 (webmail port) to the list of safe ports. Now the webmail works but not Outlook. As I have stated, the end users need to be routed through the 172.26.2.1 router because of our provider, but the network doesn't have internet connection. The sole purpose of installing pfSense was to implement the proxy so the end users can use the internet (with exceptions added to the proxy); it's not really acting as a router.
  • Automatic updates for squidguard blacklist

    Moved
    6
    1 Votes
    6 Posts
    4k Views
    JonathanLeeJ
    @dbmandrake [image: 1675445648251-799ecc95-da12-4329-8986-86e3b8bbb51d-image.png] [image: 1675445525877-61216ded-5a50-4492-b951-3825dfab0c9d-image.png] Thanks for the info, it's working great. 9:29 AM test ran automatically.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.