@gertjan Error squidclamav_check_preview_handler: Wed Nov 30 15:56:36 2022, 92197/1098002432, ERROR clientip is null, you must set 'icap_send_client_ip on' into squid.conf [image: 1669852992693-screenshot-2022-11-30-at-4.02.08-pm.png] It goes on and on... I have also just added adaptation_send_client_ip {$icap_send_client_ip} to line 234 of [image: 1669853016667-screenshot-2022-11-30-at-3.32.23-pm-resized.png] ref https://forum.netgate.com/topic/129331/adaptation_send_client_ip-vs-icap_send_client_ip?_=1669853066007 It seems to already be enabled also, any ideas? [image: 1669853231717-screenshot-2022-11-30-at-4.06.21-pm.png] Keep in mind it all worked until a week or so ago, not it will not even see the test virus anymore

@tyoungls adaptation_send_client_ip {$icap_send_client_ip} are you sure it is not line 234? [image: 1669851180192-screenshot-2022-11-30-at-3.32.23-pm-resized.png]

@bmeeks Thanks for the reply! Understood!

@cesd I answer because noone did till now. To create shared frontend, just create your 1st, then on 2nd, it will show you the warning msg and the second website will not work error 50x. a tthis point go to the first frontend, edit it and select, shared frontend, on dropdown menù, choose the 2nd frontend. thats'it

@llinty If your forwarding on your hypervisor - that is where you would have to put in the nat reflection its that simple.. Not sure how you expect the haproxy to proxy traffic it is never seeing.. Put in a host override in pfsense so you client resolves the fqdn to whatever pfsense actual wan IP is where the haproxy is listening.

@jimp Perfect, thanks for the explaination :)

@braunerroei Then your frontend config looks like this? [image: 1667605762622-196c1e01-1e74-49f5-87c8-4d22eb7bf590-image.png] That's the SSL Offloading I was talking about. If you don't check that box, then pfSense won't negotiate SSL. I was worried that you might be processing unencrypted. In any event, I resolved my 503 problems. I'm not using the default port 443 for this new connection. Therefore, the value of the "Host Matches" ACL entry needed to be my.host.com:6407. I had used my.host.com with no port. I had assumed that HAProxy would tack the port number on to the value because the port number is specified in the external address table. I see now it can't do that. The External Address table may contain multiple entries. It follows that the ACL match routine has no way to know your intentions unless you specify the port number in the ACL. Thanks for the help. Your answers got me questioning my own configuration which turned out to be in error.

Here's what worked for me. I did have to add the lua script to files, however, see my screen shot for the CORS settings. Once I read the lua documentation I was able to add what I needed to get my CORS data to work properly. [image: 1667359059584-screenshot-2022-11-01-at-23-13-27-thewall.jrfam.net-services-haproxy-frontend-edit.png] Not that I did remove my domain for privacy. It's .mydomain.com. I used the . to include all subdomains.

@creationguy Any further ideas?

Answering my own question... I had forgotten that the URL was originally configured in Squid Guard -> General Settings -> Blacklist options at the bottom of the page. Saving the new value here makes it permanent. I'm not really sure why there is the option to enter a different URL in the Blacklist update page - that seems like a confusing UI design decision.