• Squid LDAP Auth in transparent mode

    1
    0 Votes
    1 Posts
    299 Views
    No one has replied
  • Haproxy service doesn't start

    2
    0 Votes
    2 Posts
    1k Views
    P

    Edit: The last couple of days I have tried to gather some information on why the service won't start. Unfortunately there is not much information that can help me for specific installations on FreeBSD. But I have tried the following commands, with the output I get. I don't know if someone can see why it fails.

    /usr/local/etc/rc.d/haproxy start:
    WARNING: failed precmd routine for haproxy
    /usr/local/etc/rc.d/haproxy enable:
    haproxy enabled in /etc/rc.conf
    /usr/local/etc/rc.d/haproxy status:
    haproxy is not running.
    /usr/local/etc/rc.d/haproxy configtest:
    Configuration file has no error but will not start (no listener) => exit(2).
    haproxy -f /usr/local/etc/haproxy.conf -p /var/run/haproxy.pid:
    [ALERT] 070/102644 (18074) : [haproxy.main()] No enabled listener found (check for 'bind' directives) ! Exiting.

    Also, what I've done so far:

    Set the protocol for the webConfigurator to https
    Changed the TCP port to something other than 443
    Turned on the Disable webConfigurator redirect rule

    Some other information that might be important:

    When I click on the (I don't know what else to call it) play button, the gear will load for a few seconds, then reload and then silently fail. Because the Haproxy service isn't enabled, I can't save the change made in the settings of Enable HAProxy.

    If anyone has an idea of what might be happening, please let me know because I'm out of ideas.

  • Squid Proxy and antivirus update questions

    6
    0 Votes
    6 Posts
    978 Views
    DaddyGoD

    @jonathanlee said in Squid Proxy and antivirus update questions:

    Could I not hand the firewall SSL certificate to the ClamAV antivirus software that is installed on the firewall's proxy?

    ClamAV uses this when investigating "c-icap" since this is http proxy, https is not an option...

    By the way, many people fall in love with this option Squid - ClamAV, but I'll tell you that AV stuff running on firewalls doesn't make sense... 😉

    In this very dangerous IT world, host AV is the only solution, as it scans the traffic within the network, often the devil is not coming from the internet, but from the neighbour's machine with a pendrive, etc.

    +++edit:

    *"c-icap is an implementation of an ICAP server. It can be used with HTTP proxies that support the ICAP protocol to implement content adaptation and filtering services.

    Most of the commercial HTTP proxies must support the ICAP protocol. The open source Squid 3.x proxy server supports it."* - from http://c-icap.sourceforge.net/

  • haproxy http_to_https warning

    Moved
    3
    1 Votes
    3 Posts
    2k Views
    B

    I was able to solve this by following the HAProxy documentation regarding HTTP to HTTPS redirect.

    Adding unless { ssl_fc } to my ACL action on the front end got rid of the error.

    Now it looks like : scheme https unless { ssl_fc }


  • 0 Votes
    6 Posts
    996 Views
    SipriusPTS

    After several tests, enabling CARP Status VIP on squid of primary node, it changes on secondary node.

    But if I disable primary CARP temporarily (or even disconnect the cable of that interface), and the secondary node changes to master, there are no changes on squid and squidguard services in both nodes. In other words, it doesn't change anything.

    If I leave CARP Status VIP disabled, all services work in both sides. When I set to none on CARP Status VIP, those services on secondary node, come back to life.

    Is there any impact on both enduser and backoffice sides, on leaving CARP Status VIP disabled on a high availability system?

  • HAProxy shared front end error files

    1
    0 Votes
    1 Posts
    229 Views
    No one has replied
  • HAProxy in front of qBittorrent

    1
    0 Votes
    1 Posts
    536 Views
    No one has replied
  • How to Configure Pfsense HAProxy HTTP HealthCheck Failover

    2
    0 Votes
    2 Posts
    2k Views
    A

    @anandpeculiar this can be done under Advanced Settings--> Backend Pass thru using the expect string,

    http-check expect string XS01

  • Editing haproxy.cfg

    2
    0 Votes
    2 Posts
    540 Views
    senseivitaS

    I made it work with regex matching, though, I'd still like to edit the file--the HAProxy docs mention regex matching hits on performance. :/

    I don't know how regex works but I hope a super simple catch all host regex "(.*)" rule plus creative rule re-ordering are easier on the cores.

  • Nextcloud and Keycloak

    1
    0 Votes
    1 Posts
    544 Views
    No one has replied
  • Instagram proxy

    10
    0 Votes
    10 Posts
    2k Views
    R

    yes i had this problem too and thanks to instazoomhd i fixed it

  • redirect http to https and to full URL on HAProxy

    Moved
    10
    0 Votes
    10 Posts
    10k Views
    stephenw10S

    Yeah, you wouldn't want to do that because the backend/frontend need to stay the same protocol.

    But if you want to be able to enter fqdn.com and have that redirect to www.fqdn.com/home/somepage.htm you should be able to. And doing it there prevents HAProxy accidentally overmatching.

    Steve

  • pf2ad breaks my domain controllers (lsass.exe)

    2
    0 Votes
    2 Posts
    535 Views
    J

    @joefromnowhere said in pf2ad breaks my domain controllers (lsass.exe):

    I don't know if it's important, but I have this message in squid logs : "negotiate_kerberos_auth: ERROR: krb5_read_keytab: Key table file '/etc/krb5.keytab' not found".

    Could get rid of "Key table file '/etc/krb5.keytab' not found".
    But the problem remains.

  • Squid redirecting/rewriting subdomain to subfolder

    2
    0 Votes
    2 Posts
    384 Views
    S

    Ok, I solved that:

    Redirects: sub.domain.com
    Path Regex: ^/.*$
    URL to Redirect to: https://specific.domain.com/sub%R

  • haproxy HTTP and SSH

    1
    0 Votes
    1 Posts
    561 Views
    No one has replied
  • Weird HA issue

    1
    0 Votes
    1 Posts
    340 Views
    No one has replied
  • Need help adapting HA Proxy config to pfSense package

    2
    0 Votes
    2 Posts
    733 Views
    S

    Ok for anyone who may need this in the future:

    It's as simple as pasting that config portion into the "Advanced pass through" box


    Tested and verified by writing a webserver to debug the headers.

  • Squid with clamav whitelist

    3
    0 Votes
    3 Posts
    2k Views
    S

    @orwi said in Squid with clamav whitelist:

    https://www.securiteinfo.com/services-cybersecurite/anti-spam-anti-virus/whitelisting_clamav_signatures.shtml

    Seeing the same issue. ClamAV detected the InterServer defs as a virus and so blocks the download. Added the domain to the ACLs whitelist in squid but it did not help. Anyone?

    ClamAV - freshclam Logs:

    WARNING: Can't download interserver256.hdb from http://sigs.interserver.net/interserver256.hdb
    WARNING: Download failed (56)
    WARNING: Message: Failure when receiving data from the peer

  • PfSense and traefik on TrueNAS Scale

    8
    0 Votes
    8 Posts
    4k Views
    johnpozJ

    @menethoran Not that I can see from that port forward.

    I would test say going to can you see me .org and hitting port 443 on your wan IP. While sniffing, do you see that traffic?

    Then doing the test again sniff on your lan side interface going to 9443 do you see it send on the traffic?

    Keep in mind you really need to test from outside.. Testing from something on your 192.168.2 network hitting your wan IP could be problematic, have you setup nat reflection. Where are you testing from?

    Keep in mind pfsense can not forward what it doesn't see.. I see hits on your plex wan rule, see that 40MB, but see no hits on the rule for your 9443 forward.

  • Anyone using LUA acl's with HA and PF ?

    2
    0 Votes
    2 Posts
    370 Views
    P

    I'll be happy to pay someone for advice/work on this :)

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.