• redirect http to https and to full URL on HAProxy

    Moved haproxy pfsense
    10
    0 Votes
    10 Posts
    10k Views
    stephenw10S
    Yeah, you wouldn't want to do that because the backend/frontend need to stay the same protocol. But if you want to be able to enter fqdn.com and have that redirect to www.fqdn.com/home/somepage.htm you should be able to. And doing it there prevents HAProxy accidentally overmatching. Steve
  • pf2ad breaks my domain controllers (lsass.exe)

    2
    0 Votes
    2 Posts
    564 Views
    J
    @joefromnowhere said in pf2ad breaks my domain controllers (lsass.exe): I don't know if it's important, but I have this message in squid logs : "negotiate_kerberos_auth: ERROR: krb5_read_keytab: Key table file '/etc/krb5.keytab' not found". Could get rid of "Key table file '/etc/krb5.keytab' not found". But the problem remains.
  • Squid redirecting/rewriting subdomain to subfolder

    2
    0 Votes
    2 Posts
    393 Views
    S
    Ok, I solved that: Redirects: sub.domain.com Path Regex: ^/.*$ URL to Redirect to: https://specific.domain.com/sub%R
  • haproxy HTTP and SSH

    1
    0 Votes
    1 Posts
    570 Views
    No one has replied
  • Weird HA issue

    1
    0 Votes
    1 Posts
    370 Views
    No one has replied
  • Need help adapting HA Proxy config to pfSense package

    2
    0 Votes
    2 Posts
    784 Views
    S
    Ok for anyone who may need this in the future: It's as simple as pasting that config portion into the "Advanced pass through" box. Tested and verified by writing a webserver to debug the headers.
  • Squid with clamav whitelist

    3
    0 Votes
    3 Posts
    2k Views
    S
    @orwi said in Squid with clamav whitelist: https://www.securiteinfo.com/services-cybersecurite/anti-spam-anti-virus/whitelisting_clamav_signatures.shtml Seeing the same issue. ClamAV detected the InterServer defs as a virus and so blocks the download. Added the domain to the ACLs whitelist in squid but it did not help. Anyone? ClamAV - freshclam Logs: WARNING: Can't download interserver256.hdb from http://sigs.interserver.net/interserver256.hdb WARNING: Download failed (56) WARNING: Message: Failure when receiving data from the peer
  • PfSense and traefik on TrueNAS Scale

    8
    0 Votes
    8 Posts
    4k Views
    johnpozJ
    @menethoran Not that I can see from that port forward. I would test say going to can you see me .org and hitting port 443 on your wan IP. While sniffing, do you see that traffic? Then doing the test again sniff on your lan side interface going to 9443 do you see it send on the traffic? Keep in mind you really need to test from outside.. Testing from something on your 192.168.2 network hitting your wan IP could be problematic, have you setup nat reflection. Where are you testing from? Keep in mind pfsense can not forward what it doesn't see.. I see hits on your plex wan rule, see that 40MB, but see no hits on the rule for your 9443 forward.
  • Anyone using LUA acl's with HA and PF ?

    2
    0 Votes
    2 Posts
    408 Views
    P
    I'll be happy to pay someone for advice/work on this :)
  • Docker behind pfsense: haproxy, traefik, or ... ?

    7
    0 Votes
    7 Posts
    7k Views
    M
    @johnpoz yeah, I actually created my own post thinking I didn't want to hijack his. Please see here (I explain what I'm running): https://forum.netgate.com/topic/169703/pfsense-and-traefik-on-truenas-scale
  • Using Haproxy to Redirects Calls to FreePBX

    21
    0 Votes
    21 Posts
    4k Views
    NollipfSenseN
    @netblues said in Using Haproxy to Redirects Calls to FreePBX: @nollipfsense Making srtp to work properly isn't always straightforward. But it's certainly worth investigating. Are you hosting anything? Any open ports to the Internet? Why do you need a dmz in a home office scenario? Well, my setup has two firewalls: pfSense as edge and Mikrotik as LAN guard. I had tried using FreePBX that way and that was too much limitation. Then, I saw Jimp's video (Netgate hangout) on DMZ: https://www.youtube.com/watch?v=QFk5jX-oeSo That convinced me that was the way to go and had started using FreePBX with the same Lenovo but with a Mac Mini running pfSense. I used Twilio for a short while but had problems with inbound calls. Then I had to abandon the project for a year. No, I am not hosting anything internally so no ports open. I have been using Namecheap for domain hosting for six years now, and I stay with them only because I have a kick ass Cpanel suite. Voip.ms responded today saying there should not be a problem using HAproxy and sent links to their document wiki. Of course, support would say that to get me to commit to using their service; so, I am taking it with a grain of salt. Most of the time one isn't dealing with a real knowledgeable support person; so who knows, I am certainly trying. Inbound calls are usually the troublesome part. I am checking this Jimp's firewall best practice for VOIP video (Netgate hangout) as final refresher preparation: https://www.youtube.com/watch?v=C0JgrzxXIBY
  • Haproxy -- File is getting truncated on download -- intermittent

    2
    0 Votes
    2 Posts
    499 Views
    G
    Got more information from the log file. Feb 4 14:38:25 fw1 haproxy[14494]: 192.168.0.1:37014 [04/Feb/2022:14:38:22.412] HTTPS_443~ Production_ipvANY/si-erp14 0/0/0/216/2799 200 3455367 - - SD-- 4/4/0/0/0 0/0 "GET https://domain.com/web/assets/334-e80f7c3/web.assets_backend.min.js HTTP/2.0" The "SD" in the connection state says the S : the TCP session was unexpectedly aborted by the server, or the server explicitly refused it. D : the session was in the DATA phase. In the backend setting I tried to set "retries" to 3 but it didn't retry on failure. Any other thoughts?
  • Gropher:// port 70 and Squid

    1
    0 Votes
    1 Posts
    280 Views
    No one has replied
  • Download local blacklist e2guardian

    blacklist local e2guadian
    1
    0 Votes
    1 Posts
    822 Views
    No one has replied
  • HAproxy can't make any ACL rules work.

    3
    0 Votes
    3 Posts
    631 Views
    NollipfSenseN
    @snide_remarks said in HAproxy can't make any ACL rules work.: I see examples of ACL rules online and try to follow them to make something happen, but nothing works. Are you using a test pfSense VM on your network? I found it doesn't work that way since you would be binding the device you're on and not the real WAN. @snide_remarks said in HAproxy can't make any ACL rules work.: Many dropdown options for a novice to wrap his head around to be sure I agree...I have been working on mine since last week to make sure I have the concept corrected before moving to production. I'll be opening a post.
  • HAProxy redirection https without certificate

    3
    0 Votes
    3 Posts
    1k Views
    W
    @viragomann Okay, thanks a lot for your reply!
  • Questions about ICP "webcache google user content" and Squid

    3
    0 Votes
    3 Posts
    687 Views
    JonathanLeeJ
    @jonathanlee Fellow Netgate community, if anyone ever wants to talk about content accelerators or web accelerators just let me know. Reply here-->
  • Can HAproxy Backends work with self-signed certs

    22
    0 Votes
    22 Posts
    4k Views
    W
    Put ssl verify none in per server passthrough under advanced in the backend. That way a self-signed cert will be accepted. The frontend can still be encrypted with a valid (Letsencrypt) cert.
  • Squid+SquidGuard allow corporate gmail, block community gmail

    1
    0 Votes
    1 Posts
    360 Views
    No one has replied
  • 0 Votes
    12 Posts
    2k Views
    JonathanLeeJ
    @jonathanlee Playing with this setting also seemed to improve the refresh hits for windows updates. Squid's updates that are cached are considered a different pc over the standard windows url that provides updates
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.