Right so if Squidguard is blocking that traffic it will try to display an error page but that is hosted in the firewall behind that self signed cert over https.

As a test only try setting the firewall webgui to http.

If that works you need to change the Squidguard settings to either not display an error page or redirect to an externally host page over http.

Steve

@rupesh issue resolved.Found this great post @ (https://github.com/PiBa-NL/pfsense-haproxy-package-doc/wiki/pfsense_2_3_haproxy_sni_plus_offloading_backends

Note

**My Squid is not on Transparent mode because I need to authenticate users.

@derelict thanks a lot for providing insights on your setup! I'd be interested in setting up something similar and have a couple of question I was hoping you could help answer.

I made an RFC1918 VIP on localhost.

Unfortunately it's this very first point I already don't understand 😁 If my understanding of the documentation is correct then an IP Alias (VIP) is simply an additional IP address one can assign to an interface, right? If so, what is the purpose of assigning it to localhost? So that it is reachable from each of the local interfaces/networks?

HAproxy binds to that.

Why not binding it to the WAN interface/address?

I port forward WAN to that.

I guess that's necessary because the HAProxy is bound to the VIP and not the WAN address?

I have split DNS inside pointing to the inside VIP address.

What does this mean exactly? Do you have a domain override for your domain(s)? If so, what's the purpose of that? To avoid NAT reflection that you mentioned in your post above?

Outside DNS, of course, points to WAN through various Dynamic DNS trickery. I CNAME all the domains to one record that is updated via Dynamic DNS (on hurricane).

I use a wildcard certificate and have only a * CNAME and an A DNS record pointing to my WAN address (dynv6.com as dynamic DNS provider). I have the DNS-01 challenge running and the certificate is currently retrieved via a dedicted certbot instance and used on a dedicated nginx instance. However, I'd like to switch to the pfsense HAProxy/ACME setup.

It all works great. The nextcloud app on my phone does not care if it is inside or outside. It just works.

The ACME package handles all the certs. inside or outside get the same ones. Connections to the backends are unencrypted. And, like you, I grew weary of maintaining certificates on all the backends and haven't thought about it for months.

If I'm not mistaken, I could keep the traffic encrypted even in the backend with my dedicated nginx reverse proxy, right? So HAProxy would do the SSL/TLS offloading and communicate via https with my dedicated nginx reverse proxy (which in turn is proxying to the various docker containers/services I have). The HAProxy would be used also for other various hosts on the network (via host overrides), including the pfsense host itself, in order to get rid of the self-signed certificate warnings. As all the other hosts have https enabled by default, the complete traffic should be encrypted and a valid certificate should be proviced by the HAProxy. Or am I missing something here? 🤔

The only thing that might need further consideration is limiting access to the internal hosts, i.e. they should not be reachable from outside. I guess that's what the HAProxy access lists are for?

@kasalencar

below this line

@kom I'm totally open to rethinking it 😊. I was reading about what Squid does with caching and figured it would be really useful. But hey if it's not then it's not. One less thing for me to worry about. I'll look into webcrawlers and site downloaders. My connection speed is rarely an issue, but you know our connection to a site is only as fast as the site is. Even then, maybe I will just dump the entire idea. Thx for the reply!

@Michele-trotta I'm not using transparent mode, but to make WhatsApp work, I had to whitelist whatsapp.net and whatsapp.com.

@periko I do this:

Add ACL to the squidguard.conf (Diagnostics / Edit File / /usr/local/etc/squidGuard/squidGuard.conf)

src admins {
ip 192.168.2.0-192.168.2.255
ip 172.16.12.0/255.255.255.0
ip 10.5.3.1/28
}

From squid GUI I definied this IP ranges in Unrestricted IPs.

This work for me. Thanks !!!

@kom
I've configured squid as transparent/ssl proxy server with one bypass for windows updates.
SSL/MITM mode: Splice Whitelist, Bump Otherwise. (see attacment)

Squid-Config_210816.jpg

It was working ok when first installed, then for no apparent reason that I can trace, it just stopped filtering,
Should I proceed to clear squid proxy server cache?
Do you require any other config/specifics to help diagnose?

Well you could give it a shot, and see if you have any issues reported by clients..

Yeah I went through the whole security thing awhile back, there is a thread around here about it somewhere - wanted to get A+, and discovered that if you only allow for tls 1.3, that ssllabs will only give you a A vs A+ ;)

edit: here is that thread
https://forum.netgate.com/topic/162125/get-a-on-ssl-labs-test

@viktor_g

Thank you for the promp reply,
Presently I'm just running Squid - Proxy Service.
Unfortuneately, I've removed Squidguard temporarily to avoid issues with Net Users.
I normally do diagnostics/net management on Fridays, so I will reinstall/try again and send log at that time, or sooner if possible.

I don't believe you can do that since the front end needs to bind with 'verify required' for everything. See the discussion linked from that article:
https://discourse.haproxy.org/t/how-to-set-ssl-verify-client-for-specific-domain-name/1489/3

It may not be something you can do using only the gui options in the pfSense package. You might have to use the custom pass though fields. It's not something I've ever seen done.

But if you;re using different front ends I would expect to use the 'SSL Client issued by CA common name:' option.

Steve