• HAProxy valid certs at host
  • HAproxy return 403 or pfsense webGUI overrides port 80
  • Error 503 squid proxy access with NAT reflection + proxy
  • If I cancel the authentication request, the web page loads correctly

    Note

    My Squid is not in transparent mode because I need to authenticate users.

  • Using HAproxy for internal web servers

    @derelict thanks a lot for providing insights on your setup! I'd be interested in setting up something similar and have a couple of questions I was hoping you could help answer.

    I made an RFC1918 VIP on localhost.

    Unfortunately it's this very first point I already don't understand 😁 If my understanding of the documentation is correct then an IP Alias (VIP) is simply an additional IP address one can assign to an interface, right? If so, what is the purpose of assigning it to localhost? So that it is reachable from each of the local interfaces/networks?

    HAproxy binds to that.

    Why not binding it to the WAN interface/address?

    I port forward WAN to that.

    I guess that's necessary because the HAProxy is bound to the VIP and not the WAN address?

    I have split DNS inside pointing to the inside VIP address.

    What does this mean exactly? Do you have a domain override for your domain(s)? If so, what's the purpose of that? To avoid NAT reflection that you mentioned in your post above?

    Outside DNS, of course, points to WAN through various Dynamic DNS trickery. I CNAME all the domains to one record that is updated via Dynamic DNS (on hurricane).

    I use a wildcard certificate and have only a * CNAME and an A DNS record pointing to my WAN address (dynv6.com as dynamic DNS provider). I have the DNS-01 challenge running and the certificate is currently retrieved via a dedicated certbot instance and used on a dedicated nginx instance. However, I'd like to switch to the pfsense HAProxy/ACME setup.

    It all works great. The nextcloud app on my phone does not care if it is inside or outside. It just works.

    The ACME package handles all the certs. Inside or outside get the same ones. Connections to the backends are unencrypted. And, like you, I grew weary of maintaining certificates on all the backends and haven't thought about it for months.

    If I'm not mistaken, I could keep the traffic encrypted even in the backend with my dedicated nginx reverse proxy, right? So HAProxy would do the SSL/TLS offloading and communicate via https with my dedicated nginx reverse proxy (which in turn is proxying to the various docker containers/services I have). The HAProxy would be used also for other various hosts on the network (via host overrides), including the pfsense host itself, in order to get rid of the self-signed certificate warnings. As all the other hosts have https enabled by default, the complete traffic should be encrypted and a valid certificate should be provided by the HAProxy. Or am I missing something here? 🤔

    The only thing that might need further consideration is limiting access to the internal hosts, i.e. they should not be reachable from outside. I guess that's what the HAProxy access lists are for?

  • Log Pages Denied by SquidGuard? (SOLVED)

    @kasalencar

    below this line

    $sge_prefix=(preg_match("/\?/",$cl['u'])?"&":"?");
  • A few squid questions

    @kom I'm totally open to rethinking it 😊. I was reading about what Squid does with caching and figured it would be really useful. But hey if it's not then it's not. One less thing for me to worry about. I'll look into webcrawlers and site downloaders. My connection speed is rarely an issue, but you know our connection to a site is only as fast as the site is. Even then, maybe I will just dump the entire idea. Thx for the reply!

  • Squid Proxy not working with WhatsApp (not transparent mode)

    @Michele-trotta I'm not using transparent mode, but to make WhatsApp work, I had to whitelist whatsapp.net and whatsapp.com.

  • Enable Squidguard only in one Computer

    @periko I do this:

    Add ACL to the squidguard.conf (Diagnostics / Edit File / /usr/local/etc/squidGuard/squidGuard.conf)

    src admins {
    ip 192.168.2.0-192.168.2.255
    ip 172.16.12.0/255.255.255.0
    ip 10.5.3.1/28
    }

    From the squid GUI I defined these IP ranges in Unrestricted IPs.

    This works for me. Thanks !!!

  • SquidGuard 1.16.18_20 Not Filtering (cont.)
  • Squidguard 1.16.18_20 squid 0.4.45_5 pfsense 2.5.2
  • SquidGuard 1.16.18_20 Not Filtering

    @kom
    I've configured squid as transparent/ssl proxy server with one bypass for windows updates.
    SSL/MITM mode: Splice Whitelist, Bump Otherwise. (see attachment)

    It was working ok when first installed, then for no apparent reason that I can trace, it just stopped filtering.
    Should I proceed to clear the squid proxy server cache?
    Do you require any other config/specifics to help diagnose?

  • Squid Reverse Proxy - SSTP VPN Quit working after update
  • Consider configuring haproxy to prefer hardware crypto?

    Well you could give it a shot, and see if you have any issues reported by clients..

    Yeah I went through the whole security thing a while back, there is a thread around here about it somewhere - wanted to get A+, and discovered that if you only allow for tls 1.3, that ssllabs will only give you an A vs A+ ;)

    edit: here is that thread
    https://forum.netgate.com/topic/162125/get-a-on-ssl-labs-test

  • SquidGuard 1.16.18_19 update is borked

    @viktor_g

    Thank you for the prompt reply,
    Presently I'm just running Squid - Proxy Service.
    Unfortunately, I've removed Squidguard temporarily to avoid issues with Net Users.
    I normally do diagnostics/net management on Fridays, so I will reinstall/try again and send log at that time, or sooner if possible.

  • Client Authentication on path with HAProxy

    I don't believe you can do that since the front end needs to bind with 'verify required' for everything. See the discussion linked from that article:
    https://discourse.haproxy.org/t/how-to-set-ssl-verify-client-for-specific-domain-name/1489/3

    It may not be something you can do using only the GUI options in the pfSense package. You might have to use the custom pass-through fields. It's not something I've ever seen done.

    But if you're using different front ends I would expect to use the 'SSL Client issued by CA common name:' option.

    Steve

  • SSL Splicing uses IP address instead of SNI
  • Problem with NTLM + pf2ad

    @lucas-borges
    remember that is left alone and click save, then you go to squidguard and configure to your LDAP config

  • HAproxy www with multiple sites?

    edit: fixed it. I had to add another access control list with www pointing to the ACL. Hope this helps someone else.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.