@mrpushner When your site is broken, go to Squid -> Real Time -> String filter -> input the URL domain you have trouble with.
If you see things like below, we maybe on the same boat.

6dcb9934-63da-4100-b43d-88ebc366a4dc-image.png

@viberua
If you setup squid/squidguard correctly, you don't need install certificate on the clients.

I watched this video and it helped me a lot:
https://www.youtube.com/watch?v=xm_wEezrWf4

@prx the 409 error is so annoying. I have the same issue here.
I also created a new thread about it.

https://forum.netgate.com/topic/159364/squid-squidguard-none-409-and-dns-issue/1

@nathanielmorais said in pfSense 2.4.5-RELEASE-p1, squid 0.4.44_35, no fqdn on access.log with transparent proxy:

Does anyone know how to make access.log file write the FQDN or full url for https connections

Hi,

these will help, if you read and interpret them in a row:

https://forum.netgate.com/topic/96970/solved-where-to-configure-squid-log-format-please/2 http://www.squid-cache.org/Doc/config/logformat/ (Linux, but it's true): https://www.linuxquestions.org/questions/linux-software-2/log_fqdn-on-and-logformat-aren%27t-included-in-the-conf-file-4175507004/

I draw your attention to this: 😉

c7183e77-4741-417e-92da-c1a091113811-image.png

@periko fix the issue.

Kill all the process first, letter stop squid, once I double check if pfsense won't show me any process related to squid or squidGuard, pfsense let me do the update.

Regards!!!

@piba

Thanks I have managed to fix the issue, the docker container didn't have the ws listening port open.

Thankyou for your help

Here are some screenshots:

Here we can see that the number of "current conns" requests increases exponentially.
So I deduce that Haproxy is not able to distribute the requests to the servers in the backend.

text alternatif

In the backend we can see that the servers have responded individually to a maximum of 64 requests per server and 190 when adding all the servers together.
Whereas without using haproxy we get 500 requests per server per second.

text alternatif

Finally, I realized that the problem was visible before the backend. Directly in the frontend.
On the screenshot you can see that the frontend transfers a maximum of 180 requests per second.

Maybe the web servers receive a defined number of requests and therefore can't respond to more requests than previously received from the frontend.

text alternatif

The data in the screenshots come from a test corresponding to 2000 https requests in 10 seconds.
That is 200 requests per second.

@daddygo said in Squid Error Access HTTP Website:

@peter_apiit said in Squid Error Access HTTP Website:

I have configured squid in transparent proxy but could not load any webpage.

Hello,

What do you use a transparent proxy for? (proxy in SOHO?)
This is always the question.

glassdoor uses http to https redirection, ergo an http based proxy is not relevant here

Squid and the like, weird animals since we love https...
a serious and workable configuration will be painful,..... can be 😉

I would pay attention to these in your place:

SSL MITM

41960390-e636-4674-8d75-35aec40a2503-image.png

the ICAP error is a warning anyway, maybe a configuration error?
so give me more handrails 😉

Thanks for your prompt reply. After added acl network list, it working successfully. Thread closed.

@tomschlick No problem! I was having trouble finding examples of this in any of the documentation myself, its not entirely obvious that you can simply specify more than one ACL in the Haproxy action table. So I myself was trying to figure this out and luckily somebody answered my question on HAProxy forums.

I will add to this that if you reference a pfsense alias that you have to restart the haproxy service if you add any additional entries to the alias, at least this seems to be the behavior I was noticing.

@falassion said in Squidguard stop Squid Proxyserver:

I’m trying to set up proxy for cache web pages and for the antivirus tool.

I understand, thanks for the info about you

we also run it in several copies (Squid)... (250 - infinity)

but they are only used to cache internal intranets (http) and such things..

the proxy assumes a serious configuration, as MITM and HTTPS are exist

http virus filtering is almost negligible as there are few such requests these days, so installing a single proxy due to CLAM AV is unnecessary and not worth it...

and endpoint protection is the primary device...

so what can I do for you, I need a more serious description of what you want to achieve?

Hi,

Just to update... We have changed our ethernet cable and I have tick the "disable Gateway action".

We didn't have any issue since we did that :-)

It will be interesting to confirm who is the culprit by uncheck the tick (disable gateway action), I will see if I do...

Thanks !

@viberua

Right. I did some reading on what Splice is capable of and it does seem Splice can see the domain name (not the full URL), but only after the tunnel is closed. It is then logged, rather than Bump which actually looks at the whole URL and replaces the certificate. But, this has its own set of problems for mobile devices.

Anyone? Please help me pfsense guru? Should I try to delete their browser cache, cookies and history?

We did a hangout on it:
https://youtu.be/FJSHMyrd29E

There is some relayd stuff there too but it's mostly about setting up HAProxy.

Steve

@briang70
Yep, have same issue. I've solved this with disable MITM mode before, but today i tried clear cache and is helped.

Dec 4 05:00:10 kernel pid 85818 (squid), jid 0, uid 100: exited on signal 6 Dec 4 05:00:11 kernel pid 86437 (squid), jid 0, uid 100: exited on signal 6 Dec 4 05:00:13 kernel pid 96986 (squid), jid 0, uid 100: exited on signal 6 Dec 4 05:00:15 kernel pid 654 (squid), jid 0, uid 100: exited on signal 6 Dec 4 05:00:16 kernel pid 3896 (squid), jid 0, uid 100: exited on signal 6 Dec 4 05:00:18 kernel pid 7281 (squid), jid 0, uid 100: exited on signal 6 Dec 4 05:01:05 Squid_Alarm 81770 Squid has exited. Reconfiguring filter. Dec 4 05:01:05 Squid_Alarm 82248 Attempting restart... Dec 4 05:01:08 Squid_Alarm 90439 Reconfiguring filter... Dec 4 05:01:08 check_reload_status Reloading filter Dec 4 05:01:10 php-fpm 44241 /rc.filter_configure_sync: [squid] Installed but not started. Not installing 'nat' rules. Dec 4 05:01:10 php-fpm 44241 /rc.filter_configure_sync: [squid] Installed but not started. Not installing 'pfearly' rules. Dec 4 05:01:10 php-fpm 44241 /rc.filter_configure_sync: [squid] Installed but not started. Not installing 'filter' rules.

in this thread we talking about it, and waiting for resolving
https://forum.netgate.com/topic/153933/solved-squid-0-4-44_25-assertion-failed-http-cc-1533-comm-monitorsread-serverconnection-fd
In PfSense redmine is created task https://redmine.pfsense.org/issues/10608
Need to wait for new ported squid version for PfSense. In FreeBSD this issue already patched.

Fresh news.
When MITM enabled in Splice all mode - Chrome Remote Desktop is connecting.
Even with removed ip 74.125.247.128 from ACL whitelist.
Will try to compare config with this two modes and add this ip to exclusion list.