@palomero as I can see from your squid.conf this is not pfSense please check the squid/distr documentation

@thewismit It might be haproxy, dns by itself shouldn't cause this error.. Unless if its pointing to a wrong/different server/(caching)proxy.. If DNS is pointing to the cloudflare 'proxy', then you need to make sure that they have the proper certificate and encryption cipher options to accept the connection from the browser.. If DNS is pointing directly to the WAN ip, then it has to be haproxy that is sending the wrong allowable ciphers. Perhaps you could try with SSLlabs to see if/what ciphers are currently shown when visiting your wanip and/or domainname.? Can you share the haproxy.cfg file perhaps? (with obfuscated ip/domain names) Can you maybe share the domainname and your public ip? Or send me a PM, maybe i can see something hinky.?.

@kiokoman thanks for the reply certbot on the server ubuntu 18.04 i prefer not use the firewall to hold my SSL as i tried before and had a few issue on some platforms so my question how i can pass the HTTP request for /.well-known/acme-challenge though HA proxy so it can go to the server?

@johnpoz u sure its a duck? id start with dna profiling and disecting it

@pitou because it's still redirecting to port 5000 instead of 8310 if your backend is still Host "Matches: darkserver20.ddns.net" it will always match and be used first i suppose or there is something else wrong with the acl not matching for some reason I don't see, maybe post a new screenshot without cutting it

Nevermind this. I just found a post that I needed to do a http request set headers in the backend section. https://forum.netgate.com/topic/147131/how-do-i-set-headers

@viktor_g Hi Viktor any planed release for that? Thanks & BR Gregor

Also encountered and solved this error. To fix, set the "Max SSL Diffie-Hellman size" to be >= 1024 In version 1.8.25 it is in the third from last option group

@viragomann I was thinking about this overnight and was trying to work out which would be more secure. Already having an OpenVPN set up just need to put it on my new phone and skip the HAproxy I think. Cheers and thanks for confirming what I was already thinking. Girkers

@piba Thank you so much. It works like a charm!!

@mrpushner When your site is broken, go to Squid -> Real Time -> String filter -> input the URL domain you have trouble with. If you see things like below, we maybe on the same boat. [image: 1608765235577-6dcb9934-63da-4100-b43d-88ebc366a4dc-image.png]

@viberua If you setup squid/squidguard correctly, you don't need install certificate on the clients. I watched this video and it helped me a lot: https://www.youtube.com/watch?v=xm_wEezrWf4

@prx the 409 error is so annoying. I have the same issue here. I also created a new thread about it. https://forum.netgate.com/topic/159364/squid-squidguard-none-409-and-dns-issue/1

@nathanielmorais said in pfSense 2.4.5-RELEASE-p1, squid 0.4.44_35, no fqdn on access.log with transparent proxy: Does anyone know how to make access.log file write the FQDN or full url for https connections Hi, these will help, if you read and interpret them in a row: https://forum.netgate.com/topic/96970/solved-where-to-configure-squid-log-format-please/2 http://www.squid-cache.org/Doc/config/logformat/ (Linux, but it's true): https://www.linuxquestions.org/questions/linux-software-2/log_fqdn-on-and-logformat-aren%27t-included-in-the-conf-file-4175507004/ I draw your attention to this: [image: 1608719987904-c7183e77-4741-417e-92da-c1a091113811-image.png]

@periko fix the issue. Kill all the process first, letter stop squid, once I double check if pfsense won't show me any process related to squid or squidGuard, pfsense let me do the update. Regards!!!