@viktor_g
Hi Viktor any planed release for that?

Thanks & BR
Gregor

Also encountered and solved this error. To fix, set the "Max SSL Diffie-Hellman size" to be >= 1024

In version 1.8.25 it is in the third from last option group

@viragomann

I was thinking about this overnight and was trying to work out which would be more secure.

Already having an OpenVPN set up just need to put it on my new phone and skip the HAproxy I think.

Cheers and thanks for confirming what I was already thinking.

Girkers

@piba
Thank you so much. It works like a charm!!👍 👍 👍 👍

@mrpushner When your site is broken, go to Squid -> Real Time -> String filter -> input the URL domain you have trouble with.
If you see things like below, we maybe on the same boat.

6dcb9934-63da-4100-b43d-88ebc366a4dc-image.png

@viberua
If you setup squid/squidguard correctly, you don't need install certificate on the clients.

I watched this video and it helped me a lot:
https://www.youtube.com/watch?v=xm_wEezrWf4

@prx the 409 error is so annoying. I have the same issue here.
I also created a new thread about it.

https://forum.netgate.com/topic/159364/squid-squidguard-none-409-and-dns-issue/1

@nathanielmorais said in pfSense 2.4.5-RELEASE-p1, squid 0.4.44_35, no fqdn on access.log with transparent proxy:

Does anyone know how to make access.log file write the FQDN or full url for https connections

Hi,

these will help, if you read and interpret them in a row:

https://forum.netgate.com/topic/96970/solved-where-to-configure-squid-log-format-please/2 http://www.squid-cache.org/Doc/config/logformat/ (Linux, but it's true): https://www.linuxquestions.org/questions/linux-software-2/log_fqdn-on-and-logformat-aren%27t-included-in-the-conf-file-4175507004/

I draw your attention to this: 😉

c7183e77-4741-417e-92da-c1a091113811-image.png

@periko fix the issue.

Kill all the process first, letter stop squid, once I double check if pfsense won't show me any process related to squid or squidGuard, pfsense let me do the update.

Regards!!!

@piba

Thanks I have managed to fix the issue, the docker container didn't have the ws listening port open.

Thankyou for your help

Here are some screenshots:

Here we can see that the number of "current conns" requests increases exponentially.
So I deduce that Haproxy is not able to distribute the requests to the servers in the backend.

text alternatif

In the backend we can see that the servers have responded individually to a maximum of 64 requests per server and 190 when adding all the servers together.
Whereas without using haproxy we get 500 requests per server per second.

text alternatif

Finally, I realized that the problem was visible before the backend. Directly in the frontend.
On the screenshot you can see that the frontend transfers a maximum of 180 requests per second.

Maybe the web servers receive a defined number of requests and therefore can't respond to more requests than previously received from the frontend.

text alternatif

The data in the screenshots come from a test corresponding to 2000 https requests in 10 seconds.
That is 200 requests per second.

@daddygo said in Squid Error Access HTTP Website:

@peter_apiit said in Squid Error Access HTTP Website:

I have configured squid in transparent proxy but could not load any webpage.

Hello,

What do you use a transparent proxy for? (proxy in SOHO?)
This is always the question.

glassdoor uses http to https redirection, ergo an http based proxy is not relevant here

Squid and the like, weird animals since we love https...
a serious and workable configuration will be painful,..... can be 😉

I would pay attention to these in your place:

SSL MITM

41960390-e636-4674-8d75-35aec40a2503-image.png

the ICAP error is a warning anyway, maybe a configuration error?
so give me more handrails 😉

Thanks for your prompt reply. After added acl network list, it working successfully. Thread closed.

@tomschlick No problem! I was having trouble finding examples of this in any of the documentation myself, its not entirely obvious that you can simply specify more than one ACL in the Haproxy action table. So I myself was trying to figure this out and luckily somebody answered my question on HAProxy forums.

I will add to this that if you reference a pfsense alias that you have to restart the haproxy service if you add any additional entries to the alias, at least this seems to be the behavior I was noticing.

@falassion said in Squidguard stop Squid Proxyserver:

I’m trying to set up proxy for cache web pages and for the antivirus tool.

I understand, thanks for the info about you

we also run it in several copies (Squid)... (250 - infinity)

but they are only used to cache internal intranets (http) and such things..

the proxy assumes a serious configuration, as MITM and HTTPS are exist

http virus filtering is almost negligible as there are few such requests these days, so installing a single proxy due to CLAM AV is unnecessary and not worth it...

and endpoint protection is the primary device...

so what can I do for you, I need a more serious description of what you want to achieve?

Hi,

Just to update... We have changed our ethernet cable and I have tick the "disable Gateway action".

We didn't have any issue since we did that :-)

It will be interesting to confirm who is the culprit by uncheck the tick (disable gateway action), I will see if I do...

Thanks !

@viberua

Right. I did some reading on what Splice is capable of and it does seem Splice can see the domain name (not the full URL), but only after the tunnel is closed. It is then logged, rather than Bump which actually looks at the whole URL and replaces the certificate. But, this has its own set of problems for mobile devices.