@PiBa

As this is a production system, let me stand up a test device and will execute your instructions there. If that goes well then I will execute on the production system to make sure it works for us.

I realized I forgot to say what is the goal of this !
The goal is to log usernames is they are connected to the domain, and just let pass those who are not. But "http_access allow all" seems to ignored...

@skilledinept here is good article: https://cbonte.github.io/haproxy-dconv/

i don't think you can see it anymore.

haproxy / backend / advanced configuration

Transparent ClientIP

but read the warning

@dragoangel Yes, it is already resolved, it is now possible to redirect successfully to my web application, and already using https, as shown in the image below.

Captura de tela de 2020-10-27 14-54-55.png

I take this opportunity to thank you and everyone who somehow interacted for a solution to my problem, grateful for all the support and patience in the instructions.

@S_m do you tried http/2? In theory it not help on one big file but still. Also you can try something like loader.io

Correct answer: stop use tcp mode for http backend. This stupid tbh! You lose all benefits of haproxy you can have.

Haproxy also can have letsencrypt (acme). More over it more good way to handle ssl on haproxy frontend then on iis where you simply at black hole with tls setup which apply only after reboot, not correctly working http/2 and much more stuff about what benefits haproxy have with http and miss with tcp... If you want have full encryption this also not an issue: you create own CA at pfsense and issue own certificate from this CA for 10years and put them on iis. Haproxy connect to iis over https and also validate that ssl is not faked. For frontend you use same lets encrypt...

Jti I also never had such bug while I had many pfsense with haproxy in various setups

@DaddyGo Thanks I will the second option. May be I will have to something more on Linux, but I will. best regards Kiran

@trilobite said in Proxy: content filtering, IP/DNS filtering, TLS 1.3:

I know there is a lot in the Netgate forums but I find much is quite outdated.

Because, as you already discovered : the MITM concepts is entering it's final, ending phase. It's getting really hard.
It's not only you who tries to enforce privacy. The entire browser - network - server setup goes that way. It's actually you who wants this happening. For all of us. And good rules do not permit exceptions ;)

Also : OpenDNS might have some good (never perfect) results as you off-load the tedious and ongoing filtering work to others. And yeah, they will say 'no' if your DNS filtered network was asking for 'p0rn.xxx' domain name. And now they know. Up to you to trust them.
If you do not want others to see what you do, then it will be you and your network, which means you'll have to invest in hardware - like a dedicated proxy machine for best results - and lots of your time, which will be an on going battle, as the net and it's tricks and rules change all the time.
It might be easier to take control the device your kids are using.

PS : Actually happy that mine are over 25.

I had the same problem. Turned off ClamAV in Squid and problem solved.

For android you may have to manually set the proxy for it. Proxy auto config had issues with android.

@rnholvast

so how it may work together.. ???
I mean... 3129 port set by default in PFS and port 2128 set in firefox ???