@emeric what if you disable squid for LAN users? or disable reverse squid? Will you see the same errors?

I found that I had to delete the front end entry that had a logging setting, it fixed the error. A new question, how do you enable logging for HAPROXY within pfSense properly?

@aracloud using https? and certificate acl's checkbox set ? -edit- uh sorry you Already mention using http.. check that the browser is actually sending a Host header ?

hi Crazybrain, might i ask how you got wordpress to work behind HAproxy? for some reason i am unable to login when going true the HAproxy, but when i try to acces the local ip adres everything works. made a new post about this, > https://forum.netgate.com/topic/152756/haproxy-unable-to-login-on-wordpress-wp-admin-page Thanks in advance!

@PiBa Good news, I got it to work! I did as you suggested and got a self signed certificate on the server using this guide. After that HAProxy is able to route traffic to the host. It even works with the Let's Encrypt wildcard cert I have through the ACME package, so there's no cert errors getting to the site. Thank you for the help again.

Hi PiBa - Many thanks for the reply! I've managed to fix this issue. The problem was caused by using Jitsi's embedded webserver during the installation, which didn't work atall when performing SSL offloading. This seems to be a common issue looking at their forums. Instead I started again, this time installing Apache prior to the Jitsi installation. Jitsi then configured Apache2 accordingly. I had to configure the backend in HAProxy for port 443 and now offloading is working correctly. Here's my working apache2 config for reference. <VirtualHost *:80> ServerName mydomain Redirect permanent / https://mydomain/ RewriteEngine On RewriteCond %{HTTPS} off RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L] </VirtualHost> <VirtualHost *:443> ServerName mydomain SSLProtocol TLSv1 TLSv1.1 TLSv1.2 SSLEngine on SSLProxyEngine on SSLCertificateFile /etc/jitsi/meet/mydomain.crt SSLCertificateKeyFile /etc/jitsi/meet/mydomain.key SSLCipherSuite "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA256:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EDH+aRSA+AESGCM:EDH+aRSA+SHA256:EDH+aRSA:EECDH:!aNULL:!eNULL:!MEDIUM:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SEED" SSLHonorCipherOrder on Header set Strict-Transport-Security "max-age=31536000" DocumentRoot "/usr/share/jitsi-meet" <Directory "/usr/share/jitsi-meet"> Options Indexes MultiViews Includes FollowSymLinks AddOutputFilter Includes html AllowOverride All Order allow,deny Allow from all </Directory> ErrorDocument 404 /static/404.html Alias "/config.js" "/etc/jitsi/meet/conference.apollon-domain.co.uk-config.js" <Location /config.js> Require all granted </Location> Alias "/external_api.js" "/usr/share/jitsi-meet/libs/external_api.min.js" <Location /external_api.js> Require all granted </Location> ProxyPreserveHost on ProxyPass /http-bind http://localhost:5280/http-bind/ ProxyPassReverse /http-bind http://localhost:5280/http-bind/ RewriteEngine on RewriteRule ^/([a-zA-Z0-9]+)$ /index.html </VirtualHost> Kind Regards

@jimp said in pimd 0.0.2 package defects/anomalies: What specific interfaces does PIMD fail on for you? I am not aware of any issues with realtek (reX) but I could see issues with some virtual types. I took the time to dig in on this, because I've been forever a bit confused on just what interfaces I even need to define :) BACKGROUND 0) I do and did have Default Bind set to Bind to None. As you'll see, it doesn't necessarily help (and I may have found at least part of the bug ;) ) I have two HW ifc's, re0 (LAN - VLAN trunked) and re1 (WAN, via pppoe, specified as VLAN 201 by the ISP) Thus, for my WAN there are three levels of interface: re1 (raw hardware) re1.201 (VLAN tagged) pppoe0 (PPP interface) For my LAN there's two levels: raw re0 and the re0.NN VLAN's. I also have OpenVPN (ovpns1) OBSERVATIONS A) At the time of the above report: I had interfaces defined for re0, re1.201, and ovpns1 (I didn't define one for re1) On startup, PIMD always reads vif's from the kernel, and tries to bring them up. (this WITH Default Bind of None.) pimd was seeing, and failing for: re1, ovpns1, and re1.201 ("Invalid phyint address") B) Outside of pimd, having vif's re0 and re1.201 defined has not caused issues elsewhere in pfsense. I've now removed them and pimd no longer tries to bring up re1 or re1.201. C) Even with the above cleaned up... if I try to bring up interface ovpns1 (Bind Always Enable), pimd says it is an invalid interface. (FWIW, pimd does not see ovpns1 when it brings up the kernel-defined list of interfaces.) Presumably, this means pimd can't handle going across openvpn. Any idea how to enable this? (I used to do that all the time with multicast scanning... it would VERY much help to get this working!) D) As reported already, but with more specificity: Not sure why but pimd is defining a "Local static RP: 169.254.0.1, group 232.0.0.0/8" For a while, every N seconds (16?) pimd reports "route to: 169.254.0.1 destination is: 0.0.0.0 gateway is: (my ISP gateway!)" then spits out an error: "For src 169.254.0.1, iif is <WAN iif>, next hoprouter is ...: NOT A PIM ROUTER" AND in the log shows this as a Candidate RP: (69.254.0.1, incoming 9, pref 232/8, prio 1, holdtime 65535) A while later, that entry disappears. But the error logs are there anyway for my pleasure ;) Any idea how to configure so 169.254.0.1 is never defined as an RP? That just seems el-wrongo :( E) Not sure what is causing the following. Doesn't seem to cause harm yet it is anomalous so I'm mentioning it: :) After working through the kernel vifs, and the pimd.conf config... And JUST before first listing the Virtual Ifce Table in the log... pimd is adding one more vif of its own: Vif (n+1), Local address: same as Vif 0, Subnet: "register_vif0", Thresh: 1, Flags: (blank) That vif just sits there... I don't find any docs on register_vif0. Do you know? THANK YOU for getting this into pfSense!!! p

@DefectiveRobot these changes are merged to the latest version of squid pkg: https://redmine.pfsense.org/issues/10450 can you test it?

[image: 1587246872744-584c8a5f-8466-42f5-afbe-4be601b72f7a-image.png] I would get it working before enabling things like this too. You really have to know what you are doing to get all of that right.

@jimp thanks.. that did it

@anandpeculiar It might be enough to restart the pfSense's syslog service, so that it can re-create the log unix-socket also inside the haproxy chroot directory.?.

Native FreeBSD 11.3 packages don't know nothing about pfSense. So how could they support it ? pfSense packages can be based on packages build for FreeBSD 11.3, and have then added to them the GUI part , and more code to use the right places. pfSense uses FreeBSD "with modifications". @RahulGarg said in CLI installed pfsense packages not showing up in GUI: I used the command "pkg install squid-4.9" and the installation was successful. then you should continue using the official FreeBSD command interface : the console or SSH access. But be ware : you didn't install it on a native FreeBSD 11.3, but on pfSense, based on FreeBSD - there is a difference.