@PiBa Awesome! Thank you again @PiBa and apologies again for the ignorance on my part. Your insight was extremely helpful and the proxy is now behaving as I had hoped. Just a note in case anyone wonders, I tried disabling the transparent IP and that did not help with the interVLAN traffic. The problem only affected the ports defined in HAProxy (80,443) and did not resolve until I added the binded interface in the frontend. I did not expect to have to do that as I thought HAProxy would only listen on the defined ports but it happened to me.

@vinceepic Yes TCP mode would work.. But do you have a reason for not using "ssl/https(TCP mode)" which would give the same frontend/backend configuration regarding the passing of the ssl traffic without any changes, but would allow to set some SNI based acl's in the webgui?

@xternaal Add a acl X that checks 'host matches: service' Then add a action that will perform a 'http-request redirect' for fmt: 'location https://service.contoso.com' when the acl X matches.

@PiBa Thank you very much, for all the support you provided.

does a fix for this issue exist? Stop using FTP?

Hi, I'm very interrested by your configuration, since this is exactly what I want to perform. Is it possible to put your config (GUI) or a link to a tuto about. I expect that you put a DNS record to point to HaProxy for internals requests? Are you caching all Zimbra services behind HaProxy? Best. Hope this post will be read since it is a little outdated.; )

@truacaldwell Without providing more detail info, it's difficult for us to see how pfSense is involved.

I ran across this in my recent searches as an option but the cron script that they have only works for one ovpnc1 interface. This wouldn't work because I use a Gateway Group that is both ovpnc1 and ovpnc3. Is it possible to create a floating rule that says anything going out of WAN on port 80 (assuming only http transparent proxy) from "This Firewall (self)" gets passed to a gateway group?

I connect to the backend servers directly. I refuse to rely on NAT reflection or crap like that on my network.

@Gertjan said in Squid?: @Waqar-UK said in Squid?: for its anti virus capability. It's capable for sure. You are aware of the fact that nearly all fraffic is TLS based these days, which means : the router firewall can't "see" the actual traffic, the payload. And, as far as I know, virus are not transmitted in the Ethernet frame headers. Also, TLS traffic is often marked as non cacheable. I advise you really to look around and see what Squid can really do for you. Thanks. It looks like I will have to look elsewhere. Any hints?

Ok, but you said general filtering works just not with schedules right? How do you have that configured? Please post screenshots so we can see exactly what is set. Steve

@PiBa GET or HEAD in "Http check method" works!

@PiBa Thank you! This advice saved me from drastic measures!

@petrt3522 The only thing I can suggest is to use pfSense and openDNS to resolve all your DNS request.

thanks a ton It worked.. the only downside is that i run nextcloud without any ssl certs inside the docker container (insecure mode) and when i access it i get these errors There are some warnings regarding your setup. The "Strict-Transport-Security" HTTP header is not set to at least "15552000" seconds. For enhanced security, it is recommended to enable HSTS as described in the security tips ↗. Your web server is not properly set up to resolve "/.well-known/caldav". Further information can be found in the documentation. Your web server is not properly set up to resolve "/.well-known/carddav". Further information can be found in the documentation.