Hi,
I'm very interrested by your configuration, since this is exactly what I want to perform.
Is it possible to put your config (GUI) or a link to a tuto about.
I expect that you put a DNS record to point to HaProxy for internals requests?
Are you caching all Zimbra services behind HaProxy?
Best.

Hope this post will be read since it is a little outdated.; )

@truacaldwell

Without providing more detail info, it's difficult for us to see how pfSense is involved.

I ran across this in my recent searches as an option but the cron script that they have only works for one ovpnc1 interface. This wouldn't work because I use a Gateway Group that is both ovpnc1 and ovpnc3.

Is it possible to create a floating rule that says anything going out of WAN on port 80 (assuming only http transparent proxy) from "This Firewall (self)" gets passed to a gateway group?

I connect to the backend servers directly.

I refuse to rely on NAT reflection or crap like that on my network.

@Gertjan said in Squid?:

@Waqar-UK said in Squid?:

for its anti virus capability.

It's capable for sure.
You are aware of the fact that nearly all fraffic is TLS based these days, which means : the router firewall can't "see" the actual traffic, the payload.
And, as far as I know, virus are not transmitted in the Ethernet frame headers.
Also, TLS traffic is often marked as non cacheable.

I advise you really to look around and see what Squid can really do for you.

Thanks. It looks like I will have to look elsewhere. Any hints?

Ok, but you said general filtering works just not with schedules right?

How do you have that configured? Please post screenshots so we can see exactly what is set.

Steve

@PiBa
GET or HEAD in "Http check method" works!

@PiBa Thank you! This advice saved me from drastic measures!

@petrt3522 The only thing I can suggest is to use pfSense and openDNS to resolve all your DNS request.

thanks a ton

It worked..

the only downside is that i run nextcloud without any ssl certs inside the docker container (insecure mode) and when i access it i get these errors

There are some warnings regarding your setup.

The "Strict-Transport-Security" HTTP header is not set to at least "15552000" seconds. For enhanced security, it is recommended to enable HSTS as described in the security tips ↗. Your web server is not properly set up to resolve "/.well-known/caldav". Further information can be found in the documentation. Your web server is not properly set up to resolve "/.well-known/carddav". Further information can be found in the documentation.

@Xivexell
I notice that you have the "NOT" checkbox set.. So i wonder what you expect to happen.?

If the user is 'NOT requesting /api/user' AND the user is 'NOT using method GET/POST/DELETE' then do something.?

Or would you perhaps prefer to have and 'OR' = || between those 2 acls.?

add0a4e8-3533-48fe-a796-f6a808eb60ec-image.png
Result in haproxy.cfg (see the ! signs and the | ..):

acl Rule1 var(txn.txnpath) -m beg -i /api/user/ acl Rule2 method GET POST DELETE http-request deny deny_status 402 if !Rule1 || !Rule2

Ho, okay, my probleme come from the checkbox.
Since I don't have a valid certificate for the moment, it was the webConfigurator default certificate which was used, hence the "pfsense-5e2183c31ebed" host verification.

It's weird because I don't remember unchecking this option, but if I create a Frontend in my Haproxy 59_20, it's indeed checked by default. I must have a bad memory.

Thanks PiBa =)

I deleted everything, did a hard reboot, then re-installed from the CLI and it worked this time, thanks.

@tn1rpi3 I'm using 'PiBa-NL' there. Currently online ;).