• PFSense Squid ssl filtering (youtube app and gmail app)

    Moved
    1
    0 Votes
    1 Posts
    273 Views
    No one has replied
  • HAProxy + CARP + use Client-IP = missing ipfw rules?

    9
    0 Votes
    9 Posts
    827 Views
    J

    Yes, you are correct in terms of the checkbox.

    Thanks!

  • Backend certificates

    2
    0 Votes
    2 Posts
    225 Views
    P

    @luisramos
    It gets them from the pfSense webgui: System/CertificateManager/CA


  • HAProxy internal DNS resolution flooding DNS with queries

    8
    0 Votes
    8 Posts
    3k Views
    L

    Problem solved!
    Thanks for the quick support action ;)

    Note: I had to disable libc resolution to get it working (in Global > custom options)

    defaults default-server init-addr last,none
  • Problem after deleting Target Category

    2
    0 Votes
    2 Posts
    358 Views
    A

    Hey guys, I just solved it by entering the ACL where the target category was active and hitting the save button!

    Funny enough, I had hit the general save button on Groups ACL tab, but it seems to have had no effect.

    After I delete a certain target category, is it necessary to enter every single ACL (in the Groups ACL tab) where that target category was active and hit save?

  • ClamAV high memory usage

    3
    0 Votes
    3 Posts
    942 Views
    4

    Upgraded to 8Gb gives a much better result. Big test will be when I actually enable interfaces and squid guard

  • Alert/Warning Questions / Cannot Bind To Socket

    Moved
    1
    0 Votes
    1 Posts
    238 Views
    No one has replied
  • How does the squid is implemented.

    1
    0 Votes
    1 Posts
    519 Views
    No one has replied
  • Exclude hosts from using the proxy

    6
    0 Votes
    6 Posts
    971 Views
    4

    I would like to know how to do this for Split Bump default config.

    I have a WiFi VLAN which all connections on the interface use the proxy, however,
    my work laptop uses the PulseVPN client.

    Even though I have the destination host in the bypass list, the pulse client which connects over 443,
    picks up my ca certificate and can't make a connection to the vpn host.

  • Rules based on URL - ok, really Reverse Proxy?

    3
    0 Votes
    3 Posts
    432 Views
    L

    Show yt link.

    Thanks

  • squid regex correct syntax help for refresh_patterns

    1
    0 Votes
    1 Posts
    371 Views
    No one has replied
  • 503s on non-offloaded backends

    2
    0 Votes
    2 Posts
    277 Views
    senseivitaS

    Since I wrote this I kept testing and discovered that there's something wrong with the software itself--I think; I've been using the dev version (haproxy18-1.8.23-ish) since forever so I thought it was my own fault for not using the official one, but, I downgraded to the official version (haproxy17-1.7.12-ish) and it got worse.

    Now neither TLS termination/offloading nor SNI work. It shows something about the data not being complete:
    Screen Shot 2020-01-28 at 19.33.44.png

    Like if it were being corrupted somewhere. I tried different connections to the same result. I thought, maybe other tools like Suricata and ntopng were getting in the way but disabling them (and clearing the states) made no diff.

    I wanted to send logs to help out devs but I have none. I forgot to set them. My bad. :)

    When I switched back to the dev version things got working again but I've seen this tends to last like for a little while only. I've also observed that on the SNI front when all backends inevitably fail, the loopback backend (for the offloading front) is the only backend that works--as I mentioned earlier, offloading and http work fine.

    I'll set up a logging server for the next time. :)

  • https filter with https://http:/*

    18
    1 Votes
    18 Posts
    3k Views
    mguarientiM

    @jonathanp123 I gave up on transparent mode too. I'm still running without the wpad for a moment. But when blocking a website with HTTPS pfSense tries to resolve a host 'https://http*', like the error. With HTTP it displays the correct page.

  • SSL Filtering CA Missing

    6
    0 Votes
    6 Posts
    764 Views
    D

    @viktor_g
    Is updated... so SSL filtering works only in transparent proxy?

  • squidguard url whitelist

    1
    0 Votes
    1 Posts
    372 Views
    No one has replied
  • https filter with https://http:/*

    6
    3 Votes
    6 Posts
    3k Views
    J

    I found this and haven't been able to test yet.

    SquidGuard is broken for https out of the box. You need to configure Common ACL Target Rules List Default access [all] to Allow, save. Then click Apply in General settings tab.

    My best bet is that Default access has no block page configured for some reason. If anyone knows how to get Default access to deny working please let me know.

    Here is my working SquidGuard configuration step by step tested on pfSense 2.3.4-RELEASE-p1 (amd64):

    1. Download any blacklist - shallalist, for example.

       - General Settings -> Blacklist options -> check to enable blacklist
       - Put in Blacklist URL: shalla list
       - Go to Blacklist tab.
       - Hit download (Black list url is already there)
       - Wait for it to finish downloading.

    2. You need to configure your blacklist default to Allow state (The default state which is Deny all is what causes https://http/* error)

       - Go to Common ACL Tab
       - Hit plus button on Target Rules List
       - Scroll down to Default access [all], set access to allow
       - Set other categories that you want to be blocked to deny.
       - Hit save at the bottom of the page.
       - Go to General settings Tab.
       - Click Apply at the top of the page so your settings will be applied from Common ACL Tab.
       - Check if https sites load properly now.

    Remember to clear cache from before playing with pfsense from your browser or it will show you old state of web filtering.

  • SSL_ERROR_RX_RECORD_TOO_LONG

    2
    0 Votes
    2 Posts
    642 Views
    P

    @kevdog
    Config seems to look fine. The haproxy stats page does count your connection/request? And shows the server as 'up'? Testing from 'outside'? Perhaps disable the transparent-client-ip feature until stuff starts working, then try enabling that again.

  • Does HAproxy with pfsense support SSL Server and Bind Ciphers?

    2
    0 Votes
    2 Posts
    660 Views
    P

    @kevdog
    Yes, openssl is 'built in'. Those settings should work alright. Does it work without them? Do you get an 'error' or 'warning' when applying the settings?

  • Pimd a lightweight standalone PIM-SM/SSM v2 multicast routing daemon.

    Locked
    5
    13 Votes
    5 Posts
    2k Views
    jimpJ

    https://forum.netgate.com/topic/149909/new-package-pimd

  • Crash pfsense when squid is enable

    10
    0 Votes
    10 Posts
    836 Views
    GertjanG

    @nico1234 said in Crash pfsense when squid is enable:

    panic: ufs_dirbad

    == file system error.
    Ran fsck ?

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.