@Xivexell I notice that you have the "NOT" checkbox set.. So i wonder what you expect to happen.? If the user is 'NOT requesting /api/user' AND the user is 'NOT using method GET/POST/DELETE' then do something.? Or would you perhaps prefer to have and 'OR' = || between those 2 acls.? [image: 1581969975163-add0a4e8-3533-48fe-a796-f6a808eb60ec-image.png] Result in haproxy.cfg (see the ! signs and the | ..): acl Rule1 var(txn.txnpath) -m beg -i /api/user/ acl Rule2 method GET POST DELETE http-request deny deny_status 402 if !Rule1 || !Rule2

Ho, okay, my probleme come from the checkbox. Since I don't have a valid certificate for the moment, it was the webConfigurator default certificate which was used, hence the "pfsense-5e2183c31ebed" host verification. It's weird because I don't remember unchecking this option, but if I create a Frontend in my Haproxy 59_20, it's indeed checked by default. I must have a bad memory. Thanks PiBa =)

I deleted everything, did a hard reboot, then re-installed from the CLI and it worked this time, thanks.

@tn1rpi3 I'm using 'PiBa-NL' there. Currently online ;).

Yes, you are correct in terms of the checkbox. Thanks!

@luisramos It gets them from the pfSense webgui: System/CertificateManager/CA [image: 1581290601973-9afbbc04-5863-4d1d-8f89-f911e058cd02-image.png]

Problem solved! Thanks for the quick support action ;) Note: I had to disable libc resolution to get it working (in Global > custom options) defaults default-server init-addr last,none

Hey guys, i just solved it entering the ACL where the target category was active and hitting the save button! Funny enough, I had hit the general save button on Groups ACL tab, but it seems to have had no effect. After I delete a certain target category, is it necessary to enter every single ACL (in the Groups ACL tab) that target category was active and hit save?

upgraded to 8Gb gives a much better result. big test will be when i actually enable interfaces and squid guard

I would like to know how to do this for Split Bump default config. I have a WiFi VLAN which all connections on the interface use the proxy, however, my work laptop uses the PulseVPN client. Even though i have the destination host in the bypass list, the pulse client which connects over 443, picks up my ca certificate and can't make a connection to the vpn host.

Show yt link. Thanks

Since I wrote this I kept testing and discovered that there's something wrong with the software itself--I think; I've been using de dev version (haproxy18-1.8.23-ish) since forever so I thought it was my own fault for not using the official one, but, I downgraded to the official version (haproxy17-1.7.12-ish) and it got worse. Now neither TLS termination/offloading nor SNI work. It shows something about the data not being complete: [image: 1580265548001-screen-shot-2020-01-28-at-19.33.44.png] Like if it were being corrupted somewhere. I tried different connections to the same result. I thought, maybe other tools like Suricata and ntopng were getting in the way but disabling them (and clearing the states) made no diff. I wanted to send logs to help out devs but I have none. I forgot to set them. My bad. :) When I switched back to the dev version things got working again but I've seen this tends to last like for a little while only. I've also observed that on the SNI front when all backends inevitably fail, the loopback backend (for the offloading front) is the only backend that works--as I mentioned earlier, offloading and http work fine. I'll set up a logging server for the next time. :)