@pintu1228 no special. Use corect ACL, action and create backend. What you mean special? This even not websocket. Acme will newer overwrite another cert with same Common Name. You need remove previous incorrect certificate from certificate manager and after it run get cert again.

@mcury you are right its happening due to transparent proxy. Yes I m using transparent proxy and when I disable the transparent proxy my country blocking works but at the same time domain blocking dont work for me. Now what next please tell me where and what rule should i put to make it work. and I thnk so that client using DNS resolver as DNS server coz I configured the google/youtube/bing safe search which are configured with the help of DNS resolver and on my client browser the google safesearch is working that's means client is using DNS resolver.

@remzej said in Intermittent ERR_SSL_PROTOCOL_ERROR: I've been having the same problem ever since but I managed to make it work perfectly. Just be sure to set 127.0.0.1 as the first DNS server by unchecking the Disable DNS Forwarder in General Setup. That was the way I solved the same issue

Hi @PiBa you are maintaining HAproxy package? Can I ask you please? Why "stable" release still 1.7? The point many new people see develop and afraid of it. 1.8 is depracating... 1.7 is dinosaurs. Could you please update haproxy to 1.8.23. current 1.8.21 one has fresh CVE in http2 realization https://www.reddit.com/r/PFSENSE/comments/e5j6dc/haproxy_upgrade_needed_http2_cve201919330/?utm_medium=android_app&utm_source=share Could HAproxy begin support pfBlockerNG IP aliases? There is future are must have! https://www.reddit.com/r/PFSENSE/comments/d8zndd/haproxypfblockerng_future_request/?utm_medium=android_app&utm_source=share https://redmine.pfsense.org/issues/9793 Thanks

Not really I'm afraid. I'm not that familiar with those URLs. The form you are referencing there seems to maybe have different name structure to regular docs I have used. If any part of that string is fixed though you should be able to match on it. Steve

Have u check squid logs , there u can find your answer

Thanks for the clarification. But squid v3.5 has the same problem and at this moment doesn't has a fix. The last version of 3.5 branch it's 3.5.28 ant it's affected too.

@Napsterbater yes indeed, I'm using Chrome! Thank you for the reply, I was beginning to doubt that Chrome is probably using some other protocol to establish connections.

Yup, because it's not setup correctly. You are probably trying to bump all without loading the CA onto all your clients so you just see a cert error. See the complete walkthrough here: https://youtu.be/xm_wEezrWf4?t=636 Steve

Scan for viruses on the endpoints. They have access to the data after it is decrypted. Nothing between the server and client does.

@Gertjan Ahh, I see what you're saying. Thanks!

https://redmine.pfsense.org/issues/9652 It's a known issue

You don't necessarily have to use SSH and the easyrule block. It's just one possibility. You could always take fail2ban, add a custom action and use it to push the IPs that try to hit your webservers to a central instance/vm/whatever and collect it there. Then use pfBlockerNG to fetch this list of IPs and block it from WAN. Only "problem" is, that pfBNG isn't faster than "hourly", a thing that I tried to bring to the developers attention so that you had the possibility to go down to let's say 5-10min to blacklist an IP. But besides that, that's totally possible (we're running something along those lines ourselves).

https://redmine.pfsense.org/issues/9922 https://github.com/pfsense/FreeBSD-ports/commit/47f4f91aa8159e47f24990eb2496784cb9ef07c6 https://github.com/pfsense/FreeBSD-ports/commit/e8bec3bf1a773bdc61ebb7555941a2b9e26db732

@PiBa Thank you for your response. I was asking because I am experiencing a similar issue using PostgreSQL 11 on the back end. Every time we close the session, HAProxy logs an error with a termination state of SD. I'm just curious if it's a configuration issue with either HAProxy or PostgreSQL. If it's a harmless error, then is there any way to suppress the error in the log?

Presumably by blocking ports 80 and 443 directly since they were not using a transparent proxy.