@rainbowHash said in HaProxy Postfix ssl offloading:

where to configure the haproxy backend on Pfsense to enable the send-proxy option

You can manually write such a option in the advanced server pass-tru options text field. Either per server separately if you edit a server and expand the extra options part of each server. Or in the the box that applies 'to all servers' in that backend.

Thanks i was just wondering

not for https sites as far as i know. does duckduckgo have a dns safe mode?

@kiokoman Thanks!

under windows you can also modify C:\Windows\System32\drivers\etc\hosts and add it there

@KOM Thank You for the effort. At least I know it can't be done.

Try this

setup a WPAD (make web browser use it ) Manual configure any device that cannot use a WPAD Use transparent proxy with MITM splice all to catch the rest
https://forum.netgate.com/topic/100342/guide-to-filtering-web-content-http-and-https-with-pfsense-2-3/178

You need to monitor it, see where it's really going and then block that.

@lido14
'Normally' IPFW is not running when only pfSense is used without captive-portal..

The quickest fix is probably to give pfSense a reboot.. Haproxy loads and configures IPFW if it 'needs' transparent-client-ip with its current config settings.. If none of the backends require this the IPFW related configuration code is likely completely skipped. It does not remember that it still needs to disable the old ipfw settings.... I guess i need to set a little 'flag' that transparent-client-ip was used and check that to remove the last rules if the current config doesn't use it anymore.. I'm not sure if unloading ipfw itself is possible.. i think there was a issue there...

Will be nice to learn how to do it both ways - using haproxy and just using the internal CAs as @johnpoz proposes. I went the haproxy route and couldnt get it to work. I have the certs issued and haproxy setup. Perhaps @Renat you can provide a guide how to do it and I will see if that can get me over the hump since I have already done most of the steps? ( some screenshots of haproxy setup). Also anything has to be done on the synology side?

It shouldn't cause any problems, but if you're unsure then wait until there is low traffic and then try it. It's easy enough to revert.

You see any errors in the cache log?

That image appears to be called from some local location data:image/png;base64,iVBORw0K......

I'm not sure that would be cached at all anyway.

Steve

@vacquah While it works, the Synology does not seem to automatically update the certs even though it is supposed to. I do get a reminder so can manually get it to update.

On the synology side you need to set it up with the certificates part on the control panel. There are plenty of web hits on how to do this part.
The HAProxy part is basically how I have it in a few posting before this. You need to be careful of the order of things as I had my pfSense path first and it was matching that and going there and never got to the synology match. After a reordering it worked as it should.

That package has ZERO to do with passive.. Its Active Client Proxy.. Ie client using active connection to server outside pfsense.

When connection in passive mode the internal IP address is given to the client thru the WAN interface

Yeah setup your server to give out your actual public..
here
https://docs.netgate.com/pfsense/en/latest/nat/ftp-without-a-proxy.html

BTW - not related to your ftp problem, but you should be on p3

Ok. So I got the system to work by disabling the firewall on pfsense itself. That led me to the firewall on pfSense and added 7445 on the actual server firewall. I just assumed that by enabling LightSquid it would have added that rule.

Thanks, and I hope that helps someone else having the issue.