@wesleylc1
Then it seems you have answered your question why the host header must be send in checks 👍 . HAProxy's health-checks by default do not send this header and your nginx configuration needs it to find the correct virtual host with the server_name configuration. The 'default virtual host' likely returns the 400 response status. Its nice to know that doing some research and actually understanding how things work you can succeed with fishing without needing other people to give you the fish, that will definitely help with future diagnosing of issues.

@kiokoman thanks!

Make a bug report at https://redmine.pfsense.org/projects/pfsense-packages

Yeah, that looks more like real data. ☺

@gwaitsi Unfortunately I doesn't know, something wrong maybe with you CA. I done this before without any issue. It must process with success by cert install. No download needed. Can you try create new CA over Cert Manager and try again?

Some applications do not work well with PAC file.

Are you using authentication ?
Based on your config, it seems that you are bumping everything, tried splice all?

Based on the problems I had, I found this:

Some apps can work with PAC file, others not.
Some apps can work with proxy authentication, like Kerberos for an exemple, others not.

So, sometimes you will see Access Denied in Squid, because the apps like Pokerstars for an example are not carrying credentials to the proxy.

Here, I have a Squid proxy with SSO, using Kerberos.

Some apps don't work if I set Direct at the PAC file, however, they do work when I set a bypass like this:

before_auth:

acl whitelist dstdomain .pokerstars.com .dropbox.com <---- This allow everything to pokerstars.com and dropbox.com to go through the proxy without authentication
auth_param negotiate program /usr/local/libexec/squid/negotiate_kerberos_auth -k /usr/local/etc/squid/mykeytab.keytab
auth_param negotiate children 100
auth_param negotiate keep_alive on
http_access allow whitelist <----- This allow whitelist before auth is required
acl auth proxy_auth REQUIRED
http_access deny !auth
http_access allow auth

ACME/Let's Encrypt is the best thing to do here, assuming you have a public domain available you can leverage and a supported DNS provider.

There must be a domain involved that you aren't blocking. If you see them watching YouTube, check Squid's access log to see where they actually are going.

Hmm, you could try using the url mode redirect method. Or maybe one of the other redirect methods.

Steve

Those are probably CDNs hosting the videos, and you may end up playing whack-a-mole trying to whitelist them all. Either allow IP addresses globally, or create an ACL for just your wife and allow them there.

you can also force google and bing into safe mode

We did a hangout walk though on this. It explains everything you need to know:
https://youtu.be/xm_wEezrWf4

Steve

How is any of that configured? What are those IP addresses? What's working/not working?

Steve