@sarasaunders Thanks to you for help, we will get back to you after our tests.

@tleadley This has never been answered, it was a configuration error with a hairpin DNS. It was corrected by creating the correct rules to forward to the appropriate server behind our DMZ interface. We also switched to HAproxy which gave us the ablility to host multiple sites with multiple certs!

We can mark this solved!

If squid starts and then dies due to some reason, it should be logged in Status - System Logs. What do you get if you shell in and run:

or

@aGeekhere I don't have time to finish reading the post right now but it looks like a lot of good info. I don't remember seeing that page.

The reason WPAD won't do us much good is because we have to be able to filter all internet access, including public WiFi.

@wontbeherelong
Does it work when accessed outside of haproxy directly on your lan network? 'http://<IP-of-your-plex-server>/plex/'

Read my guide https://forum.netgate.com/topic/100342/guide-to-filtering-web-content-http-and-https-with-pfsense-2-3/176

Pretty much defaults. At first I thought it might be an infected device but I see similar traffic on different devices with different OS's.

I'm running transparent http/https splice all

You're welcome, glad you have it working now.

-Rico

@KOM All is working. I figured it out. There were some private IP addresses in use upstream that were the same as those configured on my LAN interface. I connected to a different network and all is fine now. Thanks.

@Soarin
They break because the webserver which listens on :9220 doesn't know the the client is connecting to :443 and then when it includes 'absolute links' or tries to redirect from one page to another it will send the wrong location to the client.. Which then tries to follow that and fails to connect to :9220 which isnt available from 'outside'.. Best way to solve this is to make the webserver / webapplication 'aware' that the client uses https://domain:443/ as with phpmyadmin the "PmaAbsoluteUri" setting does, or convince the webserver/webapplication to only send 'relative' paths and not absolute ones...

For the 'wrong' redirect's you could probably configure haproxy to replace the wrong 'Location:' header with the correct one..
If 'absolute links' which point to :9220 are in the 'body' of the webserver replies / the webpage served, then your basically out of luck as haproxy will not replace that content inside the body of a reply.. (unless you go for some custom heavy duty Lua scripting....)

Yes it is possible. People can help you but they will not do it all for you. Go ahead and try it, and come back here if you have questions or problems. Have you seen the official Netgate video on squid and squidguard?

Clone and named frontend3-offloading-redirect-2 applied the change

it seems to work now , but I do not understand my error or what cause it.
I am getting a 503 error on one web site, I have to look to find out why?

Thank you would not have been able to find the error with out you. Much appreciated.

Charles

@Rico

Good point.

@KOM said in Filter some stations and full access to other Squid Guard:
the other group has all denied with a whitelist allowed at the top.

And the websites placed inside the whitelist ... I understand, thank you very much for the help, I am very clear now.

i am using Chrome (cleared cache) or Safari. Both Browsers have the same problem. I can not edit any haproxy rules without jumping back to another rule. So something really messed up here. i wont touch the system until i am back from vacation but this is horrible. Thinking to downgrade to 2.4.4_2 and reinstall haproxy 0.59_18

@stephenw10 Yes, the Squid reverse proxy is fully functional again.