• 0 Votes
    8 Posts
    3k Views
    B
    All..... The script came from user Remzej. I have it on a cron job to check every 5 minutes (we are a busy proxy environment)...

        */2 * * * * root /usr/bin/nice -n20 /usr/local/bin/php-cgi -f /usr/local/pkg/monitor_memory_usage.php

        #!/usr/local/bin/php-cgi -f
        <?php
        /*
         * monitor_memory_usage.php
         *
         * part of pfSense (https://www.pfsense.org)
         * Copyright (c) 2011-2015 Rubicon Communications, LLC (Netgate)
         * All rights reserved.
         *
         * Licensed under the Apache License, Version 2.0 (the "License");
         * you may not use this file except in compliance with the License.
         * You may obtain a copy of the License at
         *
         * http://www.apache.org/licenses/LICENSE-2.0
         *
         * Unless required by applicable law or agreed to in writing, software
         * distributed under the License is distributed on an "AS IS" BASIS,
         * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
         * See the License for the specific language governing permissions and
         * limitations under the License.
         */
        require_once('config.inc');
        require_once('util.inc');
        require_once('squid.inc');
        global $config;

        // Monitor memory usage by remzej

        // Get SWAP usage function: returns the first "NN%" capacity value
        // reported by swapinfo, or an empty string if none is reported.
        function swap_usage() {
            exec("/usr/sbin/swapinfo", $swap_info);
            $swap_used = "";
            foreach ($swap_info as $line) {
                if (preg_match('/(\d+)%$/', $line, $matches)) {
                    $swap_used = $matches[1];
                    break;
                }
            }
            return $swap_used;
        }

        // Get memory usage function: returns used memory as a whole percentage,
        // counting inactive, cache and free pages as available.
        function mem_usage() {
            $memory = "";
            exec("/sbin/sysctl -n vm.stats.vm.v_page_count vm.stats.vm.v_inactive_count " .
                "vm.stats.vm.v_cache_count vm.stats.vm.v_free_count", $memory);
            $totalMem = $memory[0];
            $availMem = $memory[1] + $memory[2] + $memory[3];
            $usedMem = $totalMem - $availMem;
            $memUsage = round(($usedMem * 100) / $totalMem, 0);
            return $memUsage;
        }

        // Get memory and SWAP usage value
        $memusage_pct = mem_usage();
        $swapusage_pct = swap_usage();

        // Display memory usage
        echo "Memory Usage: " . $memusage_pct . "%" . PHP_EOL;
        echo "SWAP Usage: " . $swapusage_pct . "%" . PHP_EOL;

        // If memory usage is above 90% or swap usage is above 80%,
        // stop and restart squid services.
        if (($memusage_pct > 90) or ($swapusage_pct > 80)) {
            squid_stop_monitor();
            if (is_service_running('squid')) {
                stop_service("squid");
            }
            squid_restart_services();
            log_error(gettext(sprintf("[squid] Memory usage is $memusage_pct percent, Swap Usage is $swapusage_pct percent, stopping and restarting services.")));
        }
        // Log the current readings on every run.
        log_error(gettext(sprintf("[squid] Memory usage is $memusage_pct percent and Swap Usage is $swapusage_pct")));
        ?>
  • Squid3-dev blocks Windows update and other updates

    28
    0 Votes
    28 Posts
    19k Views
    A
    @ramalave , thanks for the list of networks. It helped in my case as well with squid in transparent mode. Are there any other solutions available to fix Windows Updates issues when squid works in transparent mode? Thanks!
  • HAPROXY stats: lan binding instead of localhost

    3
    0 Votes
    3 Posts
    863 Views
    A
    Hello PiBa ! Thanks for your time, can't believe it was that simple, but it works great !!!! thank you again !!
  • Squid Proxy Server WAN interface

    Moved
    3
    0 Votes
    3 Posts
    642 Views
    easysimpleitE
    Worked like a charm! Thank you!!
  • HAProxy causing issues with port 443

    5
    0 Votes
    5 Posts
    1k Views
    P
    @veldthui Deleting the backend would prevent the rule from being applied when rules get loaded again.. Maybe reloading rules is not triggered when applying settings for a disabled haproxy.. You could 'force' a reload of the rules from the status/filterreload page (if I remember the name of that menu correctly).. That would load the new ruleset without haproxy adding its rules at that time if the backend was deleted.. As for 'needing' transparent client ip.. to get traffic going it's not needed. If you want to make rules based on the client-ip on the server, then it might be required if proxy-protocol and http-headers are out of the question.. It does come with these disadvantages though that it needs to be in the reply path, and will 'block' other direct requests... It might be possible to open a second port or add a second private IP on the webserver for the purpose of haproxy connecting to it with client-ip's, thus 'avoiding' blocking the regular direct traffic and your nat-portforward..
  • HAProxy client certificate validation per app

    5
    0 Votes
    5 Posts
    2k Views
    P
    @2fst4u said in HAProxy client certificate validation per app: What extra settings does the development package provide? The development package allows specifying client certificate options per shared-frontend by using the crt-list option of haproxy 1.8 with a specific sslbindconf for each sni, where 1.7 does not support that and thus hides those options in the webgui. B.t.w. that the package is called -devel does not mean the software isn't stable.. The current development version of haproxy is '2.0-dev' and 1.9 is also marked stable.. though it still has some rough edges... 1.8 is really stable for everything it supports.
  • 0 Votes
    3 Posts
    1k Views
    L
    thank you ! very good the video, the more I believe that my error is in the frontends, I created a standard frontend, and then I was creating new frontends sharing the first one. I've done different now, I'm creating the ACLs and ACTIONS directly on the default frontend like the image below [image: 1555491780592-captura-de-tela-2019-04-17-a-s-06.01.04.png] [image: 1555491911057-captura-de-tela-2019-04-17-a-s-06.04.42.png] This has worked well for me.
  • Squid3-dev stopping the service.

    Moved pfsense
    9
    0 Votes
    9 Posts
    967 Views
    S
    @KOM I will wait for the purchase of the new Hardware and perform the system update. Thanks a lot for the help.
  • 0 Votes
    3 Posts
    771 Views
    DerelictD
    HAproxy is certainly the path there but you're going to want to get rid of all of those port forwards. HAproxy frontend listens on WAN address, looks at the connection details, and proxies to the appropriate backend servers. You don't have to port forward, you just open 80/443 so HAproxy can receive connections.
  • Squid reverse proxy not working

    5
    0 Votes
    5 Posts
    1k Views
    D
    Thanks for the information. Seems about the same settings as it's on my PFsense. I'll give it a try with an additional webserver, might be that my OWA is messing up the mappings.
  • HAProxy stooped after upgrade

    2
    0 Votes
    2 Posts
    296 Views
    P
    @treybeatty Can you define what 'stooped' means exactly? Error while starting haproxy? Haproxy starts and stats page works, but client traffic does not reach the (web)servers ? Any error message shown in the browser? Can you 'curl' to haproxy locally on the pfSense box itself? Does the stats page show the (web)servers as 'up' ?
  • HAProxy - Redirect URLs

    1
    0 Votes
    1 Posts
    320 Views
    No one has replied
  • Why does not it block the squidguard?

    9
    0 Votes
    9 Posts
    991 Views
    A
    @KOM Thanks your comments have been very useful !!! n.n/
  • 0 Votes
    3 Posts
    15k Views
    L
    Hello, how are you! I'm having the same problem as you, but in my case it is Zimbra: the console uses port 7071 and webmail uses port 443. Can you post the screens of your HA-proxy? Thank you so much
  • 0 Votes
    1 Posts
    745 Views
    No one has replied
  • 0 Votes
    9 Posts
    2k Views
    R
    @stephenw10 I'm sorry for answering just now, had some family issues, but I solved the problem by cleaning the cache and restarting the desktop. I have no problem with any browser. Thanks for the help and attention!
  • Is it possible to capture traffic ?

    Moved
    2
    1 Votes
    2 Posts
    469 Views
    L
    Connect to console via ssh and Shell (F8). Then just type: tcpdump -i <interface> -s 65535 -w <some-file> (where interface must be eth1 or vmx1 depending on your ethernet driver).
  • Proxy does not work with non Standart ports

    1
    0 Votes
    1 Posts
    186 Views
    No one has replied
  • Can't access exchange services. TCP-DENIED/403 for OWA

    6
    0 Votes
    6 Posts
    1k Views
    C
    Ouch... Really sorry! I think I've made a mistake... I don't have Pfsense server anymore but I think that it was not External FQDN but reverse https default site which cares... And I'm wondering if you don't have to use a host name and not a domain one, something like host.mydomain.com and not only a domain.com... But my certificate wasn't a wildcard. So it could be wrong. To be complete there's some points I have to add here: to get through this issue, I used the console to look at the squid configuration files. It's not so difficult and there can be found the ssl addresses usable to connect. I've never been able to have everything working as it should with PFsense with squid on it. One colleague of mine tried again with a fresh install of Pfsense to be sure there's no artefact of what I did. But for me, as I read it so many times, pfsense does not work fine with squid (we forgot Squid and changed to a commercial solution)
  • I can not access a specific site - TCP_Denied / 403 [SOLVED]

    6
    0 Votes
    6 Posts
    2k Views
    KOMK
    Thanks for posting your solution, whatever it is.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.