Commonly that's caused by Squid and clients resolving URLs to different IPs because they are using different DNS servers. https://docs.netgate.com/pfsense/en/latest/cache-proxy/squid-troubleshooting.html?highlight=squid#sites-not-loading-with-splice-error-409-in-access-log Steve

...turns out ACLs are processed in order, just like firewall rules. My bad! Just have to keep a wildcard ACL matching a redir action just like before but at the very end of the ACL list, no default backend needed. I'm so stupid!--no wonder why I kept noticing the little blue anchors next to each entry. ...is it anchor or anvil? 🤨 IDK anymore.

@periko I will answer my own post. Looks like I found the issuem, once we enable and setup bind, for some reason the file /etc/resolv.conf lost the line: nameserver 127.0.0.1 Them squid read this file and for some reason the queries fall. Now, I have 2 paths: Add manually the localhost in the resolv.conf file in the first line. Or add as alternative dns in squid localhost 127.0.0.1 Using any of this 2 options everything start working. Them bind have some daemon, because I select LAN+Localhost for listen. Hope some could check this which affect proxy transparent MITM. Thanks.

Hmm, not sure I've seen that specific use case but I would set it up and try the different algorithms to see what works best for you. Steve

@Bismarck ,thanks for the help. I saw the ssl_bumps just underneath "custom options before auth" but there's a 2 line space between this section and the config so not sure if it's part of it. Custom options before auth acl sglog url_regex -i sgr=ACCESSDENIED http_access deny sglog ssl_bump peek step1 ssl_bump splice all

@PiBa Ok, I increased the time and it works well

hi @KOM unfortunately i did not find any solution.

I think you answered your own question. It doesn't block until you clear their local cache... so maybe it's been working all along and blocking as it should, but the blocked content is being pulled from local cache and/or squid? I don't know how squid behaves if you ask for content that is technically blocked for that user, but is sitting in squid's cache. Squidguard is a helper program that gets called for each URL that squid needs to fetch. If the required content is still is cache and not stale, it will server from there first.

NFM! thanks.

Bump anyone???

Hi. The attached file contains the procedure to achieve this goal. Someone in the past has done this. Use at your own risk. Autenticacao Transparente Squid + WMI + Squidguard.zip

What do you put in the Base URL on Ombi, Sonarr, etc. when using HAProxy? EDIT: I think I found the answer. You don't need it unless you want /ombi for example after your domain name. (yourdomain.com/ombi)

Hi PiBa, As usual you saved the day. that did the job and its now back to logging on the local file or even in remote syslog