@Soloam You can simply uninstall the old and then install the new and the config will remain in place. Also if for some reason you want to go back that is the way. Though some 'extra' settings would then be 'lost'. Anyway always good to have a config backup :).

Its also possible since your post has only been 1 day. And is in the wrong section... Your asking about how to filter https with squidguard.. Not Firewall.. Blocking only specific https sites with a firewall that are hosted off CDNs yeah going to be very difficult.. But blocking via proxy is not that difficult, you don't need to do mitm if your using explicit proxy (ie client directed to the proxy). But if doing it via transparent - then yes it becomes more difficult I have moved your thread to correct area so you might get an answer on how to do it with squidguard... But then again they prob just going tell you to RTFM ;) For example check out the hangout by jimp - he goes over all the different way to filter https traffic From the hangout https://youtu.be/xm_wEezrWf4 [image: 1553001045431-hangout.png] Moving to proxy section.

@InterLoper thanks for that, I found a guide online for HAProxy and it mentions that I need to create a ddns (so I created home.domain.com), then it suggests to create cname for each subdomain(so for plex, I have plex (for the name field), cname (for the type), 1H (for TTL), home.domain.com (for data field)). Will this way work too? or should I follow what you suggested, to create a DDNS entry for each subdomain (plex, nextcloud, sonarr, radarr, sabnzbd, etc)? Which method do you recommend? Thanks for your help

Does anyone have a way to resole it? Please help.

Thanks for the reply i think i had something on the states i rebooted and started working just have on quick question it might not be about this topic it has to do with HA proxy but on the same setup (first had to test out the NAT before proceding to HA) I have VIP 181.xx.xx.236 and my wan is 181.xx.xx238 but cant seem to get HA proxy working on the VIP i got working with the WAN see pictures Thank you[image: 1552780801123-screenshot-at-2019-03-16-18-58-04-resized.png] [image: 1552780800974-screenshot-at-2019-03-16-18-57-35-resized.png]

@bmeeks Thank you for your reply. I did the inter-vlan on cisco switch L3 and created static routes on pfsense ... From pfsense LAN i can ping the switch and other hosts. I am using a computer from a vlan and i still can ping google.com and i can access Pfsense webgui and get internet without proxy. That means vlans config is correct right ? I am having errors with https, and http pages it tells me it's not allowed to access these pages. Is there a rule to force traffic to pass through Proxy ? Ps: when i connect my laptop directly to pfsense everything works even proxy .

@interloper Do you have a guide on how you setup your google domain settings for your subdomains? I am trying to figure it out but having a hard time. Here is my open topic on this forum (https://forum.netgate.com/post/830593). Thanks

@johnpoz said in Squidguard Filter: Allow only certain IPs without disabling "Do not allow IP-Addresses in URL": x My exact problem is I want to block all web traffic without using domain names. But there's some chat apps in China use port 80 and ip address for communication. So, if I disallow "IP addresses in URL", that chat app fails to connect to servers.

@kom OK the problem comes from the DHCP. I didn't put the localdomain. Now it works. It was never mentioned in the guides I followed. Thanks for your help!!!

@poenskop Para solucionar el error Could not find report index file. Check and save sarg settings and try to force sarg schedule. Lo que hice fue cambiar el directorio de salida del reporte de sarg en el archivo sarg.conf para que quedara de la siguiente manera: Output dir (-o) = /usr/local/www/html/ después de esto en la consola crear un enlace simbólico hacia ese directorio ln -s /usr/local/www/html /usr/local/sarg-reports con esto se soluciono el problema ya pude ver el reporte y desapareció el mensaje Error: Could not find report index file. Check and save sarg settings and try to force sarg schedule.

@michaelschefczyk Recently (26-1-2019) haproxy itself removed the warning from their docs, the package on pfSense should get a little update to remove that warning as well.. "It was mentioned when releasing 1.8 but early bugs have long been addressed" http://git.haproxy.org/?p=haproxy.git;a=commit;h=1f672a8162eda18c404c6784dd749b6e061e2e4d Afaik there are no issues anymore.. (Which in the early days used to included haproxy crashes and hangs spinning at 100% cpu usage of a core..)

@gertjan said in Squid HTTPS Interception not working?: For https port 3129 could be used I guess - example : https://www.microlinux.fr/squid-https-centos-7/ (Squid version 3.5). True, the official doc is hard to read. Well, in order to get this working, I have the SSL interception running on port 3129 and the main proxy on 3128. Pointing clients at 3129 for HTTPS results in no connectivity. However upon just telling clients to use 3128 for HTTP and HTTPS, I can see HTTPS Man in the middle working and the certificates are being issued by my CA as expected. This suggests that PfSense+Squid is doing some sort of redirection internally to 3129 for HTTPS, or the seperate port setting for HTTPS does nothing, and it just listens on 3128 full stop.

@jason0 The HSTS cache can be a bit extra tricky to get rid of also.. Instructions for most browsers can be found though.

I think problem isn't with squid, rather with Windows 10 - system proxy settings doesn't enought, I don't know why. But with winhtt set proxy it works. Respect for your work, KOM and best regards.

@itbrain Added the screenshots back..