Hi @surinameclubcard thanks for taking the time to answer! I will definitely try that second example then. FWIW, I am currently using the first example i.e. NAT then HAProxy, and can confirm that does work.

Replying to myself: I just did a clean install of pfSense 2.4.4p1 and tried above with the haproxy-devel package:

Create a frontend, name it "test", save, Open "test", add an ACL, notice there is no "Traffic is ssl (no value needed):" option, Just to continue, name the ACL "https", expression="Host starts with:", value="https", save, Open "test" once again, edit the ACL, notice now there is the "Traffic is ssl (no value needed):" option, Change the expression to "Traffic is ssl (no value needed):", remove the value, save, same error. Or the ACL was completely removed.

Either something is broken or I am completely not understanding this user interface?

Anyone challenged with clamav and icap errors? I've increased the parameters recommended here. It seems to resolve the issue I'm currently seeing, but I now have each parameter at 3x their original default. I just hit another icap error and am getting ready to go to 4x, but I can't help but think clamav isn't worth running.

Thanks for the info. Astounding is what this is. :-)

@massao said in PROXY x PROXY TRANSPARENTE:

I have yes DHCP but in mikrotik, and Active Directory in windows 2012 R2.
The structure looks like this: 2 Internet link arriving in Mikrotik, and mikrotik connected pfsense and AD

ok .
Use your AD to host wpad file via IIS.
Use DHCP to serve wpad files.
all machine should be configured with "automatic detect settings" this can be done via AD too.

Refer below link : https://findproxyforurl.com/deploying-wpad/

@genseb I have not used transparent proxy.
may be it should create automatic NAT when you add port there in Safe_ACL.
Pfsense is a Good firewall, but lot of issues in proxy.

Ok, I clicked enough around and found I needed to enable this interface. Now the enabled OPTx interfaces appear in the squid proxy interface list.

I didn't know that that exists. Thanks

I odn't think so. pfSense squid has no definition for snmp_port that I could find. Nothing in the GUI either, so it may not support SNMP at all.

@helpuser
copy your keytab file as: /etc/krb5.keytab
chown :proxy /etc/krb5.keytab
chmod 0750 /etc/krb5.keytab

squid.conf :
auth_param negotiate program /libexec/squid/negotiate_wrapper_auth --ntlm /libexec/squid/ntlm_auth mydomain.ru --helper-protocol=squid-2.5-ntlmssp --kerberos /libexec/squid/negotiate_kerberos_auth -s GSS_C_NO_NAME

Refer below link : https://wiki.squid-cache.org/ConfigExamples/Authenticate/WindowsActiveDirectory

@mr-newbie By the way, I have installed squid, squid proxy and light squid. I also configured LDAP for my Active Directory users so the transparent proxy was not enabled. Thanks for your suggestion. :)

From my understanding memory cache amount is the minimum squid will use for cache plus you also have to allow for antivirus scan's, in transit object's, etc.
For instance on my home network I use 1024mb and 256kb and when I check System Activity squid is using 2646mb. and Clam is using another 948mb.plus you have to provide memory for any other package's you install and the firewall itself.

@piba I might try creating a lua script in the future, i guess i start reading about the inner working of Remote Desktop Gateway or try a attempt to decompile some MS binaries :-) to get a idea what they are doing. Thanks for the help so far.

Yes I can confirm it works after applying that patch. 👍