The directive cachemgr_passwd does not allow the ability to add a username right? How can one get if (OriginAuthorization.user) { const auto savedPassword = OriginAuthorization.password; if (pathPassword) OriginAuthorization.password = pathPassword; OriginAuthorization.commit(msg); OriginAuthorization.password = savedPassword; // restore the global password setting } to function without the username to go with cachemgr_passwd now? It would require both now if (ProxyAuthorization.password && !ProxyAuthorization.user) { std::cerr << "ERROR: Proxy authentication password (-w) is given, but username (-u) is missing\n"; exit(EXIT_FAILURE); } if (OriginAuthorization.password && !OriginAuthorization.user) { std::cerr << "ERROR: WWW authentication password (-W) is given, but username (-U) is missing\n"; exit(EXIT_FAILURE); } right?

@oguruma said in HAProxy: Rules based on url?: I'd like to restrict example.com/app/* (the backend for business users) to specific IP addresses (basically my LAN or VPN'd into the LAN), while if the destination is example.com/'anything-but-app'* (the website) can accept connections from any IP address. These are two rules in fact. Do you really need both of them? Assuming it is sufficient to restrict access to example.com/app/*, you can do it this way: In Firewall > Aliases create an alias for the allowed networks, say AllowedNets. Then create an ACL, call it "AllowedNets", "Source IP matches IP or Aliases", check "Not" and state AllowedNets as value. If you also need to limit the rule to the certain host create an "host matches" ACL and put example.com into the value box. Call it MyHost. Add an ACL, say "MyPath", "Path starts with" "/app/". Create an action "http-request deny", in the condition ACL box insert "MyHost MyPath AllowedNets" (all the ACL you've created before, separated by spaces).

Hello, exactly the same issue with a RDweb (rds gateway) server behind with a letsencrypt certificate. Does someone have a fix? Regards

I have an update to this. I had been testing my configuration from my PC on LAN. I use Pure NAT and never had a problem (and don't have now) but I tried connecting to my web server from outside and didn't have issues with POST. I started looking into what could be causing this issue on my PC and found that disabling AdGuard app resulted in no 500 error. Going into its settings I found that setting "Adjust size of fragmentation of initial TLS packet" and "Plain HTTP request fragment size" back to default 1 resulted in no 500 errors anymore. Because I am on PPPoE I had set those values to 1492. Now, why would this this crash HAProxy? Is there any way to find out the exact HAProxy error? The logging was set to debugging and I could only see connection attempts in the logs, no errors. Why would anything crash HAProxy? Shouldn't it fail gracefully? Refuse connections maybe if it's not happy about something? I was using those settings for many months and I don't think I ever saw error 500 on the internet. I never crashed any other reverse proxy. Can it be related to that I am using haproxy-devel per recommendations here? I could not find any meaningful description why the devel package was created and what's changed in it compared to the non-devel. https://cgit.freebsd.org/ports/commit/?id=acb561a07356b92137b8388c668b2c622638acb6 https://cgit.freebsd.org/ports/commit/?id=c958e9dfd9b3bdefd1d53b28dc5882ca061ccb16 https://github.com/pfsense/FreeBSD-ports/commits/devel/net/pfSense-pkg-haproxy https://github.com/pfsense/FreeBSD-ports/commits/devel/net/pfSense-pkg-haproxy-devel Is there any chance HAProxy will stop crashing if I move to the non-devel package? Both of them use the dependency from Sept. 2023 while the latest non-devel haproxy is from June 2024: https://www.freshports.org/net/haproxy

@Giganic I'm sadly not familiar with Authentik, so I don't know another way. I'd think, that there isn't any possibility to add an additional listen section to the HAproxy configuration in pfSense. All settings are generated from the GUI and there is no option for doing that.

@mcury Vlw, vou dar uma pesquisada sobre.

Wait…. Have you blocked DoH ?? And HTTP3 DoH over QUIC ? Your systems have to use pfSense as the DNS

@dalla Primero crear una lista alias de IP en Firewall Firewall > Alias Creas tu lista de IP_CNE Luego Service > Squid Proxy Server en la Pestaña General en el grupo de reglas "Transparent Proxy Settings" Busca la linea "Bypass Proxy for These Destination IPs", alli Colocas el Alias que creastes anteriormente Ejemplo IP_CNE Salvas y reinicias el servicio

@Universal2688 Yes, you have view errors, but the frontend also shows some sessions total. You can enhance the log level in the HAproxy settings to get more details on what it does. Also you can sniff the traffic on the DMZ interface to ensure that the packets are forwarded to the correct backend. But since the Gitlab backend is showing some traffic and sessions, I presume that the traffic is forwarded to it. So possibly there is something wrong with the Gitlab backend. I don't use it, so I cannot tell you, how to configure.

Ok it seems that some time pfsense automatically generates a state file that temporary changes "survive" a reload / restart of haproxy: /tmp/haproxy_server_state If i delete the state file via CLI and then restart haproxy the config is loaded correctly.

@JonathanLee said in New Secure Squid version 6.6 status page issues NAT Questions: cache_object I went as far as to add an any any rule to see if the ACL blocking port 80 caused this issue however it does not... Same result..

Also squidclient -h 192.168.1.1:3128 mgr:info@PASSWORD squidclient -h 127.0.0.1 mgr:info@PASSWORD Gives the following error Embedding a password in a cache manager command requires providing a username with -U: mgr:info@PASSWORD Also squidclient -h 192.168.1.1:3128 /squid-internal-mgr/info@PASSWORD squidclient http://127.0.0.1:3128/squid-internal-mgr/info@PASSWORD squidclient http://192.168.1.1:3128/squid-internal-mgr/info@PASSWORD squidclient -h http://127.0.0.1/squid-internal-mgr/info@PASSWORD How can we access the status page currently?

@cavouto have you created a new certificate yet non rsa? I needed one that ECDSA with prime256v sha256 and not RSA anymore that solved my errors The error is gone when this cert is used :)

@JonathanLee tls 1.3 has been used for quite some time.. Any time I bother to look at the connection to pretty much anything its tls 1.3.. This connection to the forums is using tls 1.3 ensi is dead but long live ech, that could be problematic I would bet.. But again I don't do any sort of mitm, its not good practice - I want my ssl/tls to be end to end.. As the internet gods intended it to be ;) I have no need or desire to run a proxy.. If I want to block someting I would filter on IP or DNS.. Yes I block the bane of filtering doh and dot. I run a reverse proxy, but not as a filtering method or as a way to do mitm.. But as a way to offload the ssl connection because the actual services have no ssl support at all, or are a pain to setup. These connections are tls 1.3.. And I don't even allow 1.2, if your not using 1.3 then your not accessing it. And use strict sni - so if you don't send the valid sni your not being proxied in either. This keeps rando port scanners from being able to actually get to the sites interface. And I block most of the known scanners from talking to any of my forwards anyway, and only allow access into my forwards if your coming from US IP, etc.

This seems to improve speeds http_upgrade_request_protocols websocket allow all accept_filter httpready accept_filter dataready collapsed_forwarding on half_closed_clients off pipeline_prefetch 6

@viragomann said in HAProxy forwardfor: @varazir You can see the http headers in the capture? yes, strange is that it's only for Authelia I don't get the header set. I think I'm going to remove it. Using wireguard to connect to my home network.

So generation 2 proxy technology can help if its built right...

@JonathanLee said in Any experience with HAproxy 3.0 ?: Sorry, could You be so please to explain Your reply? I asking because some improvements and new features in HAproxy 3.0 are really great (and some of them - was so long asking for). Of coarse, in hi-loading environment would be better to using SEPARATE HAproxy-balanser (no matter containerized or on bare metal) from pfSense . But the same time this not mean not to updating HAproxy to 3.0 in pfSense+ or CE. Am I wrong with this? @Sergei_Shablovsky Did you see you can run it in a docker container now? Sorry no time to seeking for right video, but this one probably not need the translation. @Sergei_Shablovsky is that the high availability software for running two different firewalls? As I know, One short example...., and another one. The last from this two examples are the "best pair" HAproxy+Keepalived that used widely and successfully from 2020-2024. And I personally know a bunch of projects (both hiload and enterprise) with implement, orcestrate and monitoring this HAproxy+Keepalived pair sucsessfuly