@gurpal2000
We are talking about backends.

There is a "Default Backend" setting in the frontend. This is used if no rule matches a traffic.

Howerver, you can as well add an action for the primary backend and negate the existing ACL.

@nalle_j
So you have to investigate, what's going wrong.

I assume, that the packets reach the remote backend server, since the health check succeed, as you wrote.

To get sure, sniff the traffic at the remote site. First on the server-facing interface. If you can see requests and responses either, sniff on the Wireguard interface, and if there are no responses, sniff on the WAN to see if the packets go out to the default gateway.

Any tips on how to get this working?

@johnpoz, you are correct. I should have added that in my head it seemed like a security issue but it obviously wasn't because of the default rules.

This is pretty complex I use a separate VLAN that only gets the resources it needs for VPN but check your ACLs and if you really want to send VPN traffic into the proxy you need to force that traffic into the proxy NAT it

UPDATE 4-25-24

Added timeframes to secure web cache use

Add this to the top of the config

acl block_hours time 01:30-05:00 ssl_bump terminate all block_hours http_access deny all block_hours

@viragomann Yes, not sure why that made a difference but it's working.

follow this for use with creating a dstdom.broken file for use with pinned certificates..

https://wiki.squid-cache.org/SquidFaq/WindowsUpdate

same item however add the
office.com
office.net domains into the folder so everything works and cache for updates still works

acl BrokenButTrustedServers dstdomain "/usr/local/pkg/dstdom.broken"
acl DomainMismatch ssl_error SQUID_X509_V_ERR_DOMAIN_MISMATCH
sslproxy_cert_error allow BrokenButTrustedServers DomainMismatch
sslproxy_cert_error deny all

this works for me and all updates restored and office use