Added a custom ACL and used this https://stackoverflow.com/questions/23342036/haproxy-restrict-single-backend-by-ip-range

I moved the galaxy backend to the ssl offload fronted.

@lorelore75 You can install it while running, though it might cause a interruption regarding the handling of requests, and do check the new version is running after installing. Haproxy-devel replaces haproxy, and uses the same configuration settings so 'upgrade' should be pretty much seamless. Going back to 'haproxy' package should also be possible but sometimes 'upgraded' settings don't take effect in the older version.. So careful a quick comparison of the expected haproxy.cfg is wise to do :), but i guess thats also true when performing upgrades :)

@jimp Thank you very much for your reply! This solved my problem. I suppose I could have worded my previous comment a little differently. I've found lots of others online who are having a similar troubles. As such, I wasn't so much surprised that nobody else was having the same issue, rather, I was surprised that I hadn't yet found an answer similar to what you've provided, above. Thanks again for your help with this!

How to configure

You should now see squid pkg version 0.4.44_7 which includes the recompiled clamav package.

Nope, I have never seen that error message before but it seems to be related to the backend. Can you post a picture of how your backend is configured

@jimp could you point me in the right direction how to setup so HAProxy on pfSense handels the certs ( not just getting them )

@piba How do I get information about this image?

Is Squid the only package on the pfSense box? Also I would check if the firewall rule that Squid adds in transparent mode is conflicting with other firewall rule's. With that amount of user's there is quite a lot of tuning that can be done.

Common is literally applied for everyone. Group policies are only for those clients inside the group. The order is important. Did you confirm that your clients are even using the proxy?

That was it, thank you for your help!

Problem solved. Set SSL/MITM Mode to Splice All.

Ok after some reading, it seems I don't need to filter https. All I really need to do is block certain https domains from my kids on my home network while allowing all other traffic, prevent kids from circumventing proxy, monitor traffic stats per IP, and no issues with online games like logging into Warframe. To block https domains, I found some info on setting the ssl intercept to "splice all" and putting ".*" in the acl whitelist, then use squidguard to block https. However, I'm not exactly sure how to set this up with squidguard or if it will fix my Warframe login issue. I'm trying to learn this so I don't really want to use something like OpenDNS if I can help it. I'm running psSense in a VM with working backup so I'll try any suggestions because I can easily restore my pfSense firewall. Thanks.