Hi
I had the same problem
But I put the list IP of this site in Bypass and the problem was resolved

Go to Firewall Aliases>ADD+
Name: trello
Type : Network(s)
23.45.96.0/20
104.66.78.18/20

Save

And Go to Services > Squid Proxy server
in Bypass Proxy for These Destination IPs type : trello

Save and restart squid service

@marcelloc said in pfSense keeps blocking google.com, I lost all hope:

If you run a tcpdump on your LAN while trying to google something with chrome, you will see it going on UDP port 443 instead of default TCP port.

That's the QUIC protocol right? You can block it with a firewall rule blocking udp80/443

https://wiki.squid-cache.org/KnowledgeBase/Block%20QUIC%20protocol

or disable it using a Chrome flag:
chrome://flags > QUIC protocol > Disable

I'm sure there was a good thread about it here on this forum but now for the life of me I can't find it.

I just can not believe this bug even exists, let alone after so many many years after it has been created (8 years).☹

you must configure the authentication in both now so that it works, you need to create an acl of groups with AD in the squidguard by changing the parameters of the example:

ldapusersearch ldap://192.168.0.100/DC=domain,DC=com?sAMAccountName?sub?(&(sAMAccountName=%s)(memberOf=CN=it%2cCN=Users%2cDC=domain%2cDC=com))

@_neok said in Squid + Squidguard + active directory + SSO:

This video is a bit old but the general outlines helped me make it work.

Yes this works, i have modified this package according to my requirement and works like a charm.

That is the solution that gives me a lot of troubles... When I point https://mydomin.com/media/ => https://media.local:2020/media/ I have to configure media.local to have a service running on a different path, and that brings a lot of problems. The easyest solution would be to mask the url and rewrite https://mydomin.com/media/ to https://media.local:2020 that way I don't need to mess with the destinations servers.

Thanks derelict
🌷

i know this pfsense chat but you seem very smart in this other stuff too i had another question if i have a unraid and it rsyncs to a freenas if data on teh unraid bit rots wont it bit rot the freenas or should i be scrapping unraid all together. i just like it its easier to use then freenas but i do like some things freenas has so there is no happy medium or best solution windows i guess lol

@brlamnr said in HAProxy TCP/use client ip and carp cluster problem:

@piba said in HAProxy TCP/use client ip and carp cluster problem:

@brlamnr
Can you check result of command 'ipfw show' ?

Following after activating client-ip:

00010 0 0 fwd ::1 tcp from 10.3.128.10 443 to any in recv cxl0.79
00011 108 20412 fwd ::1 tcp from 10.3.128.11 443 to any in recv cxl0.79
65535 48732381 4651172490 allow ip from any to any

It didn't work. Same behavior. Thanks.

Edit file /usr/local/www/sqstat/sqstat.php

change line

$res .= "$('#sqstat_updtime').html({$time}');";

to

$res .= "$('#sqstat_updtime').html('{$time}');";

If the destination ip/port is the pfSense ip with proxy port, then it's a direct connect.
If the destination ip/por is an valip ip address with port 80 or 443 then it's a transparent connection if transparent mode is configured.

The basic usage for tcpdump is:

tcpdump -ni YOUR_LAN_OR_WAN_INTERFACE host YOUR_CLIENT_IP

@cloudfw said in Squid as transparent HTTP/HTTPS whitelist only proxy:

@marcelloc But why is it working with HTTP then? same thing DNS lookup, then direct http to IP traffic. Have you had this HTTPS setup working?

Because http traffic is not encrypted, squid can see the packet content. With ssl in splice all mode, squid does not intercept the connection, it just tries to check the server certificate. before establishing a tunnel between the client and the server.

i'll give it a try.. thanks

@valnurat said in How do I know if it is working?:

Okay, but what metadata is cached?

I'm not using Squid, but I tend to say : all classic http (non-https) web access. Forget about SSL caching (check Google, he will tell you why).
Squid main goal isn't being a "cache", it's more a proxy thing.