• pfSense randomly blocking web sites

    5
    0 Votes
    5 Posts
    2k Views
    G

    All I can say, most possibly it's your configuration.

  • Proxy and Traffic Graph

    2
    0 Votes
    2 Posts
    519 Views
    Raffi_R

    @dotslashniks I think you should still be able to see LAN addresses under the Status/Traffic Graph/. Make sure the Interface selected is LAN. I personally don't find the traffic graph extremely useful. Try installing the ntopng package. It's a great package for checking traffic. Look it up on YouTube, there are great tutorials on what it can do.

  • Landing Page for pfSense Proxy after User Authentication

    Moved
    1
    0 Votes
    1 Posts
    230 Views
    No one has replied
  • HAProxy - Log host name

    3
    0 Votes
    3 Posts
    1k Views
    A

    @piba said in HAProxy - Log host name:

    @aeleus
    Use the 'Advanced pass thru' textbox to put that config setting into?

    Thanks, Piba!

    That works.

  • This topic is deleted!

    Moved
    3
    0 Votes
    3 Posts
    229 Views
    No one has replied
  • Is it possible to use haproxy for DNS over TLS?

    2
    0 Votes
    2 Posts
    1k Views
    jimpJ

    A client has to explicitly know it's using DNS over TLS, it isn't as simple as forwarding 53 to 853. Running that on 53 may just confuse clients.

    Even so I'm not sure HAProxy can be used to present a certificate and work with DNS over TLS. Maybe as a simple TCP frontend to a real DNS over TLS backend like Unbound.

    But if you want something local to answer on 53 and then send the requests out to an upstream DNS over TLS server, then the DNS Resolver on pfSense can handle that. It can also act directly as a DNS over TLS server. It's possible to do with the custom options for DNS Resolver but there are native GUI controls for it in 2.4.4.

  • Groups based access to certain websites

    2
    0 Votes
    2 Posts
    417 Views
    S

    Any help in this regard?

  • HAProxy 0.59_7 not working with SSL. :(

    8
    0 Votes
    8 Posts
    1k Views
    S

    @piba said in HAProxy 0.59_7 not working with SSL. :(:

    it does seem that backend-exch80_ipvANY isn't 'up' yet.. Have you checked what the stats page says in LastChk column

    That's the next thing I have to fix on the server side it seems. The server reports a 503 server when I do HTTP to it. I think in the past I had it set up to redirect to HTTPS but after CU10 it might have broken. So no worries right now. 443 works, so does the webserver on 443 and 80. autodiscover is on the same server as OWA so it too is broken on 80.

  • haproxy - not working with ProfileManager (certificate problem?)

    9
    0 Votes
    9 Posts
    1k Views
    R

    @PiBa
    Yes, I can at least access the macOS Server portal / Profile Manager externally now. SCEP device enrollment isn't working externally for me, though it is internally. I'm not sure how important that is--I think that's (mostly) an enroll once kind of deal. It looks like someone else beat me to experiencing this trouble, and found at least a sledge hammer style workaround. ;-)
    Thanks for all your help!

  • Need to block email attachment

    2
    0 Votes
    2 Posts
    415 Views
    GertjanG

    Hi,

    This is something that has to be implemented into the mail server. Every mail server. Thus impossible.

    Sending and retrieving mails is being done using SSL connections more and more often, so pfSense can't "see" in the data stream that it is an "email".

    And even if you pulled it off, people stopped using their fat mail client, to browse to their web mail, and then download or upload the attachment. All this will be done over https://, leaving you out of the game completely.

    Read also, for example, https://security.stackexchange.com/questions/14120/open-source-tool-to-block-email-attachments

    Edit: if you have people on your network(s) that are capable of downloading (or sending) unknown, potentially dangerous files as attachments, then you throw them on a captive portal and WiFi, using APs with client isolation activated (== no more local network sharing), and if there is more than one AP, also enforce sharing among these APs.
    Only then people (clients, visitors) can mess up badly, and only have their device being fckd up without exposing others on your local net(s).

  • Speed Test

    3
    0 Votes
    3 Posts
    539 Views
    D

    Ooohh. I see. Thank you, Periko 👌

  • ICAP error caused by Squid AV

    Moved
    1
    1 Votes
    1 Posts
    287 Views
    No one has replied
  • odd problem with squidguard and lan ip addresses

    1
    0 Votes
    1 Posts
    370 Views
    No one has replied
  • Hard disk is getting full due to /var/log/c-icap/access.log

    Moved
    3
    0 Votes
    3 Posts
    615 Views
    N

    Hi periko,

    Thank you for the advice. I am able to clear the log with the command suggested and my hard disk is now at 60%.

  • Squid Transparent Mode MITM doubt?

    3
    0 Votes
    3 Posts
    502 Views
    perikoP

    clean and simple, thanks _neok.

  • squidguard URL filtering not working

    Moved
    4
    0 Votes
    4 Posts
    717 Views
    _neok_

    You need to enable the MIT feature. This link could help you.
    https://turbofuture.com/internet/Intercepting-HTTPS-Traffic-Using-the-Squid-Proxy-in-pfSense

    Hand up if it was useful.

    Gabriel

  • HTTP Health check backend with HAProxy package via GET request

    3
    0 Votes
    3 Posts
    2k Views
    K

    Hi, PiBa!

    Or perhaps you want to configure a 'port' option on the server to make it check on a different port than the regular traffic goes to? Could add that on the server-pass-thru option.

    This is exactly what I need! Thanks, it works for me with the server-pass-thru option :)

  • HAProxy OCSP stapling possibly broken

    15
    0 Votes
    15 Posts
    2k Views
    M

    Dear PiBa,

    Again, thank you very much! The complaint did not exist in previous versions. Your way does work. Placing the statement in the "Advanced pass thru" box does work also. I would not have understood this without your explanation!

    Regards,

    Michael

  • HAProxy reverse proxy with host headers

    11
    0 Votes
    11 Posts
    8k Views
    P

    @piba

    Thanks a lot for all your help.

  • Squid non-transparent mode: apple iphone siri problem

    5
    0 Votes
    5 Posts
    954 Views
    U

    I got Siri to work by adding the following to my wpad files:

    // Send requests for Siri's endpoints direct, bypassing the proxy
    if (shExpMatch(url, "guzzoni.apple.com") ||
        shExpMatch(url, ".guzzoni-apple.com.akadns.net"))
        return "DIRECT";

    Basically, it's bypassing the proxy but that's all I could find.

    This is where I found it:
    https://apple.stackexchange.com/questions/253843/siri-on-macos-behind-a-corporate-proxy#253947

    and

    https://blog.mansshardt.net/siri-ios-macos-hinter-squid-proxy-zum-laufen-bringen/

    You will need to use google translate unless you know how to read German.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.