any help in this regard ?

@piba said in HAProxy 0.59_7 not working with SSL. :(: it does seem that backend-exch80_ipvANY isnt 'up' yet.. Have you checked what the stats page says in LastChk column That's the next thing I have to fix on the server side it seems. The server reports a 503 server when I do HTTP to it. I think in the past I had it setup to redirect to HTTPs but after CU10 it might have broke. So no worries right now. 443 works, so does the webserver on 443 and 80. autodiscover is on the same server as OWA so it too is broke on 80.

@PiBa Yes, I can at least access the macOS Server portal / Profile Manager externally now. SCEP device enrollment isn't working externally for me, though it is internally. I'm not sure how important that is--I think that's (mostly) an enroll once kind of deal. It looks like someone else beat me to experiencing this trouble, and found at least a sledge hammer style workaround. ;-) Thanks for all your help!

Hi, This is something that has to be implemented into the mail server. Every mail server. Thus impossible. Sending and retrieving mails is being done using SSL connections more and more often, so pfSense can't "see" in the data stream that it is an "email". And even if you pulled it off, people stopped using their fat mail client, to browse to their web mail, and then download or upload the attachment. All this will be done over https;//, leaving you out of the game completely. Read also, for example, https://security.stackexchange.com/questions/14120/open-source-tool-to-block-email-attachments edit : if you have people on your network(s) that are capable of downloading (or sending) unknown, potentially dangerous files as attachments, then you throw them on a captive portal and Wifi , using AP's with client isolating activated (== no more local network sharing) and if there is more then one AP, also enforce sharing among these AP's. Only then people (clients, visitors) can mess up badly, and only have their device being fckd up without exposing others on your local net(s).

Ooohh. I see. Thank you, Periko

Hi periko, Thank you for the advise. I am able to clear the log with the command suggested and my hard disk is now at 60%.

clean and simple, thanks _neok.

You need enable MIT feature. This link could be help you. https://turbofuture.com/internet/Intercepting-HTTPS-Traffic-Using-the-Squid-Proxy-in-pfSense Hand up if it was useful. Gabriel

Hi, PiBa! Or perhaps you want to configure a 'port' option on the server to make it check on a different port than the regular traffic >>go's to? Could add that on the server-pass-thru option. This is exactly what I need! Thanks, it works for me with the server-pass-thru option :)

Dear PiBa, Again, thank you very much! The complaint did not exist in previous versions. Your way does work. Placing the statement in the "Advanced pass thru" box does work also. I would not have understood this without your explanation! Regards, Michael

@piba Thanks a lot for all your help.

I got Siri to work by adding the following to my wpad files: if (shExpMatch(url, "guzzoni.apple.com")) || shExpMatch(url, ".guzzoni-apple.com.akadns.net")) return "DIRECT"; Basically, it's bypassing the proxy but that's all I could find. This is where I found it: https://apple.stackexchange.com/questions/253843/siri-on-macos-behind-a-corporate-proxy#253947 and https://blog.mansshardt.net/siri-ios-macos-hinter-squid-proxy-zum-laufen-bringen/ You will need to use google translate unless you know how to read German.

@piba You were correct, I had to change the SSL checkbox for the wanhttps Now everything is working and I am back to the SSL Labs A+ rating (if that is worth anything)

@ageekhere In this case, do I keep the Proxy settings transparent with Splice All enabled?

[Solved] I found the log rotate check button for SquidGuard in the GUI. Thanks

I think I have cracked this. What you do is to upgrade in the package manager: To: haproxy net 0.59_4 The Reliable, High Performance TCP/HTTP(S) Load Balancer. This package implements the TCP, HTTP and HTTPS balancing features from haproxy. Supports ACLs for smart backend switching. That seems to pull the HAProxy 1.7.11 as an dependency at least it now claims to be running 1.7.11 and the first tests looks reassuring.