I think I have cracked this. What you do is to upgrade in the package manager:
To:

haproxy net 0.59_4 The Reliable, High Performance TCP/HTTP(S) Load Balancer.
This package implements the TCP, HTTP and HTTPS balancing features from haproxy.
Supports ACLs for smart backend switching.

That seems to pull the HAProxy 1.7.11 as an dependency at least it now claims to be running 1.7.11 and the first tests looks reassuring.

I solved the problem myself.

All my configuration was correct, there is a bug with the squid addon: you can not start the squid service from the web interface, when you click on "start the service" in the image below nothing happens, the service doesn't start and you don't have any error message:
0_1533074663644_squid screenshot.png

I had to connect to the pfsense terminal and run a "ps aux |grep squid" to see that th service was not running (i didn't have any error message in /var/log/squid).

A simple "squid start" solves the problem, does someont knows where can i report this bug ?

@maverick_slo
using 2.4.4'beta' with php7 i guess? PR with version 0.59_6 that should fix that one is pending..

Same here, re-appearing in 2.4.3-RELEASE-p1 on a Netgate SG-3100. Looks to me too high i/o(???)

PFSense installed on 'thrid party' pc hardware works normally. Restarting ClamAV works for some hours and then protocol errors appear again. Updating ClamAV once a day lowered to once a week -> no difference Bypassing will prevent this ICAP protocol error but is not really a solution.

Thanks,
Imp

@gertjan said in SSL Man In the Middle Filtering blocking any app:

The MITM "problem" will probably never get solved.

Thank you very much

Hi
I had the same problem
But I put the list IP of this site in Bypass and the problem was resolved

Go to Firewall Aliases>ADD+
Name: trello
Type : Network(s)
23.45.96.0/20
104.66.78.18/20

Save

And Go to Services > Squid Proxy server
in Bypass Proxy for These Destination IPs type : trello

Save and restart squid service

@marcelloc said in pfSense keeps blocking google.com, I lost all hope:

If you run a tcpdump on your LAN while trying to google something with chrome, you will see it going on UDP port 443 instead of default TCP port.

That's the QUIC protocol right? You can block it with a firewall rule blocking udp80/443

https://wiki.squid-cache.org/KnowledgeBase/Block%20QUIC%20protocol

or disable it using a Chrome flag:
chrome://flags > QUIC protocol > Disable

I'm sure there was a good thread about it here on this forum but now for the life of me I can't find it.

I just can not believe this bug even exists, let alone after so many many years after it has been created (8 years).☹

you must configure the authentication in both now so that it works, you need to create an acl of groups with AD in the squidguard by changing the parameters of the example:

ldapusersearch ldap://192.168.0.100/DC=domain,DC=com?sAMAccountName?sub?(&(sAMAccountName=%s)(memberOf=CN=it%2cCN=Users%2cDC=domain%2cDC=com))

@_neok said in Squid + Squidguard + active directory + SSO:

This video is a bit old but the general outlines helped me make it work.

Yes this works, i have modified this package according to my requirement and works like a charm.

That is the solution that gives me a lot of troubles... When I point https://mydomin.com/media/ => https://media.local:2020/media/ I have to configure media.local to have a service running on a different path, and that brings a lot of problems. The easyest solution would be to mask the url and rewrite https://mydomin.com/media/ to https://media.local:2020 that way I don't need to mess with the destinations servers.