Hello,

i have exactly the same problem. how can be this solved? I wold like to split interface by purpose.
Now reverze proxy is catched on all virtual ip and wan ip.

Jan

hsts does not hinder you bumping tls traffic, it just forces the client to use tls instead of plain text. you have to have your ca in place on your client devices. I would recommend

1. setting up a ca in pfsense (you don't necessarily have to have the private key on the pfsense box and I recommend againt it, it is you last resort if you private keys of you sub cas are leaked at some point)
2. setting up a sub ca for ssl bumping
3. exporting the ca certificate of the top ca (just the cert)
4. selecting the right ca in the squid config
5. configure bumping as i describe over here https://forum.pfsense.org/index.php?topic=135178.0
6. put on the whitelist what you desire
7. install ca on the client. that should generally be done by your endpoint management solution (active directory gpo, kaspersky endpoint security, you name it). if you want to manually install the ca make sure you put it into the /SYSTEM'S/ Trusted Root Certifaction Authorities else it won't work.
8. here you go (push f12 in your browser to verify your certs are being generated by your bumping ca.

Have you had any luck?  I'm trying to get Squid to work with my VPN, whenever I enable squid guard I loose my VPN connection, it bypasses it for some reason?

Have you had any luck?  I'm trying to get Squid to work with my VPN, whenever I enable squid guard I loose my VPN connection, it bypasses it for some reason?

Hi!

I did some more testing now I am not at home. So it seems like everything is working fine :). Now testing with different SSL certificates. Thanks!

Thanks KOM, seems to work after pressing save and apply in general.

Cheers!

That's got nothing to do with squid.  Add a host override in your DNS config to resolve that host to whatever address you specify.

BUMP, does anyone use Squid with OPEN VPN?

I'm facing the same problem, however in my case when PfSense server restarts the Squid initialization path returns to "redirect_program /usr/pbi/squidguard-amd64/bin/squidGuard" and I get the same error: "No such file or directory", so I did not find yet any solution.

The Cache/Proxy forum is a better place to ask your squid questions.  The Documentation forum is for issues with pfSense's documentation.

@beauw:

Okay - remzej's script saved me so much grief.

I run PFsense with about 1200 clients and the squid memory continually increases over the day until it locks up with no reboot.  Even on the newest versions.

I adjusted the script to reboot only on memory (65% for me) and it works like a charm.

Once I got the cron running, it checks every 15 mins.  At the most, the reboot results in 15 seconds downtime for the network which is palatable.

Thanks again remzej for your contribution….

Do You have rule this similar it?


Read what KOM said, you're asking in the wrong place.

Can you share your haproxy.conf from the bottom of the settings tab? (please wrap inside code # tags using the buttons above the message text..)

Also please checkout: https://github.com/PiBa-NL/pfsense-haproxy-package-doc/wiki/haproxy_troubleshooting

Squidguard is a helper app that takes URLs from squid and processes them in realtime as they're requested by the user.  You definitely need squid installed first.

good morning people,

I'm running exactly the same versions, and going through the same difficulty as my friend RPX_D, did anyone ever figure out the problem.

Active squidguard on the hour I have problem with https sites, and I am forced to disable ….

So i'm assuming ClamAV is still NOT preffered way to do AV screening. I'm sort of glad to hear that anyway as when i enable squid proxy and clamav, one of those two slows down my DNS significantly to

the order of 10x where dns lookup was 30ms now with all those services running is 600ms which is 2000% slow down. I think it's proxy not clam av but that's a no go for me if that's the price to pay.

I'm still trying to figure out why i would need proxy server for 3 clients max and why would anyone want to deal with cache of that later.