This look more like a pfBlocker issue to me.

Not yet no time currently. Just exploring my options but will definitly try it. Thanks!

Squid is a caching proxy.  Squidguard is an URL filter.  Squidguard requires squid.  Squid uses authentication to allow/deny access while squidguard uses it for grouping purposes.

Added This to Firewall LAN rules whatsapp now passes the proxy.    

Hi Marcello, I installed Pfsense version 2.4.3  it works now SquidAnalyzer. Programs I installed in the system Squid SquidGuard in squidanalyzer TOP DENIED empty

Fixed keytab, got Kerberos. But cpu load is very high. Where i must paste “KRB5RCACHETYPE=none export KRB5RCACHETYPE” in /usr/local/pkg/squid.inc, to disable cache ?

Hello Milan, here is a tip for you. use samba44. It has all kerberos support tools, including the keytab generation and it's quite simple to use it. Also, you will need squidguard to make your AD group search. You will need to add the Kerberos auth config lines in the advanced configuration for squid. (squid page. All the way down the page) Also, The correct authentication sequence should be:  Kerberos, NTLMv2 and then (optional) Basic Auth. Unless you really want to use Kerberos ONLY. hope that helps you. Fabricio.

Hi Michael, I'm trying to configure a haproxy with a EC certificate and i configured global setting like you described: ssl-default-bind-options no-sslv3 no-tls-tickets ssl-default-bind-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA my .pem file has privatekey + cert +certCA, still haproxy fails: parsing [/etc/haproxy/haproxy.cfg:48] : 'bind 10.10.1.5:443' : unable to load SSL private key from PEM …ne.com.pem' I'm runnig a v1.5 haproxy, what was the version you used? thanks, Ricardo

Try this screencast http://sys-squad.com/licao/259 It's in Portuguese but I think it will help. I strongly recommend e2guardian v5 under pfSense 2.4

I'd utilize pfBlockerNG for blocking domains via its DNSBL (or IP for that matter). It's much faster and better. What's your network size, how many clients are there?

http://blogs.fcoos.net/block-p2p-traffics-with-pfsense-using-snort-ips/

Your server timeout is 2 minutes for the webapp, and a connect timeout shouldn't really be above 10 seconds, if it takes 10 seconds to get a working tcp connection there is some serious network issues even when accessing a server over the internet.. As for dropping established connections there could be different factors causing that.. Configuring the syslog on the haproxy settings tab(perhaps to the local syslog unixsocket) and enabling 'detailed logs' on the frontend should help tell if the client or server breaks the connection or a timeout is hit perhaps.. In case of doubt also run also capture the packets on both wan and lan side of haproxy to check with wireshark which side traffic gets interrupted.

if you use splice all it does not bump at all. Which CA du you see on your client. Every host should turn up as signed by your ca if bumbing is applied. Whitelist/Blacklist of squid does NOT apply to SSL at all. As I wrote before in another thread Splice Whitelist is defect too. If possible post resulting squid.conf here and a screenshot of what goes wrong. Press F12 in your browser to see 'security' details. Or try with openssl s_client -connect to see certificate and ssl details. ssl bump is not for the faint harted though. a lot of problems on the horizon. hpkp, tls 1.3, missing intermediate certificates, incompatible ciphers etc etc to mention some. some experience with tls required I would say.

@demux: Hi. We are going to use a central ICAP-enabled AV scanner that runs on a dedicated machine.  We do not want to use clamav (neither locally nor remote). From looking at the various GUI settings I cannot find an easy way to configure squid to use another ICAP path except the one to the local clamav (c-icap). Is there a setting that I am missing or is there another way to set this up in a simple way (means without overriding the GUI config manually). I know that we could do that using a parent proxy setup, but we believe that taking the ICAP approach is faster and with less overhead - and makes more sense with regard to structure. (At the moment I cannot say which engine we are going to use as this is not yet finally decided.  But a written requirement is that we can talk to it using ICAP because of pfsense.) Where is the best place to configure another ICAP machine? Thanks for your help! demux. I'm looking for the same thing. I would like to have a GUI menu where i can specify the external ICAP Server IP address, reqmode/respmode and port. I suppose this could be easily done by developers. For now the best way i've found to config these parameters is by using the "Diagnostics –> Edit File" functionality to edit these two files: /usr/local/pkg/squid_antivirus.inc /usr/local/etc/squid/squid.conf Just edit the following lines using the correct IP/port/etc...and restart squid: icap_service service_req reqmod_precache bypass=1 icap://127.0.0.1:1344/request adaptation_access service_req allow all icap_service service_resp respmod_precache bypass=0 icap://127.0.0.1:1344/response adaptation_access service_resp allow all I hope someone more expert than me can find a simpler way or maybe some developer can introduce this feature :) Thanks

Hello. I have done 2 target categories (social sites & job sites) User(A)  group will get only social access, user(B)  group will get only job access. In user(A)  group one ip will get both sites access. So i create that ip in another group & allows both categories. But its no working. Please help me about this issue. (SORRY FOR MY BAD ENGLISH)

@cplmayo: Got it working today, firewall rule was blocking the traffic. Knew it would be something stupid that I missed. Hello, im running in the exact same issue, could you so kind and share which firewall rule was blocking the traffic?

Have you selected the 'default backend' in the frontend? Or use a 'use backend' action.?